Browser apre pubblicita' indesiderata

rendipiero · 18-07-2008, 16:13

Salve, da qualche giorno sia Firefox che Explorer mi continua ad aprire siti non voluti di pubblicita' (es. fastweb, tele2, poker) con un notevole rallentamento del pc. Presumo che ci sia un rootkit.
Ho provato una scansione con Gmer, Ad-aware, Sophos-Rootkit, per non parlare di AVAST!, Panda 2008, ma nulla da fare.
Potete aiutarmi
Vi allego i log di hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.04.46, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\programmi\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Panda Security\Panda Internet Security 2008\psimsvc.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe
C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe
C:\Programmi\WinFax\WFXCTL32.EXE
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\OpenOffice.org 2.3\program\soffice.exe
C:\Programmi\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ahead\lib\NMIndexStoreSvr.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Programmi\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\Angelo\IMPOST~1\Temp\Rar$EX00.078\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe"
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone Control Panel] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe"
O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhone] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe"
O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhoneUI] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone UI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [wcuik] c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe wcuik
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\RunOnce: [NeroHomeFirstStart] C:\Programmi\File comuni\Ahead\Lib\NeroScoutOptions.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programmi\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Programmi\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9509D20-A198-465D-97CF-168C2C2169D4}: NameServer = 151.99.125.1,151.99.1.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC984903-AF4F-40EE-B0F2-D47A5971BFC9}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programmi\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 9997 bytes

giofio · 18-07-2008, 16:39

Da hijackthis seleziona questa voce e premi fix checked:
O4 - HKCU\..\Run: [wcuik] c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe wcuik

Poi scarica avenger http://swandog46.geekstogo.com/avenger2/download.php, avvialo e nella casella bianca copia/incolla:

Files to delete:
c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe

Folders to delete:
C:\Windows\Temp
C:\documents and settings\angelo\impostazioni locali\Temp
Fai riavviare il pc e posta il log avenger seguendo le regole (il log postato non è a regola) e un altro log hijackthis.

**Chill-Out** · 18-07-2008, 19:01

Prima di procedere con l'eliminazione del file sopra citato ovvero wcuik.exe sarebbe meglio farlo scansionare su http://www.virustotal.com/it/ così da avere qualche elemento in più

Per i risultati è sufficiente copiare ed incollare nel prossimo post il link che viene rilasciato al termine della scansione

Ciao

rendipiero · 19-07-2008, 16:11

Quote:

Originariamente inviato da Chill-Out

Prima di procedere con l'eliminazione del file sopra citato ovvero wcuik.exe sarebbe meglio farlo scansionare su http://www.virustotal.com/it/ così da avere qualche elemento in più

Per i risultati è sufficiente copiare ed incollare nel prossimo post il link che viene rilasciato al termine della scansione

Ciao

Ho effettuato la scansione del file con virus total è questo è il risultato
http://www.virustotal.com/it/analisi...8b12e34b4a3f7e

**Chill-Out** · 19-07-2008, 16:15

Quote:

Originariamente inviato da rendipiero

Ho effettuato la scansione del file con virus total è questo è il risultato
http://www.virustotal.com/it/analisi...8b12e34b4a3f7e

1 su 32 ha tutta l'aria di un Falso positivo oppure sei un pò sfortunato per sicurezza fallo controllare anche qui http://virusscan.jotti.org/ copia ed incolla i risultati nel prossimo post

rendipiero · 19-07-2008, 16:40

Quote:

Originariamente inviato da giofio

Da hijackthis seleziona questa voce e premi fix checked:
O4 - HKCU\..\Run: [wcuik] c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe wcuik

Poi scarica avenger http://swandog46.geekstogo.com/avenger2/download.php, avvialo e nella casella bianca copia/incolla:

Files to delete:
c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe

Folders to delete:
C:\Windows\Temp
C:\documents and settings\angelo\impostazioni locali\Temp
Fai riavviare il pc e posta il log avenger seguendo le regole (il log postato non è a regola) e un altro log hijackthis.

Come da voi suggerito ecco il log di avenger:

Codice:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Ed il log di hijackthis

Codice:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.38.29, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\LogMeIn\x86\RaMaint.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe
C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe
C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe
C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone UI.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\WinFax\WFXCTL32.EXE
C:\Programmi\OpenOffice.org 2.3\program\soffice.exe
C:\Programmi\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\Angelo\IMPOST~1\Temp\Rar$EX03.531\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe"
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone Control Panel] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe"
O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhone] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe"
O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhoneUI] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone UI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\RunOnce: [NeroHomeFirstStart] C:\Programmi\File comuni\Ahead\Lib\NeroScoutOptions.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programmi\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Programmi\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9509D20-A198-465D-97CF-168C2C2169D4}: NameServer = 151.99.125.1,151.99.1.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC984903-AF4F-40EE-B0F2-D47A5971BFC9}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8605 bytes

rendipiero · 19-07-2008, 17:04

Quote:

Originariamente inviato da Chill-Out

1 su 32 ha tutta l'aria di un Falso positivo oppure sei un pò sfortunato per sicurezza fallo controllare anche qui http://virusscan.jotti.org/ copia ed incolla i risultati nel prossimo post

Fatto, con virusscan.jotti.org ho a tutti questo risultato "Found nothing"

18-07-2008, 16:13	#1
rendipiero Junior Member Iscritto dal: Jul 2008 Messaggi: 4	Browser apre pubblicita' indesiderata Salve, da qualche giorno sia Firefox che Explorer mi continua ad aprire siti non voluti di pubblicita' (es. fastweb, tele2, poker) con un notevole rallentamento del pc. Presumo che ci sia un rootkit. Ho provato una scansione con Gmer, Ad-aware, Sophos-Rootkit, per non parlare di AVAST!, Panda 2008, ma nulla da fare. Potete aiutarmi Vi allego i log di hijackthis. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14.04.46, on 18/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programmi\Panda Security\Panda Internet Security 2008\TPSrv.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmi\LogMeIn\x86\RaMaint.exe C:\WINDOWS\Explorer.EXE C:\Programmi\LogMeIn\x86\LogMeIn.exe C:\Programmi\LogMeIn\x86\LMIGuardian.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programmi\Panda Security\Panda Internet Security 2008\PsCtrls.exe C:\Programmi\Panda Security\Panda Internet Security 2008\PavFnSvr.exe C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe C:\Programmi\Panda Security\Panda Internet Security 2008\pavsrv51.exe C:\Programmi\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe C:\Programmi\Panda Security\Panda Internet Security 2008\AVENGINE.EXE c:\programmi\panda security\panda internet security 2008\firewall\PSHOST.EXE C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programmi\Panda Security\Panda Internet Security 2008\psimsvc.exe C:\PROGRA~1\WinFax\WFXSWTCH.exe C:\WINDOWS\system32\wfxsnt40.exe C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe C:\Programmi\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE C:\Programmi\LogMeIn\x86\LogMeInSystray.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmi\Messenger\msmsgs.exe C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe C:\Programmi\Skype\Phone\Skype.exe C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe C:\Programmi\WinFax\WFXCTL32.EXE C:\Programmi\LogMeIn\x86\LMIGuardian.exe C:\Programmi\OpenOffice.org 2.3\program\soffice.exe C:\Programmi\OpenOffice.org 2.3\program\soffice.BIN C:\WINDOWS\system32\svchost.exe C:\Programmi\File comuni\Ahead\lib\NMIndexStoreSvr.exe C:\Programmi\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE C:\Programmi\Skype\Plugin Manager\skypePM.exe C:\Programmi\Panda Security\Panda Internet Security 2008\WebProxy.exe C:\Programmi\Panda Security\Panda Internet Security 2008\PavBckPT.exe C:\Programmi\LogMeIn\x86\LogMeIn.exe C:\Programmi\LogMeIn\x86\LMIGuardian.exe C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe C:\Programmi\WinRAR\WinRAR.exe C:\DOCUME~1\Angelo\IMPOST~1\Temp\Rar$EX00.078\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe" O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone Control Panel] "C:\Programmi\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe" O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhone] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone.exe" O4 - HKLM\..\Run: [SitecomWirelessInternetUsbPhoneUI] "C:\Programmi\Sitecom\Wireless Internet USB Phone\Wireless Internet USB Phone UI.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Security\Panda Internet Security 2008\Inicio.exe" O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [wcuik] c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe wcuik O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE') O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LogMeInRemoteUser') O4 - HKUS\S-1-5-21-73586283-1284227242-839522115-1004\..\RunOnce: [NeroHomeFirstStart] C:\Programmi\File comuni\Ahead\Lib\NeroScoutOptions.exe (User 'LogMeInRemoteUser') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programmi\OpenOffice.org 2.3\program\quickstart.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Controller.LNK = C:\Programmi\WinFax\WFXCTL32.EXE O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O17 - HKLM\System\CCS\Services\Tcpip\..\{B9509D20-A198-465D-97CF-168C2C2169D4}: NameServer = 151.99.125.1,151.99.1.100 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC984903-AF4F-40EE-B0F2-D47A5971BFC9}: NameServer = 151.99.125.1,151.99.0.100 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Panda Software Controller - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\PsCtrls.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\pavsrv51.exe O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programmi\panda security\panda internet security 2008\firewall\PSHOST.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\psimsvc.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programmi\Panda Security\Panda Internet Security 2008\TPSrv.exe -- End of file - 9997 bytes

18-07-2008, 16:39	#2
giofio Member Iscritto dal: Jul 2008 Messaggi: 86	Da hijackthis seleziona questa voce e premi fix checked: O4 - HKCU\..\Run: [wcuik] c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe wcuik Poi scarica avenger http://swandog46.geekstogo.com/avenger2/download.php, avvialo e nella casella bianca copia/incolla: Files to delete: c:\documents and settings\angelo\impostazioni locali\dati applicazioni\wcuik.exe Folders to delete: C:\Windows\Temp C:\documents and settings\angelo\impostazioni locali\Temp Fai riavviare il pc e posta il log avenger seguendo le regole (il log postato non è a regola) e un altro log hijackthis. __________________ Iscritto in altri forum come gio!

18-07-2008, 19:01	#3
Chill-Out Moderatore Iscritto dal: Jun 2007 Città: 127.0.0.1 Messaggi: 25885	Prima di procedere con l'eliminazione del file sopra citato ovvero wcuik.exe sarebbe meglio farlo scansionare su http://www.virustotal.com/it/ così da avere qualche elemento in più Per i risultati è sufficiente copiare ed incollare nel prossimo post il link che viene rilasciato al termine della scansione Ciao __________________ Regole di Sezione ▪ Guida alla Disinfezione ▪ Attenzione: Thread importanti Try again and you will be luckier.

Strumenti
Mostra una versione stampabile Invia questa pagina per email