#1
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

A toolbar has installed itself in my browser.. how do I remove it?
A toolbar has installed itself in my browser. It is not integrated into the program, but "is part of" the web page.
I looked at the toolbar's properties and I see it is a link to http://supersearch.com/frame3.html. How do I remove it? A Spy Sweeper check found nothing. I searched with jv16 for registry keys containing the term "supersearch": zero results.

#2
Senior Member
Joined: Jun 2001
City: Lazio
Posts: 5936

Try this program:
http://www.sicurezzainrete.com/Rimuo...ebShredder.htm
If that doesn't solve it, try the Giant AntiSpyware trial, which removes many of these objects and is an excellent antispyware program. Bye

#3
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

Giant doesn't remove it either.
Does anyone know what it is and how to remove it?

#4
Senior Member
Joined: Feb 2003
City: Pistoia
Posts: 4926

Try making a HijackThis log.
That way we'll see whether we can work out exactly what it is.

#5
Senior Member
Joined: Mar 2004
City: Rimini
Posts: 10296

Hi,
have you followed the instructions in the perfect spybuster's manual?
- enable the display of hidden files and folders
- disable System Restore
- delete all the files in the temporary folders (all the temporary folders, there are quite a few!)
- completely empty the Internet cache (cookies included)
- run fully up-to-date antispyware and antivirus from Safe Mode.
If the junk is still there after all that, HijackThis log

#6
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

By the way, Giant finds this: "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}", deletes it, but finds it again on a second scan. Can't it be blocked at the source?

#7
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

* HijackThis v1.98 *
Written by Merijn - [email protected]
http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html
See bottom for version history.

The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.

#8
Senior Member
Joined: Feb 2003
City: Pistoia
Posts: 4926

Then do a nice copy/paste of it here on the forum.

#9
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

The previous one was wrong: here it is.
C:\Programmi\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\mauro\Documenti\programmi\spyware\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Rundll] rundll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{409BFCDA-CC6B-4E9B-8E92-185218F7AB1F}: NameServer = 217.141.107.203 151.99.125.1

This list is missing the registry line I mentioned earlier, though, because I deleted it. Now it seems to work. Are there any other nasties active?

#10
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

Scratch that!! It's back!!

#11
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

Here is the new log, with the toolbar active.
Logfile of HijackThis v1.98.2
Scan saved at 16.38.46, on 13/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\init32m.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\rundll.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\sys542.e
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sys553.e
C:\WINDOWS\sys61.ex
C:\WINDOWS\System32\devldr32.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\mauro\Documenti\programmi\spyware\HIJACKTHIS\HijackThis.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Rundll] rundll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{409BFCDA-CC6B-4E9B-8E92-185218F7AB1F}: NameServer = 217.141.107.203 151.99.125.1

#12
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

With HijackThis v1.98.2 I deleted the registry key that Giant was detecting as infected "stuff": "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}".
Now Giant no longer finds anything, but the toolbar is still there!

#13
Senior Member
Joined: Feb 2003
City: Pistoia
Posts: 4926

This process:
C:\WINDOWS\system32\init32m.exe
which is started from this .ini file:
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
Do you know what it is? I did a search but I can't find anything significant. I'll stop here for now. I'll carry on analysing the log later. I have to go out now.
P.S. These are a bit odd too, but I haven't researched them yet.
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx

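The checks the helpers above applied by eye (an extra program appended to the system.ini Shell= value, a BHO that is not a .dll, an autorun with no path, an ActiveX download from a raw IP, orphaned IE buttons, the DNS servers in O17) can be written down as rules. The following is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, while the rules and the severities are the example's own assumptions.

```python
"""Triage of HijackThis log lines (added example; not part of HijackThis)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted in the thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"F2 - REG:system.ini: Shell=Explorer.exe init32m.exe",
    r"O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [Rundll] rundll.exe",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)",
    r"O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab",
    r"O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{409BFCDA-CC6B-4E9B-8E92-185218F7AB1F}: NameServer = 217.141.107.203 151.99.125.1",
]

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
AUTORUN_RE = re.compile(r"^HK\w+\\\.\.\\(?:Run|RunOnce|RunServices): \[[^\]]*\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "F2"
    severity: str   # "high", "medium" or "info" (severity scale is this example's assumption)
    reason: str
    line: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for a line that passes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    tail = body.rsplit(" - ", 1)[-1]  # last " - " field: file path, URL or "(no file)"

    if code == "F2" and "Shell=" in body:
        # system.ini Shell= must be exactly Explorer.exe; anything appended runs at every logon
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding(code, "high", f"extra program in Shell= value: {shell}", line)

    if code == "O2":
        # a Browser Helper Object is a COM DLL; another extension, or a file dropped
        # straight into the Windows directory, is what a hijacker looks like
        ext = tail.rsplit(".", 1)[-1].lower() if "." in tail else ""
        if ext != "dll" or re.search(r"\\windows\\[^\\]+$", tail, re.I):
            return Finding(code, "high", f"BHO loaded from unusual file: {tail}", line)

    if code == "O4":
        a = AUTORUN_RE.match(body)
        # a bare filename is resolved through the search path, which hides where it really lives
        if a and "\\" not in a.group("cmd"):
            return Finding(code, "medium", f"autorun with unqualified executable: {a.group('cmd')}", line)

    if code == "O9" and tail == "(no file)":
        return Finding(code, "info", "orphaned IE button/menu entry (file missing)", line)

    if code == "O16":
        # Download Program Files: ActiveX fetched from a raw IP rather than a vendor hostname
        host = urlparse(tail).hostname or ""
        if IPV4_RE.match(host):
            return Finding(code, "medium", f"ActiveX (DPF) download from raw IP {host}", line)

    if code == "O17" and "NameServer" in body:
        # not a verdict: the DNS servers must be compared with the ISP's published ones
        servers = body.split("=", 1)[1].split()
        return Finding(code, "info", "DNS servers to verify against the ISP: " + ", ".join(servers), line)

    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run check_line over a whole log and return the findings, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (check_line(l) for l in lines) if f is not None]
    return sorted(found, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```

Run against the sample, the two "high" findings are exactly the F2 Shell= line and the sys559.d BHO that post #13 singles out; the lines for avast!, the NVIDIA rundll32 entry and the ea.com download pass.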
#14
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

I have to run too.
Anyway, if you manage to work out what they are, good; otherwise I'll delete everything and goodbye!!

#15
Senior Member
Joined: Oct 1999
City: Lecco
Posts: 498

In the meantime I ran Ad-Aware and it found 4 critical items. Here is the log. I don't know if it's of any use.
FileDescription : Spy Sweeper LegalCopyright : Copyright (c) 2001-2004 Webroot Software, Inc. LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc. #:35 [outlook.exe] FilePath : C:\Programmi\Microsoft Office\Office10\ ProcessID : 3484 ThreadCreationTime : 13-11-2004 15.07.35 BasePriority : Normal #:36 [winword.exe] FilePath : C:\Programmi\Microsoft Office\Office10\ ProcessID : 2116 ThreadCreationTime : 13-11-2004 15.07.50 BasePriority : Normal #:37 [iexplore.exe] FilePath : C:\Programmi\Internet Explorer\ ProcessID : 216 ThreadCreationTime : 13-11-2004 15.23.14 BasePriority : Normal FileVersion : 6.00.2600.0000 (xpclient.010817-1148) ProductVersion : 6.00.2600.0000 ProductName : Sistema operativo Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Internet Explorer InternalName : iexplore LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati. OriginalFilename : IEXPLORE.EXE #:38 [ad-aware.exe] FilePath : C:\Programmi\Lavasoft\Ad-Aware SE Personal\ ProcessID : 856 ThreadCreationTime : 13-11-2004 15.44.06 BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 20 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Windows Object Recognized! 
Type : RegData Data : explorer.exe init32m.exe Category : Vulnerability Comment : Shell Possibly Compromised Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows nt\currentversion\winlogon Value : Shell Data : explorer.exe init32m.exe Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 1 Objects found so far: 21 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 21 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 21 Deep scanning and examining files (C »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : chicca@cgi-bin[2].txt Category : Data Miner Comment : Value : C:\Documents and Settings\chicca\Cookies\chicca@cgi-bin[2].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : chicca@cgi-bin[1].txt Category : Data Miner Comment : Value : C:\Documents and Settings\chicca\Cookies\chicca@cgi-bin[1].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : paolo@cgi-bin[1].txt Category : Data Miner Comment : Value : C:\Documents and Settings\paolo\Cookies\paolo@cgi-bin[1].txt Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 24 Scanning Hosts file...... Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts". »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 1 entries scanned. New critical objects:0 Objects found so far: 24 Performing conditional scans... 
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 24 16.58.01 Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00.13.29.516 Objects scanned:150772 Objects identified:4 Objects ignored:0 New critical objects:4 |
#16
Senior Member
Iscritto dal: Oct 1999
Città: Lecco
Messaggi: 498
The new HijackThis log is as follows:
Logfile of HijackThis v1.98.2
Scan saved at 17.01.06, on 13/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\init32m.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\rundll.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\sys542.e
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sys553.e
C:\WINDOWS\sys61.ex
C:\WINDOWS\System32\devldr32.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\mauro\Documenti\programmi\spyware\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Rundll] rundll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{409BFCDA-CC6B-4E9B-8E92-185218F7AB1F}: NameServer = 217.141.107.203 151.99.125.1
#17
Senior Member
Iscritto dal: Mar 2004
Città: Rimini
Messaggi: 10296
Hi,
I confirm what canapa already told you: from Safe Mode, delete this:
C:\WINDOWS\system32\init32m.exe
Always from Safe Mode (Start > Search), check the rundll32.exe executables: if you have any outside the SYSTEM32 and I386 folders, delete it. (Rundll32.exe is legitimate only when it is inside those two folders.)
Fix (select and press Fix) these entries:
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d
O4 - HKCU\..\Run: [Rundll] rundll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx
When you're done, reboot and post a new log.
Before doing these operations, remember to enable the display of hidden and system files, delete all temporary files and the Internet cache, and disable System Restore.
#18
Senior Member
Iscritto dal: Oct 1999
Città: Lecco
Messaggi: 498
Here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 7.55.03, on 15/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\mauro\Documenti\programmi\spyware\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\mauro\Documenti\programmi\Varie\DEFRAMMENTAZIONE RAM\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab

Since I have to disable automatic restore, can you recommend a program that allows restoring Windows to a previous configuration?
#19
Senior Member
Iscritto dal: Oct 1999
Città: Lecco
Messaggi: 498
OK, the toolbar is gone. Thanks!
I ran GIANT again and it still detects the following infection: HKEY_CURRENT_USER\Software\Microsoft\Internet\Explorer\URL SearchHooks C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70. What is it? I delete it, but it comes back!
#20
Senior Member
Iscritto dal: Feb 2003
Città: Pistoia
Messaggi: 4926
Try fixing this one with HijackThis:
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
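The thread applies a handful of triage rules by hand: the Winlogon Shell value must be explorer.exe alone (the Ad-Aware "Shell Possibly Compromised" hit and the F2 line), rundll32.exe is legitimate only inside SYSTEM32 or I386, a Run entry that starts a bare executable name such as rundll.exe is suspect, BHO and URLSearchHook entries pointing at "(no file)" or at an image like sys559.d need fixing, and an ActiveX control pulled from a raw IP address is a red flag. The script below is an added example, not code from the thread or from HijackThis: it runs those rules over HijackThis-style log lines. The sample lines are copied from the logs posted above; the severity labels, the regular expressions and the ".dll" heuristic for hook images are this example's own assumptions about the log format, not anything HijackThis defines.

```python
"""Triage of HijackThis-style log lines (added example; not the thread's or HijackThis's code).

Rules encoded, all taken from the thread:
  * the F2 Shell= value must be exactly explorer.exe (anything else is a Winlogon Shell hijack)
  * rundll32.exe is legitimate only directly under a folder named SYSTEM32 or I386
  * O4 Run entries that start a bare executable name (no path) deserve a look
  * O2 BHO / R3 URLSearchHook entries pointing at "(no file)" or at a non-.dll image
  * O16 DPF ActiveX controls downloaded from a raw IP address
Severity labels, regexes and the .dll heuristic are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample input: lines copied from the logs posted in the thread.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe init32m.exe",
    r"O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\sys559.d",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r'O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0',
    r"O4 - HKCU\..\Run: [Rundll] rundll.exe",
    r"R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)",
    r"O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab",
    r"O16 - DPF: {99D8AF4F-307A-461C-A404-BFA33D502B31} - http://217.169.119.216/resources/APStart.ocx",
]

RUNDLL32_OK_DIRS = {"system32", "i386"}  # the thread's rule for where rundll32.exe may live
_O4 = re.compile(r"^O4 - .*?\\Run\w*: \[[^\]]*\] (.*)$")       # command after the [name] tag
_TARGET = re.compile(r"\{[0-9A-Fa-f-]+\} - (.*)$")              # text after the CLSID in O2/R3/O16
_IPV4_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = fix/remove, "check" = verify on disk before acting
    reason: str
    line: str


def rundll32_path_ok(path: str) -> bool:
    """True when rundll32.exe sits directly inside a SYSTEM32 or I386 folder."""
    parts = path.lower().rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1] == "rundll32.exe" and parts[-2] in RUNDLL32_OK_DIRS


def _image(command: str) -> str:
    """Executable named by a Run command: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the thread's rules to each log line and return the entries worth acting on."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("F2") and "Shell=" in line:
            tokens = line.split("Shell=", 1)[1].lower().split()
            extra = [t for t in tokens if t != "explorer.exe"]
            if tokens != ["explorer.exe"]:
                findings.append(Finding("high", "Winlogon Shell runs extra program(s): " + " ".join(extra), line))
        elif (m := _O4.match(line)):
            image = _image(m.group(1))
            name = image.rsplit("\\", 1)[-1].lower()
            if "\\" not in image:
                if name == "rundll32.exe":
                    findings.append(Finding("check", "rundll32.exe started without a path; confirm the only copies on disk are under SYSTEM32 or I386", line))
                else:
                    findings.append(Finding("high", "Run entry starts a bare executable name with no path: " + image, line))
            elif name == "rundll32.exe" and not rundll32_path_ok(image):
                findings.append(Finding("high", "rundll32.exe outside SYSTEM32/I386: " + image, line))
        elif line.startswith(("O2 - BHO:", "R3 - URLSearchHook:")):
            m = _TARGET.search(line)
            target = m.group(1).strip() if m else ""
            if target.lower() == "(no file)":
                findings.append(Finding("high", "hook points to a missing file (orphaned entry, fix it)", line))
            elif target and not target.lower().endswith(".dll"):
                findings.append(Finding("high", "hook image does not have a .dll extension: " + target, line))
        elif line.startswith("O16 - DPF:"):
            m = _TARGET.search(line)
            if m and _IPV4_URL.match(m.group(1).strip()):
                findings.append(Finding("high", "ActiveX control downloaded from a raw IP address", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample above the script flags six entries: the F2 Shell line, the BL Class BHO, the bare rundll.exe Run entry, the orphaned URLSearchHook and the DPF control from 217.169.119.216 as "high", and the NvCplDaemon entry only as "check", because a path-less RUNDLL32.EXE is normal for that NVIDIA entry but is exactly the case where the thread's on-disk search for stray rundll32.exe copies matters. SpySweeper, the Radio toolbar and the EA download pass untouched.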