
Attaching HijackThis log, but asking for other tests

Posted: Wed Jun 17, 2009 8:36 pm
by Pacopas
Hi guys, my sister brought me her laptop, saying something strange was going on with it.
In fact Avira had last been updated in January 2008, and that says it all.

I cleaned up the system, which had quite a few problems; I still have to fix the "dissociation" of the Explore command in the drives' context menu...

But that's another story.
I did various cleanups; but it has been a long time since I dealt with infected PCs; I usually rely heavily on prevention and I'm not up to date on the new techniques.

I'm attaching the HijackThis log, but if you could recommend some other tests to hunt down any remaining threats, please do.
I usually work the old-fashioned way: I look for whatever seems unusual among the processes and search for it, but I think the viruses are much more up to date than I am.

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.30.28, on 17/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\Avira\AntiVir Desktop\sched.exe
D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
D:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
D:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
D:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
D:\Programmi\Avira\AntiVir Desktop\avgnt.exe
D:\Programmi\RocketDock\RocketDock.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\Avira\AntiVir Desktop\avguard.exe
D:\Programmi\Intel\Wireless\Bin\EvtEng.exe
D:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
D:\Programmi\File comuni\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
D:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
D:\Programmi\MozillaFirefox\firefox.exe
d:\Windows\explorer.exe
D:\Documents and Settings\Emi\Documenti\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IAAnotif] "D:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "D:\Programmi\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: &Point&&Go - D:\Programmi\File comuni\Expert System\PGPlatform\PGPlatform.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - D:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - D:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - D:\Programmi\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6954 bytes

Re: Attaching HijackThis log, but asking for other tests

Posted: Wed Jun 17, 2009 8:42 pm
by ste_95
Pacopas wrote:I cleaned up the system, which had quite a few problems; I still have to fix the "dissociation" of the Explore command in the drives' context menu...

Have you already tried the Perlovga Removal Tool?

Download ComboFix, saving it to the desktop under a made-up name, and run the scan following these instructions (down at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; paste its contents here between LOG tags, like this:
[LOG]the log goes here[/LOG]

Re: Attaching HijackThis log, but asking for other tests

Posted: Wed Jun 17, 2009 9:13 pm
by Pacopas
First of all, thanks Ste.

Have a look at the ComboFix log

ComboFix 09-06-16.05 - Emi 17/06/2009 22.11.20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2046.1480 [GMT 2:00]
Running from: d:\documents and settings\Emi\Documenti\Download\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-6C25-9E7C08000A00}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))))))
.

2009-06-17 17:34 . 2009-06-17 17:34 56 ---ha-w- d:\windows\system32\ezsidmv.dat
2009-06-17 17:34 . 2009-06-17 17:34 -------- d-----w- d:\programmi\File comuni\Skype
2009-06-17 17:34 . 2009-06-17 17:34 -------- d-----r- d:\programmi\Skype
2009-06-17 17:21 . 2009-06-17 17:21 -------- d-----w- d:\windows\system32\Adobe
2009-06-17 17:19 . 2009-06-17 17:19 -------- d-----w- d:\documents and settings\Emi\Dati applicazioni\vlc
2009-06-17 16:57 . 2009-03-30 08:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys
2009-06-17 16:57 . 2009-02-13 10:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2009-06-17 16:57 . 2009-02-13 10:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2009-06-17 16:56 . 2009-06-17 16:56 -------- d-----w- d:\programmi\Avira
2009-06-17 16:56 . 2009-06-17 16:56 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Avira
2009-06-17 15:05 . 2009-03-24 14:08 55640 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2009-06-04 11:37 . 2009-06-04 11:37 348160 ----a-w- d:\windows\system32\msvcr71.dll
2009-06-04 11:37 . 2009-06-04 11:37 499712 ----a-w- d:\windows\system32\msvcp71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 20:01 . 2004-08-30 19:00 73304 ----a-w- d:\windows\system32\perfc010.dat
2009-06-17 20:01 . 2004-08-30 19:00 446994 ----a-w- d:\windows\system32\perfh010.dat
2009-06-17 20:00 . 2008-01-20 20:53 -------- d-----w- d:\programmi\MozillaFirefox
2009-06-17 17:39 . 2008-01-21 00:11 -------- d-----w- d:\documents and settings\Emi\Dati applicazioni\Skype
2009-06-17 17:34 . 2008-01-21 00:11 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Skype
2009-06-17 17:34 . 2008-01-20 22:24 -------- d-----w- d:\programmi\CCleaner
2009-06-17 17:28 . 2008-01-21 16:33 -------- d-----w- d:\documents and settings\Emi\Dati applicazioni\skypePM
2009-06-06 17:21 . 2008-01-20 22:12 -------- d-----w- d:\documents and settings\Emi\Dati applicazioni\XnView
.

------- Sigcheck -------

[-] 2008-01-20 14:21 1548288 971FF887CDC7316A944A95C335F5C24A d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="d:\programmi\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="d:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-09-06 8486912]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-09-06 81920]
"IntelZeroConfig"="d:\programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="d:\programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"IAAnotif"="d:\programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SMSERIAL"="d:\programmi\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 634880]
"QlbCtrl"="d:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"SunJavaUpdateSched"="d:\programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"avgnt"="d:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-09-06 1626112]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.exe [2007-12-20 16860672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-30 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - d:\windows\system32\advpack.dll [2007-12-07 124928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programmi\\Hp\\HP Software Update\\HPWUCli.exe"=
"d:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1731:TCP"= 1731:TCP:swatax

S2 cwlmp;ymmtni;d:\windows\system32\svchost.exe -k netsvcs [30/08/2004 21.00.00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cwlmp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"d:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &Point&&Go - d:\programmi\File comuni\Expert System\PGPlatform\PGPlatform.htm
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 22:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cwlmp]
"ServiceDll"="d:\windows\system32\rcxrxlv.dll"
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)
d:\programmi\RocketDock\RocketDock.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-06-17 22.14.52
ComboFix-quarantined-files.txt 2009-06-17 20:14

Pre-Run: 30.097.367.040 bytes free
Post-Run: 30.402.473.984 bytes free

111 --- E O F --- 2009-01-10 17:08

Re: Attaching HijackThis log, but asking for other tests

Posted: Thu Jun 18, 2009 6:34 am
by ste_95
Pacopas wrote:First of all, thanks Ste.


2009-06-17 17:34 . 2009-06-17 17:34 56 ---ha-w- d:\windows\system32\ezsidmv.dat

This one doesn't convince me, but having looked around a bit, it doesn't seem to be harmful.

"1731:TCP"= 1731:TCP:swatax
S2 cwlmp;ymmtni;d:\windows\system32\svchost.exe -k netsvcs [30/08/2004 21.00.00 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cwlmp

These three go hand in hand, but since I don't see anything actually running, delete the service and the following file:

"ServiceDll"="d:\windows\system32\rcxrxlv.dll"
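
The correlation ste_95 makes by eye above (a service summary line pointing at svchost.exe -k netsvcs, the same name in the NetSvcs group listing, a ServiceDll entry for it, plus a globally open firewall port) can be automated. What follows is an added example, written for this thread; it is not ComboFix or HijackThis code and not part of the original posts. It parses the relevant ComboFix lines quoted above and flags any svchost-hosted service whose ServiceDll is not in a baseline allowlist, and lists every GloballyOpenPorts entry for review. The allowlist KNOWN_NETSVCS_DLLS is an assumed, partial baseline for illustration (tune it per environment), and the extra "wuauserv" lines in the sample are constructed as a benign contrast; the Finding type and function names are this example's own.

```python
"""Triage svchost-hosted services and open firewall ports from a ComboFix-style log.

Added example for the thread above; not ComboFix/HijackThis code.
The baseline of expected ServiceDll names below is an assumption, not an
authoritative Windows XP list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed baseline (constructed, partial): DLLs one expects behind netsvcs-hosted
# services on an XP SP2 box. Anything else gets flagged for a closer look.
KNOWN_NETSVCS_DLLS = {
    "wuauserv.dll", "browser.dll", "cryptsvc.dll", "shsvcs.dll", "srvsvc.dll",
    "wkssvc.dll", "schedsvc.dll", "seclogon.dll", "trkwks.dll", "wmisvc.dll",
    "netman.dll", "audiosrv.dll", "ersvc.dll", "es.dll", "wzcsvc.dll",
    "xmlprov.dll", "sens.dll", "ipnathlp.dll", "rasauto.dll", "rasmans.dll",
}

# Constructed sample: the lines from the ComboFix log in this thread, plus a
# made-up "wuauserv" service (known DLL) so the allowlist path is exercised too.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1731:TCP"= 1731:TCP:swatax

S2 cwlmp;ymmtni;d:\windows\system32\svchost.exe -k netsvcs [30/08/2004 21.00.00 14336]
S2 wuauserv;Automatic Updates;d:\windows\system32\svchost.exe -k netsvcs [30/08/2004 21.00.00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cwlmp

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cwlmp]
"ServiceDll"="d:\windows\system32\rcxrxlv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="d:\windows\system32\wuauserv.dll"
"""

SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+?)\s*\[', re.I)
KGROUP_RE = re.compile(r'\s-k\s+(?P<group>\S+)', re.I)
GROUP_HDR_RE = re.compile(r'\\Svchost - (?P<group>\S+)\s*$', re.I)
SVC_KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]', re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<path>[^"]+)"', re.I)
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*(?P<value>.*)$', re.I)


@dataclass
class Finding:
    kind: str      # "svchost-service" or "open-port"
    subject: str   # service name or port spec
    reason: str


def parse_log(text: str) -> dict:
    """Collect service summaries, svchost group listings, ServiceDll values and open ports."""
    services: Dict[str, dict] = {}
    groups: Dict[str, List[str]] = {}
    open_ports: List[Tuple[str, str]] = []
    current_key = current_group = None
    in_ports = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends any listing block
            current_key = current_group = None
            in_ports = False
            continue
        m = SERVICE_RE.match(line)
        if m:
            g = KGROUP_RE.search(m.group("cmd"))
            svc = services.setdefault(m.group("name").lower(), {})
            svc.update(display=m.group("display"), cmd=m.group("cmd"),
                       group=g.group("group").lower() if g else None)
            continue
        m = GROUP_HDR_RE.search(line)
        if m:
            current_group = m.group("group").lower()
            groups.setdefault(current_group, [])
            continue
        if line.startswith("["):
            in_ports = line.lower().endswith("globallyopenports\\list]")
            m = SVC_KEY_RE.match(line)
            current_key = m.group("name").lower() if m else None
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_key:
            services.setdefault(current_key, {})["service_dll"] = m.group("path")
            continue
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                open_ports.append((m.group("port"), m.group("value")))
            continue
        if current_group is not None:     # member lines under "Svchost - <group>"
            groups[current_group].append(line.lower())
    return {"services": services, "groups": groups, "open_ports": open_ports}


def triage(parsed: dict) -> List[Finding]:
    """Flag svchost-hosted services with an unknown ServiceDll, and list globally open ports."""
    findings: List[Finding] = []
    for name, svc in sorted(parsed["services"].items()):
        if "svchost.exe" not in svc.get("cmd", "").lower():
            continue
        dll = svc.get("service_dll")
        if dll is None:
            findings.append(Finding("svchost-service", name, "svchost-hosted service with no ServiceDll in the dump"))
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in KNOWN_NETSVCS_DLLS:
            continue
        group = svc.get("group") or "?"
        reason = f"ServiceDll {base} not in baseline; display name '{svc.get('display', '')}', svchost group '{group}'"
        if name in parsed["groups"].get(group, []):
            reason += f", and listed in the {group} group listing"
        findings.append(Finding("svchost-service", name, reason))
    for port, value in parsed["open_ports"]:
        findings.append(Finding("open-port", port, f"globally open firewall port, entry '{value}'"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

On the sample this reports exactly two findings: the cwlmp service (unknown rcxrxlv.dll, present in the NetSvcs listing) and the 1731:TCP "swatax" exception, while the constructed wuauserv entry passes the allowlist. The allowlist is the part that needs care in real use: ComboFix only prints non-default svchost group members, so a missing ServiceDll or an unknown DLL name is a prompt to check the file's signature and hashes, not a verdict on its own.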

Re: Attaching HijackThis log, but asking for other tests

Posted: Thu Jun 18, 2009 3:54 pm
by Pacopas
Thanks again.

For now let's say we park the problem, since the computer seems to be running fine and she needs it urgently; as soon as she brings it back I'll ask a few more questions and do the follow-up tests. ;)