
HiJackme please!

Posted: Sun Jul 10, 2011 7:12 pm
by natostanco
I cleaned up a fair amount of adware and malware of every kind that had wormed its way into my PC, such as clf, cfm etc... but I think I missed something, because every now and then the browser loads advertising pages without my clicking anything :)
Could you check my HijackThis log for me, thanks :)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:14:06, on 10/07/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
C:\Users\Francesco\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Razer Barracuda AC-1 Gaming Audio Card\Razer Barracuda AC-1 Gaming Audio card.exe
C:\Program Files (x86)\Razer\Razer Lycosa\razerhid.exe
C:\Program Files (x86)\Razer\Lachesis\razerhid.exe
C:\Program Files (x86)\Vidalia Bundle\Tor\tor.exe
C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
C:\Program Files (x86)\Razer\Lachesis\OSD.exe
C:\Users\Francesco\AppData\Roaming\dwm.exe
C:\Users\FRANCE~1\AppData\Local\Temp\csrss.exe
C:\Program Files (x86)\Razer\Lachesis\razertra.exe
C:\Program Files (x86)\Razer\Lachesis\razerofa.exe
C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe
C:\Program Files (x86)\SendBlaster\sendblaster2.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:55758
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Razer Barracuda AC-1 Gaming Audio Card] C:\Program Files (x86)\Razer Barracuda AC-1 Gaming Audio Card\Razer Barracuda AC-1 Gaming Audio card.exe
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files (x86)\Razer\Razer Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files (x86)\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [conhost] C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\RunOnce: [Application Restart #1] C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe --conflicting-modules-check --enable-accelerated-2d-canvas --enable-click-to-play --enable-crxless-web-apps --enable-experimental-extension-apis --enable-p2papi --enable-print-preview --enable-remoting --enable-vertical-tabs --experimental-location-features --flag-switches-begin --flag-switches-end --focus-existing-tab-on-open --new-tab-page-4 --show-composited-layer-borders --show-fps-counter --restore-last-session
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Francesco\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: &Download with BitKinex - C:\Program Files (x86)\BitKinex\ieext_cp.htm
O8 - Extra context menu item: &Register in BitKinex - C:\Program Files (x86)\BitKinex\ieext_reg.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\socketspy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\socketspy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\socketspy.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ABB93B-6374-4908-BFB9-70D81DF18CF8}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WORLDC~1|World Community Grid (BOINC) - World Community Grid - C:\Program Files (x86)\BOINC\boinc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: @%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSVC) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)
O23 - Service: Wyse PocketCloud (WysePocketCloud) - Unknown owner - C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe

--
End of file - 12294 bytes

Re: HiJackme please!

Posted: Sun Jul 10, 2011 7:26 pm
by Berga95
These two programs aren't running from System32; find them and upload them to VirusTotal, they're probably infected:
Code:
C:\Users\Francesco\AppData\Roaming\dwm.exe
C:\Users\FRANCE~1\AppData\Local\Temp\csrss.exe
C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe

And while you're at it, check this *.dll:
Code:
c:\windows\system32\socketspy.dll


I've never seen this entry before, what is it?
Code:
O4 - HKCU\..\RunOnce: [Application Restart #1] C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe --conflicting-modules-check --enable-accelerated-2d-canvas --enable-click-to-play --enable-crxless-web-apps --enable-experimental-extension-apis --enable-p2papi --enable-print-preview --enable-remoting --enable-vertical-tabs --experimental-location-features --flag-switches-begin --flag-switches-end --focus-existing-tab-on-open --new-tab-page-4 --show-composited-layer-borders --show-fps-counter --restore-last-session


EDIT: If you haven't already, run a full scan with MBAM, which I see is installed on your system.
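As an added example that is not part of this thread or of any tool mentioned in it: the check Berga95 applies by eye (a system-binary name such as dwm.exe, csrss.exe or conhost.exe running from a user profile folder instead of System32) can be applied mechanically to a HijackThis log, together with two other things the log above shows, the ProxyServer entry pointing at a local port and the unrecognised socketspy.dll Winsock LSP. The allowlist of LSP DLLs and the log excerpt are constructed for the example; the excerpt copies the format of the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries that legitimately live only under %SystemRoot%\System32
# (or SysWOW64 on 64-bit). A file with one of these names anywhere else,
# e.g. dwm.exe or csrss.exe under AppData, is the pattern flagged in the thread.
SYSTEM_BINARIES = {
    "csrss.exe", "conhost.exe", "dwm.exe", "lsass.exe", "services.exe",
    "smss.exe", "svchost.exe", "winlogon.exe", "wininit.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Winsock LSP/NSP modules treated as benign: a constructed allowlist for this
# example (wlidnsp.dll is the Windows Live provider in the posted log).
KNOWN_LSP_DLLS = {"wlidnsp.dll", "mswsock.dll", "nlaapi.dll",
                  "napinsp.dll", "pnrpnsp.dll", "winrnr.dll"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 target: '[name] C:\path\file.exe args' or '[name] "C:\path with spaces\file.exe" args'
O4_TARGET_RE = re.compile(r'^\[[^\]]*\]\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)


def norm(path):
    """Lower-case a Windows path and drop surrounding quotes for comparisons."""
    return path.strip().strip('"').lower().replace("/", "\\")


def in_trusted_dir(path):
    return norm(path).startswith(TRUSTED_DIRS)


def parse_hjt(text):
    """Split a HijackThis log into the 'Running processes' list and Rn/Fn/On entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:            # the blank line closes the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def masquerading_processes(processes):
    """Running processes that borrow a system binary's name outside System32."""
    return [p for p in processes
            if PureWindowsPath(norm(p)).name in SYSTEM_BINARIES and not in_trusted_dir(p)]


def suspicious_run_keys(entries):
    """O4 autorun entries whose target is such a masquerading binary (persistence)."""
    hits = []
    for code, rest in entries:
        m = O4_TARGET_RE.match(rest.partition(": ")[2]) if code == "O4" else None
        if not m:
            continue
        exe = m.group(1) or m.group(2)
        if PureWindowsPath(norm(exe)).name in SYSTEM_BINARIES and not in_trusted_dir(exe):
            hits.append(rest)
    return hits


def proxy_findings(entries):
    """R1 Internet Settings entries that route the browser through a proxy."""
    return [rest for code, rest in entries
            if code == "R1" and "ProxyServer = " in rest
            and rest.split("ProxyServer = ", 1)[1].strip()]


def unknown_lsp_modules(entries):
    """O10 Winsock LSP entries whose DLL is not on the allowlist."""
    return [rest for code, rest in entries if code == "O10"
            and PureWindowsPath(norm(rest.rsplit(": ", 1)[1])).name not in KNOWN_LSP_DLLS]


def triage(text):
    processes, entries = parse_hjt(text)
    return {
        "masquerading_processes": masquerading_processes(processes),
        "suspicious_run_keys": suspicious_run_keys(entries),
        "proxy_settings": proxy_findings(entries),
        "unknown_lsp_modules": unknown_lsp_modules(entries),
    }


# Constructed excerpt in HijackThis format, reduced to the lines that matter here.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Francesco\AppData\Roaming\dwm.exe
C:\Users\FRANCE~1\AppData\Local\Temp\csrss.exe
C:\Windows\System32\csrss.exe
C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:55758
O4 - HKLM\..\Run: [conhost] C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\socketspy.dll
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Running the block on the constructed excerpt reports the three AppData copies of dwm.exe, csrss.exe and conhost.exe, the HKLM Run key that restarts conhost.exe at boot, the 127.0.0.1:55758 proxy, and socketspy.dll; the genuine C:\Windows\System32\csrss.exe and the Windows Live LSP are not reported. The name-plus-path rule is deliberately narrow: it will not catch a dropper with an innocent name, so it complements rather than replaces the VirusTotal check the thread asks for.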

Re: HiJackme please!

Posted: Sun Jul 10, 2011 7:29 pm
by eugenio19911
SUPERAntiSpyware generally manages to detect this kind of problem (changed DNS settings that redirect to advertising pages):
the scan is quick and should find something for you:
http://www.superantispyware.com/downloa ... PYWAREFREE

Re: HiJackme please!

Posted: Sun Jul 10, 2011 8:22 pm
by Hpmezzo
Berga95 wrote: These two programs aren't running from System32; find them and upload them to VirusTotal, they're probably infected:
Code:
C:\Users\Francesco\AppData\Roaming\dwm.exe
C:\Users\FRANCE~1\AppData\Local\Temp\csrss.exe
C:\Users\Francesco\AppData\Roaming\Microsoft\conhost.exe

The files Berga listed above may belong to the malware "My Security Shield":

http://tentativi.blogspot.com/2010/08/m ... zione.html
http://answers.microsoft.com/en-us/prot ... e545f5e1c6
Have a look at this guide! Fingers crossed! [Source: Microsoft]

Re: HiJackme please!

Posted: Mon Jul 11, 2011 8:57 am
by natostanco
OK, so I deleted dwm.exe by hand from its folder, and I removed every entry I could with HijackThis; then I cleaned cache, cookies and registry with CCleaner (you never know :p), and for socketspy I used LSPFix. After that, a full scan with Malwarebytes, which removed everything. Maybe that's because I did the preliminary work with HijackThis and CCleaner, since the previous scans detected them but didn't delete them :p

Re: HiJackme please!

Posted: Mon Jul 11, 2011 9:20 am
by Hpmezzo
Everything OK now? Reboot the system and try posting the HJT log... to be sure the malware has been eradicated successfully.

Re: HiJackme please!

Posted: Mon Jul 11, 2011 12:07 pm
by Berga95
natostanco wrote: OK, so I deleted dwm.exe by hand from its folder

Can't you recover it from the Recycle Bin and upload it to VirusTotal? Knowing the name of the virus we're dealing with could be useful...
natostanco wrote: a full scan with Malwarebytes, which removed everything

Post the log :)

Re: HiJackme please!

Posted: Mon Jul 11, 2011 12:28 pm
by natostanco
I uploaded dwm yesterday, here it is
http://www.virustotal.com/file-scan/rep ... 1310325367
As for the MB log, uh, I had closed the log; does it save them automatically somewhere?

Re: HiJackme please!

Posted: Mon Jul 11, 2011 2:27 pm
by Berga95
natostanco wrote: As for the MB log, uh, I had closed the log; does it save them automatically somewhere?

You'll find it in the folder
Code:
C:\Users\TuoNome\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Re: HiJackme please!

Posted: Mon Jul 11, 2011 4:44 pm
by Hpmezzo
Trojan.Agent/Gen-FakeAlert ==> a rogue, right?

Re: HiJackme please!

Posted: Mon Jul 11, 2011 5:39 pm
by natostanco
here it is

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7066

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/07/2011 09:37:40
mbam-log-2011-07-11 (09-37-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 599965
Time elapsed: 1 hour(s), 23 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Users\francesco\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> 1432 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\francesco\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\francesco\AppData\Local\Temp\e-campaign-8.0.33.1598_tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\francesco\AppData\Local\Temp\robomail-mass-mail-software-3.2_tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\francesco\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Re: HiJackme please!

Posted: Mon Jul 11, 2011 6:29 pm
by Hpmezzo
OK, that one is removed too! To be sure you've removed everything, I always advise rebooting the system and posting (I think the last) HJT log. From here it looks like MB removed everything...

Re: HiJackme please!

Posted: Tue Jul 12, 2011 12:42 pm
by natostanco
Actually, I think I claimed victory too early :)
the Microsoft security service won't start!
HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:47:06, on 12/07/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
C:\Users\Francesco\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Razer\Razer Lycosa\razerhid.exe
C:\Program Files (x86)\Razer\Lachesis\razerhid.exe
C:\Program Files (x86)\Vidalia Bundle\Tor\tor.exe
C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
C:\Program Files (x86)\Razer\Lachesis\OSD.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Razer\Lachesis\razertra.exe
C:\Program Files (x86)\Razer\Lachesis\razerofa.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
J:\Steam\Steam.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\BOINC\boincmgr.exe
C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\Francesco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Razer Barracuda AC-1 Gaming Audio Card] C:\Program Files (x86)\Razer Barracuda AC-1 Gaming Audio Card\Razer Barracuda AC-1 Gaming Audio card.exe
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files (x86)\Razer\Razer Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files (x86)\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1441972434-1103307284-2265700626-1011\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'boinc_master')
O4 - HKUS\S-1-5-21-1441972434-1103307284-2265700626-1011\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'boinc_master')
O4 - HKUS\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'DefaultAppPool')
O4 - HKUS\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'DefaultAppPool')
O4 - Startup: Dropbox.lnk = Francesco\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: &Download with BitKinex - C:\Program Files (x86)\BitKinex\ieext_cp.htm
O8 - Extra context menu item: &Register in BitKinex - C:\Program Files (x86)\BitKinex\ieext_reg.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ABB93B-6374-4908-BFB9-70D81DF18CF8}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WORLDC~1|World Community Grid (BOINC) - World Community Grid - C:\Program Files (x86)\BOINC\boinc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: @%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSVC) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)
O23 - Service: Wyse PocketCloud (WysePocketCloud) - Unknown owner - C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe

--
End of file - 11905 bytes

Re: HiJackme please!

Posted: Tue Jul 12, 2011 1:04 pm
by Hpmezzo
Code:
J:\Steam\Steam.exe (Suspicious)
C:\Windows\SysWOW64\rundll32.exe (Unknown)
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ABB93B-6374-4908-BFB9-70D81DF18CF8}: NameServer = 8.8.8.8,8.8.4.4
(Should be GOOGLE's IP address)
O23 - Service: Wyse PocketCloud (WysePocketCloud) - Unknown owner - C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe (Unknown)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe (Unknown)

To open the Security Center again, go to Start:
Type
Code:
Services.msc
and press Enter.
Look for Security Center (service name: wscsvc).
It should work... First select the startup type (recommended setting: Automatic)...
If it's stopped, click the Start button.
Then reboot the system.
See if everything works! :)


Re: HiJackme please!

Posted: Tue Jul 12, 2011 7:19 pm
by natostanco
ok, everything fixed :)

Re: HiJackme please!

Posted: Wed Jul 13, 2011 6:58 am
by Hpmezzo
natostanco wrote: ok, everything fixed :)

Does the Security Center start now? Or does that problem still show up? [...]

Re: HiJackme please!

Posted: Wed Jul 13, 2011 8:27 am
by natostanco
oh well, I don't know why, but it was just disabled :)

Re: HiJackme please!

Posted: Wed Jul 13, 2011 8:37 am
by Hpmezzo
natostanco wrote: oh well, I don't know why, but it was just disabled :)

OK, the important thing is that you've solved it. I advise you to check Task Manager, the registry, the command prompt and the other settings to see whether everything is OK! :) Just to be on the safe side :D

Re: HiJackme please!

Posted: Fri Jul 15, 2011 8:00 am
by natostanco
I think the PC is still messed up :s when I enable the security service it sets itself to disabled automatically two seconds later, so I can't start Security Essentials, Windows Defender or the anti-malware at all...

Re: HiJackme please!

Posted: Fri Jul 15, 2011 8:29 am
by Hpmezzo
natostanco wrote: I think the PC is still messed up :s when I enable the security service it sets itself to disabled automatically two seconds later, so I can't start Security Essentials, Windows Defender or the anti-malware at all...

So there's some malware (or something) being mischievous... But it's strange; even without the security service the anti-malware should still start...