www.MegaLab.it

[Lele.1990]

salve ragazzi,sono nuovo,vedendo il pc un po' lento un mio amico mi ha consigliato di installare hijackthis ...appena installato ho scansionato. Secondo voi ce qualcosa da eliminare? vi posto il log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2.12.51, on 13/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Yuna Software\Messenger Plus!\PlusService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Avira\AntiVir Desktop\avfwsvc.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O3 - Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [PlusService] C:\Programmi\Yuna Software\Messenger Plus!\PlusService.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Windows Live Messenger] C:\Programmi\Windows Live\Messenger\msnmsgr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programmi\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programmi\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programmi\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programmi\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C1C6A73-3C45-4152-94E2-8857D1A2B15E}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programmi\File comuni\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira FireWall (AntiVirFirewallService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira Mail Protection (AntiVirMailService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira Pianificatore (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: @C:\Programmi\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Programmi\Nero\Update\NASvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Programmi\Skype\Updater\Updater.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Programmi\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe

--
End of file - 9396 bytes

[crazy.cat]

Di pericoloso non si vede niente, di inutile ci sono queste tre righe che puoi eliminare.
O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O3 - Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

E questo servizio che puoi disabilitare dall'avvio automatico.
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe

[Lele.1990]

Sui primi due ero sicuro anchio mentre sul terzo no... sinceramente non so cosa sia... potresti spiegarmelo? mi riferisco a :

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

il sito di Hijackthis mi dava queste 4 voci come sconosciute:
O17 - HKLM\System\CCS\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CCS\Services\Tcpip\..\{5C1C6A73-3C45-4152-94E2-8857D1A2B15E}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CS1\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CS2\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

sapresti spiegarmi cosa sono? e magari a cosa servono?

grazie per tutte le informazioni che mi darai.

[crazy.cat]

E' una riga che rimane nel log quando il pc va in blue screen o si riavvia per qualche errore.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

sapresti spiegarmi cosa sono? e magari a cosa servono?

Ti stavo per rispondere una cosa ma vedo che sono indirizzi di rete francesi. Sei all'estero?

Se non sei all'estero, prova a fare una scansione con combofix e vediamo cosa ne viene fuori.

[Lele.1990]

No sono sempre stato in Italia.. ho fatto la scansione con combofix (mi sono permesso di farla in modalità provvisoria... ho sbagliato?)

ecco il log :

ComboFix 12-02-13.01 - samuele 14/02/2012 4.23.52.4.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.958.758 [GMT 1:00]
Eseguito da: c:\documents and settings\samuele.MASSIMO-27049C9\Documenti\Downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: FireWall *Enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((( Files Creati Da 2012-01-14 al 2012-02-14 )))))))))))))))))))))))))))))))))))


.
.
2012-02-14 02:14 . 2012-02-14 02:14 -------- d-----w- c:\programmi\WinPcap
2012-02-14 02:13 . 2012-02-14 02:35 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Dati applicazioni\vso
2012-02-11 20:58 . 2012-02-11 21:15 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Songr
2012-02-09 15:02 . 2012-02-09 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Supremo
2012-02-08 16:08 . 2012-02-08 16:19 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Ares
2012-02-08 11:04 . 2012-02-08 11:05 -------- dc-h--w- c:\windows\ie8
2012-02-08 02:25 . 2012-02-08 02:25 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\VS Revo Group
2012-02-06 18:39 . 2012-02-06 18:39 -------- d-----w- c:\programmi\CCleaner
2012-02-06 16:20 . 2012-02-06 16:20 -------- d-----w- c:\windows\system32\oodag
2012-02-06 16:20 . 2012-02-06 16:20 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\O&O
2012-02-06 16:18 . 2012-02-06 16:18 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Downloaded Installations
2012-02-06 01:31 . 2012-02-06 01:31 -------- d-----r- c:\documents and settings\LocalService.NT AUTHORITY.006\Preferiti
2012-02-06 00:52 . 2012-02-06 00:52 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\{7159CBC6-DD81-425C-AA97-17777FE759F6}
2012-02-03 19:39 . 2012-02-03 19:39 388096 ----a-r- c:\documents and settings\samuele.MASSIMO-27049C9\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-03 19:39 . 2012-02-03 19:39 -------- d-----w- c:\programmi\Trend Micro
2012-02-03 02:34 . 2012-02-03 02:34 -------- d-----r- c:\programmi\Skype
2012-02-03 02:28 . 2012-02-03 02:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Skype
2012-02-02 21:30 . 2012-02-02 21:30 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\APN
2012-02-01 00:21 . 2012-02-01 00:41 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Linkury
2012-02-01 00:19 . 2012-02-01 00:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Messenger Plus!
2012-02-01 00:17 . 2012-02-01 00:17 -------- d-----w- c:\programmi\Yuna Software
2012-01-31 12:15 . 2010-04-28 06:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2012-01-31 12:12 . 2012-01-31 12:12 -------- d-----w- c:\programmi\Windows Live SkyDrive
2012-01-31 12:12 . 2012-02-01 02:00 -------- d-----w- c:\programmi\Windows Live
2012-01-31 02:23 . 2012-01-31 02:23 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\vdownloader
2012-01-31 01:25 . 2012-01-31 01:25 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Dati applicazioni\Avira
2012-01-31 01:25 . 2011-12-16 08:44 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-31 01:25 . 2011-12-16 08:44 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-01-31 01:25 . 2011-12-16 08:44 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-01-31 01:25 . 2011-12-16 08:44 111160 ----a-w- c:\windows\system32\drivers\avfwot.sys
2012-01-31 01:25 . 2011-12-16 08:44 91096 ----a-w- c:\windows\system32\drivers\avfwim.sys
2012-01-31 01:25 . 2012-01-31 01:25 -------- d-----w- c:\programmi\Avira
2012-01-31 01:21 . 2012-01-31 01:21 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2012-01-31 01:21 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 01:13 . 2012-01-31 01:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Office Genuine Advantage
2012-01-30 22:16 . 2012-01-31 00:17 -------- d--h--w- c:\documents and settings\samuele.MASSIMO-27049C9\Dati applicazioni\drivers
2012-01-30 02:30 . 2012-01-30 17:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Systweak
2012-01-30 02:04 . 2012-01-30 02:04 -------- d-----w- c:\programmi\Opera
2012-01-25 22:29 . 2012-01-25 22:29 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Aero_Software
2012-01-23 22:56 . 2012-01-24 11:40 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\PosService
2012-01-23 19:25 . 2012-01-23 19:25 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\.swt
2012-01-20 01:05 . 2012-01-20 01:06 1491 ----a-w- C:\user.js
2012-01-20 01:03 . 2012-01-20 01:03 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Babylon
2012-01-20 01:03 . 2012-01-20 01:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Babylon
2012-01-16 16:48 . 2012-01-16 16:56 -------- d-----w- c:\documents and settings\samuele.MASSIMO-27049C9\Dati applicazioni\EAST Technologies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 14:06 . 2012-01-05 14:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-05 14:06 . 2011-11-06 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-30 16:03 . 2011-11-21 18:03 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-12-08 16:36 . 2011-12-08 16:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-04-13 17:13 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 14:40 . 2008-04-13 16:50 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-20 06:12 . 2008-04-13 17:14 60928 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:22 . 2008-04-13 17:13 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:22 . 2008-04-13 17:13 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-08 . 4ED067D8270174E777286A26FECDB3E8 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2012-01-29 737656]
"Windows Live Messenger"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-11-01 163840]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2011-12-16 258512]
"PlusService"="c:\programmi\Yuna Software\Messenger Plus!\PlusService.exe" [2011-10-24 801792]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDReminder]
2011-11-19 10:52 7224704 ----a-w- c:\programmi\RegClean Pro\RegCleanPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Pro]
2011-11-19 10:52 7224704 ----a-w- c:\programmi\RegClean Pro\RegCleanPro.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" /minimized /regrun
"Google Update"="c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
"Advanced SystemCare 5"="c:\programmi\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
"RDReminder"=c:\programmi\RegClean Pro\RegCleanPro.exe -rem
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe"
"BCSSync"="c:\programmi\Microsoft Office\Office14\BCSSync.exe" /DelayServices
"NBAgent"="c:\programmi\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Opera\\opera.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\samuele.MASSIMO-27049C9\\Desktop\\Sicurezza\\Supremo.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestione remota Windows
.
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [06/01/2012 14.08.53 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [06/01/2012 14.08.55 12464]
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [08/05/2008 17.29.59 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [08/05/2008 17.30.00 52736]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [31/01/2012 2.25.13 111160]
R3 avfwim;AvFw Packet Filter Service;c:\windows\system32\drivers\avfwim.sys [31/01/2012 2.25.13 91096]
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [31/01/2012 2.25.13 36000]
S2 AntiVirFirewallService;Avira FireWall;c:\programmi\Avira\AntiVir Desktop\avfwsvc.exe [31/01/2012 2.25.13 616400]
S2 AntiVirMailService;Avira Mail Protection;c:\programmi\Avira\AntiVir Desktop\avmailc.exe [31/01/2012 2.25.13 342480]
S2 AntiVirSchedulerService;Avira Pianificatore;c:\programmi\Avira\AntiVir Desktop\sched.exe [31/01/2012 2.25.14 86224]
S2 AntiVirWebService;Avira Web Protection;c:\programmi\Avira\AntiVir Desktop\avwebgrd.exe [31/01/2012 2.25.13 463824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13.16.28 130384]
S2 NAUpdate;@c:\programmi\Nero\Update\NASvc.exe,-200;c:\programmi\Nero\Update\NASvc.exe [23/09/2011 18.37.42 641832]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [16/07/2010 1.45.44 35088]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [31/01/2012 15.09.34 158856]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [07/11/2011 10.38.22 1479488]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [31/10/2011 15.00.20 10064]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [13/04/2008 18.14.22 14336]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\programmi\IObit\Advanced SystemCare 5\ASCService.exe [21/01/2012 18.52.14 497496]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\programmi\Microsoft Office\Office14\GROOVE.EXE [12/06/2011 11.15.00 31125880]
S4 osppsvc;Office Software Protection Platform;c:\programmi\File comuni\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21.37.50 4640000]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13.16.28 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-02-11 c:\windows\Tasks\ASC5_AutoUpdate.job
- c:\programmi\IObit\Advanced SystemCare 5\AutoUpdate.exe [2012-01-21 00:02]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-2146824231-682003330-1003Core.job
- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-02-09 23:48]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-2146824231-682003330-1003UA.job
- c:\documents and settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2012-02-09 23:48]
.
2012-02-11 c:\windows\Tasks\RegClean Pro_DEFAULT.job
- c:\programmi\RegClean Pro\RegCleanPro.exe [2011-12-16 10:52]
.
2012-02-11 c:\windows\Tasks\RegClean Pro_UPDATES.job
- c:\programmi\RegClean Pro\RegCleanPro.exe [2011-12-16 10:52]
.
2012-02-14 c:\windows\Tasks\User_Feed_Synchronization-{0C5EB3AB-7454-4437-A0BA-7C564190BDEF}.job
- c:\windows\system32\msfeedssync.exe [2008-05-08 03:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\PokerStars.IT\PokerStarsUpdate.exe
LSP: c:\programmi\Avira\AntiVir Desktop\avsda.dll
TCP: Interfaces\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{5C1C6A73-3C45-4152-94E2-8857D1A2B15E}: NameServer = 176.31.229.24,176.31.229.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 04:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\01\01\17\13\18:t"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG15.00.00.01PROFESSIONAL"="5A42F6BF8436BF177FDB2695D6B476917B466ADE42E34046842B69D0CBC359274E4BD184188EB58A30073EEC972027C55FC11C9049BF0D0E2E07261D863717BA6A8B6EC960319BC63EF67A051073F02B2B856D7577606B070DED41CA2A4AD69CAF21925D119D0F11FAD6792216CD1D8CA3E97767E29E6D2173856C653037117E239EA7A025099301BAC47D1CC200D4088CBAF3526609851B3BE67B8F5468A3E7CD0B3C0BD75B0F85D8546E5B758F2A8F3339C436A0638E10BE1F687E16FD50B5BBDE82A62CB2CBDC310DD5E24F368D67E4966C28F722C2685DAECEF939C9BA177D88CE90E5DDF79D2769E3C337E159AAF3FDFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B98085D575E7D6A3B9808A6171C11EC38DE3DFEBC9E127BECC74C5784A68CC88EC16EE3ECBBD5EB65CBC0B3C667F83304F04ADEE83FC9F09926036A697CBE55D14BB72F06A86B8DE7DDEA3967DEC3FA0DC0FB453198AC73A692A9CFE10DE494529657A7859EB6274126302133D7FE8C5EBC8F4861818048C98ABEB202B6050F1C1C81D3759A5BE78590736CCB138D61B0623280D01A0452FEBADC66F51A5F2D8FD95CDD76DF33E3980B863DE11106558CB184A969C52BD69655905FFA1DE03FE2D18395BBF34B123409B35DC19B332950AC9BA426AD1D7DB38C5CB964E8B0F69D89066E8C21E6CD688135B8C5BA1302B0DA80F6983CB6D54E9BB6B196E9A66A1D8A657DC3F57A5795ED3B5EDD415866334A3149E7A386D0B2BD89A90D51CD1412E21A7ED0442FD070CDE9838EBF6AC3B3089DE9CBD6D043FE33B2A8569468D001248FD1B7A263C284A2D97DF08DE26BDFA9AA47138E8BE6A941055694ECE966C263A3770EEA2817AE74174AB0C6108FB9C5B2789C4663D8F731C402FDD67CF9043BA919013BC21F20CCA1090ECA754B1BF70134DEBE379A07CEAD9CDC94F9944648697FCDF42E0C603BEB7EDC3BC8192CDFD7D9647C1C9146E9ED3E8E2AF425DDAC1D9BC9BF1677C7D260118601F4596CA26CE848C6D788F9D9251E8661327E730E73FEDA855CDB05A85ACD87C598D12EE5E6853EAAE62AB975EB1CCA4829D7831611DFFD729798195728E46D79062A1956E37A09F6F789EF98CBB8752E86C960738A1B407B8F715AFE10A95FCE436E282376B304416F1DDDA5411B34A9AAD3ACD5ED2EC5D4448CF2424913953E8B0F288022C11A60E4BB177FBF8C4B132BD862F3B7BC46F9E4F6DEC7FE3FD9814DE0BEA65F5A4FF1A22583122EF98E084F9D4E075C0D8CA7D89E71B7526C8E182B9C604F1C553755A9785EC5E3F6E9E814CE10CD428AF8E0B7D75044D6FE28C57B5D58BAB9B07B2EAD3D378D3139DADB29F89D88C4C37D6B50D9F41E95FEAD9049A5C5AD8C8CD9E4145CF2"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(1036)
c:\windows\system32\WININET.dll
c:\progra~1\FILECO~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1040\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
c:\windows\system32\portabledeviceapi.dll
.
Ora fine scansione: 2012-02-14 04:30:33
ComboFix-quarantined-files.txt 2012-02-14 03:30
.
Pre-Run: 25.981.272.064 byte disponibili
Post-Run: 25.996.668.928 byte disponibili
.
- - End Of File - - AF390D098ED444EE591F28E0CD6F81A4

le posso eliminare oppure la loro eliminazione creerebbe danni?

Grazie

[crazy.cat]

elimina pure i "francesi", chiudi e riapri il collegamento internet e vedi se si ricreano.

[Lele.1990]

Ho trovato e eliminato questo :

O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)

O3 - Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CCS\Services\Tcpip\..\{5C1C6A73-3C45-4152-94E2-8857D1A2B15E}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CS1\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

O17 - HKLM\System\CS2\Services\Tcpip\..\{161E34F5-847E-492C-8B10-F25FEC7A2B74}: NameServer = 176.31.229.24,176.31.229.25

cosa cogliono dire questi ip francesi? per caso mi spiavano in francia ?

questo non lo trovo piu e non capisco il perché ad essere sincero :

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

ho disattivato all avvio :
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe

il log di hijackthis ora si presenta cosi

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17.16.09, on 14/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Yuna Software\Messenger Plus!\PlusService.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Avira\AntiVir Desktop\avfwsvc.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe
C:\Programmi\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Documents and Settings\samuele.MASSIMO-27049C9\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [PlusService] C:\Programmi\Yuna Software\Messenger Plus!\PlusService.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Windows Live Messenger] C:\Programmi\Windows Live\Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programmi\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programmi\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programmi\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Note collegate di OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programmi\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programmi\File comuni\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira FireWall (AntiVirFirewallService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira Mail Protection (AntiVirMailService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira Pianificatore (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: @C:\Programmi\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Programmi\Nero\Update\NASvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Programmi\Skype\Updater\Updater.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Programmi\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe

--
End of file - 8122 bytes

per la pazienza

[crazy.cat]

cosa cogliono dire questi ip francesi? per caso mi spiavano in francia ?

forse qualche rimasuglio di vecchie infezioni.
Dai log sembra non ci siano altri problemi eveidenti, se hai ancora problemi prova e leggere pagina 1 e 3 http://www.MegaLab.it/3502/computer-len ... ei-malware

[Lele.1990]

come posso disinstallare combofix? il metodo da esegui non riesco...
un altra domamda : cos'è winpcap? a cosa serve? è utile o posso rimuoverlo?

[crazy.cat]

cos'è winpcap? a cosa serve? è utile o posso rimuoverlo?

http://www.winpcap.org/docs/WinPcap-AICA03.pdf

[hashcat]

come posso disinstallare combofix? il metodo da esegui non riesco...
un altra domamda : cos'è winpcap? a cosa serve? è utile o posso rimuoverlo?

Per disinstallare Combofix in maniera alternativa basta rinominarlo in uninstall.exe ed eseguirlo

WinPcap è una libreria sviluppata presso il Politecnico di Torino che permette a varie applicazioni di accedere al traffico di rete a livello macchina (non è un componente indispensabile).

[Lele.1990]

quindi serve per collegarsi ad internet? senza di quello non mi collego? posso eliminarlo?

[hashcat]

quindi serve per collegarsi ad internet? senza di quello non mi collego? posso eliminarlo?

Si, puoi disinstallare WinPcap senza problemi (tieni presente che non è niente di pericoloso).

[Lele.1990]

mi è compasrsa questa applicazione in C
si chiama NircmdB e sta in C:\uninstall
è la rimanenza di combofix? se si posso eliminarla?

[hashcat]

mi è compasrsa questa applicazione in C
si chiama NircmdB e sta in C:\uninstall
è la rimanenza di combofix? se si posso eliminarla?

Si, NirCmd è un componente utilizzato da Combofix, puoi eliminarlo senza problemi

[Lele.1990]

in C ho molti file Hotfile installer e HotFixInstallerUI.dll.. sapresti spiegarmi cosa sono? sono nocivi... devo essere eliminati?

In C ho queste cartelle :
4ff294295984755b1abe49c5c423dcdf

4fface5cbf49ce13d8b9904c489b4aba

08bad66f04bb29fc26

8c84b3807d5dbf2376c849b083

024f740107dbb524d28eda

49ea923172fcf60af6e0

51ebcbaa3aa169c78dda

e via dicendo... sono 1496 file in 336 cartelle e occupano 322 mb ... cosa sono?

[destriero]

Scusate se riesumo una "vecchia" discussione ma ho verificato l'origine del problema.
L'utente a quanto pare ha preso il virus DNSchanger anche io mi sono accorto della presenza di questi dns, i medesimi, impostati automaticamente (oggi pomeriggio non ho avuto nessun problema).
A quanto pare risalgono a questa notizia:
http://www.tomshw.it/cont/news/lunedi-2 ... 478/1.html
ed infatti non mi era permesso di navigare.

Mi sono iscritto proprio adesso giusto per informare eventuali utenti futuri di questo problema!!!
STATE ATTENTI!!