www.MegaLab.it

[albertokobra]

Salve a tutti.
Vorrei porvi un quesito dato che nemmeno Googlando ho trovato una risposta.

Controllando il mio registro ho notato un valore sconosciuto in una chiave.
Il valore in discussione è: mwicuow.exe
Si trova nella chiave \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run
Nel valore c'è un percorso: "c:\documents and settings\alberto\impostazioni locali\dati applicazioni\mwicuow.exe" mwicuow
Nella cartella invece ci sono i seguenti file: mwicuow_nav.dat, mwicuow_navps.dat, mwicuow.dat.

Qualcuno saprebbe dirmi a cosa si riferisce?

Saluti
Alberto

N.B.
vi allego il file *.log di HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.30.05, on 15/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\VMware\VMware Workstation\vmware-tray.exe
C:\Programmi\VMware\VMware Workstation\hqtray.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\MSMSGS.EXE
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Alberto\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\LogMeIn\x86\RaMaint.exe
C:\Programmi\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: NitroPDFBHO Class - {CF070CB8-F02F-4af4-A7B7-8D45CAD4BB54} - C:\Programmi\Nitro PDF\PDF Download\NitroPDF.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vmware-tray] C:\Programmi\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Programmi\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alberto\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [mwicuow] "c:\documents and settings\alberto\impostazioni locali\dati applicazioni\mwicuow.exe" mwicuow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services5] dllhosts.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-20 Startup: userinit.exe (User 'SERVIZIO DI RETE')
O4 - S-1-5-18 Startup: userinit.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: userinit.exe (User 'Default user')
O4 - Startup: systray.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Page As PDF ... - file://C:\Programmi\Nitro PDF\PDF Download\nitroweb.htm
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\Programmi\Nitro PDF\PDF Download\NitroPDF.dll
O9 - Extra 'Tools' menuitem: PDF Download - Options - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\Programmi\Nitro PDF\PDF Download\NitroPDF.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: PDF Download - {F1C0FD6C-A6A0-49a7-A932-71A56461867F} - C:\Programmi\Nitro PDF\PDF Download\NitroPDF.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 2934442792
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2934398230
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DB48BF3-CFCE-4752-A976-ABC916130B1C}: NameServer = 213.140.12.2,213.140.2.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{900BBE57-02E0-4F7D-A2E9-DCCF9F845D28}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0CD78A0-C56E-470E-AD23-E681378F4407}: NameServer = 213.140.2.21,213.140.2.12,39.235.8.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS3\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS5\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS6\Services\Tcpip\..\{4F1CF537-9111-4E8A-B1FA-9855F348DBBC}: NameServer = 213.140.2.12,213.140.2.21
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 10375 bytes

[xalx67]

Io ho trovato solo questo - http://www.prevx.com/filenames/15406023 ... W.EXE.html

[albertokobra]

si, anche io ho trovato solo quella pagina, ma mi sa di spam però...per farti scaricare il software insomma.

[xalx67]

Prova ad analizzare i file in questione su virus total e vedi se trovi qualche riscontro

[albertokobra]

niente...0%

vabè vado a dormire, magari domattina se qualcun altro leggerà magari saprà dirci qualcosa in più

Buona Notte, piacere di averti conosciuto.

[xalx67]

Piacere mio....
Magari domani riposta il log nella sezione sicurezza.

[ste_95]

Si tratta del virus CiD.

Scarica ComboFix , salvandolo sul desktop con un nome di fantasia, ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, copia qui il suo contenuto inserendolo tra i tag LOG, in questo modo:

Codice: Seleziona tutto

[LOG]qui va inserito il log[/LOG]