www.MegaLab.it

[trigly]

da ieri hho un'icona control center che non so cosa sia. Stamattina all'avvio del pc si è aperta una finestra, impossibile da chiudere, che chiedeva di rinnovare una licenza per la protezione del pc.
Per un paio di volte questa finestra ha impedito l'avvio del pc, ma poi miracolosamente, spento e riacceso, si è avviato regolarmente.
Ho fatto girare hijack e questo è il log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.11.06, on 06/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Personal\Dati applicazioni\SystemProc\lsass.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Intel\AMT\atchk.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\File comuni\Nokia\MPlatform\NokiaMServer.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Personal\Dati applicazioni\CCenter\ccagent.exe
C:\Programmi\OpenOffice.org 3\program\soffice.exe
C:\Programmi\OpenOffice.org 3\program\soffice.bin
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Intel\AMT\atchksrv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programmi\Java\jre6\bin\jqs.exe
c:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Intel\AMT\LMS.exe
C:\Programmi\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Intel\AMT\UNS.exe
C:\Programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTEAE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FARNEAE.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... riton_m461
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... riton_m461
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... riton_m461
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {019ECB58-BDF4-4B2D-B3C7-C96118172AC0} - C:\WINDOWS\System32\dinput32.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programmi\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Programmi\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [atchk] "C:\Programmi\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Programmi\File comuni\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccagent.exe] C:\Documents and Settings\Personal\Dati applicazioni\CCenter\ccagent.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Personal\Dati applicazioni\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Programmi\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Programmi\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Programmi\Nokia\NNPCS\RunLauncher.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A41E98-2853-4574-A8C3-8FE97C022A9F}: NameServer = 151.99.125.1,151.99.0.100
O20 - AppInit_DLLs: C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: 1450a751724 - C:\WINDOWS\System32\els32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Programmi\Intel\AMT\atchksrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Programmi\Intel\AMT\LMS.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Programmi\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Programmi\Intel\AMT\UNS.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11770 bytes

Cosa posso fare per eliminare il problema?
Vi ringrazio

[crazy.cat]

Ci sono vari colpevoli, ti consiglio una bella scansione con malwarebytes o superantispyware. Poi dopo il riavvio del pc vedi come va.
O2 - BHO: (no name) - {019ECB58-BDF4-4B2D-B3C7-C96118172AC0} - C:\WINDOWS\System32\dinput32.dll
O4 - HKCU\..\Run: [ccagent.exe] C:\Documents and Settings\Personal\Dati applicazioni\CCenter\ccagent.exe (conosci questo file????)
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Personal\Dati applicazioni\SystemProc\lsass.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: 1450a751724 - C:\WINDOWS\System32\els32.dll

[tiger]

Ho letto il log, ti consiglio, dopo aver effettuato una scansione con malwarebytes (come suggerito da crazy)

1) Pulizia del tuo hard disk eseguendo ccleaner

2) Scarica kaspersky virus removal tool (free e potente) al seguente link: http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
ed effettua in modalità provvisoria una scansione/clean totale del tuo pc.

3) Per prevenire futuri attacchi virali prova a considerare l'idea di utilizzare un firewall (in alternativa al firewall windows)

[trigly]

malwarebytes sembra aver pulito, ed al riavvio non ci sono stati problemi. Sempre puntualissimi, siete una garanzia, hanno usufruito del vostro aiuto anche alcuni miei amici che quando erano ormai semidisperati ho indirizzato su questo sito.
Grazie ancora