Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

strano comportamento di un processo svchost.exe

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

Rispondi al messaggio

strano comportamento di un processo svchost.exe

Messaggioda Wolfasr1 » mar ago 03, 2010 5:23 pm

ciao ragazzi ho un problema strano che mi è capitato provando ad aprire l'anteprima di un video di un sito internet

in pratica ho notato subito qualche strana anomalia ho visto per esempio che uno dei sevizi svchost.exe presenti nel mio task

manager ( ne ho ben 11 non sò se è un record [:D] penso è perché siano legati a tanti servizi) , ma in particolare uno è

impazzito improvvisamente a cominciato a segnare un 158kb di utilizzo addirittura più di firefox in esecuzione . sono riuscito a

terminarlo non è riapparso ma per un po' ho avuto la cpu completamente intasata , inoltre ho dovuto riabilitare il servizio zero configuration senza fili che stranamente si era disattivato [uhm]

ho riavviato in mod provvisoria ho fatto una scansione con combofix , con spybot e infine pochi minuti fà con hjack this

a primo impatto pare che non ci siano infezioni [uhm]

ma ovviamente chiedo a voi se cortesemente mi potete fare un anilisi del log di hjack e mi date qualche informazionie più dettagliata [grazie]


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18.15.36, on 03/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\RamBooster 2.0\Rambooster.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqbam08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Sandro\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programmi\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Programmi\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [RamBooster] C:\Programmi\RamBooster 2.0\Rambooster.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Programmi\KeyScrambler\getting_started.html (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Programmi\KeyScrambler\getting_started.html (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Visualizza o nasconde HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programmi\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4DFAFC-B8D4-4E9D-BCF0-F37B20E0E157}: NameServer = 8.8.4.4,85.37.17.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\Skype4COM.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programmi\Sandboxie\SbieSvc.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 7249 bytes
NON SI FINISCE MAI DI IMPARARE MAI CEDERE ALLA SUPERBIA
Avatar utente
Wolfasr1
Senior Member
Senior Member
 
Messaggi: 359
Iscritto il: dom dic 07, 2008 10:35 pm
Top

Re: strano comportamento di un processo svchost.exe

Messaggioda Wolfasr1 » mar ago 03, 2010 5:52 pm

ah dimenticavo se può essere utile dato che ho fatto anche la scansione con combofix (l'ho fatto in modalità provvisoria non sò se è veritiero)

posto anche questo di log aspetto risposte [^]


ComboFix 10-07-30.04 - Sandro 03/08/2010 17.41.36.6.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.510.262 [GMT 2:00]
Eseguito da: c:\documents and settings\Sandro\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2010-07-03 al 2010-08-03 )))))))))))))))))))))))))))))))))))
.

2010-07-31 14:20 . 2010-07-31 14:20 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Autorun Eater
2010-07-28 20:55 . 2010-07-28 20:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-07-27 10:16 . 2001-10-28 15:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-07-27 10:16 . 1998-08-05 06:45 122128 ----a-w- c:\windows\system32\VB6IT.DLL
2010-07-27 10:16 . 1998-08-05 06:45 150528 ----a-w- c:\windows\system32\MSCMCIT.DLL
2010-07-27 10:16 . 1998-08-05 06:45 63488 ----a-w- c:\windows\system32\MSCC2IT.DLL
2010-07-27 10:16 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-07-27 10:16 . 2010-07-27 10:16 -------- d-----w- c:\programmi\PDFCreator
2010-07-14 17:10 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 12:31 . 2009-07-23 09:57 100480 ----a-r- c:\windows\system32\drivers\ewusbfake.sys
2010-07-08 13:47 . 2010-07-08 13:47 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\it.vodafone.counterswidget.75C5D0AC8E830B80BD4FBC0B32A23F0123E8C097.1
2010-07-08 13:44 . 2010-07-08 13:44 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\FLEXnet
2010-07-08 13:37 . 2010-07-08 13:37 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\Vodafone
2010-07-08 13:36 . 2009-07-23 09:57 112640 ----a-r- c:\windows\system32\drivers\ewusbnet.sys
2010-07-08 13:36 . 2009-07-23 09:57 102528 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2010-07-08 13:35 . 2010-07-08 13:35 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\Vodafone
2010-07-08 13:35 . 2010-07-08 13:35 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Vodafone
2010-07-08 13:35 . 2010-07-08 13:35 -------- d-----w- c:\programmi\Vodafone
2010-07-08 13:35 . 2010-07-08 13:35 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2010-07-08 13:35 . 2010-07-08 13:35 -------- d-----w- c:\documents and settings\Sandro\Impostazioni locali\Dati applicazioni\{4D4E02EE-0904-4442-8E6A-B77395E9B072}
2010-07-06 21:28 . 2010-07-06 21:27 53632 ----a-w- c:\documents and settings\Sandro\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-06 21:28 . 2010-07-06 21:28 -------- d-----w- c:\programmi\Widget Contatori
2010-07-06 21:28 . 2010-07-06 21:28 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2010-07-06 21:27 . 2010-07-06 21:27 -------- d-----w- c:\documents and settings\Sandro\Impostazioni locali\Dati applicazioni\Adobe
2010-07-04 20:44 . 2010-07-04 20:44 49152 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-04 20:44 . 2010-07-04 20:44 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-04 20:44 . 2010-07-04 20:44 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-04 20:44 . 2010-07-04 20:44 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-04 20:44 . 2010-07-04 20:44 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-04 20:44 . 2010-07-04 20:44 40960 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-04 20:44 . 2010-07-04 20:44 308808 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-04 20:44 . 2010-07-04 20:44 14848 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-04 20:44 . 2010-07-04 20:44 341600 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-04 20:43 . 2010-07-04 20:43 -------- d-----w- c:\programmi\File comuni\xing shared
2010-07-04 20:42 . 2010-07-04 20:43 -------- d-----w- c:\programmi\Real
2010-07-04 20:42 . 2010-07-04 20:43 -------- d-----w- c:\programmi\File comuni\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 14:38 . 2005-02-02 07:15 489038 ----a-w- c:\windows\system32\perfh010.dat
2010-08-03 14:38 . 2005-02-02 07:15 83934 ----a-w- c:\windows\system32\perfc010.dat
2010-08-03 14:28 . 2010-04-26 12:59 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\HPAppData
2010-08-02 10:57 . 2009-08-06 14:31 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\vlc
2010-08-02 08:31 . 2009-08-05 13:11 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\TeraCopy
2010-07-31 14:20 . 2010-01-04 19:47 -------- d-----w- c:\programmi\Autorun Eater
2010-07-29 09:28 . 2010-02-12 10:32 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\Skype
2010-07-29 09:24 . 2010-02-12 10:36 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\skypePM
2010-07-27 06:35 . 2010-03-14 22:28 -------- d-----w- c:\programmi\River Past
2010-07-27 06:35 . 2010-02-28 22:39 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\River Past G5
2010-07-19 15:53 . 2009-08-17 08:29 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\dvdcss
2010-07-04 20:42 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-04 20:42 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-26 09:37 . 2010-04-26 12:22 202179 ----a-w- c:\windows\hpoins43.dat
2010-06-26 09:06 . 2010-06-26 09:04 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\U3
2010-06-23 15:20 . 2010-06-10 10:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SlySoft
2010-06-23 15:20 . 2010-06-23 15:20 -------- d-----w- c:\programmi\SlySoft
2010-06-14 14:31 . 2005-02-02 07:29 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 13:17 . 2010-06-14 13:12 -------- d-----w- c:\programmi\eMule
2010-06-14 11:39 . 2010-06-14 11:39 -------- d-----w- c:\programmi\Sandboxie
2010-06-14 09:04 . 2010-06-09 16:58 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\uTorrent
2010-06-10 17:44 . 2010-06-10 17:44 -------- d-----w- c:\programmi\Freeware PDF Unlocker
2010-06-10 10:57 . 2010-06-09 16:13 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DVD Shrink
2010-06-10 09:57 . 2010-06-10 09:57 -------- d-----w- c:\programmi\DVD Shrink
2010-06-10 07:11 . 2010-06-09 16:58 -------- d-----w- c:\programmi\uTorrent
2010-06-09 17:22 . 2010-02-16 18:14 -------- d-----w- c:\programmi\PeerBlock
2010-06-08 20:24 . 2010-06-08 20:24 -------- d-----w- c:\documents and settings\Sandro\Dati applicazioni\MPEG Streamclip
2010-06-05 07:53 . 2009-11-29 23:13 -------- d-----w- c:\programmi\Microsoft Silverlight
.

------- Sigcheck -------

[-] 2010-02-22 . 7EE936A57B5901D6B1C4AF9A9E6C500A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\programmi\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\programmi\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFncKy"="TFncKy.exe" [BU]
"Tvs"="c:\programmi\TOSHIBA\Tvs\TvsTray.exe" [2004-11-12 73728]
"SmoothView"="c:\programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-12-21 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-26 5529600]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\programmi\KeyScrambler\getting_started.html" [X]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^RAMASST.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-10-28 13:37 88363 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Autorun Eater]
2010-05-06 16:59 516216 ----a-w- c:\programmi\Autorun Eater\oldmcdonald.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
2004-11-29 08:10 667648 -c--a-w- c:\programmi\TOSHIBA\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\programmi\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 14:24 54840 ----a-w- c:\programmi\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2004-12-23 17:07 28672 -c--a-w- c:\programmi\TOSHIBA\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2009-09-18 15:48 2412032 ----a-w- c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 13:40 155648 -c--a-w- c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-01-26 23:07 1490944 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2004-06-29 17:04 1077326 ----a-w- c:\programmi\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 17:50 417792 ----a-w- c:\programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-04-17 10:56 394984 ----a-w- c:\programmi\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
2004-08-30 14:37 286720 ----a-w- c:\windows\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-06 20:48 149280 -c--a-w- c:\programmi\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2004-12-27 09:26 61440 -c--a-w- c:\programmi\TOSHIBA\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]
2005-01-24 12:51 28672 ----a-w- c:\windows\system32\TCtrlIOHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-04 20:42 202256 ----a-w- c:\programmi\File comuni\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
2005-01-14 12:40 24576 -c--a-w- c:\programmi\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
2004-11-29 20:06 53248 -c--a-w- c:\programmi\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2004-12-23 12:52 266240 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
2004-07-14 15:07 24576 ----a-w- c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [29/12/2009 22.40.46 115312]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [03/05/2010 0.18.02 20968]
S2 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\documents and settings\Sandro\Desktop\hwhardware\HWiNFO32.SYS --> c:\documents and settings\Sandro\Desktop\hwhardware\HWiNFO32.SYS [?]
S2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [18/09/2009 17.48.28 9216]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [08/07/2010 15.36.39 112640]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [09/07/2010 14.31.12 100480]
S3 pbfilter;pbfilter;c:\programmi\PeerBlock\pbfilter.sys [16/02/2010 20.14.31 14424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'

2010-08-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2978951802-1120063500-3202925473-1006.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]

2010-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2978951802-1120063500-3202925473-1006.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {7D4DFAFC-B8D4-4E9D-BCF0-F37B20E0E157} = 8.8.4.4,85.37.17.16
FF - ProfilePath - c:\documents and settings\Sandro\Dati applicazioni\Mozilla\Firefox\Profiles\sr0tafyo.Sandrino\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\documents and settings\Sandro\Dati applicazioni\Mozilla\Firefox\Profiles\sr0tafyo.Sandrino\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 17:47
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Ora fine scansione: 2010-08-03 17:51:03
ComboFix-quarantined-files.txt 2010-08-03 15:50
ComboFix2.txt 2010-07-31 18:19

Pre-Run: 23.800.242.176 byte disponibili
Post-Run: 23.789.158.400 byte disponibili

- - End Of File - - DAE41B109D68F0DD4BA7EC451971D1F1
NON SI FINISCE MAI DI IMPARARE MAI CEDERE ALLA SUPERBIA
Avatar utente
Wolfasr1
Senior Member
Senior Member
 
Messaggi: 359
Iscritto il: dom dic 07, 2008 10:35 pm
Top

Re: strano comportamento di un processo svchost.exe

Messaggioda The Stroker ® » mar ago 03, 2010 11:36 pm

Io di solito quando noto qualcosa di strano con i processi svchost.exe utilizzo un programma creato appostamente per controllare quest'ultimi..

Si chiama Svchost Viewer e lo puoi reperire da questo indirizzo.

Una volta aperto il programma ti da informazioni dettagliate sul processo svchost in questione..dal programma poi puoi vedere tranquillamente se uno dei file contiene qualche processo che è un virus..ti basta cercare su google per averne la certezza..
Avatar utente
The Stroker ®
Aficionado
Aficionado
 
Messaggi: 49
Iscritto il: mer lug 28, 2010 6:11 pm
Località: Melfi
Top
Rispondi al messaggio

Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 25 ospiti

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising