Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

sospetta infezione con impossibilità connessione internet

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

sospetta infezione con impossibilità connessione internet

Messaggioda valeriuzzz » sab nov 06, 2010 10:18 am

Ciao a tutti,
ho un problema di questo tipo:
qualche gg fa ho beccato un "general antivirus" che ho rimosso seguendo le istruzioni da internet. Ho poi cercato di installare Kasperski 2011, ma il software diceva che era impossibile l'installazione a causa di infezioni su pc. Ho allora lanciato Kasperski virus removal tool che ha fatto una sorta di pulizia, ma ora ho ancora questi problemi:

- impossibilità di connessione a internet, anche se la presenza della rete è rilevata e avviene scambio di byte.
- è sparita la possibilità di accedere al task manager con CTRL-CANC-ALT

il notebook è un ACER travelmate 7720G con win Vista

vi allego il log di hijack, per una verifica:

item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9ed2ae1d01733) (gupdate1c9ed2ae1d01733) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PowerSave Service (PowerSave) - Packard Bell Services - C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13517 bytes

grazie in anticipo
Avatar utente
valeriuzzz
Neo Iscritto
Neo Iscritto
 
Messaggi: 6
Iscritto il: sab nov 06, 2010 10:04 am

Re: sospetta infezione con impossibilità connessione interne

Messaggioda The Doctor » sab nov 06, 2010 10:43 am

Ciao e benvenuto su MegaLab.it

Ti raccomando l'uso del tag MEMO per allegare i log e non solo: [!!!] Allegare contenuti alle discussioni - nuovo tag MEMO
Ciao Nonno
Avatar utente
The Doctor
MLI Hero
MLI Hero
 
Messaggi: 5553
Iscritto il: mer mar 24, 2010 9:10 am
Località: Fiumicino (Roma)

Re: sospetta infezione con impossibilità connessione interne

Messaggioda crazy.cat » sab nov 06, 2010 11:07 am

valeriuzzz ha scritto:- è sparita la possibilità di accedere al task manager con CTRL-CANC-ALT

Intanto questo
http://www.MegaLab.it/2448/abilitare-o- ... sk-manager

vi allego il log di hijack, per una verifica:

E' incompleto, mancano le parti più importanti.
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre


Re: sospetta infezione con impossibilità connessione interne

Messaggioda valeriuzzz » sab nov 06, 2010 11:29 am

scusa, non me n'ero accorto, eccolo:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.38.00, on 06/11/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\etMon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\USB CAMERA\DRIVER\emSwapAp2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Packard Bell\Software Suite\pbDevDetect.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [S60TrayApplication] C:\PROGRA~1\Samsung\SAMSUN~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [svchost] C:\Users\utente\AppData\Roaming\Microsoft\svchost.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Software Suite] "C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe" /RUN
O4 - HKCU\..\Run: [Packard Bell Software Suite] "C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe" /run
O4 - HKCU\..\Run: [{42424AC5-B432-4EA9-A82C-1FB0AAA56A2F}] C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe
O4 - HKCU\..\Run: [Ckoqi] rundll32.exe "C:\Users\utente\AppData\Local\KBDINTan.dll",Startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: setup_9.0.0.722_04.11.2010_18-08.lnk = D:\Virus Removal Tool\setup_9.0.0.722_04.11.2010_18-08\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O4 - Global Startup: emSwapAp2.exe.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia immagine alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9ed2ae1d01733) (gupdate1c9ed2ae1d01733) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PowerSave Service (PowerSave) - Packard Bell Services - C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13517 bytes
Avatar utente
valeriuzzz
Neo Iscritto
Neo Iscritto
 
Messaggi: 6
Iscritto il: sab nov 06, 2010 10:04 am

Re: sospetta infezione con impossibilità connessione interne

Messaggioda crazy.cat » sab nov 06, 2010 12:44 pm

Controlla se sono ancora presenti i tre file indicati nelle righe con 04 e caricarli sul sito www.virustotal.com per vedere quali virus sono.
valeriuzzz ha scritto:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370 (Usi un proxy e hai fatto tu questa modifica?)
O4 - HKLM\..\Run: [svchost] C:\Users\utente\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [{42424AC5-B432-4EA9-A82C-1FB0AAA56A2F}] C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe
O4 - HKCU\..\Run: [Ckoqi] rundll32.exe "C:\Users\utente\AppData\Local\KBDINTan.dll",Startup


Io poi dare un pulita alle toolbar a cominciare da quella di google se non la usi per qualche tuo motivo-
Si può eliminare anche windows defender tanto con kaspersky installato è inutile.
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Re: sospetta infezione con impossibilità connessione interne

Messaggioda valeriuzzz » sab nov 06, 2010 1:56 pm

ciao,
no, non ho cambiato io il proxy.

Ecco invece i risultati dei 2 dei tre file (svchost non lo trovo più, forse dopo la scansione è stato già cancellato...):

ircy.exe

Antivirus Version Last Update Result
AhnLab-V3 2010.11.06.00 2010.11.06 -
AntiVir 7.10.13.145 2010.11.05 TR/Dldr.Agent.eqvu
Antiy-AVL 2.0.3.7 2010.11.06 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2010.11.05 -
Avast 4.8.1351.0 2010.11.06 Win32:Malware-gen
Avast5 5.0.594.0 2010.11.06 Win32:Malware-gen
AVG 9.0.0.851 2010.11.06 FakeAV.DYH
BitDefender 7.2 2010.11.06 Gen:Variant.Kazy.444
CAT-QuickHeal 11.00 2010.11.04 -
ClamAV 0.96.2.0-git 2010.11.06 -
Comodo 6627 2010.11.06 -
DrWeb 5.0.2.03300 2010.11.06 -
Emsisoft 5.0.0.50 2010.11.06 -
eSafe 7.0.17.0 2010.11.04 -
eTrust-Vet 36.1.7958 2010.11.05 -
F-Prot 4.6.2.117 2010.11.05 -
F-Secure 9.0.16160.0 2010.11.06 Gen:Variant.Kazy.444
Fortinet 4.2.249.0 2010.11.06 W32/Zbot.AK
GData 21 2010.11.06 Gen:Variant.Kazy.444
Ikarus T3.1.1.90.0 2010.11.06 -
Jiangmin 13.0.900 2010.11.06 -
K7AntiVirus 9.67.2903 2010.11.03 -
Kaspersky 7.0.0.125 2010.11.06 -
McAfee 5.400.0.1158 2010.11.06 -
McAfee-GW-Edition 2010.1C 2010.11.05 -
Microsoft 1.6301 2010.11.06 -
NOD32 5596 2010.11.06 a variant of Win32/Kryptik.HDT
Norman 6.06.10 2010.11.06 -
nProtect 2010-11-06.01 2010.11.06 Gen:Variant.Kazy.444
Panda 10.0.2.7 2010.11.06 -
PCTools 7.0.3.5 2010.11.06 Trojan.Zbot
Prevx 3.0 2010.11.06 -
Rising 22.72.04.00 2010.11.06 -
Sophos 4.59.0 2010.11.06 Mal/Zbot-AK
Sunbelt 7232 2010.11.06 Trojan-Downloader.Win32.Agent
SUPERAntiSpyware 4.40.0.1006 2010.11.06 -
Symantec 20101.2.0.161 2010.11.06 Trojan.Zbot
TheHacker 6.7.0.1.076 2010.11.05 Trojan/Kryptik.guy
TrendMicro 9.120.0.1004 2010.11.06 TROJ_KRAP.SMBD
TrendMicro-HouseCall 9.120.0.1004 2010.11.06 TROJ_KRAP.SMBD
VBA32 3.12.14.1 2010.11.05 TrojanDownloader.Agent.eqvu
ViRobot 2010.10.4.4074 2010.11.06 -
VirusBuster 12.71.7.0 2010.11.05 Trojan.Kryptik.BEUJ
Additional informationShow all
MD5 : 18709cef3c6a1ebd3da6be38cb34bf05
SHA1 : a3717a7f4c6d05fdf0c50f710bf497db6d11d55c
SHA256: fb0a5a9b4ac04f387617dcf3426cb858e57c2664985dc6aeff2a5457ebac15eb


KBDINTan.dll

Antivirus Version Last Update Result
AhnLab-V3 2010.11.06.00 2010.11.06 -
AntiVir 7.10.13.145 2010.11.05 -
Antiy-AVL 2.0.3.7 2010.11.06 -
Authentium 5.2.0.5 2010.11.05 W32/Hiloti.I.gen!Eldorado
Avast 4.8.1351.0 2010.11.06 -
Avast5 5.0.594.0 2010.11.06 -
AVG 9.0.0.851 2010.11.06 Hiloti.BK
BitDefender 7.2 2010.11.06 Gen:Variant.Hiloti.3
CAT-QuickHeal 11.00 2010.11.04 -
ClamAV 0.96.2.0-git 2010.11.06 -
Comodo 6627 2010.11.06 -
DrWeb 5.0.2.03300 2010.11.06 -
Emsisoft 5.0.0.50 2010.11.06 Trojan-Downloader.Win32.Mufanom!IK
eSafe 7.0.17.0 2010.11.04 -
eTrust-Vet 36.1.7958 2010.11.05 Win32/FakeAV.I!generic
F-Prot 4.6.2.117 2010.11.05 W32/Hiloti.I.gen!Eldorado
F-Secure 9.0.16160.0 2010.11.06 Gen:Variant.Hiloti.3
Fortinet 4.2.249.0 2010.11.06 W32/Tdss.PLT!tr
GData 21 2010.11.06 Gen:Variant.Hiloti.3
Ikarus T3.1.1.90.0 2010.11.06 Trojan-Downloader.Win32.Mufanom
Jiangmin 13.0.900 2010.11.06 -
K7AntiVirus 9.67.2903 2010.11.03 Riskware
Kaspersky 7.0.0.125 2010.11.06 -
McAfee 5.400.0.1158 2010.11.06 -
McAfee-GW-Edition 2010.1C 2010.11.05 -
Microsoft 1.6301 2010.11.06 Trojan:Win32/Hiloti.gen!D
NOD32 5596 2010.11.06 a variant of Win32/Cimag.DZ
Norman 6.06.10 2010.11.06 -
nProtect 2010-11-06.01 2010.11.06 Gen:Variant.Hiloti.3
Panda 10.0.2.7 2010.11.06 -
PCTools 7.0.3.5 2010.11.06 -
Prevx 3.0 2010.11.06 Medium Risk Malware
Rising 22.72.04.00 2010.11.06 -
Sophos 4.59.0 2010.11.06 Mal/Hiloti-D
Sunbelt 7232 2010.11.06 Trojan.Win32.Hiloti.ad (v)
SUPERAntiSpyware 4.40.0.1006 2010.11.06 -
Symantec 20101.2.0.161 2010.11.06 -
TheHacker 6.7.0.1.076 2010.11.05 -
TrendMicro 9.120.0.1004 2010.11.06 TROJ_HILOTI.SMEO
TrendMicro-HouseCall 9.120.0.1004 2010.11.06 TROJ_HILOTI.SMEO
VBA32 3.12.14.1 2010.11.05 -
ViRobot 2010.10.4.4074 2010.11.06 -
VirusBuster 12.71.7.0 2010.11.05 Trojan.Hiloti.Gen!Pac
Avatar utente
valeriuzzz
Neo Iscritto
Neo Iscritto
 
Messaggi: 6
Iscritto il: sab nov 06, 2010 10:04 am

Re: sospetta infezione con impossibilità connessione interne

Messaggioda FDAC » sab nov 06, 2010 2:19 pm

Rilancia Hijackthis:
- Do a System Scan Only
- spunta la casellina fianco di ogni singola voce che ti indicherò sotto
- una volta spuntate le voci:
- chiudi tutte le applicazioni aperte
- chiudi tutte le pagine del browser aperte
- in Hijackthis fixa le voci cliccando su Fix checked

Queste le voci da fixare:

R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [S60TrayApplication] C:\PROGRA~1\Samsung\SAMSUN~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [svchost] C:\Users\utente\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Software Suite] "C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe" /RUN
O4 - HKCU\..\Run: [Packard Bell Software Suite] "C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe" /run
O4 - HKCU\..\Run: [{42424AC5-B432-4EA9-A82C-1FB0AAA56A2F}] C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe
O4 - HKCU\..\Run: [Ckoqi] rundll32.exe "C:\Users\utente\AppData\Local\KBDINTan.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: setup_9.0.0.722_04.11.2010_18-08.lnk = D:\Virus Removal Tool\setup_9.0.0.722_04.11.2010_18-08\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
Poi:

Scarica ed installa MalwareBytes:
http://www.aiutamici.com/software?id=80346
Prima di fare la scansione aggiornalo -clicca su Aggiornamento in alto-
Esegui una scansione completa del sistema.
Elimina tutto ciò che trova.
Invia il log.
Avatar utente
FDAC
Rompiballe
Rompiballe
 
Messaggi: 750
Iscritto il: dom set 05, 2010 1:00 pm

Re: sospetta infezione con impossibilità connessione interne

Messaggioda hashcat » sab nov 06, 2010 2:38 pm

crazy.cat ha scritto:Controlla se sono ancora presenti i tre file indicati nelle righe con 04 e caricarli sul sito http://www.virustotal.com per vedere quali virus sono.
valeriuzzz ha scritto:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O4 - HKLM\..\Run: [svchost] C:\Users\utente\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [{42424AC5-B432-4EA9-A82C-1FB0AAA56A2F}] C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe
O4 - HKCU\..\Run: [Ckoqi] rundll32.exe "C:\Users\utente\AppData\Local\KBDINTan.dll",Startup


Io poi dare un pulita alle toolbar a cominciare da quella di google se non la usi per qualche tuo motivo-
Si può eliminare anche windows defender tanto con kaspersky installato è inutile.


Oltre alle voci da fixare/controllare indicate da crazy.cat aggiungerei questa:

Codice: Seleziona tutto
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)


Inoltre i due file sono infetti quindi per ricapitolare fixa:

Codice: Seleziona tutto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O4 - HKLM\..\Run: [svchost] C:\Users\utente\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [{42424AC5-B432-4EA9-A82C-1FB0AAA56A2F}] C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe
O4 - HKCU\..\Run: [Ckoqi] rundll32.exe  "C:\Users\utente\AppData\Local\KBDINTan.dll",Startup
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)


E fai come una scansione con malwarebytes come detto da FDAC:

FDAC ha scritto:Scarica ed installa MalwareBytes:
Link download Malwarebytes
Prima di fare la scansione aggiornalo -clicca su Aggiornamento in alto-
Esegui una scansione completa del sistema.
Elimina tutto ciò che trova.
Posta il log.
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: sospetta infezione con impossibilità connessione interne

Messaggioda valeriuzzz » dom nov 07, 2010 8:16 pm

Ok, fatto tutto, addirittura windows mi si avviava con schermata nera e dovevo tramite task manager far partire explorer manualmente per vedere il desktop... Ora dopo la scansione e pulizia sembrerebbe (incrocio le dita) fungere tutto.
Vi allego il log:

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Versione database: 5067

Windows 6.0.6000 (Safe Mode)
Internet Explorer 8.0.6001.18828

07/11/2010 20.04.20
mbam-log-2010-11-07 (20-04-20).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 316771
Tempo trascorso: 54 minuti, 57 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 4
Voci infette nei dati di registro: 1
Cartelle infette: 2
File infetti: 18

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckoqi (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{42424ac5-b432-4ea9-a82c-1fb0aaa56a2f} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Cartelle infette:
C:\Program Files\AnVi (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

File infetti:
C:\Users\utente\AppData\Local\KBDINTan.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Program Files\AnVi\avtext.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\NFOviewer.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\Uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\osmos\Uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Downloads\Starry Night Pro Plus 6.0.6 [PC 2xDVD IMAGE]\Diffraction Limited MaxIm DL v4.58 Incl Keygen\KeyMaker\keygen.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osC735.tmp\rlvknlg.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlvknlg.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlxf.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlxg.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
D:\grafica\adobe-lightroom3\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\grafica\lightroom3\Adobe Phot.Lightroom_3_By.Bhs\APL3-EMBRACE\Adobe.Photoshop.Lightroom.v3.Onlyl.Keymaker-EMBRACE\Windows\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Users\utente\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.


Grazie ancora, questo forum è fenomenale [applauso+]
Avatar utente
valeriuzzz
Neo Iscritto
Neo Iscritto
 
Messaggi: 6
Iscritto il: sab nov 06, 2010 10:04 am

Re: sospetta infezione con impossibilità connessione interne

Messaggioda hashcat » dom nov 07, 2010 8:52 pm

valeriuzzz ha scritto:Ok, fatto tutto, addirittura windows mi si avviava con schermata nera e dovevo tramite task manager far partire explorer manualmente per vedere il desktop... Ora dopo la scansione e pulizia sembrerebbe (incrocio le dita) fungere tutto.
Vi allego il log:

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Versione database: 5067

Windows 6.0.6000 (Safe Mode)
Internet Explorer 8.0.6001.18828

07/11/2010 20.04.20
mbam-log-2010-11-07 (20-04-20).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 316771
Tempo trascorso: 54 minuti, 57 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 4
Voci infette nei dati di registro: 1
Cartelle infette: 2
File infetti: 18

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckoqi (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{42424ac5-b432-4ea9-a82c-1fb0aaa56a2f} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Cartelle infette:
C:\Program Files\AnVi (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

File infetti:
C:\Users\utente\AppData\Local\KBDINTan.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\utente\AppData\Roaming\Iqgal\ircy.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Program Files\AnVi\avtext.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\NFOviewer.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\Uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Desktop\Osmos.v1.5.6.1057.cracked-THETA\osmos\Uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Users\utente\Downloads\Starry Night Pro Plus 6.0.6 [PC 2xDVD IMAGE]\Diffraction Limited MaxIm DL v4.58 Incl Keygen\KeyMaker\keygen.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osC735.tmp\rlvknlg.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlvknlg.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlxf.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Temp\~osEBD5.tmp\rlxg.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
D:\grafica\adobe-lightroom3\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\grafica\lightroom3\Adobe Phot.Lightroom_3_By.Bhs\APL3-EMBRACE\Adobe.Photoshop.Lightroom.v3.Onlyl.Keymaker-EMBRACE\Windows\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Users\utente\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.


Grazie ancora, questo forum è fenomenale [applauso+]


Bene, le infezioni non mancavano ma sono state tutte rimosse, a questo punto scaricati hitman pro, esegui la scansione completa e posta il log. Posta anche il log aggiornato di hijackthis.

Link hitman pro:

Hitman pro download link
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: sospetta infezione con impossibilità connessione interne

Messaggioda valeriuzzz » lun nov 08, 2010 10:36 pm

Hitman ha trovato anche un file RootKit nel System, ora rimosso, più qualche tracking cookie.
Ecco il nuovo log di Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.30.03, on 08/11/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\etMon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\USB CAMERA\DRIVER\emSwapAp2.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O4 - Global Startup: emSwapAp2.exe.lnk = ?
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia immagine alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9ed2ae1d01733) (gupdate1c9ed2ae1d01733) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PowerSave Service (PowerSave) - Packard Bell Services - C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10730 bytes


Ogni tanto mi compare una finestra di errore: "il processo host per i servizi ha smesso di funzionare. Si è verificato un problema che impedisce il funzionamento...". Prima molto più spesso, ora dopo la scansione è successo una sola volta...
Avatar utente
valeriuzzz
Neo Iscritto
Neo Iscritto
 
Messaggi: 6
Iscritto il: sab nov 06, 2010 10:04 am

Re: sospetta infezione con impossibilità connessione interne

Messaggioda hashcat » mar nov 09, 2010 2:45 pm

valeriuzzz ha scritto:Hitman ha trovato anche un file RootKit nel System, ora rimosso, più qualche tracking cookie.
Ecco il nuovo log di Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.30.03, on 08/11/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\etMon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\USB CAMERA\DRIVER\emSwapAp2.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O4 - Global Startup: emSwapAp2.exe.lnk = ?
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia immagine alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9ed2ae1d01733) (gupdate1c9ed2ae1d01733) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PowerSave Service (PowerSave) - Packard Bell Services - C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10730 bytes


Ogni tanto mi compare una finestra di errore: "il processo host per i servizi ha smesso di funzionare. Si è verificato un problema che impedisce il funzionamento...". Prima molto più spesso, ora dopo la scansione è successo una sola volta...

Fixa solo questa, per quanto riguarda quell'errore fai come detto da FDAC:
FDAC ha scritto:Scarica ATF Cleaner da qui:
http://www.atribune.org/ccount/click.php?id=1
Avvia ATF Cleaner con un doppio click
1) seleziona la casella Select All
2) clicca sul pulsante Empty selected
3) aspetta l'avviso Done Cleaning
(se usi Opera o Firefox, spunta anche le loro sezioni)

Scarica ed installa CCleaner (Basta cliccare su Windows/Scarica Adesso): http://www.aiutamici.com/software?ID=11223
Una volta installato configuralo in questo modo:
- lancia il programma, nel menu di sinistra portati alla voce Opzioni e nella finestra successiva clicca su:
- Impostazioni, e spunta la voce Cancellazione sicura (lenta) e nel menu a tendina seleziona la voce DOD 520.22-M (3 passaggi)
poi clicca su:
- Avanzate togli la spunta alla voce Cancella solo file più vecchi di 48 ore
- alla voce Pulizia nella sezione Avanzate spunta le voci Vecchi dati Prefetch e Disinstallatori aggiornamenti di WinUpdate
- nel menu a sinistra, clicca sulla voce Pulizia e clicca su tasto Avvia pulizia per eseguire la scansione
- finita la scansione, sempre nel menu a sinistra, clicca sulla voce Registro e spunta tutte le voci comprese nella sezione meno la voce Estensioni file non usate
- clicca sul tasto Trova problemi ed avvia una scansione
- al termine della scansione clicca sulla voce Ripara selezionati e prosegui con la riparazione (questo ultimo passaggio ripetilo più volte, fino a quando non verranno rilevati più problemi da correggere)

* Scarica Glary Utilities Free (Basta cliccare su Windows/Scarica Adesso):
http://www.aiutamici.com/software?ID=80312
* Installa Glary Utilities
In fase di installazione ti chiederà di installare anche la Ask Toolbar, togli la Spunta
* Avvia Glary Utilities
* Menu - Settings - Language - Italian
* Manutenzione 1 Click
- Controlla che tutte queste voci siano spuntate:
- Pulizia registro
- Riparazione collegamenti
- Gestione esecuzioni automatiche
- Pulizia File Temporanei
- Eliminazione Tracce
- Rimozione Spyware

Nel riquadro Eliminazione Tracce clicca con il tasto destro su Opzioni - Selezionale le tracce da eliminare e selezionale tutte
Nel riquadro Eliminazione Tracce clicca con il tasto destro su Opzioni - Opzioni - Elimina i cookie non contrassegnati
Infine, clicca su Ricerca Errori
*Attendi la scansione - puo' durare 3-4 minuti al massimo -
*A scansione finita, clicca su Ripara Errori
*Ripeti questa operazione più volte, in quanto Glary Utilities, come tanti altri Software di pulizia del Registro di Windows, non riesce a far fuori tutte le schifezze al primo colpo.


• Scarica OTC by OldTimer sul desktop:
http://oldtimer.geekstogo.com/OTC.exe
doppio clic per eseguirlo
Clicca su CleanUp.
Ti chiederà di riavviare il pc.
Clicca sì.

• Scarica TFC by OldTimer sul desktop
http://oldtimer.geekstogo.com/TFC.exe
chiudi tutti i programmi
avvia TFC, clicca su "start"
al termine della scansione ti chiederà il riavvio, dai ok.


Fatto questo riferiscici se il computer torna a funzionare normalmente.
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: sospetta infezione con impossibilità connessione interne

Messaggioda hashcat » mar nov 09, 2010 8:21 pm

[quote="hashcat"][quote="valeriuzzz"]
Fixa solo questa:
Codice: Seleziona tutto
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
, scusa, mi ero dimenticato di scrivere la voce da fixare.
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm


Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 9 ospiti

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising