www.MegaLab.it

[manero478]

Ho fatto una scansione veloce e ha trovato ste cose.. che sono??
lui mette il flag, automatico, solo alla penultima riga "HKCU\Software\Cr_Installer\3491"
non ho ancora cancellato nulla.. e sto facendo lo scan completo
questo e' il log :

Malwarebytes Anti-Malware 1.61.0.1400
http://www.malwarebytes.org

Versione database: v2012.07.11.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Gilberto :: GILBERTOC-PC [amministratore]

11/07/2012 17:02:24
mbam-log-2012-07-11 (17-15-00)_gillo.txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File system | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 216253
Tempo impiegato: 7 minuti, 49 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 15
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna

azione intrapresa.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.BHO (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.FBApi (PUP.CrossFire.Gen) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.FBApi.1 (PUP.CrossFire.Gen) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.Sandbox (PUP.CrossFire.Gen) -> Nessuna azione intrapresa.
HKCR\CrossriderApp0003491.Sandbox.1 (PUP.CrossFire.Gen) -> Nessuna azione intrapresa.
HKCU\Software\Cr_Installer\3491 (Adware.GamePlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Nessuna azione intrapresa.

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 2
C:\Program Files\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Nessuna azione intrapresa.
C:\Users\Gilberto\Downloads\SoftonicDownloader_per_toon-boom-studio.exe (PUP.ToolbarDownloader) -> Nessuna azione intrapresa.

(fine)

Che faccio??

Grazie

[hashcat]

Rimuovi tutto, si tratta di minacce di poco conto (P.U.P.: Programmi potenzialmente non desiderati) e/o Adware.

Per una verifica più estesa fai un controllo con Adwcleaner e postane il relativo log.

Maggiori Informazioni:

• http://www.MegaLab.it/8139/
• https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Adware:Win32/GamePlayLabs
• https://krebsonsecurity.com/2012/05/facebook-takes-aim-at-cross-browser-lilyjade-worm/

[manero478]

ecco il LOG

# AdwCleaner v1.701 - Logfile created 07/11/2012 at 18:58:51
# Updated 02/07/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Gilberto - GILBERTOC-PC
# Running from : C:\Users\Gilberto\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Gilberto\AppData\Local\AskToolbar
Folder Found : C:\Users\Gilberto\AppData\Local\Conduit
Folder Found : C:\Users\Gilberto\AppData\Local\freetvradio Air
Folder Found : C:\Users\Gilberto\AppData\Local\moovida air
Folder Found : C:\Users\Gilberto\AppData\Local\OpenCandy
Folder Found : C:\Users\Gilberto\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Gilberto\AppData\LocalLow\boost_interprocess
Folder Found : C:\Users\Gilberto\AppData\LocalLow\Conduit
Folder Found : C:\Users\Gilberto\AppData\LocalLow\facemoods.com
Folder Found : C:\Users\Gilberto\AppData\Roaming\Babylon
Folder Found : C:\Users\Gilberto\AppData\Roaming\freeTVRadio
Folder Found : C:\Users\Gilberto\AppData\Roaming\moovida-1
Folder Found : C:\Users\Gilberto\AppData\Roaming\OfferBox
Folder Found : C:\Users\Gilberto\AppData\Roaming\OpenCandy
Folder Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
Folder Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\extensions\ffxtlbr@funmoods.com
Folder Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\extensions\ffxtlbr@searchya.com
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\Program Files\freeTVRadio
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
File Found : C:\Users\Gilberto\AppData\Local\funmoods.crx
File Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\searchplugins\searchya.xml
File Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\searchplugins\SearchResults.xml
File Found : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\searchplugins\SweetIm.xml
File Found : C:\Users\Public\Desktop\Get The Best Facebook Chat Messenger.lnk
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml

***** [Registry] *****

[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.BHO
[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.BHO.1
[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.FBApi
[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.FBApi.1
[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.Sandbox
[*] Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0003491.Sandbox.1
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2612669
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2801948
Key Found : HKCU\Software\AppDataLow\AskToolbarInfo
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Ask.com.tmp
Key Found : HKCU\Software\BabylonToolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\Spointer
Key Found : HKCU\Software\SweetIm
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Found : HKLM\SOFTWARE\Classes\f
Key Found : HKLM\SOFTWARE\Classes\funmoods.dskBnd
Key Found : HKLM\SOFTWARE\Classes\funmoods.dskBnd.1
Key Found : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr
Key Found : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr.1
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki
Key Found : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\SOFTWARE\SweetIM
Value Found : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{1973277F-87B0-4EA3-9ED2-470A91D284CF}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchya.com/?chnl=dcom-100&s=0& ... tBtDyDtAtC

-\\ Mozilla Firefox v5.0 (it)

Profile name : default
File : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\prefs.js

Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
Found : user_pref("extensions.hxxps_everywhere.Blekko", true);
Found : user_pref("extensions.hxxps_everywhere.FeedMyInbox", true);
Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "Search the web (Babylon)");
Found : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "");
Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "Search the web (Babylon)");
Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://search.babylon.com/?babsrc=HP[...]
Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com");
Found : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=111304&tt=220512_53ctrl&babsrc=KW_ss&mntr[...]
Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Found : user_pref("browser.startup.homepage", "hxxp://searchya.com/?chnl=dcom-100&s=0&cr=535499592&cd=2XzutA[...]
Found : user_pref("browser.search.selectedEngine", "SearchYa!");

-\\ Google Chrome v20.0.1132.47

File : C:\Users\Gilberto\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "default_icon": "funmoods/img/16.png",
Found : "default_popup": "funmoods/dropdown.html",
Found : "128": "funmoods/img/128.png",
Found : "32": "funmoods/img/32.png",
Found : "48": "funmoods/img/48.png"
Found : "name": "Funmoods",
Found : "update_url": "hxxp://funmoods.com/public/download/chrome/update.xml",

*************************

AdwCleaner[R1].txt - [10734 octets] - [11/07/2012 18:58:51]

########## EOF - C:\AdwCleaner[R1].txt - [10863 octets] ##########

grazie

[hashcat]

Adwcleaner ha rimosso un bel po' di schifezze, prova ad avviarlo nuovamente e posta il log aggiornato.

[manero478]

ecco il NUOVO LOG :

# AdwCleaner v1.701 - Logfile created 07/11/2012 at 19:35:50
# Updated 02/07/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Gilberto - GILBERTOC-PC
# Running from : C:\Users\Gilberto\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v5.0 (it)

Profile name : default
File : C:\Users\Gilberto\AppData\Roaming\Mozilla\Firefox\Profiles\zpdkg4hv.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v20.0.1132.47

File : C:\Users\Gilberto\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10865 octets] - [11/07/2012 18:58:51]
AdwCleaner[S1].txt - [11336 octets] - [11/07/2012 19:26:38]
AdwCleaner[R2].txt - [978 octets] - [11/07/2012 19:35:50]

########## EOF - C:\AdwCleaner[R2].txt - [1105 octets] ##########

grazie

[manero478]

scusami.. in Malwarebytes ha trovato comunque queste cose.. le tolgo?

Malwarebytes Anti-Malware 1.61.0.1400
http://www.malwarebytes.org

Versione database: v2012.07.11.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Gilberto :: GILBERTOC-PC [amministratore]

11/07/2012 19:38:50
mbam-log-2012-07-11 (19-49-19)_1.txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File system | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 216012
Tempo impiegato: 8 minuti, 12 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 7
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Nessuna azione intrapresa.

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 2
C:\Program Files\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Nessuna azione intrapresa.
C:\Users\Gilberto\Downloads\SoftonicDownloader_per_toon-boom-studio.exe (PUP.ToolbarDownloader) -> Nessuna azione intrapresa.

(fine)

grazie

[hashcat]

scusami.. in Malwarebytes ha trovato comunque queste cose.. le tolgo?

grazie

Si, rimuovi tutto.

P.S.: Ti consiglio di aggiornare FireFox (v. 5) ad una versione più recente.

[manero478]

grazie di tutto...
ah! per firefox... non lo uso :)

ciao