Strange application in the task manager

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57


Post by yanez » 07/12/06 12:30

Hi everyone.


For a few days now, a strange, unknown application with a random name (it changes from day to day; today it is GKE7AF.EXE) has been showing up in the task manager on my office PC. I tracked the file down: it is a temporary file in the windows/temp folder.

I tried logging in as administrator and ending the process, but after rebooting the PC the file had been regenerated.
There is probably a malicious instruction in the registry, but I don't know where to start to fix the problem.

Could you give me a hand?


Thanks in advance

Y.

I'm attaching the HijackThis report


Logfile of HijackThis v1.99.1
Scan saved at 10.41.34, on 07/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Mozilla Thunderbird\thunderbird.exe
C:\Programmi\Internet Explorer\iexplore.exe
G:\Documenti Utente\ciaffi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.****/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD} - C:\WINDOWS\System32\fofg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan
O4 - HKLM\..\Run: [Hazon clic] "C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.skymasters.biz
O15 - Trusted Zone: http://www.yeak.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pc.***.it
O17 - HKLM\Software\..\Telephony: DomainName = pc.****
O17 - HKLM\System\CCS\Services\Tcpip\..\{6333CD3E-E345-4F26-A39D-E5FF002EC493}: Domain = pc.*****.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{6333CD3E-E345-4F26-A39D-E5FF002EC493}: NameServer = 10.18.100.26,10.18.100.29,10.18.185.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pc.*****.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pc.*****.it,*****.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pc.*****.it,*****.it
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe


and the GMER one


GMER 1.0.12.11865 - http://www.gmer.net
Rootkit scan 2006-12-07 11:59:39
Windows 5.1.2600 Service Pack 2


---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS G:\RECYCLER\S-1-5-21-3870216755-816221577-1611797413-14738\Dg88.mdb:_SummaryInformation
ADS G:\RECYCLER\S-1-5-21-3870216755-816221577-1611797413-14738\Dg88.mdb:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----



GMER 1.0.12.11865 - http://www.gmer.net
Autostart scan 2006-12-07 12:00:21
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon@DLLName = C:\WINDOWS\System32\NavLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
LogWatch /*Event Log Watch*/@ = C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe"
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_02\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
@PrevxRootkitRemovalTool"C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan /*file not found*/ = "C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan /*file not found*/
@Hazon clic"C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I = "C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{C169E5F0-E2B3-41F3-B81A-7BA529CBE193} /*ZipGenius Shell Extension*/(null) =
@{2E5AC2E0-406D-11D4-86B3-FA5861508E25} /*ZipGenius Zip InfoTip*/(null) =
@{310A0C95-EA11-42AE-A8E4-53E69E650310} /*ZipGenius Drop handler*/(null) =
@{DCED20BE-3645-11D4-BC95-00C04F0E0588} /*InoShell*/C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/ = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/(null) =
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
InoShell@{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/
PowerArchiver@{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\InoShell@{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\PowerArchiver@{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD}C:\WINDOWS\System32\fofg.dll /*file not found*/ = C:\WINDOWS\System32\fofg.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://intranet = http://intranet
@Start Pageabout:blank = about:blank
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.pcw.it = http://www.pcw.it
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = pc.*****.it

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6333CD3E-E345-4F26-A39D-E5FF002EC493} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.18.186.28 = 10.18.186.28
@NameServer10.18.100.26,10.18.100.29,10.18.185.200 = 10.18.100.26,10.18.100.29,10.18.185.200
@DefaultGateway10.18.186.254 = 10.18.186.254
@Domainpc.*****.it = pc.*****.it

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----
yanez
Junior Member

Posts: 21
Joined: 24/08/06 08:27


Post by Dylan666 » 08/12/06 00:37

Paste the HijackThis log here and see for yourself what to remove. If you have doubts, ask:

http://hijackthis.de/it

http://www.pc-facile.com/guida_hijackthis_t148946/
Dylan666
Moderator

Posts: 38040
Joined: 18/11/03 16:46

Post by Luke57 » 10/12/06 12:23

Hi, open HijackThis, press "do a system scan only", then find and tick:
O2 - BHO: (no name) - {E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD} - C:\WINDOWS\System32\fofg.dll (file missing)
ALL THE O15 ENTRIES

and press "fix checked".

(I think the O6 and O7 entries were added by Spybot Search & Destroy; otherwise tick those as well.)

Delete all the Windows and IE temp and tmp files (to do this, download the latest version of CCleaner from here:
http://www.filehippo.com/download_ccleaner/
and install it, declining the Yahoo toolbar among the various options). In the options, go to Advanced and untick "delete Windows temp files only if older than 48 hours".
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
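The log yanez posted and the O2/O15 fixes Luke57 recommends can be worked through mechanically rather than by eye. The script below is an added example written for this thread; it is not part of any post and it is not HijackThis's own code. It parses a constructed subset of the posted log (embedded inline), flags the BHO whose DLL is missing, the three Trusted Zone entries, the DisableRegedit policy and any autorun that starts from a user-writable path, and then emits a .reg file that removes the BHO and the Trusted Zone entries. The registry locations it writes are assumptions about what HijackThis's "fix checked" touches for those line types: Trusted Zone domains are taken to live under HKCU\...\Internet Settings\ZoneMap\Domains (HijackThis also reports HKLM entries the same way), BHOs under HKLM\...\Explorer\Browser Helper Objects, and the O7 policy under HKCU\...\Policies\System. The `trusted_allow` parameter and the finding names are invented for this example.

```python
"""Triage a HijackThis log and write a .reg undo file for confirmed entries.

Assumptions (not from the thread): the registry keys that HijackThis's
"fix checked" edits for O15/O2/O7 lines are the ones named below, and the
Trusted Zone entries are per-user (HKCU).  Review the output before importing
it with regedit; a .reg file that deletes keys is not reversible.
"""
import re
from collections import namedtuple

# A constructed subset of the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD} - C:\WINDOWS\System32\fofg.dll (file missing)
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.skymasters.biz
O15 - Trusted Zone: http://www.yeak.net
"""

Finding = namedtuple("Finding", "kind detail line")

LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Autoruns launched from a user-writable location deserve a second look.
USER_PATH_RE = re.compile(r"\\(Temp|Tmp|Desktop)\\", re.IGNORECASE)

# Assumed targets of HijackThis's fix for O15, O2 and O7 lines.
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"


def parse(log):
    """Yield (kind, body, line) for every HijackThis 'Oxx - ...' line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def triage(log, trusted_allow=()):
    """Return the log lines a responder should look at first.

    trusted_allow: domains that legitimately belong in the Trusted Zone
    (for example the company intranet); every other O15 entry is flagged.
    """
    findings = []
    for kind, body, line in parse(log):
        if kind == "O2" and "(file missing)" in body:
            # A BHO whose DLL is gone: a half-removed infection or a leftover
            # the AV already deleted.  Either way the CLSID registration should go.
            findings.append(Finding("orphan_bho", CLSID_RE.search(body).group(0), line))
        elif kind == "O15" and body.startswith("Trusted Zone:"):
            host = re.sub(r"^https?://", "", body.split(":", 1)[1].strip()).rstrip("/")
            if not any(host == a or host.endswith("." + a) for a in trusted_allow):
                findings.append(Finding("trusted_zone", host, line))
        elif kind == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding("regedit_disabled", body, line))
        elif kind == "O4" and USER_PATH_RE.search(body):
            findings.append(Finding("autorun_user_path", body, line))
    return findings


def undo_reg(findings, fix_policies=False):
    """Build .reg text that removes the flagged O15 and O2 entries.

    O7 (DisableRegedit) is only reverted when fix_policies=True, because the
    thread notes it may have been set deliberately by Spybot S&D.  O4 findings
    are reported but never removed: they need a human decision.
    """
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f.kind == "trusted_zone":
            # ZoneMap stores www.example.net as Domains\example.net\www;
            # deleting the registrable-domain key drops every subdomain.
            domain = ".".join(f.detail.split(".")[-2:])
            out += ["; " + f.line, "[-%s\\%s]" % (ZONEMAP, domain), ""]
        elif f.kind == "orphan_bho":
            out += ["; " + f.line, "[-%s\\%s]" % (BHO_KEY, f.detail), ""]
        elif f.kind == "regedit_disabled" and fix_policies:
            out += ["; " + f.line, "[%s]" % POLICY_KEY, '"DisableRegedit"=-', ""]
    return "\r\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, trusted_allow=("intranet",))
    for f in found:
        print("%-18s %s" % (f.kind, f.detail))
    # Write the result with encoding="utf-16" for a Version 5.00 .reg file.
    print(undo_reg(found))
```

Two things worth noting. The O4 line for PrevxFixGrom.exe is flagged only because it runs from the Desktop; the tool itself is a removal utility, which is exactly the kind of entry a human has to decide on. And none of the flagged entries references the GKE7AF.EXE file from the first post, so the .reg file addresses the browser entries Luke57 lists, not whatever recreates that file in windows\temp.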

