Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

Processo all'avvio sospetto

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

Processo all'avvio sospetto

Postdi markmoon » 02/06/10 15:51

Ho preso un trojan,Nod32 mi ha messo in quarantena gli elementi incriminati,ho eliminato file temporanei con Ccleaner,ho fatto una scansione con Malwarebit che mi ha eliminato schifezze varie,ho fatto girare Combofix che anch'esso mi ha eliminato processi all'avvio e file.Ho fixato alcuni voci con Hijackthis.
Ma in msconfig continuo a vedere un processo all'avvio che non mi piace,non so cosa sia:
Immagine
MChk ----->ktmlindu.exe
Gli ho tolto la spunta,poi ho ripetuto di nuovo Malewarebit e Combofixl che non mi hanno trovato niente di nuovo,ma quel ktmlindu.exe continua ad essere presente.

Questo l'ultimo log di Combofix:
ComboFix 10-06-01.03 - Mark 02/06/2010 15.28.38.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.2038.1016 [GMT 2:00]
Eseguito da: c:\users\Mark\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((( Files Creati Da 2010-05-02 al 2010-06-02 )))))))))))))))))))))))))))))))))))
.

2010-06-02 13:35 . 2010-06-02 13:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-02 13:35 . 2010-06-02 13:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-02 09:53 . 2010-06-02 09:53 50981 ----a-w- c:\windows\system32\tibjlcokjl.exe
2010-06-02 09:53 . 2010-06-02 09:53 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-06-01 14:04 . 2010-06-02 11:59 -------- d-----w- c:\program files\SopCast
2010-05-26 12:20 . 2010-05-26 12:20 -------- d-----w- C:\f8cc4bbb612aaaea02
2010-05-26 07:10 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 08:42 . 2010-05-25 08:43 -------- d-----w- c:\program files\Photoshop
2010-05-25 07:28 . 2001-10-28 14:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-05-25 07:28 . 1998-08-05 05:45 122128 ----a-w- c:\windows\system32\VB6IT.DLL
2010-05-25 07:28 . 1998-08-05 05:45 150528 ----a-w- c:\windows\system32\MSCMCIT.DLL
2010-05-25 07:28 . 1998-08-05 05:45 63488 ----a-w- c:\windows\system32\MSCC2IT.DLL
2010-05-25 07:28 . 1998-07-05 22:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-05-25 07:28 . 2010-05-25 07:29 -------- d-----w- c:\program files\PDFCreator
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\ranrfdpw.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\ktmlindu.exe
2010-05-20 13:42 . 2010-05-20 13:42 -------- d-----w- c:\programdata\Apple Computer
2010-05-20 13:40 . 2010-05-20 13:40 -------- d-----w- c:\program files\Common Files\Apple
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\users\Mark\AppData\Local\Apple
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\program files\Apple Software Update
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\programdata\Apple
2010-05-20 13:35 . 2010-06-02 11:59 -------- d-----w- c:\program files\QuickTime
2010-05-11 18:15 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-06 06:57 . 2010-05-06 06:57 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-06 06:56 . 2010-05-06 06:56 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-06 06:56 . 2010-05-06 06:56 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 11:51 . 2010-05-29 19:56 -------- d-----w- c:\users\Mark\AppData\Roaming\LimeWire
2010-06-02 11:50 . 2009-12-31 13:21 2815 ----a-w- c:\windows\bthservsdp.dat
2010-06-02 10:11 . 2006-11-06 01:52 662846 ----a-w- c:\windows\system32\perfh010.dat
2010-06-02 10:11 . 2006-11-06 01:52 120326 ----a-w- c:\windows\system32\perfc010.dat
2010-06-01 10:18 . 2010-02-12 20:37 -------- d-----w- c:\program files\Replay Media Catcher
2010-06-01 10:09 . 2009-12-31 13:22 -------- d-----w- c:\users\Mark\AppData\Roaming\Toshiba
2010-06-01 09:57 . 2010-02-12 20:39 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-06-01 09:57 . 2010-02-12 20:39 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-29 20:04 . 2010-04-22 12:09 -------- d-----w- c:\program files\JDownloader
2010-05-25 08:45 . 2009-12-31 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-25 08:22 . 2009-12-31 15:11 -------- d-----w- c:\program files\CCleaner
2010-05-24 23:04 . 2010-04-23 15:52 115530836 ----a-w- c:\windows\system32\~.tmp
2010-05-12 09:21 . 2009-12-31 16:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 18:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 18:17 . 2010-01-25 13:19 -------- d-----w- c:\programdata\Microsoft Help
2010-05-06 06:58 . 2010-04-15 16:28 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-06 06:57 . 2010-04-15 16:10 -------- d-----w- c:\programdata\DivX
2010-05-06 06:57 . 2009-12-31 17:46 -------- d-----w- c:\program files\DivX
2010-05-06 06:55 . 2010-04-15 19:04 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-06 06:55 . 2010-04-15 16:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 19:30 . 2009-12-31 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 13:39 . 2009-12-31 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-12-31 15:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 08:32 . 2010-04-26 08:32 -------- d-----w- c:\program files\Widget vodafone.it
2010-04-22 14:30 . 2010-04-22 14:24 -------- d-----w- c:\program files\ESET
2010-04-22 12:04 . 2010-04-22 12:03 -------- d-----w- c:\program files\Nvu
2010-04-15 19:04 . 2010-04-15 19:04 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-10 18:00 . 2010-03-11 21:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-03-05 14:01 . 2010-04-13 18:29 420352 ----a-w- c:\windows\system32\vbscript.dll
.

------- Sigcheck -------

[-] 2010-01-01 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-06-02_11.36.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-16 08:37 . 2010-06-02 11:53 41328 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-04-16 08:37 . 2010-06-02 11:16 41328 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2010-06-02 11:16 73284 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-06-02 11:53 73284 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-04-17 14:18 . 2010-06-02 11:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-04-17 14:18 . 2010-06-02 11:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-04-17 14:18 . 2010-06-02 11:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-17 14:18 . 2010-06-02 11:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-17 14:18 . 2010-06-02 11:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-04-17 14:18 . 2010-06-02 11:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-31 19:19 . 2010-06-02 10:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-31 19:19 . 2010-06-02 13:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-31 19:19 . 2010-06-02 10:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-31 19:19 . 2010-06-02 13:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-31 19:19 . 2010-06-02 13:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-31 19:19 . 2010-06-02 10:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-31 19:19 . 2010-06-02 11:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-31 19:19 . 2010-06-02 08:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-31 19:19 . 2010-06-02 08:42 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-31 19:19 . 2010-06-02 11:51 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-31 19:19 . 2010-06-02 11:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-31 19:19 . 2010-06-02 08:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-31 13:29 . 2010-06-02 11:16 9736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1818783399-2505984025-1408226993-1000_UserData.bin
+ 2009-12-31 13:29 . 2010-06-02 11:53 9736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1818783399-2505984025-1408226993-1000_UserData.bin
+ 2010-06-02 11:51 . 2010-06-02 11:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-02 11:14 . 2010-06-02 11:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-02 11:51 . 2010-06-02 11:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-06-02 11:14 . 2010-06-02 11:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-31 21:46 . 2010-06-02 12:01 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-12-31 21:46 . 2010-06-02 09:25 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-04-16 07:05 . 2010-06-02 11:13 1816864 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-04-16 07:05 . 2010-06-02 11:50 1816864 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Hotkey CD Eject"="c:\program files\Hotkey CD Eject\cdeject.exe" [2003-02-21 597504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-24 4423680]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-03 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-03 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-03 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-03-23 12:41 538744 ----a-w- c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-09-22 19:09 156672 ----a-w- c:\program files\Replay Media Catcher\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MChk]
2010-05-24 16:31 40633 ----a-w- c:\windows\System32\ktmlindu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
2008-02-01 14:38 210208 ----a-w- c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-04-03 14:52 509496 ----a-w- c:\program files\TOSHIBA\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2007-02-19 14:00 571024 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0f,06,42,f0,f3,8a,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1818783399-2505984025-1408226993-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 135664]
R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-15 151552]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
R3 WSDPrintDevice;Supporto stampa WSD via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 CplIR;Embedded IR Driver;c:\windows\system32\DRIVERS\CplIR.SYS [2007-03-06 14848]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
S3 BthAvrcp;Profilo Bluetooth AVRCP;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-27 27488]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 09:54]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 09:54]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?IT
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 15:35
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000410
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{CFE9A1C8-0A2E-4536-84EE-B392E735E807}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.474.0"
"UniqueId"="001D5A5F4BD05C3C"
"ScannerBuild"=dword:000018d4
"ScannerVersionId"=dword:00001292
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Ora fine scansione: 2010-06-02 15:38:38
ComboFix-quarantined-files.txt 2010-06-02 13:38
ComboFix2.txt 2010-06-02 11:40

Pre-Run: 50.321.960.960 byte disponibili
Post-Run: 50.329.333.760 byte disponibili

- - End Of File - - 65EE3409CA6A912C2C9C7EC8CC2FD91F
Avatar utente
markmoon
Utente Senior
 
Post: 437
Iscritto il: 28/04/06 19:03

Sponsor
 

Re: Processo all'avvio sospetto

Postdi -> EleKtrA <- » 02/06/10 22:04

Apri un file di testo sul Desktop
Start > esegui, digita: notepad.exe e poi clicca Ok
Incolla il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente
con il nome CFScript
Codice: Seleziona tutto
Killall::
File::
c:\windows\system32\tibjlcokjl.exe
c:\windows\system32\ktmlindu.exe
c:\windows\system32\ranrfdpw.dll
c:\windows\system32\~.tmp
Folder::
C:\WINDOWS\temp
C:\WINDOWS\Tasks

Con il mouse trascina il file CFScript.txt sull'icona rossa di Combofix
Immagine
Lascia lavorare il programma
Verrà creato un nuovo log combofix.txt
Allega il rapporto per un controllo.

Scarica KASPERSKY VIRUS REMOVAL TOOL
● al termine della installazione verrà mostrata la schermata principale del tool
● verrà creata una cartella sul Desktop dal nome Virus Removal Tool
● seleziona la partizione da scansionare e clicca su Scan per avviare la scansione
● terminata la scansione, in caso di rilevazione di infezioni, clicca su Neutralize all
● si apriranno dei popup dove potrai scegliere se Cancellare o Disinfettare l'oggetto
● metti la spunta su Apply to all e clicca su Quarantine
● per salvare il Report che verrà rilasciato, clicca sul tasto Reports: salvalo sul Desktop poi allegalo sul forum.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Processo all'avvio sospetto

Postdi markmoon » 02/06/10 23:31

Ho terminato la scansione con Combofix trascinando il file di testo come mi avevi detto,mi ha eliminato il file da system32 e in msconfig non compare più,questo il log.
Devo scaricare anche Kaspersky Virus Removal Tool o posso evitare?


ComboFix 10-06-02.01 - Mark 03/06/2010 0.04.51.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.2038.1011 [GMT 2:00]
Eseguito da: c:\users\Mark\Desktop\ComboFix.exe
Opzioni usate :: c:\users\Mark\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\~.tmp"
"c:\windows\system32\ktmlindu.exe"
"c:\windows\system32\ranrfdpw.dll"
"c:\windows\system32\tibjlcokjl.exe"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\~.tmp
c:\windows\system32\ktmlindu.exe
c:\windows\system32\ranrfdpw.dll
c:\windows\system32\tibjlcokjl.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-05-02 al 2010-06-02 )))))))))))))))))))))))))))))))))))
.

2010-06-02 22:12 . 2010-06-02 22:13 -------- d-----w- c:\users\Mark\AppData\Local\temp
2010-06-02 22:12 . 2010-06-02 22:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-02 22:12 . 2010-06-02 22:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-02 21:23 . 2010-06-02 21:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-02 21:23 . 2010-06-02 21:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-02 09:53 . 2010-06-02 09:53 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-06-01 14:04 . 2010-06-02 11:59 -------- d-----w- c:\program files\SopCast
2010-05-29 19:56 . 2010-06-02 11:51 -------- d-----w- c:\users\Mark\AppData\Roaming\LimeWire
2010-05-26 12:20 . 2010-05-26 12:20 -------- d-----w- C:\f8cc4bbb612aaaea02
2010-05-26 07:10 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 08:42 . 2010-05-25 08:43 -------- d-----w- c:\program files\Photoshop
2010-05-25 07:28 . 2001-10-28 14:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-05-25 07:28 . 1998-08-05 05:45 122128 ----a-w- c:\windows\system32\VB6IT.DLL
2010-05-25 07:28 . 1998-08-05 05:45 150528 ----a-w- c:\windows\system32\MSCMCIT.DLL
2010-05-25 07:28 . 1998-08-05 05:45 63488 ----a-w- c:\windows\system32\MSCC2IT.DLL
2010-05-25 07:28 . 1998-07-05 22:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-05-25 07:28 . 2010-05-25 07:29 -------- d-----w- c:\program files\PDFCreator
2010-05-20 13:42 . 2010-05-20 13:42 -------- d-----w- c:\programdata\Apple Computer
2010-05-20 13:40 . 2010-05-20 13:40 -------- d-----w- c:\program files\Common Files\Apple
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\users\Mark\AppData\Local\Apple
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\program files\Apple Software Update
2010-05-20 13:39 . 2010-05-20 13:39 -------- d-----w- c:\programdata\Apple
2010-05-20 13:35 . 2010-06-02 11:59 -------- d-----w- c:\program files\QuickTime
2010-05-11 18:15 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 22:12 . 2009-12-31 13:21 2815 ----a-w- c:\windows\bthservsdp.dat
2010-06-02 20:29 . 2009-12-31 15:11 -------- d-----w- c:\program files\CCleaner
2010-06-02 10:11 . 2006-11-06 01:52 662846 ----a-w- c:\windows\system32\perfh010.dat
2010-06-02 10:11 . 2006-11-06 01:52 120326 ----a-w- c:\windows\system32\perfc010.dat
2010-06-01 10:18 . 2010-02-12 20:37 -------- d-----w- c:\program files\Replay Media Catcher
2010-06-01 10:09 . 2009-12-31 13:22 -------- d-----w- c:\users\Mark\AppData\Roaming\Toshiba
2010-06-01 09:57 . 2010-02-12 20:39 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-06-01 09:57 . 2010-02-12 20:39 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-29 20:04 . 2010-04-22 12:09 -------- d-----w- c:\program files\JDownloader
2010-05-25 08:45 . 2009-12-31 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-12 09:21 . 2009-12-31 16:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 18:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 18:17 . 2010-01-25 13:19 -------- d-----w- c:\programdata\Microsoft Help
2010-05-06 06:58 . 2010-04-15 16:28 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-06 06:57 . 2010-05-06 06:57 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-06 06:57 . 2010-04-15 16:10 -------- d-----w- c:\programdata\DivX
2010-05-06 06:57 . 2009-12-31 17:46 -------- d-----w- c:\program files\DivX
2010-05-06 06:56 . 2010-05-06 06:56 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-06 06:56 . 2010-05-06 06:56 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-06 06:55 . 2010-04-15 19:04 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-06 06:55 . 2010-04-15 16:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 19:30 . 2009-12-31 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 13:39 . 2009-12-31 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-12-31 15:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 08:32 . 2010-04-26 08:32 -------- d-----w- c:\program files\Widget vodafone.it
2010-04-22 14:30 . 2010-04-22 14:24 -------- d-----w- c:\program files\ESET
2010-04-22 12:04 . 2010-04-22 12:03 -------- d-----w- c:\program files\Nvu
2010-04-15 19:04 . 2010-04-15 19:04 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-15 19:03 . 2010-04-15 19:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-10 18:00 . 2010-03-11 21:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-03-05 14:01 . 2010-04-13 18:29 420352 ----a-w- c:\windows\system32\vbscript.dll
.

------- Sigcheck -------

[-] 2010-01-01 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Hotkey CD Eject"="c:\program files\Hotkey CD Eject\cdeject.exe" [2003-02-21 597504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-24 4423680]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-03 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-03 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-03 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-03-23 12:41 538744 ----a-w- c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-09-22 19:09 156672 ----a-w- c:\program files\Replay Media Catcher\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
2008-02-01 14:38 210208 ----a-w- c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-04-03 14:52 509496 ----a-w- c:\program files\TOSHIBA\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2007-02-19 14:00 571024 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0f,06,42,f0,f3,8a,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1818783399-2505984025-1408226993-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 135664]
R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-15 151552]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
R3 WSDPrintDevice;Supporto stampa WSD via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 CplIR;Embedded IR Driver;c:\windows\system32\DRIVERS\CplIR.SYS [2007-03-06 14848]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
S3 BthAvrcp;Profilo Bluetooth AVRCP;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-27 27488]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 09:54]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 09:54]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?IT
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-MChk - c:\windows\system32\ktmlindu.exe
AddRemove-tibjlcokjl - c:\windows\system32\tibjlcokjl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 00:13
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000410
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{CFE9A1C8-0A2E-4536-84EE-B392E735E807}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.474.0"
"UniqueId"="001D5A5F4BD05C3C"
"ScannerBuild"=dword:000018d4
"ScannerVersionId"=dword:00001292
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'Explorer.exe'(3924)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Microsoft Games\Solitaire\Solitaire.exe
.
**************************************************************************
.
Ora fine scansione: 2010-06-03 00:21:38 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-06-02 22:21

Pre-Run: 52.435.501.056 byte disponibili
Post-Run: 52.279.566.336 byte disponibili

- - End Of File - - 6045E65FF772C44ED26C809E0A4B0910
Avatar utente
markmoon
Utente Senior
 
Post: 437
Iscritto il: 28/04/06 19:03

Re: Processo all'avvio sospetto

Postdi -> EleKtrA <- » 03/06/10 09:00

Decidi tu se vuoi eseguire questo controllo con Kaspersky, io posso solo consigliarti e dire che il tool effettuerà una scansione/rimozione di eventuali virus, poi si auto-disinstallerà al termine dell'operazione.

Per disinstallare Combofix
Scarica OTC by OldTimer sul desktop
doppio clic per eseguirlo
clicca su "CleanUP" > "Yes" > "Yes"
riavvia.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Processo all'avvio sospetto

Postdi markmoon » 03/06/10 16:22

Questo è il log:

Autoscan: completed 4 minutes ago (events: 14, objects: 346311, time: 03.33.42)
03/06/2010 13.41.43 Task started
03/06/2010 13.55.38 Detected: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-483f23ed/vmain.class
03/06/2010 13.55.38 Detected: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-6435269f/vmain.class
03/06/2010 13.55.38 Detected: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hieeyfc.class
03/06/2010 13.58.05 Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-483f23ed/vmain.class
03/06/2010 13.58.05 Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-6435269f/vmain.class
03/06/2010 13.58.05 Detected: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\61248b39-57be5613/sklif/Hieeyfc.class
03/06/2010 13.58.14 Deleted: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hieeyfc.class
03/06/2010 13.58.15 Detected: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hirwfee.class
03/06/2010 13.58.15 Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\61248b39-57be5613/sklif/Hieeyfc.class
03/06/2010 13.58.19 Deleted: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hirwfee.class
03/06/2010 13.58.19 Detected: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hiydcxed.class
03/06/2010 13.58.22 Deleted: Trojan-Downloader.Java.Agent.bu C:\Documents and Settings\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5cb67b66-6e45986a/sklif/Hiydcxed.class
03/06/2010 17.15.26 Task completed
Avatar utente
markmoon
Utente Senior
 
Post: 437
Iscritto il: 28/04/06 19:03

Re: Processo all'avvio sospetto

Postdi markmoon » 03/06/10 16:27

ho un'altra cosa che non mi convince,c'è una cartella in c:\programmi\$NtUninstallWTF1012$\elUninstall.exe creata al momento dell'infezione ,come si può vedere anche dal log precedente di Combofix.
posso usare la stessa procedura del file di testo trascinato su Combofix per eliminarla?
Avatar utente
markmoon
Utente Senior
 
Post: 437
Iscritto il: 28/04/06 19:03

Re: Processo all'avvio sospetto

Postdi -> EleKtrA <- » 03/06/10 16:30

Perfetto, ora svuota la cache di Java e dovresti essere a posto.

Ti suggerisco un'applicazione che consente di risolvere le potenziali vulnerabilità del sistema.
PSI, l’ispettore personale di casa Secunia.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Processo all'avvio sospetto

Postdi -> EleKtrA <- » 03/06/10 16:33

markmoon ha scritto:ho un'altra cosa che non mi convince,c'è una cartella in c:\programmi\$NtUninstallWTF1012$\elUninstall.exe creata al momento dell'infezione ,come si può vedere anche dal log precedente di Combofix.
posso usare la stessa procedura del file di testo trascinato su Combofix per eliminarla?


Puoi usare Combofix

Codice: Seleziona tutto
File::
c:\programmi\$NtUninstallWTF1012$\elUninstall.exe
Folder::
c:\programmi\$NtUninstallWTF1012$


Oppure manualmente.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Processo all'avvio sospetto

Postdi markmoon » 03/06/10 16:51

Ti ringrazio,tutto risolto.
Avatar utente
markmoon
Utente Senior
 
Post: 437
Iscritto il: 28/04/06 19:03

Re: Processo all'avvio sospetto

Postdi -> EleKtrA <- » 03/06/10 17:00

Bene, alla prossima. ;)
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50


Torna a Sicurezza e Privacy


Topic correlati a "Processo all'avvio sospetto":


Chi c’è in linea

Visitano il forum: Nessuno e 7 ospiti