Strange files in the Documents and Settings folder

Solve your Windows '95, '98, ME, NT, 2000, XP, 2003, Vista... problems here

Moderators: m.paolo, antoo69, -> EleKtrA <-

Strange files in the Documents and Settings folder

Post by 19checco80 » 17/04/09 21:07

Hi, I don't know whether it has always been there, but in the folder
C:\Documents and Settings\Checco\
there are 451 empty folders named:
74.exe, 274.exe, 318.exe, 379.exe, 575.exe, 622.exe, 694.exe, 716.exe etc. etc. etc.....
followed by 1188 files of 1 KB each, named:
39.exe, 60.exe, 87.exe, 106.exe, 176.exe, 18.exe... etc. etc. etc...
What is it? A virus, spyware or something else? :undecided:
19checco80
Newbie

Posts: 4
Joined: 17/04/09 21:01
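A small triage script for the pattern described in this post, added here as an example (nobody in the thread ran it, and it is not part of any tool mentioned): it lists a profile directory, picks out entries whose name is a bare number followed by .exe, separates empty folders from files, hashes the files and reports how many share identical contents. Hundreds of 1 KB files with one and the same hash are a single artefact repeated, which is a different situation from hundreds of distinct programs, and the hash is also what you would submit to an online scanner instead of uploading every copy. The sample tree built in a temporary directory is constructed for the demo; for a real machine, pass the profile path to triage() instead.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Bare number followed by .exe, e.g. 74.exe or 1188.exe
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(profile_dir):
    """Summarise numerically named .exe entries directly under profile_dir."""
    empty_dirs, files = [], []
    for name in sorted(os.listdir(profile_dir)):
        if not NUMERIC_EXE.match(name):
            continue  # ordinary profile content (Desktop, ntuser.ini, ...)
        full = os.path.join(profile_dir, name)
        if os.path.isdir(full):
            if not os.listdir(full):
                empty_dirs.append(name)
        elif os.path.isfile(full):
            files.append((name, os.path.getsize(full), sha256_of(full)))
    # Many small files with the same hash are one artefact repeated, not many programs
    by_hash = Counter(digest for _, _, digest in files)
    return {
        "empty_dirs": empty_dirs,
        "files": files,
        "distinct_contents": len(by_hash),
        "max_duplicates": max(by_hash.values()) if by_hash else 0,
    }


def build_sample(root):
    """Constructed sample tree (hypothetical): 5 empty dirs, 8 identical 1 KB files, 2 normal entries."""
    for n in (74, 274, 318, 379, 575):
        os.mkdir(os.path.join(root, f"{n}.exe"))
    for n in (39, 60, 87, 106, 176, 18, 250, 301):
        with open(os.path.join(root, f"{n}.exe"), "wb") as f:
            f.write(b"\x00" * 1024)
    os.mkdir(os.path.join(root, "Desktop"))  # must be ignored by the triage
    with open(os.path.join(root, "ntuser.ini"), "w") as f:
        f.write("[x]\n")
    return root


def demo():
    """Run the triage over the constructed sample and return its summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['empty_dirs'])} empty dirs, {len(r['files'])} small files, "
          f"{r['distinct_contents']} distinct contents, "
          f"largest duplicate group {r['max_duplicates']}")
    for name, size, digest in r["files"]:
        print(f"  {name:>10} {size:>6} bytes sha256={digest[:16]}...")
```

The script only looks at the top level of the profile, which is where the poster saw the entries; it does not delete anything, so it is safe to run before deciding what the files are.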


Re: Strange files in the Documents and Settings folder

Post by Frate Aurelio » 17/04/09 23:28

@19checco80
Hi and welcome to the Forum.

You need to carry out this procedure:

Hijackthis

Download it from:
http://www.trendsecure.com/portal/en-US ... s/download
- Download by clicking on:
Download Hijackthis Installer (recommended)
The downloaded file is: Hjtinstall.exe
The installation installs nothing but the executable file itself.
- Run the downloaded exe file by clicking it; it will propose an installation path:
- C:\Programmi\Trend Micro\HijackThis (you can also change it as you like)
- Confirm by pressing the Install button
- A shortcut icon to Hijackthis will be created on the desktop.

General advice
All operations must be carried out:
- With the PC started in normal mode
- With as few programs running as possible

Creating the Hijackthis.log file:
- Click the Hijackthis icon on the Desktop
- Press the button:
- Do System scan and save a logfile
The Hijackthis.log file will open in Notepad and at the same time be saved in C:\Programmi\Trend Micro\HijackThis, where it can always be found again.
In Notepad do:
- Edit ► Select All ► right mouse button ► Copy
- Post it in the Topic following the procedure described by moderator aurelio37:
viewtopic.php?f=4&t=79679

Frate Aurelio
:oops:
Ora et Labora
Frate Aurelio
Moderator

Posts: 251
Joined: 16/01/09 00:01

Re: Strange files in the Documents and Settings folder

Post by 19checco80 » 18/04/09 08:59

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.57.11, on 18/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE
C:\Programmi\TurboNote\tbnote.exe
C:\Programmi\DigitalPeers\CamTrack\camtrack.exe
C:\Programmi\vghd\vghd.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\vghd\VirtuaGirl_downloader.exe
C:\Programmi\Outlook Express\msimn.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\LogMeIn\x86\RaMaint.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ig
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Programmi\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Programmi\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus S20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE /FU "C:\DOCUME~1\Checco\IMPOST~1\Temp\E_S10.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe
O4 - Startup: DesktopVideoPlayer.LNK = C:\Programmi\vghd\vghd.exe
O4 - Global Startup: TurboNote.lnk = C:\Programmi\TurboNote\tbnote.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234433617515
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 9245 bytes
19checco80
Newbie

Posts: 4
Joined: 17/04/09 21:01

Re: Strange files in the Documents and Settings folder

Post by Frate Aurelio » 19/04/09 16:06

@19checco80
Hi

The Hijackthis file you posted shows a file that is much discussed online:
C:\WINDOWS\wt\updater\wcmdmgr.exe
Before deciding on removal, check it online with Virustotal:

Virus Total
http://www.virustotal.com/it/
- In the middle of the page, click the button:
- Browse...
- Select the path:
C:\WINDOWS\wt\updater
- Select the file:
- wcmdmgr.exe
- Press the button below Browse:
- Send file
- When the scan finishes, send us, as far as possible, the positive results that identify the file's viral nature.

To lighten the PC's startup you can do the following:

Fixing the items Hijackthis found in the system's "key areas":
- Click the Hijackthis icon on the Desktop
- Press the button:
- Do System scan only
- Fix (press Hijackthis's Fix Checked button) after ticking the following entries:

Code:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background


Once the procedure is done, post a new Hijackthis log file.

Frate Aurelio
:oops:
Ora et Labora
Frate Aurelio
Moderator

Posts: 251
Joined: 16/01/09 00:01
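The moderator reads the log above by eye: he spots the wcmdmgr.exe process, and picks Run-key entries that can be fixed to speed up startup. The parser below does the mechanical part of that reading and is an added example, not part of the thread and not HijackThis code: it splits a HijackThis 2.0 log into the running-process list, the O4 Run-key entries and the O23 services, then reports autostart entries whose image is not among the running processes, Run-key commands with an unquoted path containing spaces, rundll32-hosted DLLs (which never appear as processes) and services with "Unknown owner". The log embedded here is a shortened excerpt of the one posted; the check names are this example's own.

```python
import ntpath
import re

# Shortened excerpt of the HijackThis log posted above (constructed subset, not a full log)
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\PnkBstrA.exe

O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Programmi\Electronic Arts\EADM\Core.exe" -silent
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# O4 Run-key lines: "O4 - <hive>: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 service lines: "O23 - Service: <display name> - <owner> - <image path>"
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_from_command(cmd):
    """Image path of a Run-key command: the quoted token, else everything up to the first .exe."""
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """Split a HijackThis log into (running processes, O4 Run entries, O23 services)."""
    procs, runs, svcs = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # blank line ends the process list
            continue
        if in_procs:
            procs.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = SVC_RE.match(line)
        if m:
            svcs.append(m.groupdict())
    return procs, runs, svcs


def review_log(text):
    """Cross-check autostart entries against the process list and flag the usual review points."""
    procs, runs, svcs = parse_hjt(text)
    running = {ntpath.basename(p).lower() for p in procs}
    findings = {"not_running": [], "unquoted_with_spaces": [],
                "rundll32_dlls": [], "unknown_owner_services": []}
    for r in runs:
        cmd = r["cmd"]
        image = exe_from_command(cmd)
        base = ntpath.basename(image).lower()
        if base == "rundll32.exe":
            dll = re.search(r'"([^"]+\.dll)"', cmd, re.IGNORECASE)
            findings["rundll32_dlls"].append((r["name"], dll.group(1) if dll else cmd))
            continue
        if not cmd.startswith('"') and " " in image:
            findings["unquoted_with_spaces"].append((r["name"], image))
        if base not in running:
            findings["not_running"].append((r["name"], base))
    for s in svcs:
        if s["owner"] == "Unknown owner":
            findings["unknown_owner_services"].append((s["name"], s["path"]))
    return findings


if __name__ == "__main__":
    for check, items in review_log(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

"Not running" is a review cue, not a verdict: an autostart entry whose image is absent from the process list may simply have exited after start-up, and the full log is the place to decide what it is.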

Re: Strange files in the Documents and Settings folder

Post by 19checco80 » 19/04/09 23:51

Code:
File wcmdmgr_exe_1043.mem ricevuto il 2009.02.14 15:14:16 (CET)
Stato corrente: finito

Risultato: 2/39 (5.13%)
 Formattato Stampa risultati 
Antivirus Versione Ultimo aggiornamento Risultato
a-squared 4.0.0.93 2009.02.14 AdWare.WildTangent!IK
AhnLab-V3 5.0.0.2 2009.02.13 -
AntiVir 7.9.0.79 2009.02.13 -
Authentium 5.1.0.4 2009.02.14 -
Avast 4.8.1335.0 2009.02.14 -
AVG 8.0.0.237 2009.02.14 -
BitDefender 7.2 2009.02.14 -
CAT-QuickHeal 10.00 2009.02.13 -
ClamAV 0.94.1 2009.02.14 -
Comodo 977 2009.02.14 -
DrWeb 4.44.0.09170 2009.02.14 -
eSafe 7.0.17.0 2009.02.12 -
eTrust-Vet 31.6.6358 2009.02.14 -
F-Prot 4.4.4.56 2009.02.13 -
F-Secure 8.0.14470.0 2009.02.14 -
Fortinet 3.117.0.0 2009.02.14 -
GData 19 2009.02.14 -
Ikarus T3.1.1.45.0 2009.02.14 AdWare.WildTangent
K7AntiVirus 7.10.630 2009.02.14 -
Kaspersky 7.0.0.125 2009.02.14 -
McAfee 5525 2009.02.13 -
McAfee+Artemis 5525 2009.02.14 -
Microsoft 1.4306 2009.02.14 -
NOD32 3852 2009.02.13 -
Norman 6.00.02 2009.02.13 -
nProtect 2009.1.8.0 2009.02.14 -
Panda 10.0.0.10 2009.02.14 -
PCTools 4.4.2.0 2009.02.14 -
Prevx1 V2 2009.02.14 -
Rising 21.16.52.00 2009.02.14 -
SecureWeb-Gateway 6.7.6 2009.02.14 -
Sophos 4.38.0 2009.02.14 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.14 -
TheHacker 6.3.2.1.256 2009.02.14 -
TrendMicro 8.700.0.1004 2009.02.14 -
VBA32 3.12.8.12 2009.02.14 -
ViRobot 2009.2.14.1607 2009.02.14 -
VirusBuster 4.5.11.0 2009.02.13 -
Informazioni addizionali
Tamano archivo: 131072 bytes
MD5...: 81b5da6c335dd951d1f0f12192b4b419
SHA1..: 26d23b5aa1319e7694f6ce8dfa32d5be0b049ab0
SHA256: 0bec6079b5e0a97d1aa5af37eb0c18fa9bbc01b010612f46f1672f09bc101b44
SHA512: 13a4581bf2124a60f9bf1f91bf9706a4392336ff8394cc48e3ea11b3cc0832e6
fa76983aa00e7b0052bad90b61e58a3115de9fa16d4c997ee35df54368b87d72
 
ssdeep: 3072:w0ZvxxspZAc7MCxc4Nt/iOuWoEx/ZM33JBn+js6AnUMnKuB:7GZAc7LxPH/
nuWoElZM37+DMK
 
PEiD..: Armadillo v1.71
TrID..: File type identification
Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10b4a
timedatestamp.....: 0x3aba80b5 (Thu Mar 22 22:46:13 2001)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16352 0x17000 6.31 2e2a6cb34f1011a3e1af1696832ec82a
.rdata 0x18000 0x13e6 0x2000 4.06 d78ea30a7dfeb1d08d547d0341a025b3
.data 0x1a000 0x5d64 0x4000 4.68 520a626bfaac8aeddad596be101118f4
.rsrc 0x20000 0x1300 0x2000 3.03 1b098577b354697ef811f314984b5533

( 10 imports )
> WININET.dll: InternetCloseHandle, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetOpenA, InternetConnectA, InternetReadFile
> VERSION.dll: GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoA
> KERNEL32.dll: lstrcmpiA, GetTickCount, lstrcatA, GetPrivateProfileSectionNamesA, OutputDebugStringA, lstrcmpA, DeleteFileA, CreateEventA, InitializeCriticalSection, LeaveCriticalSection, SetEvent, EnterCriticalSection, WaitForSingleObject, GetLastError, Sleep, CloseHandle, FreeLibrary, GetProcAddress, LoadLibraryA, DeleteCriticalSection, GetLocalTime, WriteFile, SetFilePointer, CreateFileA, SetFileAttributesA, ReadFile, GetFileSize, CreateDirectoryA, CopyFileA, RemoveDirectoryA, FindClose, FindNextFileA, FindFirstFileA, GetModuleHandleA, lstrcpynA, GetPrivateProfileStringA, GetWindowsDirectoryA, UnmapViewOfFile, MapViewOfFile, OpenFileMappingA, MoveFileA, GetCurrentProcessId, SetPriorityClass, SetThreadPriority, DuplicateHandle, GetCurrentThread, GetCurrentProcess, GetCommandLineA, GetSystemTimeAsFileTime, CompareStringA, GetPrivateProfileIntA, WritePrivateProfileStringA, GetStdHandle, OpenProcess, SystemTimeToFileTime, FileTimeToSystemTime, WritePrivateProfileSectionA, GetSystemDirectoryA, GetExitCodeProcess, CreateProcessA, SetCurrentDirectoryA, GetCurrentDirectoryA, GetACP, GetOEMCP, GetUserDefaultLangID, GetShortPathNameA, MoveFileExA, GetFullPathNameA, CreateMutexA, ReleaseMutex, GetVersionExA, SetFileTime, LocalFileTimeToFileTime, GetFileAttributesA, CreateFileMappingA, GetSystemInfo, GlobalMemoryStatus, lstrcpyA, lstrlenA, GetFileTime, DosDateTimeToFileTime, GetStartupInfoA
> USER32.dll: GetDC, CreateWindowExA, TranslateMessage, wsprintfA, MessageBoxA, PostMessageA, IsWindow, DispatchMessageA, ReleaseDC, GetSystemMetrics, ExitWindowsEx, CharLowerA, SendMessageA, DefWindowProcA, PostQuitMessage, RegisterClassA, GetMessageA
> GDI32.dll: GetDeviceCaps
> ADVAPI32.dll: RegQueryValueExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegCreateKeyExA, GetUserNameA, RegCloseKey
> SHELL32.dll: FindExecutableA, ShellExecuteExA
> ole32.dll: CoCreateGuid, CoInitialize, CoUninitialize
> WSOCK32.dll: -, -, -, -, -
> MSVCRT.dll: __set_app_type, __p__fmode, __getmainargs, __p___argc, __p___argv, _beginthreadex, _except_handler3, strrchr, sscanf, strtok, memcpy, strstr, memset, __2@YAPAXI@Z, __3@YAXPAX@Z, strcmp, atoi, _adjust_fdiv, __setusermatherr, _initterm, malloc, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, strncmp, free, sprintf, __p__commode, strchr, _controlfp
 
19checco80
Newbie

Posts: 4
Joined: 17/04/09 21:01
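The report just posted is the old text form of a VirusTotal result, and the useful parts for triage are spread over it: the declared detection ratio, which engines flagged the file and with what name, the file hashes (the SHA256 is what you compare against a hash computed locally, to be sure the file on disk is the one that was scanned), the packer hint from PEiD, and the import table. The parser below is an added example, not part of the thread or of VirusTotal: it pulls those fields out and tags the imported APIs with coarse capability labels (network access, process launch, privilege adjustment, registry writes, file writes and deletes, system shutdown). The report embedded here is a shortened excerpt of the one above, with its Italian labels left as printed; the capability mapping is this example's own choice.

```python
import re

# Shortened excerpt of the VirusTotal text report posted above (constructed subset)
SAMPLE_REPORT = """\
File wcmdmgr_exe_1043.mem ricevuto il 2009.02.14 15:14:16 (CET)
Stato corrente: finito

Risultato: 2/39 (5.13%)
Antivirus Versione Ultimo aggiornamento Risultato
a-squared 4.0.0.93 2009.02.14 AdWare.WildTangent!IK
AhnLab-V3 5.0.0.2 2009.02.13 -
AVG 8.0.0.237 2009.02.14 -
Ikarus T3.1.1.45.0 2009.02.14 AdWare.WildTangent
Kaspersky 7.0.0.125 2009.02.14 -
Prevx1 V2 2009.02.14 -
Informazioni addizionali
Tamano archivo: 131072 bytes
MD5...: 81b5da6c335dd951d1f0f12192b4b419
SHA1..: 26d23b5aa1319e7694f6ce8dfa32d5be0b049ab0
SHA256: 0bec6079b5e0a97d1aa5af37eb0c18fa9bbc01b010612f46f1672f09bc101b44
PEiD..: Armadillo v1.71
( 5 imports )
> WININET.dll: InternetCloseHandle, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetOpenA, InternetConnectA, InternetReadFile
> KERNEL32.dll: DeleteFileA, CreateFileA, WriteFile, CopyFileA, CreateProcessA, CreateMutexA, GetVersionExA
> USER32.dll: MessageBoxA, ExitWindowsEx, RegisterClassA
> ADVAPI32.dll: RegQueryValueExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegDeleteValueA, RegSetValueExA, RegCreateKeyExA, RegDeleteKeyA, GetUserNameA
> SHELL32.dll: FindExecutableA, ShellExecuteExA
"""

DECLARED_RE = re.compile(r"^Risultato:\s*(\d+)/(\d+)")
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")  # name version date verdict
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)$")
PACKER_RE = re.compile(r"^PEiD\.*:\s*(.+)$")
IMPORT_RE = re.compile(r"^> (\S+): (.+)$")

# Coarse capability tags for imported Win32 APIs (this example's own mapping)
CAPABILITIES = {
    "network": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                "HttpSendRequestA", "InternetReadFile"},
    "process_launch": {"CreateProcessA", "ShellExecuteExA"},
    "privilege_adjust": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "registry_write": {"RegSetValueExA", "RegCreateKeyExA", "RegDeleteValueA", "RegDeleteKeyA"},
    "file_write": {"CreateFileA", "WriteFile", "CopyFileA", "MoveFileA"},
    "file_delete": {"DeleteFileA", "RemoveDirectoryA"},
    "system_shutdown": {"ExitWindowsEx"},
}


def parse_report(text):
    """Extract ratio, detections, hashes, packer hint, imports and capability tags."""
    result = {"declared": None, "detections": [], "engines_in_excerpt": 0,
              "hashes": {}, "packer": None, "imports": {}, "capabilities": {}}
    for line in text.splitlines():
        line = line.strip()
        m = DECLARED_RE.match(line)
        if m:
            result["declared"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = ENGINE_RE.match(line)
        if m:
            result["engines_in_excerpt"] += 1
            verdict = m.group(4).strip()
            if verdict != "-":  # "-" means the engine reported nothing
                result["detections"].append((m.group(1), verdict))
            continue
        m = HASH_RE.match(line)
        if m:
            result["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = PACKER_RE.match(line)
        if m:
            result["packer"] = m.group(1)
            continue
        m = IMPORT_RE.match(line)
        if m:
            apis = [a.strip() for a in m.group(2).split(",") if a.strip() != "-"]
            result["imports"][m.group(1)] = apis
    all_apis = {a for apis in result["imports"].values() for a in apis}
    for cap, names in CAPABILITIES.items():
        hit = sorted(all_apis & names)
        if hit:
            result["capabilities"][cap] = hit
    return result


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print("declared ratio:", r["declared"], "| detections:", r["detections"])
    print("sha256:", r["hashes"].get("SHA256"), "| packer:", r["packer"])
    for cap, apis in r["capabilities"].items():
        print(f"  {cap}: {', '.join(apis)}")
```

Capability tags describe what the binary could do, which is all the import table can tell you; an updater that downloads and replaces files legitimately imports the same network and file APIs, so they complement the engine verdicts and the file's location rather than replacing that judgement.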

Re: Strange files in the Documents and Settings folder

Post by 19checco80 » 19/04/09 23:55

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.54.54, on 20/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Programmi\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE
C:\Programmi\TurboNote\tbnote.exe
C:\Programmi\DigitalPeers\CamTrack\camtrack.exe
C:\Programmi\vghd\vghd.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\vghd\VirtuaGirl_downloader.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\LogMeIn\x86\RaMaint.exe
C:\Programmi\LogMeIn\x86\LogMeIn.exe
C:\Programmi\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Avant Browser\avant.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ig
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmi\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Programmi\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Programmi\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus S20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE /FU "C:\DOCUME~1\Checco\IMPOST~1\Temp\E_S10.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Startup: CamTrack.lnk = C:\Programmi\DigitalPeers\CamTrack\camtrack.exe
O4 - Startup: DesktopVideoPlayer.LNK = C:\Programmi\vghd\vghd.exe
O4 - Global Startup: TurboNote.lnk = C:\Programmi\TurboNote\tbnote.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234433617515
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8804 bytes
19checco80
Newbie

Posts: 4
Joined: 17/04/09 21:01

Re: Strange files in the Documents and Settings folder

Post by Frate Aurelio » 22/04/09 00:24

@19checco80
Hi, and sorry for the late reply.
Leave the file C:\WINDOWS\wt\updater\wcmdmgr.exe alone. The positive result from the Virustotal scan is practically insignificant, also considering that it is located in the correct folders.

The log is fine.
However, do run:

Download MalwareBytes
http://www.download.com/Malwarebytes-An ... d=10997763
● update it
Important:
if it cannot be updated:
● Download the Database Update (mbam-rules.exe) from:
http://www.gt500.org/malwarebytes/database.jsp
- click the downloaded program
- run a full scan.
Important:
When the scan finishes, click the button:
- Show Results:
- Select all the infected files found, if any, and delete them.
- Post in the topic the end-of-scan log it creates, following the procedure:
viewtopic.php?f=4&t=79679

As for the folders, we'll decide after running a few procedures.

Frate Aurelio
:oops:
Ora et Labora
Frate Aurelio
Moderator

Posts: 251
Joined: 16/01/09 00:01
