<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[virus in the keygen]]></title><description><![CDATA[<p>These days I have been fighting a rather unwelcome guest. Not that it has done any great damage, but since this is the PC I work on at the university, I have absolutely no intention of risking losing anything, or of spreading the infection.</p>
<p>The virus in question was in a keygen that I was forced to use even though Antivir flagged it as suspicious. </p>
<p>McAfee, installed on all the university PCs, did not seem to care about what was inside it. And the keygen, although it worked, brought me some nice guests that settled into the c:\temp folder and launched several copies and several processes. (Among them Vg1.exe, Vg2.exe, Vzorua.exe, Vzoruc.exe, Vzoruc.exe and others I don't remember)</p>
<p>I deleted some stuff and a few registry keys by hand, and since McAfee seemed completely powerless I installed avast (without being able to remove McAfee, though, because I am an administrator user but evidently not with full privileges, given that, for example, I cannot log in to Windows XP in safe mode)</p>
<p>After a bit of tinkering I think I have cleaned everything up. Except that today Firefox and Explorer would no longer open (they closed automatically after a few seconds). I rebooted and now they work, but I would like to be sure I have cleaned the system (and then possibly uninstall avast)</p>
<p>I'm posting a HijackThis log:</p>
<pre>Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 13:53:22, on 24.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
C:WINDOWSsystem32spoolsv.exe
c:program filesidtintelxpv_v103wdmSTacSV.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:WINDOWSsystem32igfxpers.exe
C:Program FilesIDTWDMsttray.exe
C:Program FilesLogitechLogitech WebCam SoftwareLWS.exe
C:Program FilesBOINCoincmgr.exe
C:Program FilesBOINCoinctray.exe
C:Program FilesMcAfeeCommon Frameworkudaterui.exe
C:Program FilesJavajre6injusched.exe
C:PROGRA~1ALWILS~1Avast5avastUI.exe
C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
c:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesDAEMON Tools Litedaemon.exe
C:Program FilesVoipStunt.comVoipStuntVoipStunt.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleUpdate1.2.183.23GoogleCrashHandler.exe
C:SunSDKjdkinjavaw.exe
C:Program FilesSkypePlugin ManagerskypePM.exe
C:Program Filescvsntcvsservice.exe
C:Program Filescvsntcvslock.exe
C:Program FilesJavajre6injqs.exe
c:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program FilesOCS Inventory Agentocsservice.exe
C:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32CCMCLICOMPRemCtrlWuser32.exe
C:WINDOWSsystem32CCMCcmExec.exe
C:Program FilesMcAfeeCommon FrameworkMcTray.exe
C:Program FilesBOINCoinc.exe
C:Documents and SettingsAll UsersApplication DataBOINCprojectswww.worldcommunitygrid.orgwcg_hfcc_autodock_6.11_windows_intelx86
C:Program FilesMicrosoft OfficeOffice12WINWORD.EXE
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsAll UsersApplication DataBOINCprojectswww.worldcommunitygrid.orgwcg_hcc1_img_6.06_windows_intelx86
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesMicrosoft Visual Studio 9.0Common7IDEdevenv.exe
C:WINDOWSsystem32	askmgr.exe
C:WINDOWSsystem32msiexec.exe
C:Program FilesTrendMicroHiJackThisHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.eif.ch/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 91.121.140.213 thepiratebay.org
O1 - Hosts: 91.121.140.213 www.thepiratebay.org
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program FilesMicrosoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:Program FilesMcAfeeVirusScan Enterprisescriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6injp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [igfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [sysTrayApp] %ProgramFiles%IDTWDMsttray.exe
O4 - HKLM..Run: [LogitechQuickCamRibbon] "c:Program FilesLogitechLogitech WebCam SoftwareLWS.exe" /hide
O4 - HKLM..Run: [boincmgr] "C:Program FilesBOINCoincmgr.exe" /a /s
O4 - HKLM..Run: [boinctray] "C:Program FilesBOINCoinctray.exe"
O4 - HKLM..Run: [McAfeeUpdaterUI] "C:Program FilesMcAfeeCommon Frameworkudaterui.exe" /StartedFromRunKey
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [Adobe ARM] "C:Program FilesCommon FilesAdobeARM1.0AdobeARM.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [sunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKLM..Run: [avast5] C:PROGRA~1ALWILS~1Avast5avastUI.exe /nogui
O4 - HKLM..Run: [shStatEXE] "C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE" /STANDALONE
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 - HKCU..Run: [DAEMON Tools Lite] "C:Program FilesDAEMON Tools Litedaemon.exe" -autorun
O4 - HKCU..Run: [VoipStunt] "C:Program FilesVoipStunt.comVoipStuntVoipStunt.exe" -nosplash -minimized
O4 - HKCU..Run: [COMMUNICATOR] "C:Program FilesMicrosoft Office CommunicatorCommunicator.exe" /silentRetrials /background
O4 - HKCU..Run: [Google Update] "C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-19..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-20..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'Default user')
O4 - Startup: SDK Tray Menu.lnk = ?
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &amp;Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eia-fr.ch/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246631358958
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246884607997
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSoftware..Telephony: DomainName = sofr.hefr.lan
O17 - HKLMSystemCS1ServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSystemCS2ServicesTcpipParameters: Domain = sofr.hefr.lan
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program FilesMicrosoft OfficeOffice12GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32rowseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32rowseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: CVSNT (CVS) - GNU - C:Program Filescvsntcvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:Program Filescvsntcvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:Program FilesCommon FilesInstallShieldDriver1150Intel 32IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6injqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: Service McAfee Framework (McAfeeFramework) - McAfee, Inc. - C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:Program FilesOCS Inventory Agentocsservice.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:program filesidtintelxpv_v103wdmSTacSV.exe

--
End of file - 13917 bytes</pre>
<div></div>
<p>I deleted those two piratebay hosts with hijack.... I think they were a leftover from the keygen</p>
<p>O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - <a href="http://www.ocsinventory-ng.org">OCS Inventory NG - Welcome to OCS Inventory NG web site !</a> - C:Program FilesOCS Inventory Agentocsservice.exe</p>
<p>This is a pre-existing program. I think it is installed on all the university PCs; evidently it is used to keep us under control <img src="/assets/uploads-legacy/emoticons/asd.gif.50bd87e1bd2fb722ff72ad77f76e268c.gif" alt=":asd:" /></p>
<p>Do you see anything else worrying?</p>
]]></description><link>https://www.xtremehardware.com/forum//topic/13925/virus-nel-keygen</link><generator>RSS for Node</generator><lastBuildDate>Wed, 15 Apr 2026 10:54:18 GMT</lastBuildDate><atom:link href="https://www.xtremehardware.com/forum//topic/13925.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 24 Mar 2010 13:26:47 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to virus in the keygen on Thu, 25 Mar 2010 23:50:55 GMT]]></title><description><![CDATA[<p>Apart from the fact that you can have the HiJack log analyzed directly on the site, which flags the infected or dubious processes for you</p>
<p><a href="http://www.hijackthis.de/index.php">HijackThis Logfileauswertung</a> (copy &gt; paste)</p>
<p>Anyway, if need be you can download the Kaspersky Rescue Disk, which is an ISO to burn, to boot the PC from CD</p>
<p>If, as I imagine, the PC is on the network, as soon as the Linux distro has loaded you are told that the database is old and you can update the antivirus (wired network, not wireless)</p>
<p>Unfortunately it is rather slow, but if there is something there it will certainly find it <img src="/assets/uploads-legacy/emoticons/wink.png.981122a168c49b836247b5559b1cdcb0.png" alt=";)" /></p>
]]></description><link>https://www.xtremehardware.com/forum//post/197141</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197141</guid><dc:creator><![CDATA[MM]]></dc:creator><pubDate>Thu, 25 Mar 2010 23:50:55 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 18:06:55 GMT]]></title><description><![CDATA[<p>Install Kaspersky; if it does not conflict with what you have, you can use it for 30 days without limitations</p>]]></description><link>https://www.xtremehardware.com/forum//post/197140</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197140</guid><dc:creator><![CDATA[SACD]]></dc:creator><pubDate>Wed, 24 Mar 2010 18:06:55 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 15:32:58 GMT]]></title><description><![CDATA[<p>Yes, I am logged in to an internal domain (at least I think so <img src="/assets/uploads-legacy/emoticons/cheesy.gif.07c2db7a64fea79abc1c760cfe268c62.gif" alt=":D" /> ) </p>
<p>I think I'll leave McAfee (even though I've realized it's pretty crap) and remove avast; maybe I'll keep it a few more days in case I have problems...</p>
<p>just because it's what they use on all the PCs and they have the license for it... but maybe I wouldn't do much harm by removing it from my PC <img src="/assets/uploads-legacy/emoticons/muro.gif.6709e291b079e93924b744bfde44f3a4.gif" alt=":muro:" /></p>
]]></description><link>https://www.xtremehardware.com/forum//post/197139</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197139</guid><dc:creator><![CDATA[Le085]]></dc:creator><pubDate>Wed, 24 Mar 2010 15:32:58 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 15:22:17 GMT]]></title><description><![CDATA[<p>So if your account doesn't work in safe mode, in normal mode you should be logged in to the internal domain, correct?! </p>
<p>As for Notepad, it is also possible that with SP3 or following some patch, Microsoft decided to put it there too ...... although this makes little sense. </p>
<p>As for removing McAfee, try <a href="http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html"><span style="text-decoration:underline"><strong>this tool</strong></span></a>, which in theory should remove up to the 2009 version <img src="/assets/uploads-legacy/emoticons/smiley.gif.f48988bc9f0a933ee8c95d6f744c3df1.gif" alt=":)" /></p>
]]></description><link>https://www.xtremehardware.com/forum//post/197138</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197138</guid><dc:creator><![CDATA[Totocellux]]></dc:creator><pubDate>Wed, 24 Mar 2010 15:22:17 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 15:07:36 GMT]]></title><description><![CDATA[<p>Here it is from the other PC: hardly ever used by anyone</p>
<pre>Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06:08, on 24.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
c:program filesidtintelxpv_v103wdmSTacSV.exe
C:Program FilesJavajre6injqs.exe
C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program FilesOCS Inventory Agentocsservice.exe
C:WINDOWSsystem32CCMCLICOMPRemCtrlWuser32.exe
C:WINDOWSsystem32CCMCcmExec.exe
C:WINDOWSsystem32wuauclt.exe
C:WINDOWSsystem32msiexec.exe
C:WINDOWSExplorer.EXE
C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:WINDOWSsystem32igfxpers.exe
C:Program FilesIDTWDMsttray.exe
C:Program FilesJavajre6injusched.exe
C:Program FilesMcAfeeCommon Frameworkudaterui.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMcAfeeCommon FrameworkMcTray.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and Settingsleonardo.angeliniMy DocumentsDownloadsHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.eif.ch/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program FilesMicrosoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:Program FilesMcAfeeVirusScan Enterprisescriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6injp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [shStatEXE] "C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE" /STANDALONE
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [igfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [sysTrayApp] %ProgramFiles%IDTWDMsttray.exe
O4 - HKLM..Run: [sunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKLM..Run: [McAfeeUpdaterUI] "C:Program FilesMcAfeeCommon Frameworkudaterui.exe" /StartedFromRunKey
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-19..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-20..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &amp;Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eia-fr.ch/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246631358958
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258121167406
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSoftware..Telephony: DomainName = sofr.hefr.lan
O17 - HKLMSystemCCSServicesTcpip..{27D1FE75-C3D6-4FB7-A0EE-0CF42B673208}: NameServer = 160.98.2.11,160.98.2.12
O17 - HKLMSystemCS1ServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSystemCS2ServicesTcpipParameters: Domain = sofr.hefr.lan
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program FilesMicrosoft OfficeOffice12GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6injqs.exe
O23 - Service: Service McAfee Framework (McAfeeFramework) - McAfee, Inc. - C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:Program FilesOCS Inventory Agentocsservice.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:program filesidtintelxpv_v103wdmSTacSV.exe

--
End of file - 7454 bytes</pre>
<div></div>
<p>I also tried safe mode over there, but it won't let me log in there either (that is, maybe I explained myself badly: the system starts in safe mode, but it won't let me log in with my account. This is not attributable to a virus)</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197137</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197137</guid><dc:creator><![CDATA[Le085]]></dc:creator><pubDate>Wed, 24 Mar 2010 15:07:36 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 15:01:49 GMT]]></title><description><![CDATA[<blockquote>
<p><strong>Totocellux wrote:</strong></p>
<div>Le0, the fact that you could not uninstall <strong>McAfee</strong> and the inability to log in via <em><strong>safe mode</strong></em> was certainly the work of the virus. <p>Unfortunately it is rather tough to eradicate completely. </p>
<p>That <strong>NOTEPAD.exe</strong> in the <em><strong>C:\Windows\System32</strong></em> folder is certainly still it: you can find the real <strong>Notepad.exe</strong> in the <em><strong>C:\Windows</strong></em> folder. </p>
<p>Delete it, and immediately afterwards do a hardware reset (with the little button). </p>
<p>Once back in Windows, search the registry for <em><strong>notepad.exe</strong></em> and delete every reference coming from <em><strong>system32</strong></em>.</p>
</div>
</blockquote>
<p>I don't think it is worth suspecting.</p>
<p>The file shows no recent modifications, and it is identical to the one in c:\windows (checked with a hex editor)</p>
<p>I checked on my colleague's PC and he has it in system32 as well</p>
<p>Evidently they have a reworked copy of XP here (it doesn't even run too badly <img src="/assets/uploads-legacy/emoticons/smiley.gif.f48988bc9f0a933ee8c95d6f744c3df1.gif" alt=":)" /> all in all)</p>
<p>Now I'll go to a fairly clean PC and post a log from there</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197136</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197136</guid><dc:creator><![CDATA[Le085]]></dc:creator><pubDate>Wed, 24 Mar 2010 15:01:49 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 14:49:02 GMT]]></title><description><![CDATA[<p>Le0, the fact that you could not uninstall <strong>McAfee</strong> and the inability to log in via <em><strong>safe mode</strong></em> was certainly the work of the virus. </p>
<p>Unfortunately it is rather tough to eradicate completely. </p>
<p>That <strong>NOTEPAD.exe</strong> in the <em><strong>C:\Windows\System32</strong></em> folder is certainly still it: you can find the real <strong>Notepad.exe</strong> in the <em><strong>C:\Windows</strong></em> folder. </p>
<p>Delete it, and immediately afterwards do a hardware reset (with the little button). </p>
<p>Once back in Windows, search the registry for <em><strong>notepad.exe</strong></em> and delete every reference coming from <em><strong>system32</strong></em>.</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197135</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197135</guid><dc:creator><![CDATA[Totocellux]]></dc:creator><pubDate>Wed, 24 Mar 2010 14:49:02 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 14:38:11 GMT]]></title><description><![CDATA[<p>I have never seen all that stuff on XP..</p>
<p>That said, it is at the university, so there may well be various services and applications I don't know about..</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197134</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197134</guid><dc:creator><![CDATA[megthebest]]></dc:creator><pubDate>Wed, 24 Mar 2010 14:38:11 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 14:17:09 GMT]]></title><description><![CDATA[<p>The first one belongs to the Logitech webcam, it's OK <img src="/assets/uploads-legacy/emoticons/wink.png.981122a168c49b836247b5559b1cdcb0.png" alt=";)" /></p>
<p>The other should be Windows stuff... am I wrong?</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197133</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197133</guid><dc:creator><![CDATA[Le085]]></dc:creator><pubDate>Wed, 24 Mar 2010 14:17:09 GMT</pubDate></item><item><title><![CDATA[Reply to virus in the keygen on Wed, 24 Mar 2010 13:52:53 GMT]]></title><description><![CDATA[<p>This one?</p>
<p>c:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe </p>
<p>??</p>
<p>O4 - HKUSS-1-5-19..RunOnce: [TSClientMSIUninstaller] cmd.exe /C  "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User  'SERVICE LOCAL') O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE  (User 'SERVICE RÉSEAU') O4 - HKUSS-1-5-20..RunOnce: [TSClientMSIUninstaller] cmd.exe /C  "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User  'SERVICE RÉSEAU') O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE  (User 'SYSTEM') O4 - HKUSS-1-5-18..RunOnce: [TSClientMSIUninstaller] cmd.exe /C  "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User  'SYSTEM') O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE  (User 'Default user') O4 - HKUS.DEFAULT..RunOnce: [TSClientMSIUninstaller] cmd.exe /C  "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User  'Default user') O4 - Startup: SDK Tray Menu.lnk = ?</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197132</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197132</guid><dc:creator><![CDATA[megthebest]]></dc:creator><pubDate>Wed, 24 Mar 2010 13:52:53 GMT</pubDate></item><item><title><![CDATA[Reply to virus nel keygen on Wed, 24 Mar 2010 13:26:47 GMT]]></title><description><![CDATA[<p>These days I'm fighting a rather unwelcome guest; not that it has done any great damage, but since this is the PC I work on at the university I have absolutely no intention of risking losing anything, or of spreading the infection.</p>
<p>The virus in question was in a keygen that I was forced to use even though AntiVir had flagged it as suspicious. </p>
<p>McAfee, installed on all the university PCs, didn't seem to care about what was inside it. And the keygen, although it worked, brought me a few nice guests that settled in the c:\temp folder, launching several copies and several processes. (Among them Vg1.exe, Vg2.exe, Vzorua.exe, Vzoruc.exe, Vzoruc.exe and others I don't remember)</p>
<p>I deleted some stuff and a few registry keys by hand, and since McAfee seemed completely powerless I installed avast (without being able to remove McAfee, though, because I am an administrator user but evidently not one with full privileges, given that, for example, I can't boot Windows XP into safe mode)</p>
<p>After some tinkering it seems to me that I've cleaned everything up. Only today Firefox and Explorer wouldn't open any more (they closed automatically after a few seconds). I rebooted and now they work, but I'd like to be sure I've cleaned the system (and uninstall avast if need be)</p>
<p>I'm posting a HijackThis log:</p>
<pre>Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 13:53:22, on 24.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
C:WINDOWSsystem32spoolsv.exe
c:program filesidtintelxpv_v103wdmSTacSV.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:WINDOWSsystem32igfxpers.exe
C:Program FilesIDTWDMsttray.exe
C:Program FilesLogitechLogitech WebCam SoftwareLWS.exe
C:Program FilesBOINCoincmgr.exe
C:Program FilesBOINCoinctray.exe
C:Program FilesMcAfeeCommon Frameworkudaterui.exe
C:Program FilesJavajre6injusched.exe
C:PROGRA~1ALWILS~1Avast5avastUI.exe
C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
c:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesDAEMON Tools Litedaemon.exe
C:Program FilesVoipStunt.comVoipStuntVoipStunt.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleUpdate1.2.183.23GoogleCrashHandler.exe
C:SunSDKjdkinjavaw.exe
C:Program FilesSkypePlugin ManagerskypePM.exe
C:Program Filescvsntcvsservice.exe
C:Program Filescvsntcvslock.exe
C:Program FilesJavajre6injqs.exe
c:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program FilesOCS Inventory Agentocsservice.exe
C:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32CCMCLICOMPRemCtrlWuser32.exe
C:WINDOWSsystem32CCMCcmExec.exe
C:Program FilesMcAfeeCommon FrameworkMcTray.exe
C:Program FilesBOINCoinc.exe
C:Documents and SettingsAll UsersApplication DataBOINCprojectswww.worldcommunitygrid.orgwcg_hfcc_autodock_6.11_windows_intelx86
C:Program FilesMicrosoft OfficeOffice12WINWORD.EXE
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsAll UsersApplication DataBOINCprojectswww.worldcommunitygrid.orgwcg_hcc1_img_6.06_windows_intelx86
C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesMicrosoft Visual Studio 9.0Common7IDEdevenv.exe
C:WINDOWSsystem32	askmgr.exe
C:WINDOWSsystem32msiexec.exe
C:Program FilesTrendMicroHiJackThisHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.eif.ch/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 91.121.140.213 thepiratebay.org
O1 - Hosts: 91.121.140.213 www.thepiratebay.org
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program FilesMicrosoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:Program FilesMcAfeeVirusScan Enterprisescriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6injp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [igfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [sysTrayApp] %ProgramFiles%IDTWDMsttray.exe
O4 - HKLM..Run: [LogitechQuickCamRibbon] "c:Program FilesLogitechLogitech WebCam SoftwareLWS.exe" /hide
O4 - HKLM..Run: [boincmgr] "C:Program FilesBOINCoincmgr.exe" /a /s
O4 - HKLM..Run: [boinctray] "C:Program FilesBOINCoinctray.exe"
O4 - HKLM..Run: [McAfeeUpdaterUI] "C:Program FilesMcAfeeCommon Frameworkudaterui.exe" /StartedFromRunKey
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [Adobe ARM] "C:Program FilesCommon FilesAdobeARM1.0AdobeARM.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [sunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKLM..Run: [avast5] C:PROGRA~1ALWILS~1Avast5avastUI.exe /nogui
O4 - HKLM..Run: [shStatEXE] "C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE" /STANDALONE
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 - HKCU..Run: [DAEMON Tools Lite] "C:Program FilesDAEMON Tools Litedaemon.exe" -autorun
O4 - HKCU..Run: [VoipStunt] "C:Program FilesVoipStunt.comVoipStuntVoipStunt.exe" -nosplash -minimized
O4 - HKCU..Run: [COMMUNICATOR] "C:Program FilesMicrosoft Office CommunicatorCommunicator.exe" /silentRetrials /background
O4 - HKCU..Run: [Google Update] "C:Documents and Settingsleonardo.angeliniLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-19..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-20..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTrans	scuinst.vbs" (User 'Default user')
O4 - Startup: SDK Tray Menu.lnk = ?
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &amp;Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eia-fr.ch/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246631358958
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246884607997
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSoftware..Telephony: DomainName = sofr.hefr.lan
O17 - HKLMSystemCS1ServicesTcpipParameters: Domain = sofr.hefr.lan
O17 - HKLMSystemCS2ServicesTcpipParameters: Domain = sofr.hefr.lan
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program FilesMicrosoft OfficeOffice12GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32rowseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32rowseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: CVSNT (CVS) - GNU - C:Program Filescvsntcvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:Program Filescvsntcvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:Program FilesCommon FilesInstallShieldDriver1150Intel 32IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6injqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: Service McAfee Framework (McAfeeFramework) - McAfee, Inc. - C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:Program FilesOCS Inventory Agentocsservice.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:program filesidtintelxpv_v103wdmSTacSV.exe

--
End of file - 13917 bytes</pre>
<p>I removed those two piratebay hosts entries with HijackThis.... I think they were a leftover from the keygen</p>
<p>O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - <a href="http://www.ocsinventory-ng.org">OCS Inventory NG - Welcome to OCS Inventory NG web site !</a> - C:Program FilesOCS Inventory Agentocsservice.exe</p>
<p>this is a pre-existing program. I think it's installed on all the university PCs; evidently it's there to keep us under control <img src="/assets/uploads-legacy/emoticons/asd.gif.50bd87e1bd2fb722ff72ad77f76e268c.gif" alt=":asd:" /></p>
<p>Do you see anything else worrying?</p>
]]></description><link>https://www.xtremehardware.com/forum//post/197131</link><guid isPermaLink="true">https://www.xtremehardware.com/forum//post/197131</guid><dc:creator><![CDATA[Le085]]></dc:creator><pubDate>Wed, 24 Mar 2010 13:26:47 GMT</pubDate></item></channel></rss>