Le085 Posted March 24, 2010

These days I'm fighting a rather unwelcome guest. Not that it has done much damage, but since this is the PC I work on at the university I have absolutely no intention of risking losing anything, or of spreading the infection. The virus in question was in a keygen that I was forced to use even though Antivir had flagged it as suspicious. McAfee, which is installed on all the university PCs, didn't seem to care about what was inside. And the keygen, although it worked, brought me some nice guests that settled into the c:\temp folder, launching several copies and several processes (including Vg1.exe, Vg2.exe, Vzorua.exe, Vzoruc.exe, Vzoruc.exe and others I don't remember). I deleted a bunch of stuff and a few registry keys by hand, and since McAfee seemed completely powerless I installed Avast (without being able to remove McAfee, though, because I am an administrator user but evidently not with full powers, since for example I can't get into Safe Mode on Windows XP). After some tinkering I think I've cleaned everything up. Except that today Firefox and Explorer wouldn't open any more (they closed automatically after a few seconds).

I rebooted and now they work, but I'd like to be sure I've cleaned the system (and uninstall Avast if need be). I'm posting a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 13:53:22, on 24.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hfcc_autodock_6.11_windows_intelx86
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.06_windows_intelx86
C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eif.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 91.121.140.213 thepiratebay.org
O1 - Hosts: 91.121.140.213 www.thepiratebay.org
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "c:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\leonardo.angelini\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: SDK Tray Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eia-fr.ch/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246631358958
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246884607997
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O17 - HKLM\Software\..\Telephony: DomainName = sofr.hefr.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Service McAfee Framework (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

-- End of file - 13917 bytes

Those two Pirate Bay hosts entries I removed with HijackThis.... I think they were a leftover from the keygen.

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe

This one is a pre-existing program. I think it's installed on all the university PCs; evidently it's there to keep an eye on us. Do you see anything else disturbing?
megthebest Posted March 24, 2010

This one?

c:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

??

O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: SDK Tray Menu.lnk = ?
Le085 Posted March 24, 2010 (Author)

The first one is from the Logitech webcam, it's OK. The other one should be Windows stuff... am I wrong?
megthebest Posted March 24, 2010

I've never seen all that stuff on XP.. that said, it's at the university, so there may well be various services and applications I'm not aware of..
Totocellux Posted March 24, 2010

Le0, the fact that you couldn't uninstall McAfee, and the impossibility of getting into Safe Mode, were certainly the virus's doing. Unfortunately it's quite tough to eradicate completely. That NOTEPAD.exe in the C:\Windows\System32 folder is certainly still it: the real Notepad.exe can be found in the C:\Windows folder. Delete it, and immediately afterwards do a hardware reset (with the little button). When you get back into Windows, search the registry for notepad.exe and delete every reference coming from system32.
Le085 Posted March 24, 2010 (Author)

> Le0, the fact that you couldn't uninstall McAfee, and the impossibility of getting into Safe Mode, were certainly the virus's doing. Unfortunately it's quite tough to eradicate completely. That NOTEPAD.exe in the C:\Windows\System32 folder is certainly still it: the real Notepad.exe can be found in the C:\Windows folder. Delete it, and immediately afterwards do a hardware reset (with the little button). When you get back into Windows, search the registry for notepad.exe and delete every reference coming from system32.

I don't think it's worth suspecting. The file shows no recent modifications, and it's identical to the one in c:\windows (checked with a hex editor). I checked on my colleague's machine and he has it in system32 too. Evidently they have a customised copy of XP here (it doesn't run too badly, all things considered). Now I'm going to a fairly clean PC and I'll post a log from there.
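An added triage script for the kind of log posted above (example code written for this thread, not HijackThis's or the forum's own): it parses the Rn/On entries, flags hosts-file overrides and autostart binaries living in a temp directory, and does the notepad.exe comparison from the post above by SHA-256 instead of a hex editor. The sample log is constructed from lines in this thread plus one hypothetical O4 entry standing in for the c:\temp dropper; compare_files takes whatever two paths you give it.

```python
"""HijackThis log triage: parse entries, flag the ones worth a second look,
and compare two copies of a file by hash (the C:\\Windows vs C:\\Windows\\system32
notepad.exe question from the thread).  Example code, not HijackThis's own."""
import hashlib
import re
from pathlib import Path

# Constructed sample: lines taken from the first log in this thread, plus one
# hypothetical O4 entry (the [Vzorua] Run key) standing in for the c:\temp dropper
# the poster removed by hand.  Backslashes are doubled because this is a Python string.
SAMPLE_LOG = """\
O1 - Hosts: 91.121.140.213 thepiratebay.org
O1 - Hosts: 91.121.140.213 www.thepiratebay.org
O4 - HKLM\\..\\Run: [igfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKCU\\..\\Run: [Vzorua] C:\\temp\\Vzorua.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\\Program Files\\OCS Inventory Agent\\ocsservice.exe
-- End of file - 7454 bytes
"""

# Every HijackThis entry starts with a section code (R0, R1, O1 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First Windows path in an entry body; %ProgramFiles%-style prefixes count too.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|vbs|cpl|sys)', re.IGNORECASE)
# Directories an autostart binary or service has no business living in.
SUSPECT_DIRS = ("c:\\temp\\", "\\windows\\temp\\", "\\local settings\\temp\\")


def parse_hjt(text):
    """Return [(section, body)] for each entry line; headers and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def binary_path(body):
    """The executable/DLL path referenced by an entry, or None (URLs do not match)."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def flag_entries(entries):
    """Return [(section, body, reason)] for entries a reviewer should look at first."""
    flagged = []
    for section, body in entries:
        if section == "O1":
            # Any hosts-file line overrides DNS for that name; in the thread these
            # two lines were left behind by the keygen and removed with HijackThis.
            flagged.append((section, body, "hosts file override"))
            continue
        path = binary_path(body)
        if path and any(d in path.lower() for d in SUSPECT_DIRS):
            flagged.append((section, body, "autostart binary in a temp directory"))
    return flagged


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def compare_files(path_a, path_b):
    """Hash two files, e.g. C:\\Windows\\notepad.exe and C:\\Windows\\system32\\notepad.exe.
    Identical hashes mean identical bytes, the same result the hex-editor check gave."""
    a, b = Path(path_a).read_bytes(), Path(path_b).read_bytes()
    return {"sha256_a": sha256_of(a), "sha256_b": sha256_of(b), "identical": a == b}


if __name__ == "__main__":
    for section, body, reason in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {section} - {body}")
```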
Le085 Posted March 24, 2010 (Author)

Here it is from the other PC, which is almost never used by anyone:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06:08, on 24.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\leonardo.angelini\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eif.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eia-fr.ch/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246631358958
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258121167406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O17 - HKLM\Software\..\Telephony: DomainName = sofr.hefr.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{27D1FE75-C3D6-4FB7-A0EE-0CF42B673208}: NameServer = 160.98.2.11,160.98.2.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sofr.hefr.lan
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Service McAfee Framework (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

-- End of file - 7454 bytes

I also tried Safe Mode over there, but it won't let me log in there either (that is, maybe I explained myself badly: the system does boot into Safe Mode, but it won't let me log in with my account. That's not something to attribute to a virus).
Totocellux Posted March 24, 2010

So if your account doesn't work in Safe Mode, in normal mode you must be logged on to the internal domain, correct?! As for notepad, it's also possible that with SP3, or following some patch, Microsoft decided to put it there too...... although that makes little sense. As for removing McAfee, try this tool, which in theory should remove up to the 2009 version.
Le085 Posted March 24, 2010 (Author)

Yes, I'm logged on with an internal domain (at least I think so). I think I'll keep McAfee (even though I've realised it's pretty crap) and remove Avast; maybe I'll keep it a few more days in case I run into problems... just because McAfee is what they use on all the PCs and they have the licence for it... but maybe I wouldn't do much harm by removing it from the PC.
SACD Posted March 24, 2010

Install Kaspersky; if it doesn't conflict with what you have, you can use it for 30 days with no limitations.
MM Posted March 25, 2010

Apart from the fact that you can have the HijackThis log analysed directly on the site, and the infected or doubtful processes are flagged for you: HijackThis Logfileauswertung (copy > paste). In any case you can also download the Kaspersky Rescue Disk, which is an ISO to burn, to boot the PC from CD. If, as I imagine, the PC is on the network, as soon as the Linux distro has loaded you'll be told the database is old and you can update the antivirus (wired network, not wireless). Unfortunately it's rather slow, but if there's something there it will find it for sure.