Ciao, da alcuni giorni mi sono accorto di avere nella cartella temp di windows (2000 sp4) un file impossibile da rimuovere, il cui nome cambia ad ogni avvio. Entrando in modalità provvisoria con prompt dei comandi riesco a rimuovere il file, ma poi questo ricompare all'avvio successivo. L'icona del file rappresenta un simpatico cagnolino
Ho eseguito avast, ad-aware, spybot, CWShredder, Trojan Remover, Stinger ma niente, nessuno di questi è riuscito a dirmi cosa sia quel file...
posto un log di HijackThis, dove in grassetto compare il file anomalo:
codice:Logfile of HijackThis v1.99.1 Scan saved at 11.14.18, on 12/07/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\drivers\CDAC11BA.EXE C:\WINNT\System32\svchost.exe C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\TEMP\WED69D.EXE C:\WINNT\Explorer.EXE C:\WINNT\system32\RunDll32.exe C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe C:\WINNT\system32\wuauclt.exe C:\WINNT\explorer.exe C:\Programmi\Mozilla Firefox\firefox.exe C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.apv/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.msn.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyapv:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.apv;10.*.*.*;<local> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O14 - IERESET.INF: START_PAGE_URL=http://it.msn.com O14 - IERESET.INF: MS_START_PAGE_URL=http://it.msn.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
Rispondi quotando
