Processo ophii.exe

[Dj Nico]

Salve ho un problema con il mio portatile hp con Win XP Home Edition. Ho notato con il Task Manager che un processo chiamato ophii.exe mi sovraccarica tantissimo la CPu rallentando notevolmente il pc....

Questo è il mio log di HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.01.28, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\PCMAMM~1\IMPOST~1\Temp\Rar$EX00.937\Hi jackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmi\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugi n.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmi\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Programmi\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Programmi\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmi\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\PC mamma\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ophii] "c:\documents and settings\pc mamma\impostazioni locali\dati applicazioni\ophii.exe" ophii
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197923644995
O20 - Winlogon Notify: OneCard - C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7398 bytes

Ho fatto l'analisi con il sito del programma e sono venuti fuori un pò di file sospetti, però prima di cancellarli vorrei la vostra conferma

[Dj Nico]

Nessuno???

[darksoullight88]

ciao
fixa queste voci

codice:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

al termine scansiona su virustotal.com il file

codice:

c:\documents and settings\pc mamma\impostazioni locali\dati applicazioni\ophii.exe

cosa ti trova?

[Dj Nico]

Antivirus Versione Ultimo aggiornamento Risultato
a-squared 4.5.0.43 2009.12.10 Trojan-Downloader.Swizzor!IK
AhnLab-V3 5.0.0.2 2009.12.10 -
AntiVir 7.9.1.108 2009.12.10 -
Antiy-AVL 2.0.3.7 2009.12.10 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.10 -
AVG 8.5.0.426 2009.12.10 -
BitDefender 7.2 2009.12.10 Gen:Adware.Heur.smW@FgqSnxiid
CAT-QuickHeal 10.00 2009.12.10 -
ClamAV 0.94.1 2009.12.10 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.10 -
eSafe 7.0.17.0 2009.12.10 -
eTrust-Vet 35.1.7168 2009.12.10 -
F-Prot 4.5.1.85 2009.12.10 -
F-Secure 9.0.15370.0 2009.12.10 -
Fortinet 4.0.14.0 2009.12.10 -
GData 19 2009.12.10 Gen:Adware.Heur.smW@FgqSnxiid
Ikarus T3.1.1.74.0 2009.12.10 Trojan-Downloader.Swizzor
Jiangmin 13.0.900 2009.12.10 -
K7AntiVirus 7.10.917 2009.12.10 -
Kaspersky 7.0.0.125 2009.12.10 -
McAfee 5828 2009.12.10 -
McAfee+Artemis 5828 2009.12.10 -
McAfee-GW-Edition 6.8.5 2009.12.10 -
Microsoft 1.5302 2009.12.10 -
NOD32 4676 2009.12.10 -
Norman 6.04.03 2009.12.10 -
nProtect 2009.1.8.0 2009.12.10 -
Panda 10.0.2.2 2009.12.10 -
PCTools 7.0.3.5 2009.12.10 -
Prevx 3.0 2009.12.10 -
Rising 22.25.03.09 2009.12.10 -
Sophos 4.48.0 2009.12.10 -
Sunbelt 3.2.1858.2 2009.12.10 -
Symantec 1.4.4.12 2009.12.10 -
TheHacker 6.5.0.2.089 2009.12.10 -
TrendMicro 9.100.0.1001 2009.12.10 -
VBA32 3.12.12.0 2009.12.10 -
ViRobot 2009.12.10.2081 2009.12.10 -
VirusBuster 5.0.21.0 2009.12.09 -
Informazioni addizionali
File size: 307200 bytes
MD5...: bcf60997188637b3a809473a0999eada
SHA1..: 6afc2a145454a94f20de5a876a14eb0a46c65f9e
SHA256: 6e11933d516b84a62e811fbaa2f84dbc71c8629201d3f3a2b1 9850507a176d10
ssdeep: 6144:7r4eXvCBwnQOOtxylFfxF+KyGHFX7iw93FX2SrXIpV8lV NUSZygGaS:/4Ym
wnLgyHpgGh7J3X2STIpVuvya
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3320
timedatestamp.....: 0x424f72bf (Sun Apr 03 04:36:15 2005)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x252c 0x3000 5.27 e731313734a8042ad66770554e2b92b5
.data 0x4000 0x4527e 0x46000 7.02 df85b7f60aa0f3f6e78cff2d808e23db
.rsrc 0x4a000 0xa08 0x1000 2.34 8f330b99e379be8ccc1efee258d449d3

( 2 imports )
> KERNEL32.dll: LoadLibraryExA, WriteConsoleW, GetACP, VirtualAlloc, LeaveCriticalSection, GetModuleFileNameA, GetVersionExA, GetFileType, HeapDestroy, GetCurrentProcess, DeleteFileA, GetConsoleMode, GetModuleHandleA, GetCurrentProcessId, GetLocaleInfoA, InterlockedDecrement, GetConsoleOutputCP, GetStdHandle, HeapFree, lstrlenA, GetLastError, GetVersion, GetTickCount, GetCurrentThread, GetCurrentThreadId, GetCommandLineA, HeapAlloc, GetProcessHeap, GetStartupInfoA
> MSVCRT.dll: _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, __dllonexit, _onexit, _exit, _strcmpi

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Eccolo qua...

Ho visto di quel file, il sito di hijackthis mi dava file sospetto

[darksoullight88]

ok.allora fixa quella voce.
poi scarica ed istalla ccleaner e fai una puliza dei file temporanei,dei cookie e delle vecchie chiavi di registro.

scarica e istalla spybot search & destroy . aggiornalo ed esegui una scansione

scarica e istalla mbam, aggiornalo ed esegui una scansione.

facci sapere come va

[Dj Nico]

Ho fatto la scansione con ccleaner.... Spybot mi ha eliminato un chiave di registro del file ophii che la segnalava come trojan, invece mbam mi ha eliminato questa chiave di registro: HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue)

Ho notato però che il file ophii è ancora presente nel mio computer... inoltre nel sito di Hijackthis mi segnalava anche il file askBar come sospetto.... cosa devo fare adesso??? Ho notato che non viene più caricato come processo però vorrei essere sicuro che si sia sistemato definitivamente

[darksoullight88]

credo tu debba eliminarlo manualmente.
askbar è un file della toolbar ask..l'hai istallata?

[Dj Nico]

No, quindi posso elimiarla???

[darksoullight88]

sì allora sì...
la situazione è mmigliorata?

[Dj Nico]

Ora va benissimo