S.O. infetto! posto hijackthis.log

**lecceste** · 09-06-2011, 09:11

ciao a tutti il pc sono 2 giorni che fa il pazzo. tutto è cominciato con dei programmi scaricati che eranoo probabilmente deii virus, poi il pc andava in crash (schermata blu con scritte varie), poi oggi all'avvio mi dava solo una finestra "è stata apportata una modifica non autorizzata a windows" e quindi mi potevo solo collegare a internet. Non riuscendo a risolvere ho avviato il pc con F8 "ultima impostazione funzionante". Avast continua ha trovare (ma non ha debellare ". physicaldrive0 mbr tdl4").

grazie in anticipo!

Ecco il file log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8.56.37, on 09/06/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=88888
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PXCIEaddin - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
O2 - BHO: LEC - {4A241D35-F7EB-401b-8C5B-A904A50F280E} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: PDFXChange 4.0 - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: (no name) - {627522C4-DD3F-4577-8EF8-C3305DFA2445} - (no file)
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [{61EA6A5F-E183-3D93-3BDB-0EFFF21513AB}] C:\Users\Lucia\AppData\Roaming\Byci\nuha.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - .DEFAULT User Startup: zaep.exe (User 'Default user')
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Esporta nel DataBank - file://C:\Program Files\Interactive Medicine\exp2db.htm
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Visualizza o nasconde HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8017 bytes

**darkkik** · 09-06-2011, 09:37

Se hai il PC infetto, perchè non postare in "Sicurezza Informatica e VIRUS"?

Sposto.

**lecceste** · 09-06-2011, 10:38

ok grazie

**marcosx86** · 09-06-2011, 12:58

intanto togli questi:

O4 - HKCU\..\Run: [{61EA6A5F-E183-3D93-3BDB-0EFFF21513AB}] C:\Users\Lucia\AppData\Roaming\Byci\nuha.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

poi riavvia la macchina in modalità provvisoria, entra con l'utente administrator (non con il tuo), fai partire dr.web e fai una scansione completa.

hai la possibilità di staccare l'hd e metterlo su un altro pc?

voglio vedere se c'è un virus nell'mbr.. quelli se entrano l'av non li toglie, forse in modalità provvisoria, ma non è sicuro

**lecceste** · 09-06-2011, 17:21

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Versione database: 6817

Windows 6.0.6000
Internet Explorer 7.0.6000.16386

09/06/2011 14.56.57
mbam-log-2011-06-09 (14-56-57).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|F:\|H:\|I:\|)
Elementi esaminati: 281747
Tempo impiegato: 1 ore, 10 minuti, 22 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 3
Valori di registro infetti: 1
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 13

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\KOQMLYTPE7 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YDZ1QVAGOJ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idgbn5xehg (Malware.Trace) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\{61EA6A5F-E183-3D93-3BDB-0EFFF21513AB} (Spyware.Passwords.XGen) -> Value: {61EA6A5F-E183-3D93-3BDB-0EFFF21513AB} -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
c:\Users\Lucia\AppData\Roaming\Byci\nuha.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\msLereui.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxi.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\Nxm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\ecnaormxws.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Lucia\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Nbabia.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

**POCHO22** · 10-06-2011, 20:53

se non aggiorni internet explorer
e il service pack
avrai sempre infezioni

Discussione: S.O. infetto! posto hijackthis.log

Strumenti discussione

Ricerca discussione

Visualizza

S.O. infetto! posto hijackthis.log

Permessi di invio