Log HijackThis

[michela.molinar]

Buongiorno a tutti !!
Lascio detto che il mio pc va un po' a rilento e ogni tanto Non rispondono piu' alcuni programmi in esecuzione (spybot). Ho letto dell'esistenza di questo HijackThis e sono stata
presa dall'euforia e mi scuso di non aver rispettato alcune Regole.
Spero vada bene Hijasck sotto Programmi.. o no? Ecculo qua..
Premetto che socksupp.exe è da tempo sul mio pc (non che mi ci sia affezionata) ma non mi ha creato problemi ho notato da qualche tempo che occupa la CPU al 30%/40% si disattiva tranquillamente con TaskManager ma vorrei toglierlo. qualcuno lo conosce?
Grazie, ancora Scusatemi!!

Logfile of HijackThis v1.99.1
Scan saved at 12.24.58, on 09/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\socksupp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Programmi\C6 Messenger\c6Messenger.exe
C:\WINDOWS\System32\mdm.exe
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.d ll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.d ll
O4 - HKLM\..\Run: [Internet SocketSupport] socksupp.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Programmi\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Internet SocketSupport] socksupp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: C6 Messenger.lnk = C:\Programmi\C6 Messenger\c6Messenger.exe
O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: LG SyncManager.lnk = C:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.it/kos/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1148909748222
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/down...derActiveX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LogCrd - Unknown owner - C:\WINDOWS\TEMP\7.tmp
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Nightmare-1]

Prima di postare il log esegui i passi della guida a questo link.

Una volta eseguiti controlla il sistema: se hai ancora quel problema posta un nuovo log dopo esserti disconnessa da internet o lan ed aver chiuso ogni programma in esecuzione (leggo ad esempio c6, zone alarm...).

Saluti,
Nightmare

[amvinfe]

Grazie michela.molinar per aver aperto una nuova discussione ed aver inserito nella giusta directory l'eseguibile di HijackThis


Nightmare-1,
non capisco perchè mai ZoneAlarm dovrebbe essere chiuso prima della scansione con hijackthis, messengec6 parte in esecuzione automatica quindi non è un eseguibile aperto dopo l'avvio ed il caricamento del sistema operativo



Per cortesia inviami zippati ed all'indirizzo presente nella mia firma questi file, grazie:

socksupp.exe ===> molto sospetto
7.tmp ===> questo certamente infetto

[michela.molinar]

Kaspersky online scanner report
Cosa me ne faccio ora? ho il rapporto kosa me ne faccio ora?
Da online kaspersky ha trovato delle cose ma non le elimina lui..
ci devo pensare io ad eliminarle..?

[amvinfe]

se hai salvato il risultato del log postalo qui, nel frattempo se puoi iniziare ad inviarmi quei due file.
Grazie

[michela.molinar]

[2] Antispyware
Eseguite una scansione con tutti i seguenti programmi antispyware (sono tutti freeware).

- Ewido- (Qui trovate un tutorial)
(freeware contenente la versione plus in prova per 14gg).
[non funziona su sistemi 95/98/Me]
- Ad-Aware - (Qui trovate un Tutorial)
- SpyBot search and destroy
- CWShredder
questo punto della guida è gia stato fatto.

cosa me ne faccio del reporto di Kaspersky?

[michela.molinar]

quali sono i due file che ti devo mandare..??? Ps. li devo zippare?
ecco karspersky report:

Sunday, July 09, 2006 3:12:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/07/2006
Kaspersky Anti-Virus database records: 193629


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 47904
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:49:23

Infected Object Name Virus Name Last Action
C:\Documents and Settings\DEWFghiLNCwXC\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\DEWFghiLNCwXC\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\DEWFghiLNCwXC\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\michela\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Cronologia\History.IE5\MSHist01200607092006 0710\index.dat Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Temp\Perflib_Perfdata_774.dat Object is locked skipped

C:\Documents and Settings\michela\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\michela\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\michela\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programmi\C6 Messenger\RASlog.log Object is locked skipped

C:\System Volume Information\_restore{0BDD0030-CE34-47E4-8508-6BD95DA07B54}\RP15\change.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\MIKY.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped

C:\WINDOWS\Temp\7.tmp Object is locked skipped

C:\WINDOWS\Temp\ZLT006d8.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT006e5.TMP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[amvinfe]

la scansione con Kaspersky andava fatta con database esteso
"Scan using the following antivirus database standard"

Nel caso volessi ripetere la scansione online ricordati di loggarti come Admin


I file zippati che dovresti mandarmi sono:
C:\WINDOWS\System32\socksupp.exe
C:\WINDOWS\Temp\7.tmp

[michela.molinar]

amvinfe
7.tmp => è nascostissimo
socksupp.exe-0BF70CB4.pf c:\WINDOWS\Prefetch è lui quello che appare sul Task Manager? Lo zippo e telo invio!! ti avviso penso proprio non cel abbia nessuno al mondo !!

[michela.molinar]

1 attimo non avevo letto i percorsi !!