services.exe e svchost.exe

**viviana76** · 21-07-2008, 13:51

Ciao a tutte e tutti,
da qualche giorno il mio pc (un hp con S.O xp) mi dai dei problemi di connessione. Il firewall (Comodo) rileva dei tentativi di connessione da parte di questi processi:
spoolsv.exe
services.exe
mgsvc.exe
wmpnetwk.exe
alg.exe
svchost.exe

non sono sicura che le cose siano collegate ma facendo un giro sui vari forum ho visto che sia services.exe che svchost.exe potrebbero essere pericolosi.

Vi allego il log hijackthis che fatto sperando che qualcuno possa darmi dei consigli!
Grazie
Viv

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.05.25, on 21/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Comodo\Firewall\CPF.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Windows Media Player\WMPNSCFG.exe
C:\Programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Programmi\Skype\Plugin Manager\SkypePM.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\viv\IMPOST~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://italian.ircfast2.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmi\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio veloce di Microsoft Office OneNote 2003.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Programmi\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=pavilion &pf=laptop
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: Distributed Link Tracking Servers (TrkNetsSvcs) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

**hell's bells** · 21-07-2008, 21:49

Dal log si vede questo C:\WINDOWS\svchost.exe il file di per se puo' sembrare legittimo ma la posizione non è corretta, quindi per prudenza fixiamo la voce, poi eseguiamo un controllo sul file

verifica che hijackthis sia installato in una cartella apposita c:\programmi\hijackthis

rilancia hijackthis, clicca su "do a system scan only", poi a destra in basso clicca su config, assicurati che ci sia il segno di spunta sulla casella "make backups before fixing items" clicca su back e metti il segno di spunta o flag in corrispondenza di questa

O23 - Service: Distributed Link Tracking Servers (TrkNetsSvcs) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Poi fai una ricerca nella cartella c:\windows e verifica se il file è ancora presente visto che viene segnalato come missing.

Per la mia scarsa conoscenza non rilevo altro dal tuo log.

Discussione: services.exe e svchost.exe

Strumenti discussione

Ricerca discussione

Visualizza

services.exe e svchost.exe

Permessi di invio