Hello, on startup this warning appears; AntiVir detects nothing, and neither do the scans with antispyware etc. As antivirus I have Microsoft Security Essentials. What can I do? Is it necessary to format?
Bye and thanks.
Download HijackThis and put it on the C: drive, where you will have prepared a folder with its name.
Run the executable and click on "Do a system scan and save a log"; at the end, save this file with the *.TXT extension and attach it to a post on the forum.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:16:22, on 31/08/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe
C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\system32\taskhost.exe
C:\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [Wireless Console 3] C:\Program Files\ASUS\Wireless Console 3\wcourier.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Policies] C:\Windows\system32\System32\dwm.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [winserv] C:\Users\Daniele\AppData\Local\Temp\Main\winserv.exe
O4 - HKCU\..\Run: [Policies] C:\Windows\system32\System32\dwm.exe
O4 - HKLM\..\Policies\Explorer\Run: [Main] C:\Windows\system32\System32\dwm.exe
O4 - HKCU\..\Policies\Explorer\Run: [Main] C:\Windows\system32\System32\dwm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-2793810084-359677253-427488758-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'postgres')
O4 - HKUS\S-1-5-21-2793810084-359677253-427488758-1004\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'postgres')
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Program Files\PokerStars.IT\PokerStarsUpdate.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Olivetti Monitor Service (olMntrService) - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
--
End of file - 5527 bytes
I redid the scan after deleting the temporary files with CCleaner and closing the connection:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:09:18, on 31/08/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe
C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [Wireless Console 3] C:\Program Files\ASUS\Wireless Console 3\wcourier.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Policies] C:\Windows\system32\System32\dwm.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Daniele\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [winserv] C:\Users\Daniele\AppData\Local\Temp\Main\winserv.exe
O4 - HKCU\..\Run: [Policies] C:\Windows\system32\System32\dwm.exe
O4 - HKLM\..\Policies\Explorer\Run: [Main] C:\Windows\system32\System32\dwm.exe
O4 - HKCU\..\Policies\Explorer\Run: [Main] C:\Windows\system32\System32\dwm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-2793810084-359677253-427488758-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'postgres')
O4 - HKUS\S-1-5-21-2793810084-359677253-427488758-1004\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'postgres')
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Program Files\PokerStars.IT\PokerStarsUpdate.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Pianificatore (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Olivetti Monitor Service (olMntrService) - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
--
End of file - 5708 bytes
You have remnants of an infection; do this check for me:
download ComboFix to the desktop
when asked whether you want to install the Recovery Console, click NO
run ComboFix.exe
follow the instructions
once the scan is finished, go to C:\ and attach, in your next reply, the contents of the text file ComboFix.txt
How to use ComboFix correctly
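As an added illustration (not part of this thread and not HijackThis's own code), the Python below parses O4 autorun lines in HijackThis format and flags the traits a helper looks for in the log above: a program launched from a Temp folder, a file named like a Windows system binary but sitting outside its real directory (the doubled System32\System32\dwm.exe), and entries set through Policies\Explorer\Run. The sample lines are constructed from the posted log, and EXPECTED_DIR is an assumed allowlist of my own.

```python
import re
# Constructed sample (not the full log from this thread): O4 autorun lines in
# HijackThis format, built from the paths that appear in the log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [Policies] C:\Windows\system32\System32\dwm.exe
O4 - HKCU\..\Run: [winserv] C:\Users\Daniele\AppData\Local\Temp\Main\winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Main] C:\Windows\system32\System32\dwm.exe
"""

# Assumed allowlist: the only directory each Windows binary legitimately runs from;
# the same file name anywhere else (e.g. System32\System32\dwm.exe) is a masquerade.
EXPECTED_DIR = {
    "dwm.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

def parse_o4(line):
    """Return (hive, key, name, exe_path) for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m.group("cmd"))  # strip quotes and trailing arguments
    path = e.group("path") if e else m.group("cmd")
    return m.group("hive"), m.group("key"), m.group("name"), path

def triage_o4(log_text):
    """Return [(name, path, [reasons])] for autorun entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, path = parsed
        low = path.lower()
        folder, _, base = low.rpartition("\\")
        reasons = []
        if "\\temp\\" in low:
            reasons.append("launched from a Temp directory")
        if base in EXPECTED_DIR and folder != EXPECTED_DIR[base]:
            reasons.append(f"{base} outside {EXPECTED_DIR[base]}: masquerading as a system binary")
        if key.lower().endswith("policies\\explorer\\run"):
            reasons.append("set via Policies\\Explorer\\Run, an autostart key rarely used on a home PC")
        if reasons:
            findings.append((name, path, reasons))
    return findings
```

Run on the two logs above, it flags exactly the winserv entry and the four dwm.exe entries and leaves the vendor autoruns alone.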
OK, done, but now it won't let me open any program any more, not even Mozilla; I'm using another PC. I can't even uninstall it by trying combofix /uninstall
I rebooted the PC and now everything works, but I couldn't copy/paste the report. What do I do?
c:\qoobox\Add-Remove Programs.txt
c:\qoobox\BackEnv
c:\qoobox\ComboFix-quarantined-files.txt
c:\qoobox\Quarantine
c:\qoobox\SnapShot@2012-08-31_16.49.20.dat
c:\qoobox\Quarantine\C
c:\qoobox\Quarantine\catchme.log
c:\qoobox\Quarantine\Registry_backups
c:\qoobox\Quarantine\C\install.exe.vir
c:\qoobox\Quarantine\C\Users
c:\qoobox\Quarantine\C\Windows
c:\qoobox\Quarantine\C\Users\Daniele
c:\qoobox\Quarantine\C\Users\Daniele\AppData
c:\qoobox\Quarantine\C\Users\Daniele\AppData\Local
c:\qoobox\Quarantine\C\Users\Daniele\AppData\Roaming
c:\qoobox\Quarantine\C\Users\Daniele\AppData\Local\temp
c:\qoobox\Quarantine\C\Users\Daniele\AppData\Local\temp\Main
c:\qoobox\Quarantine\C\Users\Daniele\AppData\Roaming\Danielelog.dat.vir
c:\qoobox\Quarantine\C\Windows\System32
c:\qoobox\Quarantine\C\Windows\System32\System32
c:\qoobox\Quarantine\C\Windows\System32\System32\dwm.exe.vir
c:\qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKCU-Run-Policies.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-Policies.reg.dat
c:\qoobox\Quarantine\Registry_backups\tcpip.reg