  1. #1

    Firewall problem - HijackThis log

    Hi everyone,
    here is the problem: for a few days now I have not been able to enable the Windows firewall or share the internet connection with the laptop connected via wireless. I have already followed the pinned guide, scanning with all the programs listed, but without solving the problem, so I am posting the HijackThis log in the hope that you can help me!

    Thank you!

    Logfile of HijackThis v1.99.1
    Scan saved at 11.43.23, on 03/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Programmi\Creative\ShareDLL\CtNotify.exe
    D:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Programmi\MessengerPlus! 3\MsgPlus.exe
    D:\Programmi\File comuni\Nokia\Tools\NclTray.exe
    D:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
    D:\WINDOWS\gtwatch.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Programmi\Messenger\msmsgs.exe
    D:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
    D:\Programmi\Creative\ShareDLL\MediaDet.Exe
    D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    D:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
    D:\Programmi\FreeLan 802.11g Wireless 125 Mbps PCI Card\WlanUtl.exe
    D:\Programmi\3M\PSNLite\PsnLite.exe
    D:\WINDOWS\twain_32\Trust\Direct Webscan\WATCH.exe
    D:\Programmi\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\System32\CTsvcCDA.EXE
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    D:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Programmi\ewido anti-malware\ewidoctrl.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O4 - HKLM\..\Run: [Disc Detector] D:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] D:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [MessengerPlus3] "D:\Programmi\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] D:\Programmi\File comuni\Nokia\Tools\NclTray.exe
    O4 - HKLM\..\Run: [DataLayer] D:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Gtwatch] D:\WINDOWS\gtwatch.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "D:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Shell] "D:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = D:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: FreeLan 802.11g WLAN Utility.lnk = ?
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Programmi\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: Watch.lnk = D:\WINDOWS\twain_32\Trust\Direct Webscan\WATCH.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Scarica con FlashGet - D:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: Scarica tutto con FlashGet - D:\Programmi\FlashGet\jc_all.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - D:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - D:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Programmi\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - d:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

  2. #2
    http://www.sysinternals.com/Utilitie...tRevealer.html

    Download the program, boot into safe mode after disabling System Restore. Run a scan and save the result (save as). Post the result here. Bye

    PS: next time you post the log, use <quote> and not <code>. It's a mess to read like this!

  3. #3

  4. #4
    I edited the message, now I'll try what you told me. Thank you!

  5. #5
    Unfortunately it won't start in safe mode. Should I do the log anyway?

  6. #6
    Originally posted by matsim
    Unfortunately it won't start in safe mode. Should I do the log anyway?
    While you post the rootkit log, also remove this trojan:
    http://www.sophos.com/virusinfo/anal...ojtorpigc.html

    In HijackThis, select this entry by ticking the box on its left and then press "Fix".
    O4 - HKCU\..\Run: [Shell] "D:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
    Then delete the file ibm00001.exe

  7. #7
    HKLM\S-1-5-21-299502267-1336601894-839522115-1003\Software\Microsoft\MSNMessenger\SQM\SessionTime 03/02/2006 16.35 4 bytes Data mismatch between Windows API and raw hive data.
    Here it is. I also removed that trojan.
    Ignore the date, because my clock is off. I should replace the battery.

  8. #8
    OK, but does the firewall work now? The rootkit log is clean.

  9. #9
    Did you also delete the other infected files? Read here:

    Troj/Torpig-L is a Trojan for the Windows platform.

    When Troj/Torpig-L is run some or all of the following files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web Folders or in the folder <System>\..\temp:

    ibm00000.exe
    ibm00001.dll
    ibm00001.exe
    ibm00002.dll
    tmp.tmp


    All files with names starting with 'ibm' are detected as Troj/Torpig-L.
    tmp.tmp is a clean data file.

    Troj/Torpig-L may attempt to delete files with the same name if they already exist.

    The following registry entry is created to run ibm00001.exe on startup:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Shell
    <path to ibm00001.exe>

    The following registry entry may be created to run ibm00001.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe "<path to ibm00001.exe>"

    An entry may be added to the file SYSTEM.INI in the "boot" section with a key name of "shell" to attempt to run ibm00001.exe on startup.

    The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.

    The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.

    Troj/Torpig-L automatically closes security warning messages displayed by common anti-virus and security-related applications.
    Look for them and delete them.
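A defender-side check built from the persistence traits in the Sophos description above, as an added example that is not part of the thread: it scans HijackThis-style autostart lines for a Run value named Shell, a Winlogon/system.ini Shell value that is anything other than plain explorer.exe, and any ibm-numbered .exe/.dll. The sample lines are constructed (only the HKCU Run line mirrors the thread's log), and the F0/F2 line layout is assumed to follow HijackThis's convention.

```python
import re

# Constructed sample of HijackThis-style lines; the Run "Shell" line mirrors the
# thread's log, the F0/F2 lines are made up to exercise the Winlogon/system.ini rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "D:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\temp\ibm00001.exe"
F0 - system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,
"""

# O4 autostart entry: registry hive, value name in brackets, then the command
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# F0 (system.ini file) / F2 (Winlogon registry) Shell= entries
SHELL_RE = re.compile(r'^F[02] - (?:REG:)?system\.ini: Shell=(?P<cmd>.+)$', re.IGNORECASE)
# Sophos: every file whose name starts with 'ibm' belongs to Troj/Torpig-L
IBM_FILE_RE = re.compile(r'\bibm\d{5}\.(?:exe|dll)\b', re.IGNORECASE)


def find_torpig_indicators(log_text):
    """Return (rule, line) pairs for autostart lines showing Troj/Torpig-L traits."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        shell = SHELL_RE.match(line)
        if not (run or shell):
            continue  # not an autostart line we know how to judge
        # Torpig registers itself under HKCU\...\Run with the value name "Shell"
        if run and run.group('name').lower() == 'shell':
            hits.append(('run-value-named-Shell', line))
        # A Winlogon or system.ini Shell other than bare explorer.exe is a hijack
        if shell and shell.group('cmd').strip().lower() != 'explorer.exe':
            hits.append(('shell-not-plain-explorer', line))
        if IBM_FILE_RE.search(line):
            hits.append(('ibm-named-file', line))
    return hits


if __name__ == '__main__':
    for rule, line in find_torpig_indicators(SAMPLE_LOG):
        print(f'[{rule}] {line}')
```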

  10. #10
    Everything cleaned, but the firewall doesn't work and I can't share the internet connection either.
