Hi everyone.
For a few days now, on my office PC, a strange and unknown application with a random name (it changes from day to day; today it is GKE7AF.EXE) has been appearing in Task Manager. I tracked down the file: it is a temporary file in the windows/temp folder.
I tried logging in as administrator and terminating the process, but after rebooting the PC the file was regenerated.
There is probably a malicious instruction in the registry, but I don't know where to start to solve the problem.
Could you give me a hand?
Thanks in advance
Y.
I am attaching the HijackThis report
Logfile of HijackThis v1.99.1
Scan saved at 10.41.34, on 07/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Mozilla Thunderbird\thunderbird.exe
C:\Programmi\Internet Explorer\iexplore.exe
G:\Documenti Utente\ciaffi\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.****/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD} - C:\WINDOWS\System32\fofg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan
O4 - HKLM\..\Run: [Hazon clic] "C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.skymasters.biz
O15 - Trusted Zone: http://www.yeak.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pc.***.it
O17 - HKLM\Software\..\Telephony: DomainName = pc.****
O17 - HKLM\System\CCS\Services\Tcpip\..\{6333CD3E-E345-4F26-A39D-E5FF002EC493}: Domain = pc.*****.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{6333CD3E-E345-4F26-A39D-E5FF002EC493}: NameServer = 10.18.100.26,10.18.100.29,10.18.185.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pc.*****.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pc.*****.it,*****.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pc.*****.it,*****.it
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
and the GMER one
GMER 1.0.12.11865 - http://www.gmer.net
Rootkit scan 2006-12-07 11:59:39
Windows 5.1.2600 Service Pack 2
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS G:\RECYCLER\S-1-5-21-3870216755-816221577-1611797413-14738\Dg88.mdb:_SummaryInformation
ADS G:\RECYCLER\S-1-5-21-3870216755-816221577-1611797413-14738\Dg88.mdb:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
---- EOF - GMER 1.0.12 ----
GMER 1.0.12.11865 - http://www.gmer.net
Autostart scan 2006-12-07 12:00:21
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon@DLLName = C:\WINDOWS\System32\NavLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
LogWatch /*Event Log Watch*/@ = C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe"
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = "C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_02\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
@PrevxRootkitRemovalTool"C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan /*file not found*/ = "C:\Documents and Settings\ciaffi\Desktop\PrevxFixGrom.exe" -scan /*file not found*/
@Hazon clic"C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I = "C:\Programmi\Garzanti Linguistica\Hazon clic\HAZON.EXE" -I
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{C169E5F0-E2B3-41F3-B81A-7BA529CBE193} /*ZipGenius Shell Extension*/(null) =
@{2E5AC2E0-406D-11D4-86B3-FA5861508E25} /*ZipGenius Zip InfoTip*/(null) =
@{310A0C95-EA11-42AE-A8E4-53E69E650310} /*ZipGenius Drop handler*/(null) =
@{DCED20BE-3645-11D4-BC95-00C04F0E0588} /*InoShell*/C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/ = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/(null) =
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
InoShell@{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/
PowerArchiver@{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\InoShell@{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programmi\CA\eTrust Antivirus\InoShell.dll /*file not found*/
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\PowerArchiver@{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{E54DE325-1519-45AC-AE9F-DFCFC7E5F3CD}C:\WINDOWS\System32\fofg.dll /*file not found*/ = C:\WINDOWS\System32\fofg.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://intranet = http://intranet
@Start Pageabout:blank = about:blank
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.pcw.it = http://www.pcw.it
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = pc.*****.it
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6333CD3E-E345-4F26-A39D-E5FF002EC493} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.18.186.28 = 10.18.186.28
@NameServer10.18.100.26,10.18.100.29,10.18.185.200 = 10.18.100.26,10.18.100.29,10.18.185.200
@DefaultGateway10.18.186.254 = 10.18.186.254
@Domainpc.*****.it = pc.*****.it
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
---- EOF - GMER 1.0.12 ----