Redirects and Phishing

How do I remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want answers to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Post by Zenit » 01/09/08 11:47

Good morning :)

It was too good to be true to have been free of malware and viruses for so long.
For a couple of days now, with both Firefox (2) and Explorer, at random moments I get redirected to new windows that are generally pseudo-institutional (eBay or pseudo-eBay, MS, Skype, etc.).
This happens both when clicking any link and when searching with Google. I have the feeling that the redirect is triggered either on a timer or by pressing particular keys (but also by turning the mouse wheel).
In fact, the feeling is that the redirect is double: first to one site, which then redirects to another, and they look every bit like phishing sites.

Spybot, Ad-Aware and AVG detect nothing at all. CCleaner cleans but the problem persists. CWShredder says everything is fine.
But it isn't.

I'm sending you the HijackThis log; could you tell me what I should do?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.40.08, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\apps\ABoard\ABoard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Dexpot\dexpot.exe
C:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\WService.EXE
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Dexpot 1.4] C:\Programmi\Dexpot\dexpot.exe
O4 - HKCU\..\Run: [ushgtahg] "c:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe" ushgtahg
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WiziWYG XP Startup.lnk.disabled
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Programmi\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Programmi\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PubSub Sidebar - {31D63640-E9A3-4161-B147-EA26F7D2ACEB} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C487E0EA-FD6F-4052-A0FB-517755DDD635}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GKVS - GlobeSpan Inc. - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: QNNSAIIJY - QLogic Corporation - (no file)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O24 - Desktop Component 1: Anfy ANFY3D LIGHT - (no file)
Zenit
Newbie
Posts: 2
Joined: 01/09/08 11:33

Re: Redirects and Phishing

Post by Luke57 » 01/09/08 16:12

Hi, try this:
open HijackThis, press "config", "misc tools", "open process manager"; if among the processes you find:
C:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe
highlight it and press kill process.
Go back to the main menu with back, press "scan", tick the following entry:
O4 - HKCU\..\Run: [ushgtahg] "c:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe" ushgtahg

press fix checked.

From My Computer press Tools > Folder Options > View, tick "Show hidden files and folders" and press OK.
Search for and delete the following file:
C:\documents and settings\omar\impostazioni locali\dati applicazioni\uygooea.exe

Then download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
To run it, double-click Combofix.exe
A blue window will open.... Wait....
After a moment a notice will appear in which the author disclaims any responsibility for problems caused by misuse of the tool.
At this point select 1 and then ENTER to launch the scan..
Wait..... (don't do anything else during the scan; if the desktop icons disappear, that is completely normal)
A notice will tell you when the operation is finished, and after a moment the log with the scan details will appear.
The log will be saved in C:\Combofix.txt
Attach it or paste it into a post
Luke57
Moderator
Posts: 6413
Joined: 11/08/05 19:10
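A small triage script for HijackThis logs like the one posted above, added here as an example (it is not part of the thread and not a HijackThis feature). It parses the entry lines and flags the patterns a helper checks first: an O4 autorun that starts an executable from a per-user profile data folder (where ushgtahg.exe lives), an O4 entry whose value name is reused as the executable name and its only argument, and O9/O23 entries pointing at "(no file)". The sample lines are copied from the log in the first post; the heuristics and names are the example's own.

```python
"""Triage helper for HijackThis 2.x logs (example code, not a HijackThis feature)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# A HijackThis entry line: a section code such as R1, O4 or O23, then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
# An O4 registry Run entry:  hive\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(r"^(?P<key>\S+?)\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# First absolute .exe path in the command line, quoted or not.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)

# Per-user profile data folders (Italian XP name as in the log, then the English one).
PROFILE_DATA_DIRS = (
    r"\impostazioni locali\dati applicazioni",
    r"\local settings\application data",
)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    line: str    # the full entry line
    reason: str  # why it was flagged


def iter_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (code, body) for every entry line; process lists and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def split_command(cmd: str) -> Tuple[str, str, str]:
    """Return (executable path, executable stem, trailing arguments) of an O4 command."""
    m = EXE_RE.search(cmd)
    if m:
        path, tail = m.group(1), cmd[m.end():].strip()
    else:  # bare file name such as "dslagent.exe USB": no drive letter present
        parts = cmd.split(None, 1)
        path = parts[0].strip('"') if parts else ""
        tail = parts[1].strip() if len(parts) > 1 else ""
    base = path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.exe$", "", base, flags=re.IGNORECASE)
    return path, stem, tail


def triage(log_text: str) -> List[Finding]:
    """Flag entries worth a second look; a finding is a lead to verify, not a verdict."""
    findings: List[Finding] = []
    for code, body in iter_entries(log_text):
        line = f"{code} - {body}"
        if code == "O4":
            m = O4_RUN_RE.match(body)
            if not m:
                continue  # Startup-folder shortcuts carry no command line to inspect
            name, cmd = m.group("name"), m.group("cmd")
            path, stem, tail = split_command(cmd)
            if any(d in path.lower() for d in PROFILE_DATA_DIRS):
                findings.append(Finding(code, line,
                    "autorun starts an executable from a per-user profile data folder"))
            if tail and name.lower() == stem.lower() == tail.lower():
                findings.append(Finding(code, line,
                    "value name, executable stem and sole argument are the same token"))
        elif code in ("O9", "O23") and body.rstrip().endswith("(no file)"):
            findings.append(Finding(code, line, "entry refers to a binary that no longer exists"))
    return findings


# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r'''
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [ushgtahg] "c:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe" ushgtahg
O4 - Startup: Adobe Gamma.lnk.disabled
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GKVS - GlobeSpan Inc. - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```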

Re: Redirects and Phishing

Post by Zenit » 01/09/08 17:17

Luke57 wrote: C:\documents and settings\omar\impostazioni locali\dati applicazioni\uygooea.exe

Hi Luke57, a real rocket! :)
I didn't find the quoted path, but I did find the program uygooea.exe; I rooted it out after the first part of the procedure you suggested.
I'm attaching ComboFix's complete works.
I hope this has fixed it, and so thank you very much for the suggestions.
Even if it has, since you have considerable experience, I'd like to know what the heck infection I caught. Just for the future.
Thanks again :)

__________________________
ComboFix 08-08-31.01 - pc city 2008-09-01 17.59.36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.390 [GMT 2:00]
Eseguito da: C:\Documents and Settings\pc city\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2008-08-01 al 2008-09-01 )))))))))))))))))))))))))))))))))))
.

2008-09-01 17:25 . 2008-09-01 17:37 <DIR> d-------- C:\Programmi\Navilog1
2008-09-01 12:25 . 2008-09-01 12:25 <DIR> d-------- C:\Documents and Settings\pc city\DoctorWeb
2008-09-01 10:00 . 2008-09-01 10:00 <DIR> d-------- C:\Programmi\Trend Micro
2008-08-30 02:51 . 2008-08-30 02:51 704 --a------ C:\WINDOWS\system32\history.aaw
2008-08-24 15:06 . 2008-08-24 15:06 <DIR> d-------- C:\Programmi\IVCsoft
2008-08-24 14:27 . 2008-06-08 23:58 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-08-24 14:27 . 2008-06-12 20:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-24 14:27 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-08-22 15:08 . 2008-08-26 20:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-22 15:08 . 2008-08-22 15:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-20 13:22 . 2008-08-20 13:22 26,624 --a------ C:\WINDOWS\system32\aaaamon.dll
2008-08-12 12:21 . 2008-08-12 12:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-08 21:11 . 2008-09-01 18:04 1,503,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-08 21:11 . 2008-08-31 10:26 16,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-08 12:43 . 2008-08-08 12:43 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-08 12:43 . 2008-08-08 12:43 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-08 12:42 . 2007-05-31 00:03 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2008-08-01 23:03 . 2008-08-01 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Macrovision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 09:08 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-08-31 23:59 --------- d-----w C:\Programmi\Java
2008-08-31 23:33 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-08-31 17:49 1,461,760 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-08-31 07:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-08-31 07:40 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\AVG7
2008-08-30 10:47 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-08-28 16:54 1,695,232 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-08-27 23:19 --------- d-----w C:\Programmi\eMule
2008-08-26 04:20 662,016 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-08-25 00:44 629,760 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-08-23 17:01 869,888 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-08-20 23:44 464,384 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-08-19 14:23 743,936 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-08-17 23:02 323,072 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-08-16 15:06 132,096 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-08-16 00:32 475,136 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-08-15 20:05 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\gtk-2.0
2008-08-14 16:11 182,784 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-08-13 20:05 532,992 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-08-11 21:40 121,344 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-08-11 12:43 93,696 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-08-10 19:42 338,944 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-08-10 00:35 273,408 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-08-08 16:27 267,264 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-08-07 23:39 411,136 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-08-05 23:31 556,544 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-08-04 22:42 742,400 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-08-02 17:11 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-08-02 13:10 367,104 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-08-01 21:01 --------- d-----w C:\Programmi\File comuni\Adobe
2008-07-31 22:57 2,840,064 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-07-31 02:04 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-07-30 22:59 --------- d-----w C:\Programmi\Opanda
2008-07-30 22:55 --------- d-----w C:\Programmi\IrfanView
2008-07-30 11:08 --------- d-----w C:\Programmi\Artweaver 0.5
2008-07-30 11:08 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\Artweaver
2008-07-29 22:11 2,861,056 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-07-26 08:13 17,414,470 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-07-24 10:24 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\StarOffice8
2008-07-22 18:01 3,136,000 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-07-18 12:34 --------- d-----w C:\Programmi\Google
2008-07-18 11:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-18 11:54 --------- d-----w C:\Programmi\Lavasoft
2008-07-18 11:53 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-07-18 11:52 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\Lavasoft
2008-07-07 06:19 --------- d-----w C:\Documents and Settings\pc city\Dati applicazioni\OpenOffice.org2
2008-07-01 11:12 --------- d-----w C:\Programmi\AKVIS
2008-03-11 21:37 920 ----a-w C:\Programmi\setup.ssc
2008-03-11 21:36 0 ----a-w C:\Programmi\_small.jpg
2006-01-07 12:44 317,092 ----a-w C:\Programmi\_INST32I.EX_
2005-10-13 17:04 2,349,051 ----a-w C:\Programmi\openofficeorg4.cab
2005-10-13 17:03 49,350,117 ----a-w C:\Programmi\openofficeorg3.cab
2005-10-13 16:59 6,040,213 ----a-w C:\Programmi\openofficeorg2.cab
2005-10-13 16:59 17,229,996 ----a-w C:\Programmi\openofficeorg1.cab
2005-10-13 16:57 217 ----a-w C:\Programmi\setup.ini
2005-10-13 16:57 2,730,496 ----a-w C:\Programmi\openofficeorg20.msi
2005-10-05 11:18 241,664 ----a-w C:\Programmi\setup.exe
2005-10-02 04:30 158 ----a-w C:\Programmi\Compression.ini
2005-05-25 14:06 47 ----a-w C:\Programmi\setup.lid
2005-05-25 14:06 334 ----a-w C:\Programmi\layout.bin
2005-05-25 14:06 26,682,872 ----a-w C:\Programmi\data1.cab
2005-05-25 14:05 91 ----a-w C:\Programmi\DATA.TAG
2005-05-25 14:05 205,135 ----a-w C:\Programmi\_sys1.cab
2005-05-25 14:05 140,053 ----a-w C:\Programmi\_user1.cab
2005-04-14 11:10 98,373 ----a-w C:\Programmi\setup.ins
1997-06-02 10:17 8,192 ----a-w C:\Programmi\_ISDEL.EXE
1997-06-02 10:17 11,264 ----a-w C:\Programmi\_SETUP.DLL
1997-05-30 10:31 4,557 ----a-w C:\Programmi\lang.dat
1997-05-06 13:15 417 ----a-w C:\Programmi\os.dat
2003-06-27 20:24 6,144 --sha-w C:\WINDOWS\system\ss.drv
2007-11-09 18:27 88 --sh--r C:\WINDOWS\system32\973DC589EB.sys
2007-11-09 18:39 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:39 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Dexpot 1.4"="C:\Programmi\Dexpot\dexpot.exe" [2006-05-09 23:25 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 02:04 118837]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31 24576]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-28 10:14 580096]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"DSLAGENTEXE"="dslagent.exe" [2001-08-21 19:50 16384 C:\WINDOWS\system32\dslagent.exe]
"WService"="WService.EXE" [2002-09-07 12:23 28672 C:\WINDOWS\system32\WService.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:39 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 10:10 219136]
"Picasa Media Detector"="C:\Programmi\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

C:\Documents and Settings\pc city\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk.disabled [2005-05-29 20:25:59 956]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-06 20:43:50 82026]
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
WiziWYG XP Startup.lnk.disabled [2005-12-04 23:27:33 824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ac3acm"= C:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm
"vidc.mxmc"= MimicICM.DLL
"SENTINEL"= snti386.dll
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.VP60"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP61"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP62"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP70"= C:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= C:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll
"msacm.l3fhg"= C:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sonic RecordNow! Deluxe"=xŸ

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime
"UpdateManager"="C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\bullbear\\Caricdat.exe"=
"C:\\Programmi\\Namo\\WebEditor 5 Trial\\bin\\WebEditor.exe"=
"C:\\Programmi\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Programmi\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:tcp emule

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 09:48]
R3 uscsc108;uscsc108;C:\WINDOWS\system32\DRIVERS\uscsc108.sys [2003-03-09 18:41]
S2 gafwload;IPM Datacom USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-08-21 20:04]
S3 Cap7134;Empire SERIE 3000 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys []
S3 OlyUsbCam;OLYMPUS USB Camera;C:\WINDOWS\system32\DRIVERS\OlyUsbCam.sys []
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 08:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f49e30b2-313b-11dd-9360-00024f300101}]
\Shell\AutoRun\command - G:\AutoTransfer.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - MBR
*Newly Created Service* - PROCEXP90
.
- - - - ORFÃOS REMOVIDOS - - - -

MSConfigStartUp-ushgtahg - c:\documents and settings\pc city\impostazioni locali\dati applicazioni\ushgtahg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\pc city\Dati applicazioni\Mozilla\Firefox\Profiles\uy0pkd21.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://it.start.mozilla.com/firefox?cli ... t:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 18:03:23
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Programmi\Dexpot\hooxpot.dll
.
Ora fine scansione: 2008-09-01 18:07:09
ComboFix-quarantined-files.txt 2008-09-01 16:06:34

Pre-Run: 57,816,838,144 byte disponibili
Post-Run: 57,855,369,216 byte disponibili

211 --- E O F --- 2007-10-10 11:47:27
Zenit
Newbie
Posts: 2
Joined: 01/09/08 11:33

Re: Redirects and Phishing

Post by Luke57 » 01/09/08 18:54

Hi, sorry, when copying and pasting, a file belonging to another user was left in ;)
The report looks OK; it should be an infection by the Lop adware.
Luke57
Moderator
Posts: 6413
Joined: 11/08/05 19:10

