SOLVED Virus Winlogon.exe

Surolol

New User
13
0
Hi everyone, for a few days now my computer has been running very slowly and the cause, in my opinion, might be a virus in winlogon.exe.
Given that I don't have an antivirus and I'm installing one right now, you'll ask: how do you know there's a virus?
Well, I think there's a virus because when I go into C:\Windows\System32 the file winlogon.exe has a strange icon, typical of trojans.
Lately it also often happens that the computer "freezes", in the sense that Internet disconnects, the sound stops working, and I can't open any folder: an error message comes up like "Cannot find the file etc." or something similar, and after about 1 minute the computer restarts.
I also tried downloading ComboFix after reading a few guides, but as soon as I open it, after about 20 seconds, the thing I just described happens (Internet goes off, everything freezes and the PC shuts down).
I've just tried HijackThis and it works; here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:47, on 28/11/2012
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal


Running processes:
C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Users\Utente\Desktop\HiJackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = SearchCompletion Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = SearchAmong
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Analysis of program downloads scanned for viruses and spyware.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchAmong Toolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\SearchAmong Toolbar\SearchAmongToolbar.dll (file missing)
O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.6.8\PriceGongIE.dll (file missing)
O2 - BHO: Ironsource LTD Helper Object - {25927741-5E5B-4D27-8D8B-9188FE64373F} - C:\Program Files\Ironsource\searchya\1.5.13.0\bh\searchya.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: wxdfast - {E8E4F971-D737-40a1-8046-16EAD6D806E1} - C:\Program Files\wxdfast\wxdfast.dll (file missing)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (file missing)
O3 - Toolbar: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
O3 - Toolbar: (no name) - !{33AA308B-B565-4376-AC66-59EE9B6AD13E} - (no file)
O3 - Toolbar: (no name) - !{4619105f-8f56-4dc3-bb47-ede6e2993355} - (no file)
O3 - Toolbar: (no name) - !{F053C368-5458-45B2-9B4D-D8914BDDDBFF} - (no file)
O3 - Toolbar: (no name) - !{F9639E4A-801B-4843-AEE3-03D9DA199E77} - (no file)
O3 - Toolbar: SearchAmong Toolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\SearchAmong Toolbar\SearchAmongToolbar.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/it.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMgBHADMASwAtADgANwBXAFUAVQAtADIAVABWAEgAQQAtAFgANgBEAEYAOAAtAEwANgBQAEEATgA"&"inst=NwA3AC0ANQA2ADAAOAAxADgANgAyADcALQBGAEwAKwA5AC0AWABPADMANgArADEA"&"prod=90"&"ver=9.0.894
O4 - Startup: IMVU.lnk = Utente\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe
O4 - Global Startup: TP-LINK Wireless Configuration Utility.lnk = C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &SearchAmong - res://C:\Program Files\SearchAmong Toolbar\SearchAmongToolbar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Users\Utente\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Utente\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{166D347A-694F-4503-887D-E770729F85C1}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA12349-84FD-42CA-91A3-3DD78DBF0DAD}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F1A25DC-C3E4-4B32-936E-15CFBA14E2E9}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FED18E3-0D70-4A0D-8E93-85210F632078}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E93BF5-C0E2-4C16-AA9C-8945BA89B71F}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{285A7BDD-AFB2-4456-882B-5E2B233684CF}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4E794-3DC7-448B-BA87-7409157A4C59}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB50052-D2A7-44B9-8F8A-D29A3BDEB4A6}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CFC68D0-1888-4F25-840B-38BC5B4E10EA}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{56CA45F6-AD1B-4B16-ADDE-09586BA0996F}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{5770B8F5-159E-4825-B924-C0EBE90F6133}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F94FAD6-2592-45AE-844F-C2F3422B6450}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{915272A6-D645-42CF-8E37-099F638C18B4}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DB305-60DA-4E86-8183-F2F841D51848}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2E1628-3860-4D4B-8090-E649A443F9D1}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F07A8D-C386-4457-A431-FC7FB25B0B04}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{D94C9BF3-7DD9-4B41-89E2-ABB4CD945D9B}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{e29ac6c2-7037-11de-816d-806e6f6e6963}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HyperDesk's Custom Theme Enabler (HyperDeskCustomThemeEnabler) - Unknown owner - C:\Windows\Installer\MSI1E09.tmp
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Pos Service (PowerOffer Service) - PowerOfferService - C:\Users\Utente\AppData\Local\PosService\Pos.exe
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Users\Utente\AppData\Local\ServUpdater\ServiceUpd.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Sony PC Companion - Unknown owner - C:\Program Files\Sony\Sony PC Companion\PCCService.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe


--
End of file - 12332 bytes

I'm now running a scan with AVG, let's see if anything turns up.
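As an added example (not from the original thread, and not a feature of HijackThis or OTL), here is a small Python triage script for logs in this format. It encodes the checks a responder applies to the log above: hosts-file overrides (O1), BHOs and toolbars whose DLL is gone (O2/O3), per-interface DNS resolvers that differ from the expected ones, including the spare CS1/CS2 control sets (O17), services whose binary lives under AppData or is a .tmp file (O23), and removable-media autorun commands (O33). A second function reads the OTL-style file listing posted in the reply below and groups same-size hidden+system files to expose a worm dropping copies of itself at a fixed cadence. The sample lines are copied from the thread's logs; the expected resolver 192.168.1.1 is a hypothetical value that should be replaced by the resolvers the machine legitimately uses.

```python
# Triage of a HijackThis log and an OTL file listing (added example, not a
# forum tool and not part of HijackThis or OTL). Sample lines are copied
# from the logs in this thread; EXPECTED_DNS is an assumption.
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: resolvers the machine should use (hypothetical router address).
# Any other address written per interface under Tcpip\..\NameServer is reported.
EXPECTED_DNS = {"192.168.1.1"}

# Binaries living where a non-admin user can write (a service should never).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\", re.I)
NAMESERVER = re.compile(r"NameServer = ([\d.,]+)")
# OTL file entry: [date time | size | attrs | M/C] (company) -- path
OTL_FILE = re.compile(
    r"^\[(\S+ \S+) \| ([\d,]+) \| (\S+) \| [MC]\](?: \(.*?\))? -- (.+)$")


def triage(lines):
    """Return (section, reason, line) findings for HijackThis/OTL 'O' lines.
    OTL reuses the HijackThis section numbers, so one pass serves both."""
    findings = []
    for line in (l.strip() for l in lines):
        tag = line.split(" ", 1)[0]
        if tag == "O1" and "Hosts:" in line:
            findings.append((tag, "hosts-file override", line))
        elif tag in ("O2", "O3") and ("(file missing)" in line or "File not found" in line):
            findings.append((tag, "BHO/toolbar registered but its DLL is gone", line))
        elif tag == "O17":
            m = NAMESERVER.search(line)
            rogue = set(m.group(1).split(",")) - EXPECTED_DNS if m else set()
            if rogue:
                # CS1/CS2 are the spare control sets: the hijack would survive
                # a boot into "Last Known Good Configuration" as well.
                hive = "CS1/CS2" if re.search(r"\\CS[12]\\", line) else "CCS"
                findings.append((tag, f"unexpected DNS {sorted(rogue)} in {hive}", line))
        elif tag == "O23":
            path = line.rsplit(" - ", 1)[-1]
            if USER_WRITABLE.search(path):
                findings.append((tag, "service binary in user-writable path", line))
            elif path.lower().endswith(".tmp"):
                findings.append((tag, "service binary is a .tmp file", line))
        elif tag == "O33" and "AutoRun\\command" in line:
            findings.append((tag, "removable-media autorun command", line))
    return findings


def dropper_clusters(lines, min_count=3):
    """Group OTL file entries by (size, attributes) and report hidden+system
    clusters: many same-size RHS files with random names at the drive root
    is a worm dropping copies of itself, and the gap between creation times
    shows how often it runs."""
    groups = defaultdict(list)
    for line in (l.strip() for l in lines):
        m = OTL_FILE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            groups[(int(size.replace(",", "")), attrs)].append(
                (datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"), path))
    report = []
    for (size, attrs), entries in groups.items():
        if len(entries) < min_count or "H" not in attrs or "S" not in attrs:
            continue
        times = sorted(t for t, _ in entries)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({"size": size, "attrs": attrs, "count": len(entries),
                       "median_interval_s": median(gaps) if gaps else None,
                       "paths": [p for _, p in entries]})
    return sorted(report, key=lambda r: -r["count"])


# Constructed samples, copied from the logs posted in this thread.
HJT_SAMPLE = [
    r"O1 - Hosts: 65.54.239.80 messenger.hotmail.com",
    r"O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (file missing)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25",
    r"O23 - Service: Pos Service (PowerOffer Service) - PowerOfferService - C:\Users\Utente\AppData\Local\PosService\Pos.exe",
    r"O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe",
    r"O23 - Service: HyperDesk's Custom Theme Enabler (HyperDeskCustomThemeEnabler) - Unknown owner - C:\Windows\Installer\MSI1E09.tmp",
    r'O33 - MountPoints2\{a248c949-b9f3-11e1-ab86-bca3246deebe}\Shell\AutoRun\command - "" = E:\Startme.exe',
]
OTL_SAMPLE = [
    r"[2012/11/28 23:33:28 | 000,103,140 | RHS- | M] () -- C:\jaked.exe",
    r"[2012/11/28 23:33:00 | 000,103,140 | RHS- | M] () -- C:\sfts.exe",
    r"[2012/11/28 23:32:12 | 000,103,140 | RHS- | M] () -- C:\rygyrt.pif",
    r"[2012/11/28 23:31:44 | 000,103,140 | RHS- | M] () -- C:\nroafs.exe",
    r"[2012/11/19 21:41:26 | 000,000,000 | ---D | C] -- C:\ProgramData\AMMYY",
]

if __name__ == "__main__":
    for section, reason, line in triage(HJT_SAMPLE):
        print(f"{section:4} {reason}: {line[:70]}")
    for c in dropper_clusters(OTL_SAMPLE):
        print(f"{c['count']} x {c['size']} bytes {c['attrs']}, one every ~{c['median_interval_s']}s")
```

To run it on a real log, pass the file's lines to `triage()` or `dropper_clusters()`. Note that in the log above the same two foreign resolvers are set on every interface and in both CS1 and CS2, so the DNS hijack would outlive a boot into Last Known Good Configuration; restoring the resolvers is part of the cleanup, not only deleting the dropped files.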
 

tecnico24

Elite User
10,706
1,072
Hi.
The PC is heavily infected; I don't see any changes related to winlogon.
Open OTL and, under the "custom scans/fixes" box, copy and paste this code in bold:

:Services

:OTL
PRC - C:\Windows\Installer\MSI1E09.tmp ()
SRV - (PowerOffer Service) -- C:\Users\Utente\AppData\Local\PosService\Pos.exe (PowerOfferService)

SRV - (ServUpdater) -- C:\Users\Utente\AppData\Local\ServUpdater\ServiceUpd.exe (ServiceUpd)
DRV - (XDva400) -- C:\Windows\system32\XDva400.sys File not found
DRV - (XDva399) -- C:\Windows\system32\XDva399.sys File not found
DRV - (XDva397) -- C:\Windows\system32\XDva397.sys File not found
DRV - (XDva396) -- C:\Windows\system32\XDva396.sys File not found
DRV - (XDva391) -- C:\Windows\system32\XDva391.sys File not found
DRV - (XDva385) -- C:\Windows\system32\XDva385.sys File not found
DRV - (EagleXNt) -- C:\Windows\system32\drivers\EagleXNt.sys File not found
DRV - (a0nt6nln) -- File not found
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = Analysis of program downloads scanned for viruses and spyware.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Search
IE - HKLM\..\URLSearchHook: - No CLSID value found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
IE - HKLM\..\SearchScopes\{154d339e-ccaa-49a5-9b38-6878ad4220bc}: "URL" = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKLM\..\SearchScopes\{7EB916EB-D280-4D3F-A7DC-1FC8988461CA}: "URL" = Analysis of program downloads scanned for viruses and spyware.
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2905319
IE - HKLM\..\SearchScopes\{D93529AB-73EE-4AF5-BD50-BD46B70B27EA}: "URL" = Analysis of program downloads scanned for viruses and spyware.
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Search
IE - HKU\.DEFAULT\..\URLSearchHook: - No CLSID value found
IE - HKU\.DEFAULT\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
IE - HKU\.DEFAULT\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - No CLSID value found
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Search
IE - HKU\S-1-5-18\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - No CLSID value found
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Search
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Search
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = SearchCompletion Search
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = SearchCompletion Search
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = SearchAmong
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = SearchCompletion Search
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=stonicit&s={searchTerms}&f=4
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=101293&mntrId=48c87aef0000000000000800270080eb
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{154d339e-ccaa-49a5-9b38-6878ad4220bc}: "URL" = http://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}: "URL" = http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=48c87aef000000000000001e2acd9d48&tlver=1.4.19.19&ss=1&affID=17982
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{592C3BA8-D414-4AB9-B502-8F56C94FAF07}: "URL" = http://searchya.com/?chnl=dcom-100&s=1&cr=885407883&cd=2XzutAtN2Y1L1QzutN0D0TzutBtDtCtBtDyDtDtC&q={searchTerms}
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}: "URL" = http://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{686409BA-9136-47F6-8CC3-77C97B0507F5}: "URL" = http://it.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{7EB916EB-D280-4D3F-A7DC-1FC8988461CA}: "URL" = Analysis of program downloads scanned for viruses and spyware.
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb119/?search={searchTerms}&loc=IB_DS&a=1&i=26
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{D7FF1B48-AF1F-4489-A5B4-AA7E2D874DAF}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ATU2&o=14670&src=kw&q={searchTerms}&locale=&apn_ptnrs=T8&apn_dtid=YYYYYYYYIT&apn_uid=4a9ca586-8d3c-4431-8df5-a1a9bae1793a&apn_sauid=128EF640-E676-4A4A-92D9-58C715AF8A19
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{D93529AB-73EE-4AF5-BD50-BD46B70B27EA}: "URL" = Analysis of program downloads scanned for viruses and spyware.
IE - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
FF - prefs.js..CT3199230.browser.search.defaultthis.engineName: true
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=17982"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=937811"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: false
FF - prefs.js..browser.startup.homepage: "http://www.searchamong.com/"
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}:1.3.331.6
FF - prefs.js..keyword.URL: "http://www.searchamong.com/searchview.php?cat=webs&bar=true&query="
FF - prefs.js..network.proxy.http: "138.207.8.77"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.socks_version: 4
FF - prefs.js..network.proxy.type: 0
[2012/07/22 13:39:36 | 000,000,000 | ---D | M] (cacaoweb) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\cacaoweb@cacaoweb.org
[2011/04/06 13:16:49 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\engine@conduit.com
[2011/03/19 16:30:28 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\ffxtlbr@babylon.com
[2012/02/21 18:39:08 | 000,000,000 | ---D | M] (Incredibar Toolbar) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\ffxtlbr@incredibar.com
[2012/05/01 19:46:26 | 000,000,000 | ---D | M] (searchya.com) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\ffxtlbr@searchya.com
[2012/08/11 00:23:43 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2012/11/01 15:10:11 | 000,000,000 | ---D | M] (PriceGong) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}
[2011/07/04 14:54:25 | 000,000,000 | ---D | M] (IMinent Toolbar) -- C:\Users\Utente\AppData\Roaming\mozilla\Firefox\Profiles\v4vu98ec.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}
[2012/10/22 20:42:43 | 000,000,000 | ---D | M] (TextAloud 3 Toolbar) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{99A0337C-6303-4879-B72E-500FD9AACA8C}
O3 - HKLM\..\Toolbar: (no name) - !{33AA308B-B565-4376-AC66-59EE9B6AD13E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{4619105f-8f56-4dc3-bb47-ede6e2993355} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{F053C368-5458-45B2-9B4D-D8914BDDDBFF} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{F9639E4A-801B-4843-AEE3-03D9DA199E77} - No CLSID value found.
O3 - HKLM\..\Toolbar: (SearchAmong Toolbar) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\SearchAmong Toolbar\SearchAmongToolbar.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {1D03A978-AC0C-4004-B9FD-9CF361C7BD3F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {1D03A978-AC0C-4004-B9FD-9CF361C7BD3F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\Toolbar\WebBrowser: (no name) - {1D03A978-AC0C-4004-B9FD-9CF361C7BD3F} - No CLSID value found.
O3 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\Toolbar\WebBrowser: (no name) - {2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF} - No CLSID value found.
O3 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: alipay.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: alipay.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: alisoft.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: alisoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: taobao.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1859739992-960128393-2123001086-1000\..Trusted Domains: taobao.com ([]https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{03C5666A-F566-43C0-BFF5-A9260800183E}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{166D347A-694F-4503-887D-E770729F85C1}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1AA12349-84FD-42CA-91A3-3DD78DBF0DAD}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F1A25DC-C3E4-4B32-936E-15CFBA14E2E9}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1FED18E3-0D70-4A0D-8E93-85210F632078}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{27E93BF5-C0E2-4C16-AA9C-8945BA89B71F}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{285A7BDD-AFB2-4456-882B-5E2B233684CF}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2DB4E794-3DC7-448B-BA87-7409157A4C59}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2DB50052-D2A7-44B9-8F8A-D29A3BDEB4A6}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3CFC68D0-1888-4F25-840B-38BC5B4E10EA}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{56CA45F6-AD1B-4B16-ADDE-09586BA0996F}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5770B8F5-159E-4825-B924-C0EBE90F6133}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8F94FAD6-2592-45AE-844F-C2F3422B6450}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{915272A6-D645-42CF-8E37-099F638C18B4}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AA1DB305-60DA-4E86-8183-F2F841D51848}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB2E1628-3860-4D4B-8090-E649A443F9D1}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C5F07A8D-C386-4457-A431-FC7FB25B0B04}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D94C9BF3-7DD9-4B41-89E2-ABB4CD945D9B}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{e29ac6c2-7037-11de-816d-806e6f6e6963}: NameServer = 176.31.229.24,176.31.229.25
O33 - MountPoints2\{a248c949-b9f3-11e1-ab86-bca3246deebe}\Shell - "" = AutoRun
O33 - MountPoints2\{a248c949-b9f3-11e1-ab86-bca3246deebe}\Shell\AutoRun\command - "" = E:\Startme.exe
O33 - MountPoints2\{b10837ab-b869-11e1-a6c9-b28f473a2ccc}\Shell - "" = AutoRun
O33 - MountPoints2\{b10837ab-b869-11e1-a6c9-b28f473a2ccc}\Shell\AutoRun\command - "" = E:\Startme.exe
O4 - HKLM..\Run: [PosService] C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe File not found
[2012/11/19 21:41:26 | 000,000,000 | ---D | C] -- C:\ProgramData\AMMYY
[2012/11/01 15:11:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SearchAmong Toolbar
[2012/11/01 15:10:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PriceGong
[2012/09/16 21:20:28 | 000,000,000 | ---D | C] -- C:\Users\Utente\AppData\Local\Alibaba
[2012/07/22 20:31:40 | 000,000,000 | ---D | C] -- C:\Users\Utente\AppData\Roaming\ICQ Search
[2012/07/22 20:31:23 | 000,000,000 | ---D | C] -- C:\ProgramData\ICQ
[2012/07/22 20:29:57 | 000,000,000 | ---D | C] -- C:\Users\Utente\AppData\Roaming\ICQ
[2012/11/28 23:33:28 | 000,103,140 | RHS- | M] () -- C:\jaked.exe
[2012/11/28 23:33:00 | 000,103,140 | RHS- | M] () -- C:\sfts.exe
[2012/11/28 23:32:12 | 000,103,140 | RHS- | M] () -- C:\rygyrt.pif
[2012/11/28 23:31:44 | 000,103,140 | RHS- | M] () -- C:\nroafs.exe
[2012/11/28 23:31:05 | 000,103,140 | RHS- | M] () -- C:\orvgvt.exe
[2012/11/28 23:30:21 | 000,103,140 | RHS- | M] () -- C:\sggmdk.pif
[2012/11/28 23:29:52 | 000,103,140 | RHS- | M] () -- C:\efackj.exe
[2012/11/28 23:29:24 | 000,103,140 | RHS- | M] () -- C:\dmqpa.exe
[2012/11/28 23:28:50 | 000,103,140 | RHS- | M] () -- C:\hvqpeq.exe
[2012/11/28 23:28:16 | 000,103,140 | RHS- | M] () -- C:\pxpw.exe
[2012/11/28 23:27:48 | 000,103,140 | RHS- | M] () -- C:\cfgs.exe
[2012/11/28 23:27:15 | 000,103,140 | RHS- | M] () -- C:\nkqlnu.pif
[2012/11/28 23:26:47 | 000,103,140 | RHS- | M] () -- C:\masgu.pif
[2012/11/28 23:26:16 | 000,103,140 | RHS- | M] () -- C:\ivwlyi.pif
[2012/11/28 23:25:48 | 000,103,140 | RHS- | M] () -- C:\cydga.pif
[2012/11/28 23:25:20 | 000,103,140 | RHS- | M] () -- C:\qbquq.exe
[2012/11/28 23:24:31 | 000,103,140 | RHS- | M] () -- C:\dilx.exe
[2012/11/28 23:24:03 | 000,103,140 | RHS- | M] () -- C:\vggki.pif
[2012/11/28 23:23:27 | 000,103,140 | RHS- | M] () -- C:\faqb.exe
[2012/11/28 23:22:59 | 000,103,140 | RHS- | M] () -- C:\mhband.exe
[2012/11/28 23:22:22 | 000,103,140 | RHS- | M] () -- C:\xewk.exe
[2012/11/28 23:21:52 | 000,103,140 | RHS- | M] () -- C:\frvpc.pif
[2012/11/28 23:21:24 | 000,103,140 | RHS- | M] () -- C:\kxvpy.pif
[2012/11/28 23:20:45 | 000,103,140 | RHS- | M] () -- C:\fkyh.exe
[2012/11/28 23:20:17 | 000,103,140 | RHS- | M] () -- C:\jceka.pif
[2012/11/28 23:19:48 | 000,103,140 | RHS- | M] () -- C:\dggks.pif
[2012/11/28 23:19:20 | 000,103,140 | RHS- | M] () -- C:\ghcnx.exe
[2012/11/28 23:18:48 | 000,103,140 | RHS- | M] () -- C:\suhl.pif
[2012/11/28 23:18:19 | 000,103,140 | RHS- | M] () -- C:\cvagn.exe
[2012/11/28 23:17:48 | 000,103,140 | RHS- | M] () -- C:\nrue.exe
[2012/11/28 23:17:06 | 000,103,140 | RHS- | M] () -- C:\qaql.exe
[2012/11/28 23:16:38 | 000,103,140 | RHS- | M] () -- C:\jolr.pif
[2012/11/28 23:15:55 | 000,103,140 | RHS- | M] () -- C:\vthjn.exe
[2012/11/28 23:15:26 | 000,103,140 | RHS- | M] () -- C:\yvkjj.exe
[2012/11/28 23:14:57 | 000,103,140 | RHS- | M] () -- C:\mnehf.exe
[2012/11/28 23:14:29 | 000,103,140 | RHS- | M] () -- C:\equdp.exe
[2012/11/28 23:14:00 | 000,103,140 | RHS- | M] () -- C:\yoeoa.exe
[2012/11/28 23:13:28 | 000,103,140 | RHS- | M] () -- C:\uyojv.exe
[2012/11/28 23:12:57 | 000,103,140 | RHS- | M] () -- C:\wxxsgy.exe
[2012/11/28 23:12:29 | 000,103,140 | RHS- | M] () -- C:\dnnho.pif
[2012/11/28 23:12:00 | 000,103,140 | RHS- | M] () -- C:\olva.exe
[2012/11/28 23:11:32 | 000,103,140 | RHS- | M] () -- C:\csdge.exe
[2012/11/28 23:11:04 | 000,103,140 | RHS- | M] () -- C:\rcrg.exe
[2012/11/28 23:10:36 | 000,103,140 | RHS- | M] () -- C:\ofgcgt.exe
[2012/11/28 23:09:42 | 000,103,140 | RHS- | M] () -- C:\lgydau.exe
[2012/11/28 23:09:04 | 000,103,140 | RHS- | M] () -- C:\xxwdb.pif
[2012/11/28 23:08:35 | 000,103,140 | RHS- | M] () -- C:\cerys.exe
[2012/11/28 23:08:07 | 000,103,140 | RHS- | M] () -- C:\dhtuyo.exe
[2012/11/28 23:07:38 | 000,103,140 | RHS- | M] () -- C:\dmme.exe
[2012/11/28 23:07:10 | 000,103,140 | RHS- | M] () -- C:\rfkkpd.pif
[2012/11/28 23:06:42 | 000,103,140 | RHS- | M] () -- C:\rapt.pif
[2012/11/28 23:06:14 | 000,103,140 | RHS- | M] () -- C:\vfafqh.exe
[2012/11/28 23:05:42 | 000,103,140 | RHS- | M] () -- C:\oxefpr.exe
[2012/11/28 23:05:13 | 000,103,140 | RHS- | M] () -- C:\xrhy.exe
[2012/11/28 23:04:45 | 000,103,140 | RHS- | M] () -- C:\oaqr.pif
[2012/11/28 23:04:15 | 000,103,140 | RHS- | M] () -- C:\aolfx.exe
[2012/11/28 23:03:38 | 000,103,140 | RHS- | M] () -- C:\wvsaqi.pif
[2012/11/28 23:02:58 | 000,103,140 | RHS- | M] () -- C:\fmtn.exe
[2012/11/28 23:02:29 | 000,103,140 | RHS- | M] () -- C:\odorty.pif
[2012/11/28 23:02:00 | 000,103,140 | RHS- | M] () -- C:\quwqs.pif
[2012/11/28 23:01:27 | 000,103,140 | RHS- | M] () -- C:\pknxcg.pif
[2012/11/28 23:00:57 | 000,103,140 | RHS- | M] () -- C:\wslni.exe
[2012/11/28 23:00:12 | 000,103,140 | RHS- | M] () -- C:\stfqix.exe
[2012/11/28 22:59:44 | 000,103,140 | RHS- | M] () -- C:\umfbq.exe
[2012/11/28 22:59:16 | 000,103,140 | RHS- | M] () -- C:\xsyyms.pif
[2012/11/28 22:58:45 | 000,103,140 | RHS- | M] () -- C:\vkir.pif
[2012/11/28 22:58:15 | 000,103,140 | RHS- | M] () -- C:\rhxrya.pif
[2012/11/28 22:57:47 | 000,103,140 | RHS- | M] () -- C:\mwtrsm.pif
[2012/11/28 22:57:19 | 000,103,140 | RHS- | M] () -- C:\jmbnj.pif
[2012/11/28 22:56:50 | 000,103,140 | RHS- | M] () -- C:\cxtkw.exe
[2012/11/28 22:56:13 | 000,103,140 | RHS- | M] () -- C:\suui.exe
[2012/11/28 22:55:44 | 000,103,140 | RHS- | M] () -- C:\dwcgjs.pif
[2012/11/28 22:55:16 | 000,103,140 | RHS- | M] () -- C:\vugrc.exe
[2012/11/28 22:54:47 | 000,103,140 | RHS- | M] () -- C:\xkhfi.exe
[2012/11/28 22:54:19 | 000,103,140 | RHS- | M] () -- C:\ykduy.exe
[2012/11/28 22:53:51 | 000,103,140 | RHS- | M] () -- C:\rdggmc.pif
[2012/11/28 22:53:23 | 000,103,140 | RHS- | M] () -- C:\bwrnh.exe
[2012/11/28 22:52:55 | 000,103,140 | RHS- | M] () -- C:\jthrrs.exe
[2012/11/28 22:52:27 | 000,103,140 | RHS- | M] () -- C:\rmgb.pif
[2012/11/28 22:51:58 | 000,103,140 | RHS- | M] () -- C:\vfnq.exe
[2012/11/28 22:51:30 | 000,103,140 | RHS- | M] () -- C:\fiton.pif
[2012/11/28 22:51:02 | 000,103,140 | RHS- | M] () -- C:\khfmk.exe
[2012/11/28 22:50:34 | 000,103,140 | RHS- | M] () -- C:\amnsh.pif
[2012/11/28 22:50:06 | 000,103,140 | RHS- | M] () -- C:\utljg.pif
[2012/11/28 22:49:38 | 000,103,140 | RHS- | M] () -- C:\xmdms.exe
[2012/11/28 22:49:09 | 000,103,140 | RHS- | M] () -- C:\dsgwfv.exe
[2012/11/28 22:48:41 | 000,103,140 | RHS- | M] () -- C:\efwf.exe
[2012/11/28 22:48:13 | 000,103,140 | RHS- | M] () -- C:\kwvwdr.pif
[2012/11/28 22:47:45 | 000,103,140 | RHS- | M] () -- C:\wjdhu.exe
[2012/11/28 22:47:17 | 000,103,140 | RHS- | M] () -- C:\emxnk.exe
[2012/11/28 22:46:48 | 000,103,140 | RHS- | M] () -- C:\odkrm.pif
[2012/11/28 22:46:20 | 000,103,140 | RHS- | M] () -- C:\flqg.pif
[2012/11/28 22:45:52 | 000,103,140 | RHS- | M] () -- C:\lsnf.pif
[2012/11/28 22:45:23 | 000,103,140 | RHS- | M] () -- C:\mpmpx.pif
[2012/11/28 22:44:54 | 000,103,140 | RHS- | M] () -- C:\ujmgqy.exe
[2012/11/28 22:44:25 | 000,103,140 | RHS- | M] () -- C:\xawark.pif
[2012/11/28 22:43:56 | 000,103,140 | RHS- | M] () -- C:\mpaa.exe
[2012/11/28 22:43:28 | 000,103,140 | RHS- | M] () -- C:\tlsmcw.exe
[2012/11/28 22:42:58 | 000,103,140 | RHS- | M] () -- C:\gufjj.pif
[2012/11/28 22:42:29 | 000,103,140 | RHS- | M] () -- C:\fdpi.exe
[2012/11/28 22:42:00 | 000,103,140 | RHS- | M] () -- C:\ahjx.pif
[2012/11/28 22:41:31 | 000,103,140 | RHS- | M] () -- C:\hpoyns.exe
[2012/11/28 22:41:01 | 000,103,140 | RHS- | M] () -- C:\avvjpt.exe
[2012/11/28 22:40:32 | 000,103,140 | RHS- | M] () -- C:\xboemr.exe
[2012/11/28 22:40:02 | 000,103,140 | RHS- | M] () -- C:\vvyfx.pif
[2012/11/28 22:39:33 | 000,103,140 | RHS- | M] () -- C:\wlwd.pif
[2012/11/28 23:14:29 | 000,000,253 | RHS- | C] () -- C:\autorun.inf
[2012/11/21 15:54:11 | 000,103,140 | RHS- | C] () -- C:\ngli.exe
[2012/01/05 12:49:03 | 000,075,776 | ---- | C] () -- C:\Windows\cadkasdeinst01i.exe
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:890CC2F3
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:E8BE05FA
[2012/02/10 14:41:31 | 000,000,000 | ---D | M] -- C:\Users\Utente\AppData\Roaming\OfferBox

:Files
C:\$Recycle.bin\S-1-5-21-1859739992-960128393-2123001086-1000\$R4NWHLK\gameloft\hos\l
ipconfig /flushdns /c

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

:commands
[purity]
[emptytemp]
[RESETHOSTS]
[EMPTYFLASH]
[start explorer]
[CLEARALLRESTOREPOINTS]
[Reboot]

Click the button
[image: 2eejtxj.jpg]

Wait for the operations to finish without interfering
The PC will reboot
When it comes back, post the report as an attachment.
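As an added defender-side example (not part of this thread and not OTL's own code), here is a small Python script that scans OTL-format file lines like the ones in the fix above for the pattern this log shows: many hidden+system executables of one identical size dropped under random names in the drive root, next to a hidden autorun.inf. The sample lines are constructed, not copied from the poster's log.

```python
import re
from collections import defaultdict

# Constructed sample in the OTL line format used by the fix script above
# (not the poster's real log): three same-size hidden executables dropped
# in the drive root, an autorun.inf, and one benign-looking entry.
SAMPLE_LOG = """\
[2012/11/28 23:28:50 | 000,103,140 | RHS- | M] () -- C:\\hvqpeq.exe
[2012/11/28 23:28:16 | 000,103,140 | RHS- | M] () -- C:\\pxpw.exe
[2012/11/28 23:27:48 | 000,103,140 | RHS- | M] () -- C:\\nkqlnu.pif
[2012/11/28 23:14:29 | 000,000,253 | RHS- | C] () -- C:\\autorun.inf
[2012/01/05 12:49:03 | 000,075,776 | ---- | C] () -- C:\\Windows\\cadkasdeinst01i.exe
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[RHSD-]{4})"
    r" \| (?P<op>[MC])\] \(.*?\) -- (?P<path>.+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|pif|scr|com)$", re.I)
ROOT_AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)


def parse_otl(text):
    """Yield (size_bytes, attrs, path) for every OTL file line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["size"].replace(",", "")), m["attr"], m["path"]


def find_dropper_burst(text, min_cluster=3):
    """Flag hidden+system executables in a drive root that share one exact
    size (the same payload copied under random names), plus a hidden
    autorun.inf that would launch them from a removable drive."""
    by_size = defaultdict(list)
    flagged = []
    for size, attr, path in parse_otl(text):
        hidden_system = "H" in attr and "S" in attr
        if ROOT_AUTORUN_RE.match(path) and hidden_system:
            flagged.append(path)
        elif ROOT_EXE_RE.match(path) and hidden_system:
            by_size[size].append(path)
    clusters = {s: p for s, p in by_size.items() if len(p) >= min_cluster}
    for paths in clusters.values():
        flagged.extend(paths)
    return {"clusters": clusters, "flagged": sorted(flagged)}


if __name__ == "__main__":
    for path in find_dropper_burst(SAMPLE_LOG)["flagged"]:
        print("suspicious:", path)
```

Run it against a real OTL log by passing the file contents to find_dropper_burst; the size-cluster threshold is a heuristic and legitimate installers rarely trip it because they do not leave hidden+system executables in the drive root.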

Surolol

New User
13
0
Here is the log, attached.
One more thing: this message keeps appearing many times, with different IP addresses and ports, while Malwarebytes is open:
[screenshot: Immagine.png]
 

Attachments

  • mbam-log-2012-11-29 (21-15-00).txt
    24.1 KB · Views: 243

tecnico24

Elite User
10,706
1,072
Turn off System Restore:

● Control Panel
● System and Security
● System
● System Protection on the left
● click Configure and select Turn off system protection, then Apply and OK.

Remove all the threats Malwarebytes found with the Remove Selected button.
Post the report.
 

tecnico24

Elite User
10,706
1,072
I already did the removal earlier and now I don't know how to find the report.
There is a Log tab in Malwarebytes that contains the reports of the operations.
After the removal, does it still report access from those addresses?
Since the infections restore themselves, it is enough to disable System Restore and proceed with the removal.
 

Surolol

New User
13
0
No, the address windows don't appear any more.
Two logs are attached.
 

Attachments

  • mbam-log-2012-11-29 (18-30-14).txt
    15.1 KB · Views: 167
  • protection-log-2012-11-29.txt
    605.4 KB · Views: 152

tecnico24

Elite User
10,706
1,072
Good. If you are up for it, run a new scan with OTL (configured as before) and post the two reports.
I want to make sure everything is OK.
 

Surolol

New User
13
0
Tomorrow I'll run the OTL scan again.
There is a huge improvement in performance anyway.
Thanks a lot for the help. :thanks:
 
