Running a security scan with HitmanPro in Default Scan mode (recommended) detected nothing, while in Early Warning Scoring (EWS) mode it detected some possible threats, see screenshot:
This is the log:
http://www.hitmanpro.com
Computer name . . . . : USER-PC
Windows . . . . . . . : 6.1.1.7601.X64/12
User name . . . . . . : User-PC\User
UAC . . . . . . . . . : Enabled
License . . . . . . . : Paid (1087 days left)
Scan date . . . . . . : 2013-08-14 18:27:33
Scan mode . . . . . . : EWS
Scan duration . . . . : 50s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 156
Objects scanned . . . : 1.207.094
Files scanned . . . . : 7.988
Remnants scanned . . : 254.226 files / 944.880 keys
Early Warning Scoring _______________________________________________________
C:\Windows\system32\cryptsvc.dll
Size . . . . . . . : 184.320 bytes
Age . . . . . . . : 0.4 days (2013-08-14 08:06:56)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 2F27C6FA96A1C8CBDA467846DA57E63949A7EA37DB094B13397DDD30114295BD
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : Cryptographic Services
Version . . . . . : 6.1.7601.18205
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Service . . . . . : CryptSvc
Fuzzy . . . . . . : 11.0
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Startup
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc\
C:\Windows\system32\drivers\AtihdW76.sys
Size . . . . . . . : 96.768 bytes
Age . . . . . . . : 7.4 days (2013-08-07 08:33:07)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 00B5943AF9C3C0EF57BF0FDCC94EBBEE354082EB5E187CC067F6E735B304D45E
Product . . . . . : AMD HD Audio Driver
Publisher . . . . : Advanced Micro Devices
Description . . . : AMD High Definition Audio Function Driver
Version . . . . . : 9.0.0.9900
Copyright . . . . : © Advanced Micro Devices. All rights reserved.
Service . . . . . : AtiHDAudioService
Fuzzy . . . . . . : 6.0
Starts automatically as a service during system bootup.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Time indicates that the file appeared recently on this computer.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Startup
HKLM\SYSTEM\CurrentControlSet\Services\AtiHDAudioService\
Forensic Cluster
0.0s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\AtihdW76.cat
0.0s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\atihdw76.INF
0.0s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\AtihdW76.sys
0.0s C:\Windows\System32\drivers\AtihdW76.sys
0.0s C:\Windows\System32\drivers\AtihdW76.sys
0.0s C:\Windows\System32\DelayAPO.dll
0.0s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\DelayAPO.dll
0.6s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\
0.6s C:\Windows\inf\oem105.inf
0.6s C:\Windows\System32\DriverStore\FileRepository\atihdw76.inf_amd64_neutral_64987d2caee24a62\atihdw76.PNF
0.7s C:\Windows\System32\DriverStore\INFCACHE.1
0.7s C:\Windows\System32\DriverStore\INFCACHE.1
0.7s C:\Windows\System32\DriverStore\INFCACHE.1
0.8s C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem105.CAT
0.8s C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem105.CAT
1.0s C:\Windows\inf\oem105.PNF
C:\Windows\system32\DRIVERS\tssecsrv.sys
Size . . . . . . . : 39.936 bytes
Age . . . . . . . : 0.4 days (2013-08-14 08:06:44)
Entropy . . . . . : 5.8
SHA-256 . . . . . : CBE501436696E32A3701B9F377B823AC36647B6626595F76CC63E2396AD7D300
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : TS Security Filter Driver
Version . . . . . : 6.1.7601.18186
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Service . . . . . : tssecsrv
Fuzzy . . . . . . : 7.0
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Startup
HKLM\SYSTEM\CurrentControlSet\Services\tssecsrv\
C:\Windows\system32\ie4uinit.exe
Size . . . . . . . : 51.712 bytes
Age . . . . . . . : 0.4 days (2013-08-14 08:09:44)
Entropy . . . . . : 5.7
SHA-256 . . . . . : DF9996D437B2551AAB1250F33F42E62B51C07733CBFE925DC255D429664C9735
Product . . . . . : Windows® Internet Explorer
Publisher . . . . : Microsoft Corporation
Description . . . : IE Per-User Initialization Utility
Version . . . . . : 10.00.9200.16660
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Fuzzy . . . . . . : 6.0
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Startup
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}\
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\Windows\System32\ieframe.dll
Size . . . . . . . : 15.405.056 bytes
Age . . . . . . . : 0.4 days (2013-08-14 08:09:38)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 14B5F0CE85FA81C24EE5C1F9F737A882A08DC232CC46C63A3BDCA74A8D113C7E
Product . . . . . : Windows® Internet Explorer
Publisher . . . . : Microsoft Corporation
Description . . . : Internet Browser
Version . . . . . : 10.00.9200.16660
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Fuzzy . . . . . . : 8.0
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-39307052-1950774526-1520951239-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
References
HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
C:\Windows\SysWOW64\ieframe.dll
Size . . . . . . . : 13.761.024 bytes
Age . . . . . . . : 0.4 days (2013-08-14 08:09:39)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 2211B0C80E24F5D976F0F613A35E86F95120555F9820EF626D298776E27A10B2
Product . . . . . : Windows® Internet Explorer
Publisher . . . . : Microsoft Corporation
Description . . . : Internet Browser
Version . . . . . : 10.00.9200.16660
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Fuzzy . . . . . . : 12.0
Program is running but currently exposes no human-computer interface (GUI).
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-39307052-1950774526-1520951239-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
References
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
C:\Windows\system32\cryptsvc.dll
https://www.virustotal.com/it/file/e3ab ... /analysis/
C:\Windows\System32\ieframe.dll
https://www.virustotal.com/it/file/2211 ... /analysis/
C:\Windows\SysWOW64\ieframe.dll
https://www.virustotal.com/it/file/2211 ... /analysis/
WARNING!!!
In Early Warning Scoring (EWS) mode it can generate false positives.
Checking on the Internet, the files seem legitimate:
http://www.processlibrary.com/it/direct ... svc/28877/
http://www.processlibrary.com/it/direct ... ame/75361/
Until yesterday HitmanPro detected only the file:
C:\Windows\system32\drivers\AtihdW76.sys
which is a false positive.
I want to point out that I also ran a security scan with Eset Smart Security: no threats detected; Emsisoft Anti-Malware: no threats detected;
Dr.Web CureIt!: no threats detected; Kaspersky TDSSKiller in advanced mode did not detect the files, only a false positive concerning Samsung Magician,
see screenshot:
Could you kindly tell me how I should proceed?
Thanks in advance for your help.
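As an added example (not part of the original post, and not HitmanPro's own tooling), here is how a practitioner would check the six files from the EWS log above on the affected machine instead of relying on third-party lookups: re-hash each file and compare it with the SHA-256 the scanner recorded, read its Authenticode signature and version resource, and ask Windows Resource Protection itself whether the protected copies are intact. It assumes an elevated PowerShell 4.0 or newer prompt (Get-FileHash is not in PowerShell 2.0, which Windows 7 ships with) and that the files are still at the paths the log shows; the expected hashes are copied from the log.

```powershell
# Added verification script (not from the original post). Assumes PowerShell 4.0+
# and an elevated prompt. Expected SHA-256 values are copied from the HitmanPro log.
$flagged = @{
    'C:\Windows\system32\cryptsvc.dll'         = '2F27C6FA96A1C8CBDA467846DA57E63949A7EA37DB094B13397DDD30114295BD'
    'C:\Windows\system32\drivers\AtihdW76.sys' = '00B5943AF9C3C0EF57BF0FDCC94EBBEE354082EB5E187CC067F6E735B304D45E'
    'C:\Windows\system32\DRIVERS\tssecsrv.sys' = 'CBE501436696E32A3701B9F377B823AC36647B6626595F76CC63E2396AD7D300'
    'C:\Windows\system32\ie4uinit.exe'         = 'DF9996D437B2551AAB1250F33F42E62B51C07733CBFE925DC255D429664C9735'
    'C:\Windows\System32\ieframe.dll'          = '14B5F0CE85FA81C24EE5C1F9F737A882A08DC232CC46C63A3BDCA74A8D113C7E'
    'C:\Windows\SysWOW64\ieframe.dll'          = '2211B0C80E24F5D976F0F613A35E86F95120555F9820EF626D298776E27A10B2'
}

foreach ($path in $flagged.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found"
        continue
    }

    # 1. Does the file on disk still hash to what the scanner saw? A mismatch means the
    #    file changed after the scan (update, or tampering) and the VirusTotal lookup
    #    done on the old hash no longer applies.
    $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $hashOk  = ($hash -eq $flagged[$path])

    # 2. Authenticode check. Caveat: many Windows system files are catalog-signed rather
    #    than carrying an embedded signature, so on older systems this can report
    #    'NotSigned' for a genuine file. 'HashMismatch' or an unexpected signer is the
    #    result that actually matters; 'NotSigned' alone is not proof of tampering.
    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # 3. Version resource, to cross-check Publisher/Version against the log entries.
    $ver     = (Get-Item -LiteralPath $path).VersionInfo

    [PSCustomObject]@{
        File        = $path
        HashMatches = $hashOk
        SigStatus   = $sig.Status
        Signer      = $signer
        FileVersion = $ver.FileVersion
        Company     = $ver.CompanyName
    }
}

# 4. For the files the log marks as WFP-protected, let Windows Resource Protection compare
#    the on-disk copy with its protected version (elevated prompt required). A clean result
#    reads "Windows Resource Protection did not find any integrity violations."
sfc /verifyfile=C:\Windows\system32\cryptsvc.dll
sfc /verifyfile=C:\Windows\system32\DRIVERS\tssecsrv.sys
sfc /verifyfile=C:\Windows\system32\ie4uinit.exe
sfc /verifyfile=C:\Windows\System32\ieframe.dll
sfc /verifyfile=C:\Windows\SysWOW64\ieframe.dll
```

The AMD audio driver is not WFP-protected, so for it the signature and version checks are what count; its signer should be Advanced Micro Devices, consistent with the Forensic Cluster in the log, which shows the file arriving through the Driver Store together with its catalog (AtihdW76.cat, oem105.CAT) rather than being dropped into system32\drivers on its own. A valid signature plus a matching hash on every file is the evidence that supports the false-positive reading; a HashMismatch status or an sfc integrity violation on any of them is the one result that would change the picture.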