Dll sospetta

MugenXxX · 16-09-2008, 10:14

Ciao a tutti, ho un problema con windows... all'avvio mi compare sempre questa finestrella

e nei processi caricati all'avvio di windows trovo

Anche se elimino la voce poi si continua a ricreare... ho cercato info su internet su questa dll ma non ho trovato niente

... se riuscite a darmi voi 1 aiutino...

(Aggiungo che non sembro infetto da alcun tipo di virus, trojan o malware... ho fatto 1 scansione con lo symantec e con pc doctor)

Ciao,
Luca

Angelus88 · 16-09-2008, 10:34

Hai preso Vundo... ossia un virus

Scarica Combofix da qui.

Avvialo dalla modalità provvisoria, premi 1 quando richiesto e lascialo lavorare. Al termina verrà riavviato il pc.

Posta qui poi il file di testo che rilascia

P.S. Un grande consiglio: disinstalla quella porcheria di Norton e PC Doctor e installa al loro posto Avira e SuperAntiSpyware.
Per disinstallare Norton usa questo tool

MugenXxX · 16-09-2008, 12:09

Grazie ora faccio come mi hai detto... fosse x me disinstallerei al volo il norton x mettere avira (come sul pc di casa) purtoppo il problema ce l'ho sul pc da lavoro e non posso metterci troppo le mani

Angelus88 · 16-09-2008, 14:30

Ok allora usa solo Combofix in modalità provvisoria

MugenXxX · 17-09-2008, 09:48

Ehm sia con combofix che con avira non ho risolto il problema... tutto come prima purtoppo... sei sicuro che si tratta del virus vundo? perchè ho provato anche altri tool specifici e non rilevano un bel niente

Angelus88 · 17-09-2008, 10:01

Postami il log come ti avevo chiesto

MugenXxX · 17-09-2008, 10:09

eccolo:

Quote:

ComboFix 08-09-15.02 - l.consolaro 2008-09-16 22.28.22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1466 [GMT 2:00]
Running from: D:\Documents and Settings\l.consolaro\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd7762e32.txt
C:\WINDOWS\BMd7762e32.xml
C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINDOWS\system32\iabvttrm.ini
C:\WINDOWS\system32\sxjxuwyn.ini
C:\WINDOWS\system32\uFgMnnmp.ini
C:\WINDOWS\system32\uFgMnnmp.ini2

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-21 08:06 . 2008-09-21 08:06 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Juniper Networks
2008-09-20 23:15 . 2008-09-20 23:15 <DIR> d--hs---- D:\Documents and Settings\NetworkService.NT AUTHORITY
2008-09-20 23:15 . 2008-09-20 23:15 <DIR> d--hs---- D:\Documents and Settings\LocalService.NT AUTHORITY
2008-09-20 23:12 . 2008-09-20 23:12 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\PC Tools
2008-09-20 23:12 . 2008-09-06 02:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-20 20:21 . 2008-09-20 20:22 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Hot Keyboard
2008-09-20 20:21 . 2008-09-05 22:53 <DIR> d-------- C:\Program Files\Hot Keyboard Pro
2008-09-16 10:01 . 2008-09-16 10:01 <DIR> d-------- C:\Program Files\PrevxCSI
2008-09-16 10:01 . 2008-09-16 10:01 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-09-11 19:05 . 2008-09-11 19:05 <DIR> d-------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Juniper Networks
2008-09-09 18:30 . 2008-09-09 18:30 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\SystemRequirementsLab
2008-09-09 18:30 . 2008-09-09 18:30 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-09-09 14:17 . 2008-09-11 10:20 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Hamachi
2008-09-09 14:17 . 2008-09-09 14:17 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-09-07 03:36 . 2008-09-07 03:36 <DIR> d-------- C:\Program Files\Real Alternative
2008-09-07 00:27 . 2008-09-07 00:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-06 20:34 . 2008-09-06 20:34 <DIR> d-------- C:\Documents and Settings
2008-09-06 10:43 . 2008-09-06 10:43 <DIR> d-------- C:\Program Files\RealVNC
2008-09-06 10:43 . 2007-10-09 22:02 19,968 --a------ C:\WINDOWS\system32\vncmirror.dll
2008-09-06 10:43 . 2007-10-09 22:02 3,072 --a------ C:\WINDOWS\system32\drivers\vncmirror.sys
2008-09-06 02:45 . 2008-07-08 14:54 148,496 --a------ C:\WINDOWS\system32\drivers\34395264.sys
2008-09-06 01:37 . 2008-09-06 01:37 <DIR> d-------- C:\Program Files\BillP Studios
2008-09-06 01:27 . 2008-09-06 01:27 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\WinPatrol
2008-09-05 23:56 . 2008-09-05 23:57 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\SPORE
2008-09-05 22:40 . 2008-09-05 22:40 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-05 22:35 . 2008-09-05 22:35 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Thinstall
2008-09-05 14:24 . 2008-09-05 14:24 <DIR> d-------- C:\Program Files\AIDA32 - Enterprise System Information
2008-09-05 09:59 . 2008-09-05 10:00 <DIR> d-------- C:\Program Files\DbVisualizer
2008-09-03 14:05 . 2008-09-03 14:05 <DIR> d-------- D:\Documents and Settings\LAF21~1~CON\LOCALS~1
2008-09-03 14:05 . 2008-09-03 14:05 <DIR> d-------- D:\Documents and Settings\LAF21~1~CON
2008-09-03 14:05 . 2008-09-03 14:05 <DIR> d-------- C:\Program Files\Microsoft Reader
2008-09-03 14:05 . 2003-06-05 17:15 57,436 --a------ C:\WINDOWS\DASShp.dll
2008-09-03 11:17 . 2008-09-03 15:24 <DIR> d-------- C:\Program Files\Opera
2008-09-02 01:17 . 2008-03-05 11:41 148,496 --a------ C:\WINDOWS\system32\drivers\14388658.sys
2008-08-31 15:10 . 2008-08-31 15:10 93 --a------ C:\tuxtxt.conf
2008-08-31 15:09 . 2008-09-04 11:15 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\FileZilla
2008-08-31 15:08 . 2008-08-31 15:08 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-08-31 15:02 . 2008-08-31 15:02 561,152 --a------ C:\WINDOWS\system32\libeay32.dll
2008-08-30 18:49 . 2008-08-30 18:49 <DIR> d-------- C:\Program Files\7-Zip
2008-08-30 11:02 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-08-30 11:02 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\dllcache\usbser.sys
2008-08-30 11:01 . 2008-08-30 11:01 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-08-29 10:01 . 2008-08-29 10:01 <DIR> d-------- C:\Program Files\Hot Keyboard
2008-08-28 12:02 . 2007-09-18 10:50 188,416 --a------ C:\WINDOWS\system32\igfxres.dll
2008-08-28 11:55 . 2007-09-18 11:15 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4873.dll
2008-08-28 11:55 . 2007-09-18 11:08 104,636 --a------ C:\WINDOWS\system32\igmedcompkrn.dll
2008-08-27 00:12 . 2008-03-05 11:41 148,496 --a------ C:\WINDOWS\system32\drivers\23294809.sys
2008-08-26 14:06 . 2008-03-05 11:41 148,496 --a------ C:\WINDOWS\system32\drivers\16241113.sys
2008-08-26 12:59 . 2008-09-16 22:41 152,834,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 12:59 . 2008-09-16 22:38 1,795,676 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-26 11:41 . 2008-09-12 09:45 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\ntr
2008-08-26 01:29 . 2008-08-26 01:29 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Apple Computer
2008-08-26 01:27 . 2008-08-26 01:27 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-26 01:27 . 2008-08-26 01:28 <DIR> d-------- C:\Program Files\QuickTime
2008-08-26 01:21 . 2008-08-26 01:21 <DIR> d-------- C:\Program Files\Real
2008-08-25 00:53 . 2008-08-25 22:42 <DIR> d-------- C:\Program Files\Unlocker
2008-08-25 00:43 . 2008-08-25 09:46 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-08-25 00:40 . 2008-09-16 19:10 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\SUPERAntiSpyware.com
2008-08-25 00:40 . 2008-08-25 00:40 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 00:40 . 2008-09-16 19:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-25 00:12 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-25 00:12 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-25 00:12 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-25 00:12 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-24 19:40 . 2008-09-16 11:07 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-24 18:57 . 2008-08-24 18:57 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\EFSoftware
2008-08-24 18:57 . 2008-08-25 09:50 <DIR> d-------- C:\Program Files\EF Commander Free
2008-08-24 18:33 . 2008-08-24 18:33 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-24 18:22 . 2008-08-24 18:22 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 17:49 . 2008-08-24 17:49 262,144 --a------ C:\ntuser.dat
2008-08-24 17:45 . 2008-09-12 11:20 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 17:45 . 2004-02-23 20:42 1,386,496 --a------ C:\WINDOWS\system32\msvbvm60.dll
2008-08-24 09:53 . 2008-08-25 00:32 <DIR> d-------- C:\Program Files\Switlle
2008-08-24 01:51 . 2008-08-24 01:51 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 01:50 . 2008-09-10 02:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 01:50 . 2008-08-24 01:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-23 22:07 . 2008-09-16 19:07 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-23 21:57 . 2008-08-23 21:57 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Nero
2008-08-23 21:53 . 2008-08-23 21:53 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-08-23 21:53 . 2008-08-23 21:53 <DIR> d-------- C:\Program Files\Nero
2008-08-23 21:53 . 2008-08-23 21:54 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-21 22:45 . 2008-08-21 22:45 <DIR> d--h----- D:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-08-21 22:45 . 2008-08-21 22:45 <DIR> d-------- C:\Program Files\Eraser
2008-08-21 18:44 . 2008-08-21 18:44 <DIR> d-------- C:\Program Files\CCleaner
2008-08-21 18:43 . 2008-08-21 18:43 <DIR> d-------- C:\Program Files\CodeStuff
2008-08-21 12:36 . 2005-02-19 14:51 315,422 --a------ C:\WINDOWS\architec016.jpg
2008-08-21 12:25 . 2008-09-07 14:41 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\vlc
2008-08-21 12:24 . 2008-08-21 12:24 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-21 10:51 . 2008-09-09 16:22 8,766 --a------ C:\WINDOWS\hh.dat
2008-08-20 23:18 . 2008-08-20 23:18 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-08-20 21:18 . 2008-09-15 01:03 <DIR> d-------- C:\Program Files\FlashGet
2008-08-20 16:17 . 2008-08-20 16:17 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Media Player Classic
2008-08-20 16:16 . 2008-08-20 16:18 <DIR> d-------- C:\Program Files\NetMeter
2008-08-20 16:15 . 2008-08-20 16:15 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\HTNetMeter
2008-08-20 14:25 . 2008-08-20 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nokia
2008-08-20 14:25 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-08-20 14:25 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-20 14:25 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-08-20 14:25 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-08-20 14:25 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-08-20 14:25 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-08-20 11:19 . 2008-08-20 11:19 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Roxio
2008-08-20 11:19 . 2008-08-20 11:28 <DIR> d-------- D:\Documents and Settings\l.consolaro\.dbvis
2008-08-20 11:17 . 2008-08-20 11:17 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-08-20 11:10 . 2008-08-20 11:10 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\Winamp
2008-08-20 11:10 . 2008-08-20 11:13 <DIR> d-------- C:\Program Files\Winamp
2008-08-20 11:10 . 2007-03-08 01:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-20 11:10 . 2007-03-08 01:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-08-20 11:04 . 2008-08-20 11:04 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-20 11:00 . 2006-10-06 08:37 3,846 --a------ C:\WINDOWS\system32\sideinfo
2008-08-20 11:00 . 2007-07-04 14:39 1,755 --a------ C:\WINDOWS\system32\saprfc.ini
2008-08-20 10:59 . 2008-08-20 10:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-20 10:58 . 2008-09-09 14:16 <DIR> d-------- C:\temp
2008-08-20 10:58 . 2008-09-04 10:57 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-08-20 10:58 . 2008-09-04 10:43 <DIR> d-------- C:\Informatica
2008-08-20 10:57 . 2008-08-20 10:57 <DIR> d--h----- D:\Documents and Settings\l.consolaro\InstallAnywhere
2008-08-20 10:56 . 2003-05-01 13:26 5,220 -ra------ C:\WINDOWS\system32\drivers\CVirtA.sys
2008-08-20 10:55 . 2008-08-20 10:55 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-08-20 10:55 . 2008-08-20 10:55 <DIR> d-------- C:\Program Files\Cisco Systems
2008-08-20 10:55 . 2004-02-02 12:29 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-08-20 10:55 . 2004-02-02 12:29 113,596 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-08-20 10:51 . 2008-08-20 10:52 <DIR> d-------- D:\Documents and Settings\l.consolaro\Contacts
2008-08-19 11:54 . 2008-08-19 11:54 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
2008-08-19 11:52 . 2008-08-19 11:52 7,449 --a------ C:\l.consolaro19082008.rtf
2008-08-19 11:48 . 2008-08-19 11:48 <DIR> d-------- D:\Documents and Settings\l.consolaro\Application Data\iPassConnect

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 20:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-05 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 08:37 --------- d-----w C:\Program Files\notes
2008-08-25 23:26 --------- d-----w C:\Program Files\Common Files\Real
2008-08-20 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-20 09:23 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-08-18 14:23 --------- d-----w C:\Program Files\Nortel Networks
2007-07-26 17:02 305,688 ----a-w C:\WINDOWS\inf\IaStor.sys
2006-09-12 13:21 319 ----a-w C:\Program Files\VersionMarker.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Simp"="C:\PROGRA~1\Secway\SimpPro\SimpPro.exe" [2007-10-25 2347008]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"Hot Keyboard"="C:\Program Files\Hot Keyboard\HotKeyb.exe" [2008-01-23 606208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 124928]
"Pointsec Tray"="C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe" [2007-02-06 941424]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-20 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-20 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-20 137752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Proventia Desktop Agent.lnk - C:\Program Files\ISS\Proventia Desktop\blackice.exe [2008-08-18 2179072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=sernum.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\1]
"Script"=admincln.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Accenture Connection\\9341989\\Program\\Accenture Connection.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 prot_2k;prot_2k;C:\WINDOWS\system32\drivers\prot_2k.sys [2007-02-06 238496]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-16 17408]
R1 is-MDTP1drv;is-MDTP1drv;C:\WINDOWS\system32\drivers\14388658.sys [2008-03-05 148496]
R1 is-P5HAQdrv;is-P5HAQdrv;C:\WINDOWS\system32\drivers\23294809.sys [2008-03-05 148496]
R1 is-U389Gdrv;is-U389Gdrv;C:\WINDOWS\system32\DRIVERS\34395264.sys [2008-07-08 148496]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-16 618040]
R2 Neoteris Setup Service;Neoteris Setup Service;C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe [2006-02-01 36864]
R2 Pointsec;Pointsec;C:\WINDOWS\system32\Prot_srv.exe [2007-02-06 146720]
R2 Pointsec_start;Pointsec Service Start;C:\WINDOWS\system32\pstartSr.exe [2007-02-06 109856]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-11 23552]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-23 36608]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 114016]
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-20 47616]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-10-23 205938]
S1 is-8IRRGdrv;is-8IRRGdrv;C:\WINDOWS\system32\drivers\16241113.sys [2008-03-05 148496]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 114016]
S2 is-8IRRG;is-8IRRG;D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-8IRRG\is-8IRRG.exe [ ]
S2 is-MDTP1;is-MDTP1;D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-MDTP1\is-MDTP1.exe [ ]
S2 is-P5HAQ;is-P5HAQ;D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-P5HAQ\is-P5HAQ.exe [ ]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys [ ]
S3 IgniteService;IgniteService;C:\Program Files\Accenture Connection\9341989\Program\IgniteService.exe [2008-08-18 86016]
S3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-10-23 80512]
S3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-23 50163]
S3 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2007-10-23 405770]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a878f27c-6d2d-11dd-8732-444553544200}]
\Shell\AutoRun\command - qyq826j2.com
\Shell\explore\Command - qyq826j2.com
\Shell\open\Command - qyq826j2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d03afd0e-70f2-11dd-8743-444553544200}]
\Shell\AutoRun\command - G:\qx.bat
\Shell\explore\Command - G:\qx.bat
\Shell\open\Command - G:\qx.bat

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{BFF7A068-7671-4F25-B381-99686352D116} - (no file)
HKLM-Run-d4451dae - C:\WINDOWS\system32\mrttvbai.dll
HKLM-Explorer_Run-PxNs0OF6dg - D:\Documents and Settings\All Users\Application Data\kvmtuvwn\unenopkb.exe
Notify-hgGVNecy - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\l.consolaro\Application Data\Mozilla\Firefox\Profiles\shhbxz4b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.it
FF -: plugin - D:\Documents and Settings\l.consolaro\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 22:40:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\ATL.DLL
-> C:\Program Files\Hot Keyboard\hkhook21.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ipass\ipassconnect\iPassPeriodicUpdateService.exe
C:\Program Files\ipass\ipassconnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-16 22:43:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 20:43:49

Pre-Run: 18,271,604,736 bytes free
Post-Run: 18,158,911,488 bytes free

294

Angelus88 · 17-09-2008, 12:06

A me risulta che non sia tutto come prima! Combofix ha fatto pulizia e nelle voci in autorun non c'è più quella voce. Qual'è ancora il problema allora?

MugenXxX · 17-09-2008, 12:58

Il problema è che la voce si ricrea come prima... combofix l'ha si cancellato ma al riavvio successivo del pc si è ricreata e la finestra e comparsa di nuovo!

Angelus88 · 17-09-2008, 14:25

Posta un log di hijackthis

MugenXxX · 17-09-2008, 14:47

Pronto:

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.45.26, on 17/09/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Secway\SimpPro\SimpPro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hot Keyboard\HotKeyb.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe
C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CodeStuff\Starter\Starter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.acn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.75.35.211:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BFF7A068-7671-4F25-B381-99686352D116} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d4451dae] rundll32.exe "C:\WINDOWS\system32\mrttvbai.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SimpPro\SimpPro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard\HotKeyb.exe -minimized
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl63.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Proventia Desktop Agent.lnk = C:\Program Files\ISS\Proventia Desktop\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Scarica con FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Scarica tutto con FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Assign &hot key - C:\Program Files\Hot Keyboard\IEScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=https://portal.acn.com/
O15 - Trusted Zone: *.acn.com
O15 - Trusted Zone: *.acn.com (HKLM)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.acn.com/dana-c...erSetupSP1.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://www.ntrconnect.com/main/mod/...ivex118_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\Software\..\Telephony: DomainName = acn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: hgGVNecy - C:\WINDOWS\
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: IgniteService - Ignite Technologies - C:\Program Files\acn Connection\9341989\Program\IgniteService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: is-8IRRG - Unknown owner - D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-8IRRG\is-8IRRG.exe (file missing)
O23 - Service: is-MDTP1 - Unknown owner - D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-MDTP1\is-MDTP1.exe (file missing)
O23 - Service: is-P5HAQ - Unknown owner - D:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-P5HAQ\is-P5HAQ.exe (file missing)
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 11960 bytes

Angelus88 · 17-09-2008, 14:58

Disinstalla tutto ciò che hai di Java e installa l'ultima versione dal sito.

Riavvia in modalità provvisoria, apri HijackThis, clicca su Do a system scan only, seleziona queste voci e clicca su Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.acn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.75.35.211:80 (fixalo se non hai impostato tu il proxy)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BFF7A068-7671-4F25-B381-99686352D116} - (no file)
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d4451dae] rundll32.exe "C:\WINDOWS\system32\mrttvbai.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl63.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=https://portal.acn.com/
O15 - Trusted Zone: *.acn.com
O15 - Trusted Zone: *.acn.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\Software\..\Telephony: DomainName = acn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: hgGVNecy - C:\WINDOWS\

Riclicca nuovamente su Do a system scan only e assicurati che queste voci non ci siano. Fatto ciò riapri nuovamente Combofix. Al termine riavvia.

16-09-2008, 10:14	#1
MugenXxX Member Iscritto dal: Nov 2005 Messaggi: 49	Dll sospetta Ciao a tutti, ho un problema con windows... all'avvio mi compare sempre questa finestrella e nei processi caricati all'avvio di windows trovo Anche se elimino la voce poi si continua a ricreare... ho cercato info su internet su questa dll ma non ho trovato niente ... se riuscite a darmi voi 1 aiutino... (Aggiungo che non sembro infetto da alcun tipo di virus, trojan o malware... ho fatto 1 scansione con lo symantec e con pc doctor) Ciao, Luca

16-09-2008, 10:34	#2
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	Hai preso Vundo... ossia un virus Scarica Combofix da qui. Avvialo dalla modalità provvisoria, premi 1 quando richiesto e lascialo lavorare. Al termina verrà riavviato il pc. Posta qui poi il file di testo che rilascia P.S. Un grande consiglio: disinstalla quella porcheria di Norton e PC Doctor e installa al loro posto Avira e SuperAntiSpyware. Per disinstallare Norton usa questo tool Ultima modifica di Angelus88 : 16-09-2008 alle 10:39.

16-09-2008, 12:09	#3
MugenXxX Member Iscritto dal: Nov 2005 Messaggi: 49	Grazie ora faccio come mi hai detto... fosse x me disinstallerei al volo il norton x mettere avira (come sul pc di casa) purtoppo il problema ce l'ho sul pc da lavoro e non posso metterci troppo le mani

16-09-2008, 14:30	#4
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	Ok allora usa solo Combofix in modalità provvisoria

17-09-2008, 09:48	#5
MugenXxX Member Iscritto dal: Nov 2005 Messaggi: 49	Ehm sia con combofix che con avira non ho risolto il problema... tutto come prima purtoppo... sei sicuro che si tratta del virus vundo? perchè ho provato anche altri tool specifici e non rilevano un bel niente

17-09-2008, 10:01	#6
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	Postami il log come ti avevo chiesto

17-09-2008, 12:06	#8
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	A me risulta che non sia tutto come prima! Combofix ha fatto pulizia e nelle voci in autorun non c'è più quella voce. Qual'è ancora il problema allora?

17-09-2008, 12:58	#9
MugenXxX Member Iscritto dal: Nov 2005 Messaggi: 49	Il problema è che la voce si ricrea come prima... combofix l'ha si cancellato ma al riavvio successivo del pc si è ricreata e la finestra e comparsa di nuovo!

17-09-2008, 14:25	#10
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	Posta un log di hijackthis

17-09-2008, 14:58	#12
Angelus88 Bannato Iscritto dal: Feb 2007 Città: Palermo Messaggi: 13587	Disinstalla tutto ciò che hai di Java e installa l'ultima versione dal sito. Riavvia in modalità provvisoria, apri HijackThis, clicca su Do a system scan only, seleziona queste voci e clicca su Fix checked. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.acn.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.75.35.211:80 (fixalo se non hai impostato tu il proxy) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {BFF7A068-7671-4F25-B381-99686352D116} - (no file) O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [d4451dae] rundll32.exe "C:\WINDOWS\system32\mrttvbai.dll",b O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl63.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'LOCAL SERVICE') O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O14 - IERESET.INF: START_PAGE_URL=https://portal.acn.com/ O15 - Trusted Zone: .acn.com O15 - Trusted Zone: .acn.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acn.com O17 - HKLM\Software\..\Telephony: DomainName = acn.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acn.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acn.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = acn.com,dir.svc.acn.com O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\ O20 - Winlogon Notify: hgGVNecy - C:\WINDOWS\ Riclicca nuovamente su Do a system scan only e assicurati che queste voci non ci siano. Fatto ciò riapri nuovamente Combofix. Al termine riavvia.

Strumenti
Mostra una versione stampabile Invia questa pagina per email