• User Newbie

    Help - Vundo virus SSQQQ.DLL

    I had the very nasty surprise of finding a VUNDO virus alert on my home laptop; symptoms observed:
    a) PC extremely slow
    b) it shut down automatically after a countdown in a pop-up window
    c) on reboot it loaded only the wallpaper and not the toolbars.

    The laptop is "oldish" (from 2004), with Win XP Professional

    After reading various forums I took the following steps

    1. ran VUNDOFIX, which removed a number of infected files
    2. rebooted the PC
    3. ran VUNDOFIX again to verify that everything had been removed (it found nothing)
    4. ran - to be safe - Symantec's FIXVUNDO as well (it found nothing)
    5. ran HijackThis and tried to fix SYSTEM32\ssqqq.dll, but apparently without success

    On turning the PC back on I still found the Norton alert telling me the VUNDO VIRUS was still present in system32, but I could still work normally.
    This morning, however, the alert says that quarantine failed and it loads only the wallpaper (I did not push further for lack of time).

    Can you help me? This evening I will try to post a HijackThis log, provided the PC boots

    NOTE: I cannot boot the PC into recovery mode because it has a password (former company PC that I bought out)

    thanks a lot
    :angry:


  • Active User

    Try what they say in this post (in English, though)

    forums.techguy.org/3029073-post4.html

    Let us know 😉


  • User Newbie

    OK, I'll try this evening. Question - perhaps a trivial one - but is the file I need to fix the one giving me trouble, ssqqq.dll, or pmkhi.dll????
    thanks, I'm a bit of a novice at these things


  • Active User

    It could be both or neither... who knows 🙂
    In these things NOTHING is certain 😉


  • Board Member

    Hi mattia0712 and welcome to the GT Forum! 🙂

    @mattia0712 said:

    Can you help me? This evening I will try to post a HijackThis log, provided the PC boots

    See if you can post a log with HijackThis! 😉


  • User Newbie

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09.08.05, on 22/01/08
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svnwvunl.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$GCPM\Binn\sqlservr.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Atheros\ACU\Utility\ACU.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\hotpnsrw.exe
    C:\WINDOWS\System32\spoolsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
    C:\Documents and Settings\germano.paganelli\Desktop\HiJackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3902B501-4F85-405D-BB3D-F3FAE52D7DCA} - C:\WINDOWS\System32\ssqqq.dll
    O2 - BHO: (no name) - {89AF1DCA-6355-4465-94B0-E3D49FD2896B} - C:\WINDOWS\system32\tuvvuuv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
    O4 - HKLM..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
    O4 - HKLM..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
    O4 - HKLM..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\hotpnsrw.exe
    O4 - HKLM..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
    O4 - HKLM..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
    O4 - HKLM..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O4 - HKLM..\Run: [b88cc48d] rundll32.exe "C:\WINDOWS\System32\ywbchiun.dll",b
    O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')
    O4 - .DEFAULT User Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) -
    O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - (pagina web).buyatlancia.com/components/ocx/autopricer/configuratoreauto.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: tuvvuuv - C:\WINDOWS\SYSTEM32\tuvvuuv.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - \Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\svnwvunl.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

    End of file - 9282 bytes


  • User Newbie

    I tried running CleanUp and now I'm posting a new HijackThis log


  • User Newbie

    Here is the new log.

    The Symantec Virus Notification pop-up about the ssqqq.dll file keeps appearing; in addition, at startup it tries to connect to the internet for a web page, asking whether to work offline or retry

    Thanks for all the help!!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10.34.31, on 22/01/08
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svnwvunl.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$GCPM\Binn\sqlservr.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Documents and Settings\germano.paganelli\Desktop\HiJackThis.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Atheros\ACU\Utility\ACU.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\spoolsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {89AF1DCA-6355-4465-94B0-E3D49FD2896B} - C:\WINDOWS\system32\tuvvuuv.dll
    O2 - BHO: (no name) - {B8AAE34E-B9F3-4DD8-997D-11B5DC9C373D} - C:\WINDOWS\System32\ssqqq.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
    O4 - HKLM..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
    O4 - HKLM..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O4 - HKLM..\Run: [b88cc48d] rundll32.exe "C:\WINDOWS\System32\ywbchiun.dll",b
    O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')
    O4 - .DEFAULT User Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: tuvvuuv - C:\WINDOWS\SYSTEM32\tuvvuuv.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - \Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\svnwvunl.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

    End of file - 8771 bytes


  • Board Member

    Hi mattia0712,

    fix these entries with HijackThis:

    O2 - BHO: (no name) - {89AF1DCA-6355-4465-94B0-E3D49FD2896B} - C:\WINDOWS\system32\tuvvuuv.dll

    O2 - BHO: (no name) - {B8AAE34E-B9F3-4DD8-997D-11B5DC9C373D} - C:\WINDOWS\System32\ssqqq.dll

    O4 - HKLM..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe

    O4 - HKLM..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe

    O4 - S-1-5-18 Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'SYSTEM')

    O4 - .DEFAULT Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')

    O4 - .DEFAULT User Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')

    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O15 - Trusted Zone: *.accenture.com

    O15 - Trusted Zone: *.accenture.com (HKLM)

    O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) -

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com

    O17 - HKLM\Software..\Telephony: DomainName = Accenture.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Accenture.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com

    O20 - Winlogon Notify: tuvvuuv - C:\WINDOWS\SYSTEM32\tuvvuuv.dll

    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\svnwvunl.exe

    Select all the keys and fix them with HijackThis, then run a scan with "updated" Ad-Aware and SuperAntiSpyware!

    Also give it a good cleanup/repair with CCleaner.

    I forgot... install the latest service pack and a good antivirus! 😉
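    An added example, not part of the thread and not a feature of HijackThis or any tool named here: a small triage script that picks out of a HijackThis log the kinds of entries the moderator lists, namely unnamed BHOs and Winlogon Notify DLLs loaded from System32, Run entries whose executable name imitates a core Windows binary (the log's Isass.exe, winIogon.exe, csrs.exe and spoolsvc.exe), and rundll32 loading a System32 DLL under a random hex label. The line regexes and the I-to-l plus one-edit name heuristic are this example's own assumptions; the sample lines are a constructed subset of the logs posted above.

```python
import re
from typing import List, Optional, Tuple

# Core Windows binaries that Vundo-era malware imitated with look-alike names
# (the posted log shows Isass.exe, winIogon.exe, csrs.exe and spoolsvc.exe).
CORE_BINARIES = ("lsass.exe", "winlogon.exe", "csrss.exe", "spoolsv.exe",
                 "smss.exe", "services.exe", "svchost.exe")

# Line formats are assumptions derived from the HijackThis 2.0.2 logs above.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
EXE_RE = re.compile(r'([^\\/"]+\.exe)\b', re.IGNORECASE)   # first .exe token of a command
HEX_LABEL_RE = re.compile(r"[0-9a-f]{8}")                   # Run label like [b88cc48d]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if a == b or they differ by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(exe: str) -> Optional[str]:
    """Return the core binary that `exe` imitates, or None.

    Capital I is folded to lowercase l first (catches Isass.exe, winIogon.exe);
    the one-edit check catches dropped or added letters (csrs.exe, spoolsvc.exe).
    Heuristic written for this example; a legitimate core binary never runs from
    a Run key either, so an exact match is flagged as well.
    """
    normalized = exe.replace("I", "l").lower()
    for core in CORE_BINARIES:
        if within_one_edit(normalized, core):
            return core
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries matching the Vundo-style patterns."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O2_RE.match(line)):
            if m["name"] == "(no name)" and in_system32(m["path"]):
                findings.append(("unnamed BHO loaded from System32", line))
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"]
            if (d := RUNDLL_RE.search(cmd)):
                if in_system32(d["dll"]) and HEX_LABEL_RE.fullmatch(m["label"]):
                    findings.append(("rundll32 loads a System32 DLL under a random hex Run label", line))
            elif (e := EXE_RE.search(cmd)) and (core := lookalike_of(e.group(1))):
                findings.append((f"Run entry '{e.group(1)}' imitates core binary {core}", line))
        elif (m := O20_RE.match(line)):
            if in_system32(m["path"]):
                findings.append(("Winlogon Notify DLL registered from System32", line))
    return findings


# Constructed sample: a subset of the lines from the logs posted in this thread,
# including benign entries (Acrobat BHO, vptray, ctfmon, SUPERAntiSpyware) as negatives.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3902B501-4F85-405D-BB3D-F3FAE52D7DCA} - C:\WINDOWS\System32\ssqqq.dll
O2 - BHO: (no name) - {89AF1DCA-6355-4465-94B0-E3D49FD2896B} - C:\WINDOWS\system32\tuvvuuv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [b88cc48d] rundll32.exe "C:\WINDOWS\System32\ywbchiun.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: tuvvuuv - C:\WINDOWS\SYSTEM32\tuvvuuv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

    The matching entries are exactly those the moderator asked to fix in the posts above, plus the four process-name look-alikes from the first log; the Accenture O15/O17 domain entries are a policy question, not a pattern, and are left to a human.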


  • User Newbie

    Hi, I have carried out almost all the steps (except Ad-Aware, which I can't manage to download)....for now everything seems to work correctly and I no longer get any alerts from Norton. The various Vundo tools no longer report anything either.

    I attach the latest HJT log; as you can see, not everything you flagged has been fixed, especially the accenture domain entries (the company the PC used to belong to).

    It seems to me everything is OK, but if you confirm it we can consider the case RESOLVED.

    Thank you very much

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10.20.27, on 23/01/08
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$GCPM\Binn\sqlservr.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
    C:\Documents and Settings\germano.paganelli\Desktop\HiJackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: runchk.lnk = C:\WINDOWS\source\Utilities\runchk.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: W6Intro.lnk = C:\Program Files\Performance Support\W6Intro.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Invia a &Bluetooth - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Software Bluetooth\btsendto_ie.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Accenture.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - \Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Software Bluetooth\bin\btwdins.exe
    O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

    End of file - 5998 bytes


  • Board Member

    Hi mattia0712,

    @mattia0712 said:

    It seems to me everything is OK, but if you confirm it we can consider the case RESOLVED.

    go ahead and run a check with Panda ActiveScan too! 😉

    :ciauz:


  • User Newbie

    Everything seems to be working normally.

    This evening I'll run the Panda antivirus

    thanks

    :):):):):):)


  • User Newbie

    Oops...a small problem that I've just been told about from home (unfortunately I'm at work).

    It seems that at startup it boots correctly (desktop + icons), but when the mouse is placed on the taskbar the hourglass keeps spinning......CTRL+ALT+DEL lets you start the Task Manager, but then it is not displayed.

    I had tested the PC several times (5/6 times) after removing the virus and this happened only once, but after shutting down and restarting everything was fine

    What should I do? Reboot in safe mode?


  • Board Member

    Hi mattia0712,

    any news? Post a new log with HijackThis! 🙂