finestra senza scritte ed errore in rundll32.exe

[medlava]

Ciao,
sono nuovo del forum, spero di essere nella giusta sezione.
Ho provato a cercare la risposta in vecchi forum ma non ho trovato nulla.
Il problema è che le finestre di windows mi appaiono senza scritte.
Dalle finestre che appaiono scaricando qualche cosa da internet, o gli allegati delle mail, alla finestra dell'antivirus VGA appaiono tutte senza scritte.
Inoltre se provo ad aprire le proprietà dello schermo per provare a cambiare i temi di windows, la finestra non si apre e mi da un errore "Si è verificato un errore in rundll32.exe. L'applicazione verrà chiusa."
grazie per l'aiuto

[menatwork]

ciao medlava

prova a controllare se in C:\windows\System32 hai il file rundll32.exe

[medlava]

il pc dove ho il problema è quello dell'ufficio, domani mattina controllo e ti faccio sapere grazie.

[medlava]

Ciao,
in C:\windows\System32 c'è un file rundll32 ma non so se è un file.exe e non posso visualizzare l'estensione dei file perchè anche la finestra Opzioni Cartella esce senza scritte

[medlava]

vi prego ... un aiuto!

[medlava]

Provo ad essere più chiaro.
Il PC e un HP Compaw dc7900 CMT con Windows XP.
Quando accendo il PC, prima ancora di inserire la password mi esce un messaggio che dice:

SVCHOST.EXE - immagine danneggiata
l'applicazione o DLL C:\windows\system32\cscdll.dll non è un'immagine valida di windows

faccio OK ed inserisco la password

Una volta entrato nell'accaunt (ne esiste solo 1 - administrator) faccio tasto destro del mouse sul desktop e apro Proprietà.

si apre la finestra di invio segnalazione di errore che dice:
rundll32.exe
si è verificato un errore in rundll32.exe l'applicazione verrà chiusa.

clicco su "non inviare" e mi appare la finestra "proprietà schermo" completamente senza scritte, vedo le sagome dei pulsanti e delle cekbox ma non ci sono scritte, niente di niente.
lo stesso se apro altre finestre come le proprietà della connessione di rete, o la finestra che appare quando scarichi un file da internet dove di solito ti chiede APRI o SALVA, appaiono le sagome dei pulsanti senza scritte.

ho fatto scansione di virus con AVG Free in modalità normale e provvisoria ma non ha trovato nulla. ho allora disinstallato l'antivirus per provare ad installare AVIRA ma non riesco più ad installare nulla perchè esce un messaggio di errore che dice che l'installazione è impossibile a carsa di un aggiornamento di windows eseguito parallelamente.

ecco il log di hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.54.35, on 08/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ActivIdentity\ActivClient\accoca.exe
C:\Programmi\Intel\AMT\LMS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\PDF Complete\pdfsvc.exe
C:\Programmi\File comuni\Intel\Privacy Icon\UNS\UNS.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\ActivIdentity\ActivClient\accrdsub.ex e
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ActivIdentity\ActivClient\acevents.ex e
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 128.8.11.203:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 128.8.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Programmi\Hewlett-Packard\File Sanitizer\IEBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Programmi\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SetRefresh] C:\Programmi\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [picon] "C:\Programmi\File comuni\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] C:\Programmi\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [File Sanitizer] C:\Programmi\Hewlett-Packard\File Sanitizer\CoreShredder.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterM odule
O4 - HKLM\..\Run: [accrdsub] "C:\Programmi\ActivIdentity\ActivClient\accrdsub.e xe"
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe " -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1239014083125
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E8AF4A1-4B34-4A73-88EF-2EA7B813690F}: NameServer = 128.8.90.6,128.8.90.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E8AF4A1-4B34-4A73-88EF-2EA7B813690F}: NameServer = 128.8.90.6,128.8.90.7
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Programmi\ActivIdentity\ActivClient\acunlock.dl l
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: OneCard - C:\Programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Programmi\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Controllo/blocco dispositivi HP ProtectTools (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Programmi\Hewlett-Packard\File Sanitizer\HPFSService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Programmi\Intel\AMT\LMS.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programmi\PDF Complete\pdfsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm1 2.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Programmi\File comuni\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 8046 bytes

[giu lè]

ciao medlava tu 6 infetta segui queste indicazioni:


Scarica Combofix da qui:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Quando lo salvi hai la possibilità di rinominare il file: rinomina l’exe in abc.exe

● posiziona abc.exe sul Desktop
● disconnettiti da Internet
● sconnetti, fisicamente, il modem dal computer
● accedi al sistema in modalità provvisoria con un account con privilegi di Amministratore
● lancia ComboFix e segui le istruzioni che verranno rilasciate per eseguire la scansione
● senza eseguire altre operazioni, lascia che il tool completi la scansione e la fase di creazione del log
● al termine della operazione, il sistema verrà riavviato automaticamente (in caso contrario, riavvialo tu)

Note - durante la scansione:
● verranno creati alcuni file sul desktop e poi eliminati
● spariranno, per un attimo, tutte le icone presenti sul Desktop
● potrebbe venire rilasciato un messaggio in relazione all'antivirus in uso: prosegui ignorando il messaggio
● il firewall, se attivo, potrebbe rilasciare un avviso che verranno rimossi alcuni driver (consenti pure)

Verrà creato un log in Disco Locale C: dal nome combofix.txt che dovrai inviare qui.

Conclusa la scansione:
● riavvia il sistema in modalità normale
● ricollega, fisicamente, il modem al computer
● connettiti a Internet e invia il file di testo

N.B. Se non riuscissi in alcun modo ad utilizzare Combofix, segui questi semplici passi:

start > esegui, nel box bianco copia e incolla questo comando, virgolette comprese:
"%userprofile%\desktop\abc.exe" /killall
Premi OK, si dovrebbe avviare la scansione

oltra a questo scarica e installa malwarebites da qui:

http://www.malwarebytes.org/

scarica la versione free questa volta da normale senza andare in provvisoria ma sempre con internet sconnesso agisci in questo modo:

salva il file eseguibile di malwarebites sul desktop

installalo dopo che lo hai installato clicca sulla scheda aggiornamenti poi su ricerca aggiornamenti e fai una scansione COMPLETA ricordandoti alla fine della scansione di eliminare qualsiasi minaccia rilevata con un bottone che troverai da qualche parte in basso

dopo malwarebites usa:

trojan remover

http://www.xnavigation.net/linkext/4/a857/l5002.html

installalo e fai una scansione con il programma indicato e ancora sconnesso da internet posta il log che otterai dopo le scansioni qui sul forum

[medlava]

ciao, combofix ci ha messo un bel po' ma alla fine ecco il log:

ComboFix 10-10-07.02 - Administrator 08/10/2010 14.21.11.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1977.1726 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\abc.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

C:\data
c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\cryptsvc.dll . . . è infetto!!

.
((((((((((((((((((((((((( Files Creati Da 2010-09-08 al 2010-10-08 )))))))))))))))))))))))))))))))))))
.

2010-10-08 09:10 . 2010-10-08 09:10 -------- d-----w- C:\hijackthis
2010-10-08 08:50 . 2010-10-08 08:50 -------- d-----w- c:\programmi\Trend Micro
2010-10-05 13:54 . 2010-10-05 13:54 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2010-10-05 13:54 . 2010-10-05 13:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-10-05 13:54 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-05 13:54 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 13:54 . 2010-10-05 13:54 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-09-29 13:15 . 2010-09-29 13:23 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2010-10-05 13:40 . 2009-04-07 13:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg8
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2009-04-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"SetRefresh"="c:\programmi\Compaq\SetRefresh\SetRe fresh.exe" [2003-11-20 525824]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-08-19 329520]
"picon"="c:\programmi\File comuni\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2008-07-01 141848]
"PDF Complete"="c:\programmi\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
"File Sanitizer"="c:\programmi\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-06-23 10244096]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSV CC.dll" [2008-07-23 24848]
"accrdsub"="c:\programmi\ActivIdentity\ActivClient \accrdsub.exe" [2007-11-27 298536]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1 \DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-27 15:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-27 15:40 286720 ----a-w- c:\programmi\ActivIdentity\ActivClient\acunlock.dl l

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2008-08-06 13:23 69632 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-07-23 12:03 158992 ----a-w- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\Safe Boot.sys [07/08/2008 17.47.42 109184]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [07/08/2008 17.47.50 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFs Lock.sys [07/08/2008 17.47.46 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [06/04/2009 20.04.31 24064]
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [11/07/2008 14.44.00 191872]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvloc k.sys [07/08/2008 17.47.44 12496]
R2 accoca;ActivClient Middleware Service;c:\programmi\ActivIdentity\ActivClient\acc oca.exe [27/11/2007 17.42.14 185896]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [20/08/2004 0.39.46 14336]
R2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe -k Cognizance [20/08/2004 0.39.46 14336]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [19/08/2008 17.03.42 32768]
R2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [07/08/2008 16.23.08 256512]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\programmi\Hewlett-Packard\File Sanitizer\HPFSService.exe [06/04/2009 11.31.59 77824]
R2 pdfcDispatcher;PDF Document Manager;c:\programmi\PDF Complete\pdfsvc.exe [06/04/2009 11.29.43 576024]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\programmi\File comuni\Intel\Privacy Icon\UNS\UNS.exe [06/04/2009 11.27.03 2054680]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [06/04/2009 20.12.58 144480]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.s ys [06/04/2009 20.03.05 44800]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.s ys [06/08/2008 14.43.30 32256]
S3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [06/08/2008 15.24.40 349432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contenuto della cartella 'Scheduled Tasks'

2010-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2997100265-4208710410-989766811-500Core.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-04-09 14:58]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2997100265-4208710410-989766811-500UA.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-04-09 14:58]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyServer = 128.8.11.203:3128
uInternet Settings,ProxyOverride = 128.8.*;<local>
TCP: {4E8AF4A1-4B34-4A73-88EF-2EA7B813690F} = 128.8.90.6,128.8.90.7
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\p dfcDispatcher]
"ImagePath"="c:\programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\programmi\ActivIdentity\ActivClient\Resources\L ocalized\acerrmrc.dll
c:\programmi\ActivIdentity\ActivClient\Resources\L ocalized\asphatrc.dll
c:\windows\system32\msi.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\itmsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\brand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\brand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\itmsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\AsChnl.dll
c:\programmi\Hewlett-Packard\IAM\Bin\HPPlugIn.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\windows\assembly\GAC_MSIL\mscorlib.resources\2. 0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
c:\windows\assembly\GAC_MSIL\System.Xml.resources\ 2.0.0.0_it_b77a5c561934e089\System.Xml.resources.d ll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\Interop.HPQWMIEXLib.dll
c:\programmi\ActivIdentity\ActivClient\acunlock.dl l
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\programmi\ActivIdentity\ActivClient\Resources\L ocalized\aipinguirc.dll
c:\programmi\ActivIdentity\ActivClient\resources\a cCobAPIrc.dll
c:\programmi\ActivIdentity\ActivClient\Resources\L ocalized\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\SSREGLIB.dll
c:\windows\system32\HPPTLog.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\programmi\Hewlett-Packard\Drive Encryption\Languages\0010\SbHpFve.lng
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTStrings.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\HPjCard.dll
c:\windows\system32\acomx.dll
c:\windows\system32\acbsi21.dll
c:\programmi\Hewlett-Packard\DeviceAccessManager\0010\PTDMLiteResource. dll
c:\windows\system32\flcdlmsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\programmi\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\programmi\Hewlett-Packard\IAM\Bin\NetAdmin.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\NetAdmin.dll

- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\programmi\ActivIdentity\ActivClient\acevents.ex e
c:\programmi\Intel\AMT\LMS.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\ActivIdentity\ActivClient\acevents.ex e
c:\programmi\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\FILECO~1\MICROS~1\DW\DW20.EXE
.
************************************************** ************************
.
Ora fine scansione: 2010-10-08 15:06:59 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-10-08 13:06

Pre-Run: 227.604.742.144 byte disponibili
Post-Run: 225.474.887.680 byte disponibili

- - End Of File - - 908B2042DE895B8F2939C399E604158C

[medlava]

malwarebites non ho potuto aggiornarsi perchè non si collegava al server e la scansione non ha trovato nula.

Il log di trojanremove è troppo lungo, come faccio a postarlo?

***** THE SYSTEM HAS BEEN RESTARTED *****
08/10/2010 15.42.57: Trojan Remover has been restarted

Removing the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - already removed (or did not exist)
HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - already removed (or did not exist)

08/10/2010 15.42.57: Trojan Remover closed

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.2.2596. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 15.39.52 08 ott 2010
Using Database v7588
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\Administrator\Dati applicazioni\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Dati applicazioni\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\Administrator\Documenti\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Programmi\Trojan Remover\
Running with Administrator privileges
*****************************************
15.39.52: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
******************************************
15.39.52: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1034752 bytes
Created: 20/08/2004 0.39
Modified: 20/08/2004 0.39
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 20/08/2004 0.39
Modified: 20/08/2004 0.39
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515584 bytes
Created: 20/08/2004 0.39
Modified: 20/08/2004 0.39
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMAXPnP
Value Data: C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
1044480 bytes
Created: 06/04/2009 20.04
Modified: 04/04/2008 17.09
Company: Analog Devices, Inc.
--------------------
Value Name: SetRefresh
Value Data: C:\Programmi\Compaq\SetRefresh\SetRefresh.exe
C:\Programmi\Compaq\SetRefresh\SetRefresh.exe
525824 bytes
Created: 06/04/2009 11.31
Modified: 20/11/2003 21.01
Company: Hewlett-Packard Company
--------------------
Value Name: PTHOSTTR
Value Data: C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
329520 bytes
Created: 19/08/2008 17.23
Modified: 19/08/2008 17.23
Company: Hewlett-Packard Development Company, L.P.
--------------------
Value Name: picon
Value Data: "C:\Programmi\File comuni\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
C:\Programmi\File comuni\Intel\Privacy Icon\PrivacyIconClient.exe
773144 bytes
Created: 06/04/2009 11.27
Modified: 19/07/2008 12.40
Company: Intel Corporation

[medlava]

--------------------
Value Name: Persistence
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
141848 bytes
Created: 06/04/2009 20.12
Modified: 01/07/2008 12.47
Company: Intel Corporation
--------------------
Value Name: PDF Complete
Value Data: C:\Programmi\PDF Complete\pdfsty.exe
C:\Programmi\PDF Complete\pdfsty.exe
318488 bytes
Created: 06/04/2009 11.29
Modified: 07/04/2008 7.10
Company: PDF Complete Inc
--------------------
Value Name: IgfxTray
Value Data: C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe
150040 bytes
Created: 06/04/2009 20.12
Modified: 01/07/2008 12.47
Company: Intel Corporation
--------------------
Value Name: HotKeysCmds
Value Data: C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
170520 bytes
Created: 06/04/2009 20.12
Modified: 01/07/2008 12.47
Company: Intel Corporation
--------------------
Value Name: File Sanitizer
Value Data: C:\Programmi\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\Programmi\Hewlett-Packard\File Sanitizer\CoreShredder.exe
10244096 bytes
Created: 06/04/2009 11.31
Modified: 23/06/2008 14.12
Company: Hewlett-Packard
--------------------
Value Name: CognizanceTS
Value Data: rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterM odule
C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
24848 bytes
Created: 23/07/2008 14.03
Modified: 23/07/2008 14.03
Company: Bioscrypt Inc.
--------------------
Value Name: accrdsub
Value Data: "C:\Programmi\ActivIdentity\ActivClient\accrdsub.e xe"
C:\Programmi\ActivIdentity\ActivClient\accrdsub.ex e
298536 bytes
Created: 27/11/2007 17.40
Modified: 27/11/2007 17.40
Company: ActivIdentity
--------------------
Value Name: TrojanScanner
Value Data: C:\Programmi\Trojan Remover\Trjscan.exe /boot
C:\Programmi\Trojan Remover\Trjscan.exe
1167808 bytes
Created: 08/10/2010 15.38
Modified: 02/08/2010 14.47
Company: Simply Super Software
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Google Update
Value Data: "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 09/04/2009 16.58
Modified: 09/04/2009 16.58
Company: Google Inc.
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 20/08/2004 0.39
Modified: 20/08/2004 0.39
Company: Microsoft Corporation
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run ServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run
This Registry Key appears to be empty
****************************************