E1explorer - W1inmovieplugin - xxx adult key

[Bacillo]

Ciao a tutti, ho un problema su un pc di un utente e non riesco a risolverlo. Classiche iconcine e1explorer e w1inmovieplugin sul desktop più una schermata su desktop di xxx adult key.

Ho provato con vari metodi, ma evidentemente ho lasciato sempre qualche cosa in giro....

PS: noto ora dal log che la versione di windows è ancora la SP1....dubito basti l'aggiornamento alla SP2, ma ditemi voi...^_^

Grazie mille per l'aiuto.

Luke

Allego il log

Logfile of HijackThis v1.99.1
Scan saved at 17.26.14, on 04/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\SYSTEM32\XPinvAGENT.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\logonuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\RKillSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
D:\TEMP\JNB68B.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\PowerCheck\powerchk.exe
C:\WINDOWS\2kadiras.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\WINDOWS\System32\spoolsvc.exe
D:\Documents and Settings\ITL38990\Application Data\ratorefaci\sysrtmvs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\dcomcfg.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ADSL\StarModem ADSL USB MODEM\dslmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\ITL38990\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ep.icn.siemens.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens SMC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.icn.siemens.it
O2 - BHO: m1a2 - {521693AA-7453-47ED-9959-3BD47DAA1B1A} - C:\WINDOWS\System32\msx.dll (file missing)
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll (file missing)
O2 - BHO: Intense - {FB47056B-B34D-410E-819A-E8A51CC8E2EB} - C:\WINDOWS\System32\Kaboom.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerCheck] C:\WINDOWS\PowerCheck\powerchk.exe
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [GCXX-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GCXXManager.exe" -startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [aouei] D:\Documents and Settings\ITL38990\Application Data\ratorefaci\sysrtmvs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DSLMON.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Point&&Go - C:\Program Files\Common Files\Expert System\PGPlatform\PGPlatform.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Garzanti Linguistica - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Common Files\Garzanti\Dizionari Garzanti 2005\IEExtension.dll
O9 - Extra 'Tools' menuitem: Garzanti Linguistica - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Common Files\Garzanti\Dizionari Garzanti 2005\IEExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ep.icn.siemens.it
O15 - Trusted Zone: http://www.1987324.com
O15 - Trusted Zone: http://www.adslconnection.name
O15 - Trusted Zone: *.aflashcounter.com
O15 - Trusted Zone: http://cingl0sx.icn.siemens.it
O15 - Trusted Zone: http://dimensions80.icn.siemens.it
O15 - Trusted Zone: http://testdirector.icn.siemens.it
O15 - Trusted Zone: *.siemens.it
O15 - Trusted Zone: http://*.siemens.it
O15 - Trusted Zone: http://www.softlab.name
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.xxx-content.name
O15 - Trusted Zone: *.siemens.it (HKLM)
O15 - Trusted Zone: http://*.siemens.it (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07804e240fc ... 601_it.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://testdirector.icn.siemens.it/tdbin/Spider.ocx
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.softlab.name/conn.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = icn.siemens.it
O17 - HKLM\Software\..\Telephony: DomainName = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{020D803F-647D-4A69-ADFF-895CE90DB014}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D323342-8EB5-42A3-A2EB-33B55C9E2465}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F980204-8C8F-4545-8FF3-565003E9AC0A}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{93619731-7011-41CB-8D67-8F0A46BD3B80}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B7FF829-0D7F-46FA-9B0D-799927FCF904}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2E2549-6864-4507-8E6D-107F5B93CD6D}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2E2549-6864-4507-8E6D-107F5B93CD6D}: NameServer = 141.29.208.144,141.29.193.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{F124B05F-304D-4762-BB77-6202616C86FF}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{F706354B-497B-4BBE-9744-B5DC05F0B3B0}: Domain = icn.siemens.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = icn.siemens.it
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = icn.siemens.it,lab.icnlab.it,it001.siemens.net,siemens.it
O17 - HKLM\System\CS1\Services\Tcpip\..\{020D803F-647D-4A69-ADFF-895CE90DB014}: Domain = icn.siemens.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = icn.siemens.it,lab.icnlab.it,it001.siemens.net,siemens.it
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automated Services (AutoExNT) - Unknown owner - C:\WINDOWS\System32\AutoExNT.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-Management INSTALLER - Siemens ICM - C:\WINDOWS\System32\XPinstAGENT.EXE
O23 - Service: CA-Management INVENTORY - Siemens ICM - C:\WINDOWS\SYSTEM32\XPinvAGENT.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Local Automated Services (LAutoExNT) - Unknown owner - C:\WINDOWS\System32\AutoExNT.exe
O23 - Service: Logon User Service (LogonUserService) - Guardeonic Solutions AG - C:\WINDOWS\System32\logonuser.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Remote Process Killer - Unknown owner - C:\WINDOWS\system32\RKillSrv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

[andorra24]

Ciao, come prima cosa esegui questa operazione:

scarica SmitFraudfix e decomprimilo in una cartella a tua scelta estraendo tutti i file:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Riavvia in modalità provvisoria

Apri la cartella che contiene SmitfraudFix avvia smitfraudfix.cmd
Seleziona opzione #2 - Clean cliccando sul 2 e premi Invio.
Riceverai questo messaggio: Registry cleaning - Do you want to clean the registry ?
Rispondi Sì cliccando Y e premi invio.
Rispondi Sì (Y) ad eventuali altre domande

eseguita la scansione riavvia il pc normalmente.
--------------------------------------------------------------------------

Scarica ATF Cleaner da qui:
http://www.atribune.org/ccount/click.php?id=1
(per eliminare file temporanei di windows e IE)
Avvia ATF cleaner, clicca sul menu "main" e poi seleziona la casella "Select All". Adesso clicca sul pulsante "Empty selected" e aspetta il messaggio "Done Cleaning!"
---------------------------------------------------------------------------
Adesso passiamo ad hijackthis. Apri hijackthis, premi su ''open the misc tools section'', poi premi ''open process manager'', individua (se presenti) le voci indicate sotto e premi ''kill process'':

D:\TEMP\JNB68B.EXE
C:\WINDOWS\System32\spoolsvc.exe
D:\Documents and Settings\ITL38990\Application Data\ratorefaci\sysrtmvs.exe
C:\WINDOWS\System32\dcomcfg.exe

Poi vai in basso e premi il tasto back e subito dopo il tasto scan. Metti la spunta nella casellina accanto alle voci indicate sotto e premi ''fix checked'' :

O2 - BHO: m1a2 - {521693AA-7453-47ED-9959-3BD47DAA1B1A} - C:\WINDOWS\System32\msx.dll (file missing)
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll (file missing)
O2 - BHO: Intense - {FB47056B-B34D-410E-819A-E8A51CC8E2EB} - C:\WINDOWS\System32\Kaboom.dll (file missing)
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [aouei] D:\Documents and Settings\ITL38990\Application Data\ratorefaci\sysrtmvs.exe
O15 - Trusted Zone: http://www.1987324.com
O15 - Trusted Zone: http://www.adslconnection.name
O15 - Trusted Zone: *.aflashcounter.com
O15 - Trusted Zone: http://www.softlab.name
O15 - Trusted Zone: http://www.xxx-content.name
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.softlab.name/conn.exe

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema''.

scarica killbox da qui:
http://www.bleepingcomputer.com/files/killbox.php
con killbox assicurati che spariscano dal tuo pc i seguenti files (se presenti) :
D:\TEMP\JNB68B.EXE
C:\WINDOWS\System32\spoolsvc.exe (da non confondere con il legittimo spoolsv.exe)
D:\Documents and Settings\ITL38990\Application Data\ratorefaci\sysrtmvs.exe (dopo aver eliminato il file exe elimina la cartella ratorefaci)
C:\WINDOWS\System32\dcomcfg.exe

[Bacillo]

Ciao, come prima cosa esegui questa operazione:

Procedura eseguita....per ora sembra tutto ok, ma la controprova ce l'avrò domani dopo che l'utente avrà usato il portatile a casa ^_^
Intanto grazie mille!

Luke