baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 10 Feb 2008 20:26  Subject: * registry and other things
I click Internet Options, Content, and under Content Advisor there are "Disable" and "Settings"; clicking either one, under "Hint" I find "you are stupid!" right above "Password". Is that normal? Thanks.
I also have a problem in the registry: hkey_current_user
printers
connections
DevModePerUser
Pù?(ø?
Pù?(ø?
SessionInformation
software
etc.... I wanted to know whether those 2 folders are normal.
I have Microsoft Windows XP Home Edition.
I already asked once about the same problem, but that time I had six strange folders and right afterwards my operating system died. Thanks for any help you can give me.
P.S. I ran an online scan with Kaspersky and it reported these 3 viruses. I checked and one is the BearShare program; I couldn't find the other 2. Here is the scan:
C:\Documents and Settings\Proprietario\Desktop\kaspersky.html
bdoriano (Administrator)
Registered: 02/04/07 11:05  Posts: 14300  Location: 3rd planet of the solar system...
Posted: 10 Feb 2008 21:59
Follow the instructions in this topic to post the HijackThis log.
Then follow the instructions in this topic to post the ComboFix log.
Finally, go to the Kaspersky online scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you are given here.
baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 11 Feb 2008 13:22
Hi bdoriano. I have Windows XP Home Edition, the Microsoft firewall, and Avira AntiVir and a-squared as antivirus. Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12.59.01, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Programmi\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153583001906
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Programmi\GbPlugin\GbpSv.exe
--
End of file - 4624 bytes
The ComboFix log:
ComboFix 08-02-11.2 - Proprietario 2008-02-11 13.13.47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.411 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Proprietario\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Creati Da 2008-01-11 al 2008-02-11 )))))))))))))))))))))))))))))))))))
.
2008-02-10 19:01 . 2008-02-10 19:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:01 . 2008-02-10 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-02-05 22:27 . 2008-02-05 22:27 <DIR> d-------- C:\WINDOWS\PixArt
2008-01-29 19:20 . 2008-02-11 12:58 <DIR> d-------- C:\HijackThis
2008-01-22 11:45 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-01-22 11:44 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-01-22 11:42 . 2008-01-22 11:42 <DIR> d-------- C:\Programmi\CIF USB Camera
2008-01-22 11:42 . 2006-11-10 13:51 505,984 --a------ C:\WINDOWS\system32\drivers\PFC027.SYS
2008-01-22 11:42 . 2006-10-12 18:10 119,296 --a------ C:\WINDOWS\system32\SP207.AX
2008-01-22 11:42 . 2006-11-08 09:54 6,656 --a------ C:\WINDOWS\system32\CoInst.dll
2008-01-22 11:42 . 2006-11-14 14:47 518 --a------ C:\WINDOWS\system32\SP207.INI
2008-01-22 11:38 . 2008-01-22 11:38 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\InstallShield
2008-01-19 13:26 . 2008-02-04 18:28 <DIR> d-------- C:\Documents and Settings\Proprietario\.housecall6.6
2008-01-17 13:19 . 2008-01-22 11:41 <DIR> d-------- C:\VideoCAM Express V2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 19:58 --------- d-----w C:\Programmi\a-squared Free
2008-01-28 12:42 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-26 21:46 --------- d-----w C:\Programmi\backups
2008-01-21 12:04 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\skypePM
2008-01-10 19:44 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2008-01-10 19:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Skype
2007-09-14 10:36 17,219,376 ----a-w C:\Programmi\a2FreeSetup.exe
2007-09-13 20:10 9,679,815 ----a-w C:\Programmi\vlc-0.8.6c-win32.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-21 15:15 249896]
"Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 23:27 32768]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Programmi\GbPlugin\gbieh.dll [2007-08-08 13:29 209224]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^ATI CATALYST System Tray.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
--a------ 2006-03-20 20:43 331776 C:\Programmi\AGEIA Technologies\TrayIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2004-11-24 23:27 32768 C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-11-24 20:10 344064 C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2003-05-28 18:11 94208 C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2002-03-21 03:23 46592 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 18:19 15872 C:\Programmi\Unlocker\UnlockerAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIRIT LITE MONITOR]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GbpSv"=2 (0x2)
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2007-05-24 16:32]
R2 GbpSv;Gbp Service;C:\Programmi\GbPlugin\GbpSv.exe [2007-08-08 13:29]
R3 PAC207;CIF USB Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-10 13:51]
R3 WLAN FVNETusb(R);WLAN FVNETusb(R) Service for ATMEL USB FastVNET (AR);C:\WINDOWS\system32\DRIVERS\vnetusbr.sys [2002-08-06 16:38]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 13:14:55
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-02-11 13.15.35
ComboFix-quarantined-files.txt 2008-02-11 12:15:20
.
2008-01-09 20:36:35 --- E O F ---
Now I'll run the Kaspersky scan, thanks.
Done:
http://www.freefilehosting.net/download/3bmkh
Bye
baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 12 Feb 2008 17:40  Subject: can someone help me? you left me halfway :P
baciami wrote: [quotes the post of 11 Feb 2008 above, with both logs, in full]
bdoriano (Administrator)
Registered: 02/04/07 11:05  Posts: 14300  Location: 3rd planet of the solar system...
baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 15 Feb 2008 19:01
Attaching:
http://www.freefilehosting.net/download/3c4d0
baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 25 Feb 2008 20:09
I also ran a scan with VirIT:
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
25/02/2008 - 19:41:12
[SCANSIONE DEL REGISTRO]
OK
[A:]
BOOT SECTOR: OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
C:\Programmi\GbPlugin\gbieh.dll Possibile variante da BHO.Agent.AJ
[E:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[F:]
Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 30862.
Files Totali: 30862.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
It can't be removed, not even manually. It's part of Banco do Brasil; it's in the same folder as "gbpsv g-buster browser defense service". The strange thing is that they show the same download date. I have a lot of problems... thanks to anyone who spends a bit of time on me.
bdoriano (Administrator)
Registered: 02/04/07 11:05  Posts: 14300  Location: 3rd planet of the solar system...
Posted: 25 Feb 2008 20:55
Create a text file with the following instructions:
Quote:
File::
C:\Programmi\GbPlugin\GbpSv.exe
C:\Programmi\GbPlugin\gbieh.dll
Save the file on the desktop with the name CFScript.txt and drag it onto the ComboFix icon, as shown below:
Run the HijackThis scan again.
PS: please don't open new threads until we are done with this one.
If you don't get an answer quickly, you can always add a new post to your old thread (it will be bumped to the top automatically).
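As an added example (not code from this thread, and not part of HijackThis or ComboFix), here is a small Python triage helper for the kind of log posted above. It parses the O2 (BHO), O4 (Run key) and O23 (service) lines, flags services whose company string is "Unknown owner", flags BHOs that live in the same directory as such a service (the gbieh.dll / GbpSv.exe pairing baciami noticed), and builds a ComboFix File:: script in the form bdoriano's post uses. The sample lines are copied from the posted HijackThis log; the Entry class, the two triage rules and the function names are the example's own.

```python
"""HijackThis log triage (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Programmi\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Programmi\GbPlugin\GbpSv.exe
"""


@dataclass
class Entry:
    section: str  # "O2" (BHO), "O4" (Run key), "O23" (service)
    name: str     # BHO class name, Run value name, or service display name
    owner: str    # company string reported on O23 lines, "" otherwise
    path: str     # on-disk path exactly as logged


# O2 - BHO: <name> - {CLSID} - <path>
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value>] <path> [args]   (the path may be quoted)
_O4 = re.compile(
    r'^O4 - .*?\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.(?:exe|dll|scr|cmd|bat))"?',
    re.IGNORECASE,
)
# O23 - Service: <display name> (<short name>) - <company> - <path>
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Extract the O2, O4 and O23 entries; every other section is ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], "", m["path"].strip()))
        elif m := _O4.match(line):
            entries.append(Entry("O4", m["name"], "", m["path"].strip()))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["owner"], m["path"].strip()))
    return entries


def _parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs that deserve a closer look.

    Rule 1: a service whose company string is "Unknown owner" carries no vendor
            metadata HijackThis could show, so the binary has to be checked by hand.
    Rule 2: a BHO is loaded into every Internet Explorer process; when it sits in
            the same directory as an unknown-owner service, the two were installed
            as one package and should be judged together.
    """
    unknown_dirs = {
        _parent_dir(e.path)
        for e in entries
        if e.section == "O23" and e.owner.lower() == "unknown owner"
    }
    findings: list[tuple[Entry, str]] = []
    for e in entries:
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            findings.append((e, "service with no company string"))
        elif e.section == "O2" and _parent_dir(e.path) in unknown_dirs:
            findings.append((e, "BHO in the same directory as an unknown-owner service"))
    return findings


def cfscript(paths: list[str]) -> str:
    """Build a ComboFix script in the File:: form used in this thread."""
    return "File::\n" + "".join(p + "\n" for p in paths)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for entry, reason in found:
        print(f"{entry.section:<3} {entry.name:<40} {reason}\n    {entry.path}")
    # Only the analyst decides what goes into the script; here: the GbPlugin pair.
    gb = [e.path for e, _ in found if _parent_dir(e.path).endswith("\\gbplugin")]
    print(cfscript(gb))
```

On the sample lines this flags ATI Smart, Gbp Service and the G-Buster BHO. Rule 1 on its own is weak (ATI Smart is an ordinary ATI driver component that simply lacks a company string), which is why the script does not feed findings straight into the File:: list; the directory correlation of rule 2 is the stronger signal, and even that only says "look at these together". Whether gbieh.dll is the Banco do Brasil plugin baciami says it is or the BHO.Agent variant VirIT reports is a judgement the analyst still has to make from the file itself.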
baciami (Demigod)
Registered: 02/09/07 14:40  Posts: 287  Location: Tuscany
Posted: 25 Feb 2008 23:23
You're a genius. Anyway, if someone then helps me with the rest, I'll say thanks.
Before sending you the log I wanted to ask whether I can delete the GbPlugin folder, which contains
gbieh.gmd
Bb.gpc
gbpdist.dll
Here is the log:
ComboFix 08-02-25.3 - Proprietario 2008-02-25 23:01:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.517 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Proprietario\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Proprietario\Desktop\CFScript.txt.txt
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Programmi\GbPlugin\gbieh.dll
C:\Programmi\GbPlugin\GbpSv.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Programmi\GbPlugin\gbieh.dll
C:\Programmi\GbPlugin\GbpSv.exe
.
((((((((((((((((((((((((( Files Creati Da 2008-01-25 al 2008-02-25 )))))))))))))))))))))))))))))))))))
.
2008-02-25 23:03 . 2004-08-19 14:39 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-25 23:03 . 2008-02-25 23:03 268 --ah----- C:\sqmdata00.sqm
2008-02-25 23:03 . 2008-02-25 23:03 244 --ah----- C:\sqmnoopt00.sqm
2008-02-25 17:26 . 2008-02-25 17:26 <DIR> d-------- C:\Programmi\Avira
2008-02-25 17:26 . 2008-02-25 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-02-24 20:49 . 2008-02-24 21:11 <DIR> d-------- C:\Programmi\Eusing Free Registry Cleaner
2008-02-23 20:50 . 2008-02-23 20:50 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Nokia
2008-02-23 20:50 . 2008-02-23 20:50 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\Datalayer
2008-02-23 20:47 . 2008-02-23 20:50 <DIR> d-------- C:\Documents and Settings\Proprietario\Phone Browser
2008-02-23 20:47 . 2008-02-23 20:47 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\PC Suite
2008-02-23 20:46 . 2008-02-23 20:47 <DIR> d-------- C:\Programmi\Nokia
2008-02-23 20:46 . 2008-02-23 20:46 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-02-23 20:46 . 2008-02-23 20:46 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-02-10 19:01 . 2008-02-10 19:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:01 . 2008-02-10 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-02-05 22:27 . 2008-02-05 22:27 <DIR> d-------- C:\WINDOWS\PixArt
2008-01-29 19:20 . 2008-02-24 19:50 <DIR> d-------- C:\HijackThis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 22:03 --------- d-----w C:\Programmi\GbPlugin
2008-02-25 19:28 --------- d-----w C:\Programmi\Yahoo!
2008-02-23 19:47 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-02-14 20:04 39,808 ----a-w C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-02-12 13:04 --------- d-----w C:\Programmi\Unlocker
2008-01-29 19:58 --------- d-----w C:\Programmi\a-squared Free
2008-01-26 21:46 --------- d-----w C:\Programmi\backups
2008-01-22 10:42 --------- d-----w C:\Programmi\CIF USB Camera
2008-01-22 10:38 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\InstallShield
2008-01-10 19:44 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2007-09-14 10:36 17,219,376 ----a-w C:\Programmi\a2FreeSetup.exe
2007-09-13 20:10 9,679,815 ----a-w C:\Programmi\vlc-0.8.6c-win32.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30 1106944]
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-25 17:33 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 23:27 32768]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Programmi\GbPlugin\gbieh.dll [ ]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^ATI CATALYST System Tray.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
--a------ 2006-03-20 20:43 331776 C:\Programmi\AGEIA Technologies\TrayIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2004-11-24 23:27 32768 C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-11-24 20:10 344064 C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2003-05-28 18:11 94208 C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
--a------ 2006-11-03 11:01 319488 C:\WINDOWS\PixArt\PAC207\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-03-22 09:39 167936 C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-04-20 09:57 847872 C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2002-03-21 03:23 46592 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 18:19 15872 C:\Programmi\Unlocker\UnlockerAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIRIT LITE MONITOR]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GbpSv"=2 (0x2)
"NMIndexingService"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-02-14 21:04]
R3 PAC207;CIF USB Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-10 13:51]
R3 WLAN FVNETusb(R);WLAN FVNETusb(R) Service for ATMEL USB FastVNET (AR);C:\WINDOWS\system32\DRIVERS\vnetusbr.sys [2002-08-06 16:38]
S2 GbpSv;Gbp Service;C:\Programmi\GbPlugin\GbpSv.exe []
S3 mbr;mbr;C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\mbr.sys []
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 23:04:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-25 23:07:03 - machine was rebooted [Proprietario]
ComboFix-quarantined-files.txt 2008-02-25 22:06:54
ComboFix2.txt 2008-02-18 12:33:24
ComboFix3.txt 2008-02-11 12:15:36
.
2008-02-14 00:17:20 --- E O F ---
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 26 Feb 2008 17:16 Subject:
the strange folders have increased, help!!!!!
problem in the registry..hkey_current_user
printers
connections
DevModePerUser
Pù?(ø?
Pù?(ø?
Pù{(ø{
PùÈ(øÈ
Pù?(ø?
SessionInformation
software
etc....
bdoriano (Administrator)
Registered: 02/04/07 11:05 Posts: 14300 Location: 3rd planet of the solar system...
Posted: 26 Feb 2008 17:19 Subject:
Try these cleanup operations:
Looks to me more like a Windows problem than a virus...
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 26 Feb 2008 18:10 Subject:
I did everything but the problem remains. If you think it's Windows.. what do you suggest.. thanks bdoriano
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 27 Feb 2008 19:51 Subject:
the strange thing is that those folders seem to be extra.. because before it was like this
printers
connections
DevModePerUser
Pù?(ø?
Pù?(ø?
SessionInformation
software
etc....
and now it's like this
printers
connections
DevModePerUser
Pù?(ø?
Pù?(ø?
Pù{(ø{
PùÈ(øÈ
Pù?(ø?
SessionInformation
software
etc..
it happened to me a while ago and the operating system crashed on me.. I don't know if it was because of this. help!!!!!
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 27 Feb 2008 22:05 Subject: trojan horse
I ran a scan and it found these 4 variants of the trojan horse. I attach the report
AntiVir PersonalEdition Classic
Report file date: mercoledì 27 febbraio 2008 21:32
Scanning for 1126829 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Proprietario
Computer name: PIOMBINO
Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 16:33:51
ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 24/02/2008 16:33:51
ANTIVIR3.VDF : 7.0.2.203 88064 Bytes 27/02/2008 20:29:28
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 25/02/2008 16:33:52
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 25/02/2008 16:33:52
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21
Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\programmi\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: F:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: mercoledì 27 febbraio 2008 21:32
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'DataLayer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Starting to scan the registry.
The registry was scanned ( '29' files ).
Starting the file scan:
Begin scan in 'C:\' <Winxp>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\C\Programmi\GbPlugin\gbieh.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '482eca8d.qua'!
C:\QooBox\Quarantine\C\Programmi\GbPlugin\GbpSv.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4835ca90.qua'!
C:\System Volume Information\_restore{076107CF-1A0D-4F9E-900C-C2650A59E993}\RP205\A0039866.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47f5cad6.qua'!
C:\System Volume Information\_restore{076107CF-1A0D-4F9E-900C-C2650A59E993}\RP205\A0039867.exe
[DETECTION] Is the Trojan horse TR/Killav.28714
[INFO] The file was moved to '47f5cada.qua'!
Begin scan in 'E:\' <Copia>
Begin scan in 'A:\'
Search path A:\ could not be opened!
Device not ready.
Begin scan in 'F:\' <N6630>
End of the scan: mercoledì 27 febbraio 2008 21:51
Used time: 18:59 min
The scan has been done completely.
3628 Scanning directories
107348 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
107344 Files not concerned
986 Archives were scanned
1 Warnings
0 Notes
I'm also posting the HijackThis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22.00.20, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avcenter.exe
c:\programmi\avira\antivir personaledition classic\avscan.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153583001906
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 4963 bytes
Riverside (Banned indefinitely)
Registered: 29/02/08 21:32 Posts: 4396 Location: Riverside House
Posted: 01 Mar 2008 03:09 Subject:
Hi.
The HijackThis log is clean (you should, however, update Adobe Reader and Sun Java).
As for this:
baciami wrote: "I went into safe mode (after disabling System Restore), opened Avira.. deleted the viruses from quarantine.. ran the scan and it no longer found them.. did I mess up?"
it would have been interesting to see the log after the scan in safe mode.
Since you have trouble completing the online scans, and if you think you still have doubts (if you've already solved the problem, forget it and sorry), disable System Restore and:
Download KASPERSKY VIRUS REMOVAL TOOL: click here to download
download the most recent version of the tool according to its publication date and time
● a dedicated folder will be created on the Desktop
● inside the folder there is the classic Kaspersky icon (a K)
● click the icon to launch the tool
● set the areas you want to scan (Startup Objects and Disk boot sector are set by default)
● at the end of the scan it will be possible to remove the infected files detected
save and attach the log that will be produced
Note 1: ● The tool is incompatible if you already have Kaspersky products installed
Procedure to uninstall KASPERSKY VIRUS REMOVAL TOOL:
● click the icon to launch the tool
● in the main window, at the bottom, click the Complete Virus Protection entry
● a message will be displayed: click Ok
● close the web page that will open
● in the next message, click YES to start the uninstall
● at the end, you will be asked to reboot the PC
Run the uninstall once the problem is solved
bdoriano (Administrator)
Registered: 02/04/07 11:05 Posts: 14300 Location: 3rd planet of the solar system...
Posted: 01 Mar 2008 09:28 Subject:
@baciami
you should, please, stop opening new topics when you don't get answers quickly. At most, append a new message to your topic and you'll see that, magically, it gets brought to the top of the others.
Thank you for your cooperation.
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 01 Mar 2008 18:15 Subject:
thanks riverside.. it found nothing.. anyway I attach the report..
sorry bdoriano.. I opened another topic because I had a different situation and didn't want to mix up the 2 things.. can you do something for my registry? thank you in advance.
Scan
----
Scanned: 214063
Detected: 0
Untreated: 0
Start time: 01/03/2008 14.00.08
Duration: 01.12.07
Finish time: 01/03/2008 15.12.15
Detected
--------
Status Object
------ ------
Events
------
Time Name Status Reason
---- ---- ------ ------
Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Quarantine
----------
Status Object Size Added
------ ------ ---- -----
Backup
------
Status Object Size
------ ------ ----
bdoriano (Administrator)
Registered: 02/04/07 11:05 Posts: 14300 Location: 3rd planet of the solar system...
Posted: 01 Mar 2008 19:24 Subject:
Hi baciami,
honestly, I don't know what else to suggest.
It would be necessary to find out how and when those folders get created in the registry, using one of the (ex-)SysInternals tools.
But it isn't a simple operation.
Make a full backup using one of the disk-cloning programs and then try deleting those suspicious entries from the registry. Let's see what happens.
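The procedure bdoriano suggests above (back up first, then delete the odd-looking HKEY_CURRENT_USER keys, and ideally find out which process creates them) as an added PowerShell example. This is not code from the thread, from ComboFix or from Sysinternals. It assumes it is run as the affected user (the keys live in that user's hive) on Windows XP or later with reg.exe available; the backup folder, the -Remove switch and the variable names are choices made here.

```powershell
# Added example, not code from the forum thread or from any tool named in it.
# Lists the direct subkeys of HKEY_CURRENT_USER whose names contain characters
# outside printable ASCII (the "Pù?(ø?" keys discussed above), exports the
# whole HKCU hive to a .reg file as a backup, and deletes the keys only when
# -Remove is given. Assumptions: run as the affected user on Windows XP or
# later with reg.exe present; $BackupDir is an arbitrary folder chosen here.
param(
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\hkcu-backup'),
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'

# Legitimate top-level HKCU keys (Printers, SessionInformation, Software, ...)
# have plain ASCII names; anything else is what we are looking for.
$suspicious = Get-ChildItem -Path 'HKCU:\' |
    Where-Object { $_.PSChildName -match '[^\x20-\x7E]' }

if (-not $suspicious) {
    Write-Host 'No HKCU subkeys with non-printable names found.'
    return
}

foreach ($key in $suspicious) {
    $name = $key.PSChildName
    # The forum rendering turns the odd bytes into "?"; print the real code units
    # so the key can be identified unambiguously.
    $codes = ($name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
    Write-Host ("HKCU\{0}`n  name: {1}`n  subkeys: {2}  values: {3}" -f `
        $name, $codes, $key.SubKeyCount, $key.ValueCount)
    foreach ($v in $key.GetValueNames()) {
        Write-Host ("  value '{0}' ({1}) = {2}" -f $v, $key.GetValueKind($v), $key.GetValue($v))
    }
}

if (-not $Remove) {
    Write-Host "`nRe-run with -Remove to back up HKCU and delete these keys."
    return
}

# Full-hive export: reg.exe cannot reliably receive the odd key names on its
# command line, so back up all of HKCU rather than the individual keys.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("HKCU-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export HKCU $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; nothing deleted." }
Write-Host "Backup written to $backup"

foreach ($key in $suspicious) {
    # -LiteralPath: the names may contain '?', '[' or '*', which -Path would
    # treat as wildcards and silently match the wrong keys (or nothing).
    Remove-Item -LiteralPath $key.PSPath -Recurse
    Write-Host ("Deleted HKCU\{0}" -f $key.PSChildName)
}
```

Run it once without -Remove to see the exact code units of the key names and any values they hold, then with -Remove to export HKCU to a .reg file (restorable by double-clicking it or with reg.exe import) and delete the keys. The investigation bdoriano refers to is done with Sysinternals Process Monitor: a filter on Operation is RegCreateKey, plus Path begins with HKCU\, shows which process creates the keys and when, which the deletion alone does not reveal. If they reappear after deletion, that filter is the next step.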
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 01 Mar 2008 23:22 Subject:
hi bdoriano.. I made the backup with DriveImage XML, deleted those 5 strange folders and it seems nothing serious happened.. what do I do now.. can I delete the backup and the program? thanks for your help
baciami (Semidio)
Registered: 02/09/07 14:40 Posts: 287 Location: toscana
Posted: 01 Mar 2008 23:33 Subject:
I found the backup to delete in "Documents", a series of "files" of about 672,000 KB. I'll wait for your OK before doing it. bye and thanks for everything