
r16, rootkit.
simo95
Posted: Wednesday, April 25, 2012 2:26:08 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
Hi guys, r16 in particular. It had been a while since I last ran a scan with Avira, so I launched one this morning. It found nothing, but it immediately warned me that there could be a hidden infection, since it had detected a modification in memory.

I then ran TDSSKiller, which found nothing. aswMBR, on the other hand, reports some oddities between the kernel and some drivers:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-25 14:12:13

14:12:13.700 OS Version: Windows x64 6.1.7601 Service Pack 1
14:12:13.700 Number of processors: 4 586 0x1707
14:12:13.700 ComputerName: SIMONE-PC UserName: Simone
14:12:15.447 Initialize success
14:12:21.132 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
14:12:21.132 Disk 0 Vendor: WDC_WD10EADS-65M2B0 01.00A01 Size: 953869MB BusType: 11
14:12:21.148 Disk 0 MBR read successfully
14:12:21.148 Disk 0 MBR scan
14:12:21.148 Disk 0 Windows 7 default MBR code
14:12:21.148 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:12:21.164 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 390569 MB offset 206848
14:12:21.195 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 51200 MB offset 800092160
14:12:21.195 Disk 0 Partition - 00 05 Extended 511999 MB offset 904949760
14:12:21.210 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 511998 MB offset 904951808
14:12:21.242 Disk 0 scanning C:\Windows\system32\drivers
14:12:26.234 Service scanning
14:12:38.526 Modules scanning
14:12:38.526 Disk 0 trace - called modules:
14:12:38.542 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80051bc2c0]<<
14:12:38.558 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062b1060]
14:12:38.558 3 CLASSPNP.SYS[fffff88001b7a43f] -> nt!IofCallDriver -> [0xfffffa8005c191e0]
14:12:38.558 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8005c55060]
14:12:38.558 \Driver\atapi[0xfffffa8005bdf450] -> IRP_MJ_CREATE -> 0xfffffa80051bc2c0
14:12:38.573 Scan finished successfully
14:12:45.063 Disk 0 MBR has been saved successfully to "C:\Users\Simone\Desktop\MBR.dat"
14:12:45.078 The log file has been saved successfully to "C:\Users\Simone\Desktop\aswMBR.txt"

How should I proceed?
Thanks
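The aswMBR trace above is the part worth reading closely: the call chain ends in a module the tool could not name, and the atapi IRP_MJ_CREATE dispatch points at that same address. As an added example (not code from the thread or from aswMBR), here is a small Python parser that extracts those entries from a trace block and flags a dispatch pointer that resolves to unnamed code; the sample text is constructed from the log shown here.

```python
import re
from typing import Dict, List

# Constructed sample input: the "trace - called modules" block in the same
# shape aswMBR prints it (addresses taken from the log in this thread).
SAMPLE_TRACE = r"""
14:12:38.526 Disk 0 trace - called modules:
14:12:38.542 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80051bc2c0]<<
14:12:38.558 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062b1060]
14:12:38.558 3 CLASSPNP.SYS[fffff88001b7a43f] -> nt!IofCallDriver -> [0xfffffa8005c191e0]
14:12:38.558 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8005c55060]
14:12:38.558 \Driver\atapi[0xfffffa8005bdf450] -> IRP_MJ_CREATE -> 0xfffffa80051bc2c0
14:12:38.573 Scan finished successfully
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
# ">>UNKNOWN [0x...]<<" marks a code address aswMBR could not map to a loaded module
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\name[0x...] -> IRP_MJ_xxx -> 0x..." is a driver object's dispatch entry
HOOK_RE = re.compile(
    r"(\\Driver\\\S+?)\[(0x[0-9a-fA-F]+)\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)"
)


def parse_trace(log: str) -> Dict[str, object]:
    """Pull the named modules, UNKNOWN addresses and IRP dispatch targets out of a trace block."""
    modules: List[str] = []
    unknown: List[str] = []
    hooks: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        if not line:
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append(m.group(1).lower())
            # everything before the >>UNKNOWN marker is the list of named modules in the chain
            modules.extend(line.split(">>")[0].split())
            continue
        h = HOOK_RE.search(line)
        if h:
            hooks.append({"driver": h.group(1), "object": h.group(2).lower(),
                          "irp": h.group(3), "target": h.group(4).lower()})
    return {"modules": modules, "unknown": unknown, "hooks": hooks}


def assess(trace: Dict[str, object]) -> List[str]:
    """One finding per dispatch entry whose target is an address aswMBR could not name."""
    findings: List[str] = []
    unknown = set(trace["unknown"])
    for h in trace["hooks"]:
        if h["target"] in unknown:
            findings.append(
                f"{h['driver']} {h['irp']} dispatch points at {h['target']}, which is not "
                "inside any named module: treat as a possible hook and confirm with a "
                "second tool, since aswMBR's x64 results need corroboration"
            )
    return findings


if __name__ == "__main__":
    for finding in assess(parse_trace(SAMPLE_TRACE)):
        print(finding)
```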
enigmista63
Posted: Wednesday, April 25, 2012 3:05:09 PM

Rank: AiutAmico

Member since: 4/28/2007
Posts: 1,976
Hi, same problem on my wife's laptop with Avast. Given the strange behaviour I scanned with Avira, which found one hidden item. While you wait for r16 you can use the Avira rescue CD: boot the PC from it and it fixes the infection.
simo95
Posted: Wednesday, April 25, 2012 3:08:14 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
Yes, I just finished preparing the USB stick to run the scan.
One of the two detections I should have already fixed; it was probably related to the WinPcap driver left in the system after uninstalling Ne.Me.Sys (the AGCOM tool for measuring ADSL speed). The other item remains; let's see whether Avira fixes it.
r16
Posted: Wednesday, April 25, 2012 4:22:51 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
simo95 wrote:

I then ran TDSSKiller, which found nothing.

Hi simo95.
Run the scan with TDSSKiller again, but change the parameters by clicking "Change parameters".
Tick the boxes "Verify driver digital signatures" and then "Detect TDLFS file system".
Confirm by clicking OK.
Then click "Start Scan".
See whether it detects anything.

N.B.:
aswMBR is not very reliable on 64-bit operating systems.
simo95
Posted: Wednesday, April 25, 2012 9:44:49 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
Thanks for the reply.
Done, here is the log: http://dl.dropbox.com/u/6853787/TDSSKiller.txt

It found 4 entries, which should all be legitimate: Cadence License Manager certainly is, as are the entries related to VMware. The remaining one I think belongs to iTunes.
I wasn't able to run the scan with Avira because as soon as it loads, the PC reboots.
Can I do some other check?

Thanks
Bye
r16
Posted: Wednesday, April 25, 2012 10:17:07 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Quote:
I wasn't able to run the scan with Avira because as soon as it loads, the PC reboots.

Do you mean the PC reboots when Avira starts scanning?

If you want, try a scan with ComboFix.
Better if renamed.


simo95
Posted: Wednesday, April 25, 2012 10:55:47 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
No, right when the Linux system that runs the Avira rescue disc loads. It's really an incompatibility problem.

As soon as I can I'll run the scan with ComboFix.
Thanks

EDIT: I just noticed that all files and folders, including system ones, have lost their hidden attribute (their display is disabled). I think it happened after running either TDSSKiller or aswMBR, since I didn't have this problem before.

PS: You can run all the tests you want, I have a clean image (even though I don't believe the system is infected now; it would be the first time in years, and the precautions I take are always more than enough), but precisely for that reason I really want to get to the bottom of this, if you feel like it.

Thanks
Good night
simo95
Posted: Thursday, April 26, 2012 2:46:24 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
Here's the log, thanks.

ComboFix 12-04-26.01 - Simone 26/04/2012 14:33:49.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.39.1040.18.6143.4885 [GMT 2:00]
Eseguito da: c:\users\Simone\Desktop\datasheet.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Creato nuovo punto di ripristino
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Simone\AppData\Roaming\Mozilla\Firefox\Profiles\ayr73qvw.default\weave\toFetch
.
.
((((((((((((((((((((((((( Files Creati Da 2012-03-26 al 2012-04-26 )))))))))))))))))))))))))))))))))))
.
.
2012-04-26 12:37 . 2012-04-26 12:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-25 10:13 . 2012-04-25 10:13 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-04-25 10:13 . 2012-04-25 10:13 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-25 10:13 . 2012-04-25 10:13 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-04-24 12:31 . 2012-04-24 21:13 -------- d-----w- c:\users\Simone\AppData\Local\Apps
2012-04-24 12:31 . 2012-04-24 12:31 119808 ----a-r- c:\users\Simone\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe
2012-04-19 17:13 . 2011-10-28 14:01 680960 ------w- c:\windows\SysWow64\ROGThemeSetup.exe
2012-04-16 18:43 . 2012-04-16 18:43 -------- d-----w- c:\program files\iTunes
2012-04-16 18:43 . 2012-04-16 18:43 -------- d-----w- c:\program files (x86)\iTunes
2012-04-16 18:43 . 2012-04-16 18:43 -------- d-----w- c:\program files\iPod
2012-04-14 19:21 . 2012-04-14 19:21 -------- d-----w- c:\program files (x86)\Nitro PDF
2012-04-14 19:14 . 2012-04-23 13:59 -------- d-----w- c:\users\Simone\AppData\Roaming\Nitro PDF
2012-04-14 19:14 . 2012-04-14 19:14 -------- d-----w- c:\programdata\Nitro PDF
2012-04-14 19:12 . 2012-04-14 19:16 -------- d-----w- c:\users\Simone\AppData\Roaming\Downloaded Installations
2012-04-13 19:30 . 2012-04-13 19:31 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-13 17:27 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 17:27 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 17:27 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-13 17:27 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 17:27 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 17:27 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-13 17:27 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-12 13:19 . 2012-04-12 13:19 -------- d-----w- c:\users\Simone\AppData\Roaming\Malwarebytes
2012-04-10 13:03 . 2012-04-10 13:04 -------- d-----w- c:\users\Simone\AppData\Roaming\Notepad++
2012-04-10 13:03 . 2012-04-10 13:03 -------- d-----w- c:\program files (x86)\Notepad++
2012-04-07 19:56 . 2012-04-07 19:56 -------- d-----w- c:\users\Simone\AppData\Roaming\kompozer.net
2012-04-07 19:56 . 2012-04-07 19:56 -------- d-----w- c:\users\Simone\AppData\Local\kompozer.net
2012-04-05 16:59 . 2012-04-05 16:59 -------- d-----w- c:\users\Simone\AppData\Local\Ubisoft
2012-04-05 16:59 . 2012-04-05 16:59 -------- d-----w- c:\programdata\Ubisoft
2012-04-05 16:53 . 2004-07-15 22:20 733184 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2012-04-05 16:53 . 2004-07-15 22:20 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2012-04-05 16:53 . 2004-07-15 22:19 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2012-04-05 16:53 . 2004-07-15 22:18 172032 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2012-04-05 16:53 . 2004-07-15 22:18 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2012-04-05 16:52 . 2012-04-05 16:52 303236 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2012-04-05 16:52 . 2012-04-05 16:52 180356 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 19:31 . 2012-01-22 10:40 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-04 13:56 . 2012-01-22 10:59 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 06:38 . 2012-03-16 13:21 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-16 13:21 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-16 13:21 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-16 13:21 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:02 . 2012-01-24 14:20 132320 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-10 06:36 . 2012-03-16 13:21 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-16 13:21 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-16 13:21 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-29 13:52 . 2012-01-29 13:52 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-01-29 13:52 . 2012-01-29 13:52 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-01-29 13:52 . 2012-01-29 13:52 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-01-29 13:52 . 2012-01-29 13:52 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-01-29 13:52 . 2012-01-29 13:52 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-01-29 13:52 . 2012-01-29 13:52 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-01-29 13:52 . 2012-01-29 13:52 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-01-29 13:52 . 2012-01-29 13:52 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-29 13:52 . 2012-01-29 13:52 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-01-29 13:52 . 2012-01-29 13:52 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-01-29 13:52 . 2012-01-29 13:52 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-01-29 13:52 . 2012-01-29 13:52 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-01-29 13:52 . 2012-01-29 13:52 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-01-29 13:52 . 2012-01-29 13:52 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-01-29 13:52 . 2012-01-29 13:52 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-01-29 13:52 . 2012-01-29 13:52 448512 ----a-w- c:\windows\system32\html.iec
2012-01-29 13:52 . 2012-01-29 13:52 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-01-29 13:52 . 2012-01-29 13:52 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-01-29 13:52 . 2012-01-29 13:52 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-01-29 13:52 . 2012-01-29 13:52 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-01-29 13:52 . 2012-01-29 13:52 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-01-29 13:52 . 2012-01-29 13:52 222208 ----a-w- c:\windows\system32\msls31.dll
2012-01-29 13:52 . 2012-01-29 13:52 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-01-29 13:52 . 2012-01-29 13:52 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-01-29 13:52 . 2012-01-29 13:52 160256 ----a-w- c:\windows\system32\wextract.exe
2012-01-29 13:52 . 2012-01-29 13:52 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-01-29 13:52 . 2012-01-29 13:52 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-01-29 13:52 . 2012-01-29 13:52 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-01-29 13:52 . 2012-01-29 13:52 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-01-29 13:52 . 2012-01-29 13:52 12288 ----a-w- c:\windows\system32\mshta.exe
2012-01-29 13:52 . 2012-01-29 13:52 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-01-29 13:52 . 2012-01-29 13:52 114176 ----a-w- c:\windows\system32\admparse.dll
2012-01-29 13:52 . 2012-01-29 13:52 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-01-29 13:52 . 2012-01-29 13:52 101888 ----a-w- c:\windows\SysWow64\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
.
c:\users\Simone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Simone\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-4-25 27265408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-02-07 1436424]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-21 846448]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 253088]
R4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-03-01 130976]
R4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-11-02 68896]
R4 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-08-22 11837440]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-12-15 86224]
S2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe [2007-03-18 1327104]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TRIXX;TRIXX;c:\users\Simone\AppData\Local\Temp\TRIXX.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
.
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-04-26 c:\windows\Tasks\ShappireTRIXX.job
- c:\program files (x86)\Sapphire TRIXX\TRIXX.exe -s [2012-01-22 18:07]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Simone\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
------- Scansione supplementare -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.it/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Simone\AppData\Roaming\Mozilla\Firefox\Profiles\ayr73qvw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/ig?hl=it
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2012-04-26 14:40:02
ComboFix-quarantined-files.txt 2012-04-26 12:40
.
Pre-Run: 341.960.761.344 byte disponibili
Post-Run: 341.905.739.776 byte disponibili
.
- - End Of File - - 23B295795B0C36E99D4D7426BF8A6FA6
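One thing a reviewer would also pull out of a ComboFix log like the one above is the policies\system block, where EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0. As an added example (not part of the thread or of ComboFix), here is a Python parser for that block that reports UAC settings weaker than the Windows 7 defaults; the sample input is constructed from the log.

```python
import re
from typing import Dict, List

# Constructed sample input: the policies\system block and the following key,
# in the shape ComboFix prints them, with the values from the log in this thread.
SAMPLE_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# ComboFix prints numeric values as: "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')
UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Windows 7 defaults for the values that govern UAC behaviour
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def parse_policies(log: str) -> Dict[str, int]:
    """Collect the numeric values listed under the policies\\system key."""
    values: Dict[str, int] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group(1).lower()
            continue
        if current != UAC_KEY:
            continue
        v = VALUE_RE.match(line)
        if v:
            values[v.group(1)] = int(v.group(2))
    return values


def uac_findings(values: Dict[str, int]) -> List[str]:
    """Report each UAC value that is weaker than the Windows 7 default."""
    findings: List[str] = []
    if values.get("EnableLUA", DEFAULTS["EnableLUA"]) == 0:
        findings.append("EnableLUA=0: UAC is off, so an admin user's processes run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin", DEFAULTS["ConsentPromptBehaviorAdmin"]) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation happens without any prompt")
    if values.get("PromptOnSecureDesktop", DEFAULTS["PromptOnSecureDesktop"]) == 0:
        findings.append("PromptOnSecureDesktop=0: prompts, when shown, are not on the secure desktop")
    return findings


if __name__ == "__main__":
    for finding in uac_findings(parse_policies(SAMPLE_SECTION)):
        print(finding)
```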
r16
Posted: Thursday, April 26, 2012 6:02:48 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi simo95.
There are no infections.
There is a whole series of "locked" keys, but they have nothing to do with the problem.
It is very likely (especially with a 64-bit OS) that it is an incompatibility.
Quote:
I just noticed that all files and folders, including system ones, have lost their hidden attribute.

The culprit should be TDSSKiller, when you ran the scan with the changed parameters.
Quote:
You can run all the tests you want,

Ohhhh I would......but with a PC free of infections it makes no sense....
Get yourself infected, then we'll talk. (joking)
Bye!!
simo95
Posted: Thursday, April 26, 2012 9:38:31 PM

Rank: AiutAmico

Member since: 12/4/2008
Posts: 2,008
Thanks a lot r16, thorough as always.
All the best