I'm addressing you personally because, after reading here and there before registering, I consider you one of the most knowledgeable people on the subject.
But let's get to my problem: when I run a scan with ComboFix (sometimes the PC, only when connected to the network, runs slowly), it detects rootkit activity and makes me restart the computer; on an immediately following scan it finds the same malicious event again, so in practice it regenerates at every reboot (in my ignorance, I even thought and hoped it might be a false positive, but....).
I'm posting the ComboFix log; I hope you can help me solve the problem for good.
PS. Just out of curiosity: I read somewhere that, to uninstall ComboFix, you recommend downloading a program whose name I can't remember; why do you suggest that method rather than "start/run/combofix /uninstall"? Isn't that simpler?
Thanks
ComboFix 11-04-22.03 - sas 23/04/2011 12.59.36.41.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.223.95 [GMT 2:00]
Run from: c:\documents and settings\sas\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created From 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))))))
.
.
2011-04-23 06:25 . 2011-04-23 06:28 -------- d-----w- c:\windows\system32\NtmsData
2011-04-18 14:35 . 2003-10-01 15:44 31744 ----a-w- c:\windows\system32\drivers\IcdSX.sys
2011-04-18 14:33 . 2001-09-13 00:15 90112 ------w- c:\windows\snymsico.dll
2011-04-18 14:32 . 2011-04-18 15:20 -------- d-----w- c:\programmi\SONY
2011-04-18 14:30 . 2001-10-31 11:20 26409 ----a-w- c:\windows\system32\drivers\Icdusb.sys
2011-04-18 14:28 . 2002-11-28 19:23 39048 ----a-w- c:\windows\system32\drivers\ICDUSB2.sys
2011-04-16 07:33 . 2011-04-16 08:25 -------- d-----w- c:\programmi\hp deskjet 3320 series
2011-04-16 07:33 . 2002-06-17 13:36 184386 ----a-w- c:\windows\system32\hpzsnt05.dll
2011-04-16 06:29 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-16 06:29 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-16 06:20 . 2011-04-16 07:35 -------- d-----w- c:\programmi\Hewlett-Packard
2011-04-11 18:31 . 2011-04-11 18:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2011-04-11 14:13 . 2011-04-11 14:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype Extras
2011-04-10 23:15 . 2011-04-10 23:39 2304 ----a-w- c:\windows\listcmd.bin
2011-04-10 23:09 . 2011-04-10 23:09 822624 ----a-w- c:\windows\WINDOWSUPDATE.LOG.TMP
2011-04-10 23:09 . 2011-04-10 23:09 32592 ----a-w- c:\windows\SCHEDLGU.TXT.TMP
2011-04-10 22:35 . 2011-04-10 23:42 -------- dc-h--w- c:\documents and settings\All Users\Dati applicazioni\{619D4E1A-1164-42DD-8AE4-DECA8C1B305E}
2011-04-10 22:34 . 2011-04-10 22:34 -------- d-----w- c:\documents and settings\sas\Impostazioni locali\Dati applicazioni\PackageAware
2011-04-10 08:10 . 2011-04-21 07:02 -------- d-----w- c:\programmi\Microsoft Silverlight
2011-04-09 16:48 . 2010-11-25 08:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-04-09 16:48 . 2010-03-29 09:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-04-09 16:48 . 2010-11-17 08:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-04-09 16:47 . 2011-04-09 16:48 -------- d-----w- c:\programmi\File comuni\PC Tools
2011-04-09 16:47 . 2010-11-24 07:18 89192 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2011-04-09 16:47 . 2010-07-08 07:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2011-04-09 16:47 . 2010-02-05 07:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2011-04-09 16:47 . 2010-11-25 08:42 124992 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2011-04-09 16:47 . 2011-04-13 12:17 -------- d-----w- c:\programmi\PC Tools Firewall Plus
2011-04-09 16:38 . 2011-04-09 16:38 -------- d-----w- c:\programmi\Thomson
2011-04-09 16:37 . 2011-04-09 16:37 -------- d-----w- c:\programmi\Telecom Italia
2011-04-09 16:37 . 2011-04-09 16:37 -------- d-----w- c:\programmi\File comuni\InstallShield
2011-04-09 15:51 . 2008-04-14 02:13 397056 ----a-w- c:\windows\system32\dcmc0d1.dll
2011-04-04 16:00 . 2011-04-11 14:14 -------- d-----w- c:\documents and settings\sas\Dati applicazioni\skypePM
2011-04-04 15:47 . 2011-04-11 14:33 -------- d-----w- c:\documents and settings\sas\Dati applicazioni\Skype
2011-04-04 15:42 . 2011-04-11 14:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2011-03-30 22:12 . 2010-05-26 09:39 6144 ------w- c:\windows\system32\8.tmp
2011-03-28 17:23 . 2011-03-28 17:23 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\MSN6
2011-03-28 17:23 . 2011-03-28 17:24 -------- d-----w- c:\documents and settings\sas\Dati applicazioni\MSN6
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-09 15:42 . 2011-03-09 15:42 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-07 05:33 . 2011-03-08 14:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36 . 2001-08-31 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53 . 2001-08-31 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:05 . 2001-08-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05 . 2001-08-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05 . 2001-08-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42 . 2004-08-19 22:26 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-31 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-31 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:54 . 2008-05-05 06:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-31 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:54 . 2004-08-19 22:39 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2004-08-19 22:39 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:34 . 2001-08-31 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:34 . 2001-08-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2011-03-08 14:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-03-08 14:48 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty & legitimate/default values are not displayed.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 878080]
"00PCTFW"="c:\programmi\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-06-17 188416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"=
.
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [09/04/2011 18.48.02 249616]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [09/04/2011 18.48.06 160448]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [09/04/2011 18.47.24 89192]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [09/04/2011 18.47.24 57536]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [09/04/2011 18.47.22 124992]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [18/04/2011 16.28.03 39048]
S3 JTVNCProxy_10.0;JTVNCProxy_10.0; [x]
S3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\programmi\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [17/09/2010 15.29.00 16152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [09/04/2011 18.47.24 57536]
S3 PowerBrl;powerBraille System Driver;c:\windows\system32\drivers\powerbrl.sys [17/09/2010 15.33.00 14880]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\sas\Dati applicazioni\Mozilla\Firefox\Profiles\s0igvb8s.default\
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-04-23 13:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Scan end time: 2011-04-23 13:16:29
ComboFix-quarantined-files.txt 2011-04-23 11:16
.
Pre-Run: 35,248,971,776 bytes free
Post-Run: 35,215,736,832 bytes free
.
- - End Of File - - 8DDB0B7148914CA620045D15AC6ACD1C
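Added example, not part of the original post and not ComboFix's own code: a small Python triage script that parses the driver/service lines of a ComboFix log like the one above and flags the entries a helper would look at first, namely services whose binary is missing (`[x]`), could not be verified (`[?]`), lives outside the usual directories, or is a `.tmp` file, which is exactly the shape of the `MEMSWEEP2` line. It deliberately stops at flagging: a `MEMSWEEP2` service backed by a numbered `.tmp` in system32 is a well-known leftover of the Sophos Anti-Rootkit scanner rather than evidence of infection, and the catchme section of this very log reports zero hidden files, so an automatic delete would be the wrong response. The sample lines are copied from the log above; the line regex and the directory allow-list are this example's own assumptions, not a ComboFix rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of a driver/service line in ComboFix's "Reg Loading Points" section
# (taken from the log above):
#   <start> <name>;<display name>;<image path> [<timestamp> <size>]
# <start> is R1/R2/R3 (currently running) or S3 (stopped / on demand).
# ComboFix prints "[x]" when no binary exists for the service and
# "<registry path> --> <resolved path> [?]" when it could not read the file.
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Directories from which this machine's legitimate drivers and services load
# (an assumption of this example, derived from the log, not a ComboFix rule).
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\programmi",        # Italian-locale "Program Files", as seen in the log
    r"c:\program files",
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image_path: str
    missing: bool          # ComboFix printed [x]
    unverified: bool       # ComboFix printed [?]
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R*/S* line; return None for any other line of the log."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.startswith("[x]")
    unverified = rest.endswith("[?]")
    # Drop the trailing "[timestamp size]" / "[x]" / "[?]" block.
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()
    # "\??\a --> b": keep the resolved Win32 path on the right-hand side.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    # "\??\" is the NT object-manager prefix, not part of the Win32 path.
    if path.startswith("\\??\\"):
        path = path[4:]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        path, missing, unverified)


def triage(entry: ServiceEntry) -> List[str]:
    """Return human-readable reasons this entry deserves a look (empty = nothing odd)."""
    reasons = []
    p = entry.image_path.lower()
    if entry.missing:
        reasons.append("binary missing ([x])")
    if entry.unverified:
        reasons.append("binary could not be verified ([?])")
    if p.endswith(".tmp"):
        reasons.append("service backed by a .tmp file")
    if p and not any(p.startswith(d + "\\") for d in EXPECTED_DIRS):
        reasons.append("image outside expected directories")
    return reasons


def triage_log(text: str) -> List[ServiceEntry]:
    """Parse every service line in a ComboFix log and return only the flagged ones."""
    flagged = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        entry.flags = triage(entry)
        if entry.flags:
            flagged.append(entry)
    return flagged


# Lines copied from the log above (the Run-key line is included to show it is skipped).
SAMPLE_LOG = r"""
"00PCTFW"="c:\programmi\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [09/04/2011 18.48.02 249616]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [18/04/2011 16.28.03 39048]
S3 JTVNCProxy_10.0;JTVNCProxy_10.0; [x]
S3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\programmi\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [17/09/2010 15.29.00 16152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.start} {e.name}: {e.image_path or '<none>'}  <-  {'; '.join(e.flags)}")
```

Run against the sample it reports two entries: `JTVNCProxy_10.0` (registered service with no binary on disk) and `MEMSWEEP2` (unverifiable `.tmp` image). Both are worth a question in the thread, neither is proof of a rootkit; the point of keeping the output to flags rather than actions is that the human doing the cleanup decides, with the rest of the log in view.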