
MBR check

Posted: Fri Apr 01, 2011 7:03 pm
by Sabbb
OS: XP Home in dual boot with Ubuntu. I ran ComboFix, which detected a rootkit and asked for a first reboot; it then proceeds with deleting a few things:

ComboFix 11-04-01.01 - Alessandro 01/04/2011 19.31.39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1022.655 [GMT 2:00]
Running from: c:\documents and settings\Alessandro\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {0012F2B4-5C49-7C92-0300-000000000000}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\1.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\a.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\b.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\c.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\d.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\e.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\f.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\g.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\h.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\i.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\J.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\k.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\l.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\m.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\mru.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\n.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\o.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\p.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\q.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\r.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\s.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\t.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\u.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\v.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\w.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\x.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\y.xml
c:\documents and settings\Alessandro\Dati applicazioni\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((( Files Created From 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))))))
.
.
2011-03-21 12:08 . 2011-03-21 12:09 -------- d-----w- C:\PMAIL
2011-03-13 16:51 . 2011-03-13 16:51 -------- d-----w- C:\Intel
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:54 . 2004-08-19 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2004-08-19 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-01-21 14:44 . 2004-08-19 12:00 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-19 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-19 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-03 21:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\programmi\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Google Update"="c:\documents and settings\Alessandro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2011-03-13 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2011-03-16 421888]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2009-12-04 1037192]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2011-02-04 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 18:03 152872 ----a-w- c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:11 3872080 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Nero\\Nero 7\\Nero MediaHome\\NeroMediaHome.exe"=
"c:\\Programmi\\Nero\\Nero 7\\Nero MediaHome\\NMMediaServer.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [13/03/2011 17.55.52 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [13/03/2011 17.55.52 5248]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\programmi\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [04/02/2011 14.50.46 196912]
R3 es1969;Driver audio ESS 1969 (WDM);c:\windows\system32\drivers\es1969.sys [13/03/2011 17.51.00 72192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14.16.28 130384]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [13/03/2011 18.14.36 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14.16.28 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2011-03-13 16:14]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2011-03-13 16:14]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-484061587-725345543-1004Core.job
- c:\documents and settings\Alessandro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-03-26 16:14]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-484061587-725345543-1004UA.job
- c:\documents and settings\Alessandro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-03-26 16:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: Scarica con Mipony - file://c:\programmi\MiPony\Browser\IEContext.htm
.
- - - - ORPHANED KEYS REMOVED - - - -
.
BHO-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
Toolbar-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
Toolbar-10 - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 19:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs loaded by running processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
.
Scan finish time: 2011-04-01 19:38:39
ComboFix-quarantined-files.txt 2011-04-01 17:38
.
Pre-Run: 23,390,781,440 bytes free
Post-Run: 23,397,613,568 bytes free
.
- - End Of File - - 5B09A72C882232D6E85BD6D330CEC62A

The MBR check says everything is OK; log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60MHB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

but TDSSKiller doesn't agree

[image: screenshot of the TDSSKiller result, hosted on ImageShack; not reproduced here]
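The Stealth MBR detector output above reports "user: MBR read successfully", "kernel: MBR read successfully" and then "user & kernel MBR OK": the verdict is that the sector as seen through the normal user-mode read path matches the sector read at a lower level, so no disk filter is handing user mode a clean copy while a patched one sits on disk. The following is an added example, mine and not code from the thread or from Gmer's tool, that parses a 512-byte MBR and performs that comparison on constructed data. The sample boot code, the partition layout and the "infected" variant are all constructed here; on a real Windows host the user-mode buffer would come from ReadFile on \\.\PhysicalDrive0 (an assumption about how one would wire it up, not something the page states).

```python
"""Added example (not from the thread, not Gmer's mbr.exe): parse a 512-byte
MBR sector and compare two reads of it, which is what the "user & kernel MBR
OK" verdict in the detector output amounts to. If a hooked disk stack lies to
user-mode callers, the two copies differ and the differing region tells you
whether the boot code, the partition table or the signature was changed.
All sample data below is constructed for the example."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr):
    """Return the non-empty entries of the classic 4-slot partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the 446 boot-code bytes; a bootkit changes these, not the table."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def diff_ranges(a, b):
    """Byte ranges [start, end) where two sector images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def classify(ranges):
    """Which MBR regions the differing ranges touch."""
    regions = set()
    for start, end in ranges:
        if start < PART_TABLE_OFFSET:
            regions.add("boot code")
        if start < SIGNATURE_OFFSET and end > PART_TABLE_OFFSET:
            regions.add("partition table")
        if end > SIGNATURE_OFFSET:
            regions.add("signature")
    return sorted(regions)


def check_mbr(user_read, kernel_read):
    """Mirror the detector's verdict: OK only when both reads agree byte for byte."""
    ranges = diff_ranges(user_read, kernel_read)
    return {"ok": not ranges, "diff_ranges": ranges, "regions": classify(ranges),
            "user_boot_hash": boot_code_hash(user_read),
            "kernel_boot_hash": boot_code_hash(kernel_read)}


def build_sample_mbr(boot_code, entries):
    """Construct a sector for the example; entries are (bootable, type, lba, sectors)."""
    assert len(boot_code) <= PART_TABLE_OFFSET and len(entries) <= 4
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for slot, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE,
                         0x80 if bootable else 0x00, b"\xff\xff\xff", ptype,
                         b"\xff\xff\xff", lba, count)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample: a dual-boot layout like the poster's (NTFS + Linux + swap).
# The boot code is a placeholder (jmp $ plus a marker), not a real loader.
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"constructed clean boot code"
LAYOUT = [(True, 0x07, 63, 204_800_000),
          (False, 0x83, 204_800_063, 40_000_000),
          (False, 0x82, 244_800_063, 4_000_000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, LAYOUT)
# Bootkit-style modification: overwrite the start of the boot code, keep the table.
INFECTED_MBR = build_sample_mbr(b"\xcc" * 16 + CLEAN_BOOT_CODE[16:], LAYOUT)

if __name__ == "__main__":
    # Clean disk: both reads agree.
    print(check_mbr(CLEAN_MBR, CLEAN_MBR)["ok"])
    # Hooked disk stack: user mode gets the clean sector, the real one is patched.
    print(check_mbr(CLEAN_MBR, INFECTED_MBR))
    for entry in parse_partition_table(CLEAN_MBR):
        print(entry)
```

The point of reporting the region is practical: a difference confined to the first 446 bytes with an intact partition table is the shape of an MBR bootkit, while a changed partition table is more often a legitimate repartition (the poster's Ubuntu install, for instance) and a missing 0x55AA signature means the sector is not a valid MBR at all. Agreement between the two reads is only as good as the lower-level read path, which is why a second, independent tool such as TDSSKiller is worth running even after "MBR OK".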

Re: MBR check

Posted: Fri Apr 01, 2011 7:09 pm
by Uomo_Senza_Sonno
Leave that driver alone; if you delete it you will have serious problems at the next reboot. There don't seem to be any particular threats; ComboFix has probably done its job, so don't worry unless you have obvious problems.
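The Sigcheck section of the log in the first post lists five copies of atapi.sys: four backup copies with MD5 hashes and versions, and the live one under system32\drivers, which ComboFix could not open ("!HASH: COULD NOT OPEN FILE"). Whatever the screenshot showed, that is the kind of line a responder wants pulled out of a long log automatically. The following is an added example of mine, not code from the thread or from ComboFix, that parses lines in that exact format and reports an unreadable live driver, same-version copies whose hashes disagree, and which hashed copies exist alongside an unreadable one. The five atapi.sys lines are copied from the log above; the two example.sys lines, with their obviously fake hashes, are constructed to exercise the mismatch case.

```python
"""Added example, not from the thread and not ComboFix's own code: parse the
"Sigcheck" lines of a ComboFix log and flag what a responder looks for when
several copies of one driver are listed.

Line shape (copied from the log above):
  [7] 2008-04-13 . <MD5> . <size> . . [<version>] . . <path>
  [-] 2004-08-03 21:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . <path>
"""
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+"
    r"(?P<date>\S+(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Turn every Sigcheck line in `text` into a dict; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["unreadable"] = row["hash"].startswith("!HASH")  # ComboFix could not open it
        row["hash"] = None if row["unreadable"] else row["hash"].upper()
        row["name"] = row["path"].rsplit("\\", 1)[-1].lower()
        rows.append(row)
    return rows


def analyse(rows):
    """Findings as (kind, file name, detail) tuples:
    unreadable        - a copy could not be hashed (here, the live driver)
    backup-available  - an unreadable live driver has hashed copies elsewhere on disk
    hash-mismatch     - two copies claim the same version but hash differently
    """
    findings = []
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["name"]].append(row)
    for name, copies in by_name.items():
        for row in copies:
            if row["unreadable"]:
                findings.append(("unreadable", name, row["path"]))
                if "\\system32\\drivers\\" in row["path"].lower():
                    backups = [c["path"] for c in copies if c["hash"]]
                    if backups:
                        findings.append(("backup-available", name, backups))
        hashes_by_version = defaultdict(set)
        for row in copies:
            if row["hash"]:
                hashes_by_version[row["version"]].add(row["hash"])
        for version, hashes in hashes_by_version.items():
            if len(hashes) > 1:
                findings.append(("hash-mismatch", name, version))
    return findings


# The five atapi.sys lines are copied from the log in the first post. The two
# example.sys lines are constructed (fake hashes) to show the mismatch case.
SAMPLE_LOG = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-19 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-03 21:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
[7] 2009-01-01 . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . 1024 . . [1.0.0.1] . . c:\windows\ServicePackFiles\i386\example.sys
[7] 2009-01-01 . BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB . 1024 . . [1.0.0.1] . . c:\windows\system32\drivers\example.sys
"""

if __name__ == "__main__":
    for kind, name, detail in analyse(parse_sigcheck(SAMPLE_LOG)):
        print(kind, name, detail)
```

On the log above this yields one "unreadable" finding for c:\windows\system32\drivers\atapi.sys and a list of the four hashed copies next to it; the same-version backups agree with each other, so there is no mismatch for atapi.sys. The script only reports; it does not decide whether a driver should be replaced, which is the judgement the reply above warns about.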

Re: MBR check

Posted: Fri Apr 01, 2011 7:12 pm
by Sabbb
Very kind as always [thanks]