www.MegaLab.it

[stubborn74]

un saluto a tutti,ho un notebook HP dv6000 con (haimè) installato il mitico so vista 32bit,ho molta familiarità con questo pc che uso ormai da anni,presto sempre molta cautela per le infezioni ma sta volta (non per mia causa) mi sa che l ho beccata,e anche bella grossa purtroppo.... nella mia ignoranza visti i sintomi che vedo si puo parlare (ripeto,per ipotesi) del temibile "mebromi" o di chissàquale altra strana infezione,sarete voi poi a guidarmi. i sintomi sono cpu a palla,lentezza,schermata nera per pochi secondi prima dell avvio,e poi ho trovato la presenza di 2 voci di registro alquanto sospette,penso c entrino sicuramente qualcosa perché non le ho mai notate prima d ora. i file temporanei sono stati tutti eliminati,li elimino ogni settimana. scansioni varie effettuate non riscontrano alcunchè,la visualizzazione dei file nascosti è attiva,e oggi ho provato a cercare qualcosa manualmente in C:\windows\system32\ & \drivers ma sembra tutto firmato.... booo,...si tratta di rootkit?
in attesa di istruzioni.


questa è una schermata delle 2 voci di registro strane,possono essere cancellate cambiando le autorizzazioni (non le ho ancora cancellate,le ho lasciate per un eventuale indagine)

[crazy.cat]

fai una scansione con mbr.exe e posta il suo log.

[stubborn74]

fatto.



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD1600BEVS-60RST0 rev.04.01G04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[hashcat]

A questo punto un log di MbrScan é d'obbligo.

[stubborn74]

bingo,l abbiamo trovato... ?

MBRScan v1.1.1

OS : Windows Vista Service Pack 2 (32 bit)
PROCESSOR : x86 Family 6 Model 15 Stepping 13, GenuineIntel
BOOT : Normal Boot
DATE : 2012/08/03 (ISO 8601) at 19:52:51
________________________________________________________________________________

DISK : Device\Harddisk0\DR0 __WDC WD1600BEVS-60RST0 (04.01G04)
BUS_TYPE : (0x03) P-ATA
USE_PIO : NO
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK : Device\Harddisk2\DR5 __TDKMedia TF090 Drive (0.00)
BUS_TYPE : (0x07) USB
USE_PIO : NO
MAX_TRANSFER : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0 149.1 Go [Fixed] ==> Vista MBR Code

MBR_MD5 : B81F91212F00783202A9803A0D31626C
MBR_SHA1 : DA981143FBDC6789C172CDEBB4322BBEB6A28548

Device\Harddisk0\Partition1 59.97 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 81.74 Go 0x07 NTFS / HPFS
Device\Harddisk0\Partition3 7.33 Go 0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk2\DR5 29.81 Go [Removable] ==> Unknown MBR Code

MBR_MD5 : 0B9BD1278C07EA900E3F64853A1654FE
MBR_SHA1 : BDECBE86D1D8D5CC203DEA212C0CB886A9171E21

Device\Harddisk2\Partition1 29.81 Go 0x0C FAT32 [LBA] __ BOOTABLE __
________________________________________________________________________________

############################### Additional scan ################################

DRIVER : C:\Windows\System32\Drivers\dump_dumpata.sys => Invisible on the disk
ADDRESS : 0x8DBC8000
SIZE : 44.0 Ko

DRIVER : C:\Windows\System32\Drivers\dump_msahci.sys => Invisible on the disk
ADDRESS : 0x8DBD3000
SIZE : 40.0 Ko

DRIVER : C:\Windows\system32\Drivers\PROCEXP141.SYS => Invisible on the disk
ADDRESS : 0xA0D1A000
SIZE : 20.0 Ko

DRIVER : C:\Users\poltel\AppData\Local\Temp\mbr.sys => Invisible on the disk
ADDRESS : 0xA0D95000
SIZE : 28.0 Ko

BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)

SystemStartOptions : /NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR \Device\Harddisk0\DR0

0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3À.м.|.À.ؾ.|¿.
0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 10 01 83 C5 10 ½¾..~..|......Å.
0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ..V.UÆF..ÆF..
0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r..ûUªu.
0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`.~..t
0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h.
0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´B.V..ôÍ.
0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ..Ä..ë.¸..».|.V.
0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1E FE .v..N..n.Í.fas.þ
0x000000A0 4E 11 0F 85 0C 00 80 7E 00 80 0F 84 8A 00 B2 80 N......~......².
0x000000B0 EB 82 55 32 E4 8A 56 00 CD 13 5D EB 9C 81 3E FE ë.U2ä.V.Í.]ë..>þ
0x000000C0 7D 55 AA 75 6E FF 76 00 E8 8A 00 0F 85 15 00 B0 }Uªun.v.è......°
0x000000D0 D1 E6 64 E8 7F 00 B0 DF E6 60 E8 78 00 B0 FF E6 Ñædè..°ßæ`èx.°.æ
0x000000E0 64 E8 71 00 B8 00 BB CD 1A 66 23 C0 75 3B 66 81 dèq.¸.»Í.f#Àu;f.
0x000000F0 FB 54 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 ûTCPAu2.ù..r,fh.
0x00000100 BB 00 00 66 68 00 02 00 00 66 68 08 00 00 00 66 »..fh....fh....f
0x00000110 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 SfSfUfh....fh.|.
0x00000120 00 66 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 .fah...Í.Z2öê.|.
0x00000130 00 CD 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 .Í..·.ë..¶.ë..µ.
0x00000140 32 E4 05 00 07 8B F0 AC 3C 00 74 FC BB 07 00 B4 2ä....ð¬<.tü»..´
0x00000150 0E CD 10 EB F2 2B C9 E4 64 EB 00 24 02 E0 F8 24 .Í.ëò+Éädë.$.àø$
0x00000160 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 .ÃInvalid partit
0x00000170 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 20 ion table.Error
0x00000180 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E loading operatin
0x00000190 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E 67 g system.Missing
0x000001A0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 operating syste
0x000001B0 6D 00 00 00 00 62 7A 99 22 42 22 42 00 00 80 01 m....bz."B"B....
0x000001C0 01 00 07 FE FF FF 3F 00 00 00 16 24 7F 07 00 FE ...þ..?....$...þ
0x000001D0 FF FF 07 FE FF FF 95 24 7F 07 AF CE 37 0A 00 FE ...þ...$..¯Î7..þ
0x000001E0 FF FF 07 FE FF FF 44 F3 B6 11 7D 97 EA 00 00 00 ...þ..Dó¶.}.ê...
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

_______MBR \Device\Harddisk2\DR5

0x00000000 FA 33 C0 8E D0 BC 00 7C 8B F4 50 07 50 1F FB FC ú3À.м.|.ôP.P.ûü
0x00000010 BF 00 06 B9 00 01 F2 A5 EA 1D 06 00 00 BE BE 07 ¿..¹..ò¥ê....¾¾.
0x00000020 B3 04 80 3C 80 74 0E 80 3C 00 75 1C 83 C6 10 FE ³..<.t..<.u..Æ.þ
0x00000030 CB 75 EF CD 18 8B 14 8B 4C 02 8B EE 83 C6 10 FE ËuïÍ....L..î.Æ.þ
0x00000040 CB 74 1A 80 3C 00 74 F4 BE 8B 06 AC 3C 00 74 0B Ët..<.tô¾..¬<.t.
0x00000050 56 BB 07 00 B4 0E CD 10 5E EB F0 EB FE BF 05 00 V»..´.Í.^ëðëþ¿..
0x00000060 BB 00 7C B8 01 02 57 CD 13 5F 73 0C 33 C0 CD 13 ».|¸..WÍ._s.3ÀÍ.
0x00000070 4F 75 ED BE A3 06 EB D3 BE C2 06 BF FE 7D 81 3D Ouí¾£.ëÓ¾Â.¿þ}.=
0x00000080 55 AA 75 C7 8B F5 EA 00 7C 00 00 49 6E 76 61 6C UªuÇ.õê.|..Inval
0x00000090 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 id partition tab
0x000000A0 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 le.Error loading
0x000000B0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 operating syste
0x000000C0 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 74 m.Missing operat
0x000000D0 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 00 ing system......
0x000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001B0 00 00 00 00 00 00 00 00 1C A7 8E 0B 00 00 80 01 .........§......
0x000001C0 01 00 0C FE FF 32 3F 00 00 00 34 CF B9 03 00 00 ...þ.2?...4Ϲ...
0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

[stubborn74]

mi era parso di aver visto qualcosa ma non so interpretare il log.

[stubborn74]

mi avete abbandonato?

[crazy.cat]

mi avete abbandonato?

No.
Ma aspetta che torni hashcat o uomosenzasonno che sono più bravi a leggere questi log.

(dal log di mbr.exe non sembri infetto)

[stubborn74]

ok

[GERONIMO*]

Nel frattempo fai una scansione con TDSSkiller
http://windowsguide.altervista.org/kasp ... dsskiller/

[stubborn74]

già fatta,non trova nulla.

[GERONIMO*]

non credo si tratti di mebroni
combofix? già fatta una scansione?

[stubborn74]

si,ho usato anche combofix e pensa che combofix ha fallito l eliminazione del file,è apparsa la scritta "eliminazione file:" ma nello schermo non è apparso il file che stava eliminando e nemmeno nel report compare nulla!,e pensa...la scansione è durata addirittura 18 minuti,mai successo.

[GERONIMO*]

combofix rilascia un report lo trovi in C\Combofix.txt
postalo sul forum

[stubborn74]

ComboFix 12-07-31.06 - poltel 04/08/2012 15.44.33.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.2046.1248 [GMT 2:00]
Eseguito da: c:\users\poltel\Desktop\Combo-Fix.exe
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Creati Da 2012-07-04 al 2012-08-04 )))))))))))))))))))))))))))))))))))
.
.

2012-08-02 22:58 . 2012-08-02 22:57 90368 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-08-02 22:58 . 2012-08-02 22:57 73216 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-08-02 22:58 . 2012-08-02 22:57 64384 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-08-02 22:58 . 2012-08-02 22:57 26624 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-08-02 22:58 . 2012-08-02 22:57 25856 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-08-02 22:58 . 2012-08-02 22:57 235392 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-08-02 22:58 . 2012-08-02 22:57 194816 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-08-02 22:58 . 2012-08-02 22:57 19200 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2012-08-02 22:58 . 2012-08-02 22:57 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-08-02 22:58 . 2012-08-02 22:57 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-07-29 13:37 . 2012-07-29 13:37 -------- d-----w- c:\users\poltel\AppData\Local\Microsoft_Corporation
2012-07-28 18:12 . 2012-08-03 00:27 707 ----a-w- c:\windows\_default.pif
2012-07-25 12:58 . 2006-11-02 09:45 7680 ----a-w- c:\windows\system32\pcalua.exe
2012-07-25 11:11 . 2012-08-01 21:29 -------- d-----w- c:\users\poltel\AppData\Local\CrashDumps
2012-07-16 21:39 . 2012-07-16 21:39 -------- d-----w- c:\users\poltel\AppData\Local\Microsoft Games
2012-07-11 17:13 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 13:26 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 13:26 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 13:26 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 13:26 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 13:26 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 13:26 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-09 00:16 . 2012-07-09 00:59 -------- d-----w- c:\programdata\InstallMate
2012-07-08 11:26 . 2012-07-08 11:26 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 22:57 . 2012-05-13 01:12 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2012-08-02 22:57 . 2012-05-13 01:12 1112288 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll
2012-06-02 22:19 . 2012-06-21 20:04 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 20:04 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 20:03 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 20:03 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 20:04 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 20:04 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 20:03 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 20:03 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12 . 2012-06-21 20:03 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-21 17:43 . 2012-05-21 17:43 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-05-13 17:53 . 2012-05-13 17:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-05-13 17:53 . 2012-05-13 17:53 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-05-13 17:53 . 2012-05-13 17:53 1060864 ----a-w- c:\windows\system32\mfc71.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-03-27 10967656]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
--- Altri Servizi/Drivers In Memoria ---
.
*NewlyCreated* - 06914404
*Deregistered* - 06914404
*Deregistered* - PROCEXP141
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Scansione supplementare -------
.
TCP: DhcpNameServer = 193.70.152.25 212.52.97.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-04 16:08
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8066FB71-AFA1-343E-8070-44AB4F3F85C9}\InprocServer32\4.0.0.0]
@DACL=(02 0000)
"RuntimeVersion"="v4.0.30319"
"Assembly"="System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
"Class"="System.EnterpriseServices.RegistrationException"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PenIMC.PimcManager.4\CLSID]
@DACL=(02 0000)
@="{E23B1CED-5E47-4FDB-AF66-B20370261B5E}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PenIMC.PimcSurrogate.4\CLSID]
@DACL=(02 0000)
@="{07B0E5E9-D635-4CD3-B98D-7C10E700DEA0}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{215D64D2-031C-33C7-96E3-61794CD1EE61}\2.4]
@DACL=(02 0000)
@="System_Windows_Forms"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4FB2D46F-EFC8-4643-BCD0-6E5BFA6A174C}\2.4]
@DACL=(02 0000)
@="System_EnterpriseServices"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}\2.4]
@DACL=(02 0000)
@="Common Language Runtime Execution Engine 2.4 Library"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BED7F4EA-1A96-11D2-8F08-00A0C9A6186D}\2.4]
@DACL=(02 0000)
@="mscorlib.dll"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BEE4BFEC-6683-3E67-9167-3C0CBC68F40A}\2.4]
@DACL=(02 0000)
@="System"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D3295D87-D604-11D4-A704-00C04FA137E4}\a.0]
@DACL=(02 0000)
@="Microsoft_JScript"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D37E2A3E-8545-3A39-9F4F-31827C9124AB}\2.4]
@DACL=(02 0000)
@="System_Drawing"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Answer]
@DACL=(02 0000)
"1"="ATA<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Clients]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Hangup]
@DACL=(02 0000)
"1"="ATH E1<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Init]
@DACL=(02 0000)
"1"="AT<cr>"
"2"="AT&FE0V1X1&D2&C1S0=0<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Monitor]
@DACL=(02 0000)
"1"="ATS0=0<cr>"
"2"="None"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Settings]
@DACL=(02 0000)
"Prefix"="AT"
"Terminator"="<cr>"
"DialPrefix"="D"
"DialSuffix"=""
"Pulse"="P"
"Tone"="T"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Answer]
@DACL=(02 0000)
"1"="ATA<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Clients]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Hangup]
@DACL=(02 0000)
"1"="ATH E1<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Init]
@DACL=(02 0000)
"1"="AT<cr>"
"2"="AT&FE0V1X1&D2&C1S0=0<cr>"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Monitor]
@DACL=(02 0000)
"1"="ATS0=0<cr>"
"2"="None"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\Settings]
@DACL=(02 0000)
"Prefix"="AT"
"Terminator"="<cr>"
"DialPrefix"="D"
"DialSuffix"=""
"Pulse"="P"
"Tone"="T"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\System32\guard32.dll
.
- - - - - - - > 'lsass.exe'(692)
c:\windows\System32\guard32.dll
.
Ora fine scansione: 2012-08-04 16:10:48
ComboFix-quarantined-files.txt 2012-08-04 14:10
.
Pre-Run: 39.965.052.928 byte disponibili
Post-Run: 39.201.853.440 byte disponibili
.
- - End Of File - - 581E4DCD704D5635562DDA9255862CC5

[stubborn74]

http://www.nod32.it/threat-center/encyclopedia1.php?id=2534

[stubborn74]

@Al3x chiedo scusa.

[GERONIMO*]

curiosità da dove hai scaricato combofix?

disabilita firewall,e Antivirus
crea un Nuovo documento di testo sul Desktop
Ci copi e incolli il codice che vedi sotto, e lo salvi con il nome CFScript.txt
e trascinalo sull'icona di ComboFix.
partirà la scansione attendi la fine senza toccare niente
se chiede il riavvio del pc riavvia
Posta il log aggiornato di combofix

Codice: Seleziona tutto

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

[hashcat]

Desidererei poter consultar qualche altro log:

Esegui una scansione con Gmer (prima di eseguirlo disabilita il defense+ e (eventualmente) la sandbox di Comodo). Rinomina il file in maniera casuale e configuralo come mostrato nell'immagine:



Fai una scansione anche con aswMBR, al termine della scansione salva il log sul Desktop ed inseriscilo nel tuo prossimo messaggio:



Infine effettua una scansione con HitmanPro:

Se vengono rilevate minacce attiva la licenza di prova e rimuovile. Al termine della scansione salva il log ed inseriscilo nel tuo prossimo messaggio:

[stubborn74]

@hashcat
@GERONIMO*
2 domande e un avviso:
aswMBR devo scaricare anche gli aggiornamenti?
lo script di GERONIMO* devo eseguirlo in quale ordine di tempo rispetto agli altri 2 sw?

GMER non mi fa selezionare la spunta su "Show All"