
Probable rootkit?


Probable rootkit?

Post by Totori » Mon Dec 28, 2009 2:12 am

Hi guys! Here I am once again asking for your help...
Lately it has seemed to me that there is something strange on the PC, especially when opening Mozilla. Another, more important thing concerns the DVD burner. It is suddenly no longer seen as such... that is, in Device Manager the burner is there and working, but it is seen only as a reader, while programs like Nero and ImgBurn report the message "no device detected". I'm posting the HijackThis log...
Thanks a lot in advance! [:)]

Logfile of HijackThis v1.99.1
Scan saved at 2.14.19, on 28/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\WiFiConnector\NintendoWFCReg.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tori\Documenti\Programmi Vari\Anti Virus\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Esegui il programma di registrazione.lnk = C:\Programmi\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8139EA4F-DFEB-4648-90A3-B12D52787417}: NameServer = 193.70.152.15,193.70.152.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6594924-0DAE-4769-8A1F-AD80C7C60592}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
Totori (Aficionado), Posts: 85, Joined: Tue May 01, 2007 3:04 am, Location: Tokyo

Re: Probable rootkit?

Post by crazy.cat » Mon Dec 28, 2009 7:52 am

If you are thinking of a rootkit, you certainly won't see it with HijackThis, but with GMER or ComboFix. Nothing shows up in HijackThis.
As for the burner, try removing it from the device list and restarting the PC so that it reconfigures itself; as for the burning programs, try reinstalling them in their most up-to-date versions.
When the many govern, they think only of pleasing themselves, and then you get the most foolish and most hateful tyranny: tyranny disguised as freedom.
crazy.cat (MLI Hero), Posts: 30959, Joined: Mon Jan 12, 2004 1:38 pm, Location: Mestre

Re: Probable rootkit?

Post by ste_95 » Mon Dec 28, 2009 8:14 am

Download ComboFix, saving it to the desktop under a made-up name, and run the scan following these instructions (down at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; paste its contents here between LOG tags, like this:
Code:
[LOG]the log goes here[/LOG]
«Sometimes it is better to keep silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95 (Official Member (Gold)), Posts: 17271, Joined: Mon Aug 06, 2007 11:19 am

Re: Probable rootkit?

Post by Totori » Mon Dec 28, 2009 11:36 am

Right, ComboFix... [acc2] ...sorry!!!
Anyway, all OK: I ran ComboFix and it removed several rootkits! Devices working again!!!!!
I'm posting the log anyway... Thanks a lot Ste and Crazy!

ComboFix 09-12-27.03 - Tori 28/12/2009 11.13.06.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.512.216 [GMT 1:00]
Eseguito da: c:\documents and settings\Tori\Desktop\AZ.exe
.
ADS - system32: deleted 40 bytes in 1 streams.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tori\IMPOST~1\Temp\wscsvc32.exe
c:\documents and settings\Tori\Dati applicazioni\inst.exe
c:\windows\system32\drivers\H8SRTcxnbowpdwq.sys
c:\windows\system32\H8SRTjkdkfxmkyf.dll
c:\windows\system32\H8SRTuiqppjxumh.dat
c:\windows\system32\H8SRTwjyodirerr.dll
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\mswmpdat.tlb
c:\windows\system32\srcr.dat
c:\windows\system32\wmcache.nld

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Creati Da 2009-11-28 al 2009-12-28 )))))))))))))))))))))))))))))))))))
.

2009-12-27 19:00 . 2009-12-27 19:00 -------- d-----w- c:\documents and settings\Tori\Dati applicazioni\ImgBurn
2009-12-27 18:59 . 2009-12-27 18:59 -------- d-----w- c:\programmi\ImgBurn
2009-12-23 23:17 . 2009-12-23 23:33 -------- d-----w- c:\documents and settings\Tori\Pavark
2009-12-22 23:40 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-22 23:40 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-22 23:40 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-22 23:40 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-22 23:40 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-22 23:40 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-22 23:40 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-22 23:40 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-22 23:39 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-22 23:39 . 2009-12-22 23:39 -------- d-----w- c:\programmi\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 00:37 . 2007-12-18 23:59 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-12-22 18:56 . 2008-09-11 09:34 -------- d-----w- c:\programmi\WiFiConnector
2009-11-15 18:41 . 2001-08-31 11:00 77668 ----a-w- c:\windows\system32\perfc010.dat
2009-11-15 18:41 . 2001-08-31 11:00 456262 ----a-w- c:\windows\system32\perfh010.dat
2009-11-12 15:11 . 2009-01-04 21:41 -------- d-----w- c:\documents and settings\Tori\Dati applicazioni\uTorrent
2009-11-09 12:27 . 2007-12-18 20:55 54104 ----a-w- c:\documents and settings\Tori\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-11-09 12:26 . 2009-11-09 12:26 -------- d-----w- c:\programmi\Microsoft Silverlight
2009-11-09 12:26 . 2009-11-09 12:23 -------- d-----w- c:\programmi\Microsoft
2009-11-09 12:26 . 2007-12-20 20:48 -------- d-----w- c:\programmi\Windows Live
2009-11-09 12:26 . 2009-11-09 12:26 -------- d-----w- c:\programmi\Microsoft Sync Framework
2009-11-09 12:24 . 2009-11-09 12:24 -------- d-----w- c:\programmi\Microsoft SQL Server Compact Edition
2009-11-09 12:23 . 2009-11-09 12:23 -------- d-----w- c:\programmi\Windows Live SkyDrive
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\programmi\File comuni\Windows Live
2009-11-08 09:45 . 2008-02-13 22:21 -------- d-----w- c:\documents and settings\Tori\Dati applicazioni\dvdcss
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-30 28672]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"WinPatrol"="c:\programmi\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-06-02 185896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"CloneDVDElbyDelay"="c:\programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" [2002-11-02 45056]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Esegui il programma di registrazione.lnk - c:\programmi\WiFiConnector\NintendoWFCReg.exe [2008-9-11 1175552]
Logitech SetPoint.lnk - c:\programmi\Logitech\SetPoint\SetPoint.exe [2008-10-29 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Tori\\Desktop\\utorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\WiFiConnector\\NintendoWFCReg.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14344:TCP"= 14344:TCP:NortonAV
"14464:TCP"= 14464:TCP:NortonAV
"14124:TCP"= 14124:TCP:NortonAV
"15455:TCP"= 15455:TCP:NortonAV
"18403:TCP"= 18403:TCP:NortonAV
"15794:TCP"= 15794:TCP:NortonAV
"16182:TCP"= 16182:TCP:NortonAV
"18294:TCP"= 18294:TCP:NortonAV
"14129:TCP"= 14129:TCP:NortonAV
"15989:TCP"= 15989:TCP:NortonAV
"12913:TCP"= 12913:TCP:NortonAV
"18807:TCP"= 18807:TCP:NortonAV
"14302:TCP"= 14302:TCP:NortonAV
"17785:TCP"= 17785:TCP:NortonAV
"13019:TCP"= 13019:TCP:NortonAV
"13053:TCP"= 13053:TCP:NortonAV

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [19/12/2007 13.19.19 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [19/12/2007 13.19.20 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23/12/2009 0.40.05 114768]
R2 a2free;a-squared Free Service;c:\programmi\a-squared Free\a2service.exe [24/03/2008 23.16.51 419448]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23/12/2009 0.40.05 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [09/11/2009 13.26.30 54752]
S3 iadusb;Libero IAD LAN Modem;c:\windows\system32\drivers\glauiad.sys [22/12/2007 2.33.05 30371]
S4 fsssvc;Servizio Windows Live Family Safety;c:\programmi\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22.48.42 704864]
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {8139EA4F-DFEB-4648-90A3-B12D52787417} = 193.70.152.15,193.70.152.25
TCP: {E6594924-0DAE-4769-8A1F-AD80C7C60592} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tori\Dati applicazioni\Mozilla\Firefox\Profiles\ajg9q58f.default\
FF - component: c:\documents and settings\Tori\Dati applicazioni\Mozilla\Firefox\Profiles\ajg9q58f.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\programmi\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

AddRemove-HijackThis - c:\documents and settings\Tori\Desktop\HijackThis.exe
AddRemove-SiS7002 - c:\windows\UnSiSUSB.exe PCI\VEN_1039&DEV_7002



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\???/??[???????[???[???????????????????[???[ C?????[$??????[????????????S??[????????m??[???w????(???{??w???w???????w???w???[????????d???b6?[%??[???[????"??[A??[???[.??wZ??[?3?[?3?[????st.I???????[????d???0=?[?K?[

Scansione files nascosti ...


c:\windows\TEMP\_av_proI.tm~a02892
c:\windows\TEMP\_av_proI.tm~a02892\setup.lok 0 bytes

Scansione completata con successo
Files nascosti: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x818B3340]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8599f28
\Driver\ACPI -> ACPI.sys @ 0xf84c6cb8
\Driver\atapi -> 0x818b3340
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf834eb0a
PacketIndicateHandler -> NDIS.sys @ 0xf833ba0d
SendHandler -> NDIS.sys @ 0xf834fb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3540)
c:\programmi\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\cmpbka2.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\programmi\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2009-12-28 11:30:45 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-28 10:30
ComboFix2.txt 2009-08-19 15:28

Pre-Run: 7.308.595.200 byte disponibili
Post-Run: 7.458.779.136 byte disponibili

- - End Of File - - F7BF0618DDD56585CAE92C7679427AD2
Totori (Aficionado), Posts: 85, Joined: Tue May 01, 2007 3:04 am, Location: Tokyo
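The part of that ComboFix report worth reading mechanically is the Gmer MBR detector section, where the "\Driver\atapi" hook resolves to a bare address that also appears as ">>UNKNOWN<<" in the call chain. The script below is an added example, not code from the thread or from Gmer: it parses output in that line format (a constructed excerpt modelled on the one posted above) and flags hooks that cannot be attributed to a named driver image, handling the general "object -> module @ address" form rather than only the atapi line.

```python
import re

# Constructed excerpt, not the thread's full log: the Gmer "Stealth MBR rootkit"
# detector section that ComboFix embeds in its report, in the same line format
# as the one posted above.
SAMPLE = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x818B3340]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8599f28
\Driver\ACPI -> ACPI.sys @ 0xf84c6cb8
\Driver\atapi -> 0x818b3340
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "<object> -> [<module> @ ]<address>"; the module part is absent when Gmer
# could not map the hook address to any loaded driver image.
HOOK_RE = re.compile(r"^(?P<obj>.+?) -> (?:(?P<module>[\w.]+) @ )?(?P<addr>0x[0-9a-fA-F]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_mbr_section(text):
    """Split the detector output into hooks, addresses flagged UNKNOWN and warnings."""
    hooks, unknown, warnings = [], set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.add(int(m.group(1), 16))
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append((m.group("obj"), m.group("module"), int(m.group("addr"), 16)))
        elif line.lower().startswith("warning:"):
            warnings.append(line)
    return hooks, unknown, warnings


def suspicious_hooks(hooks, unknown):
    """A hook is suspicious when it resolves to no named module, or when its
    target is one of the addresses Gmer reported as UNKNOWN in the call chain."""
    return [h for h in hooks if h[1] is None or h[2] in unknown]


def triage(text):
    """Summarise one detector section: hook count, unattributed hooks, warnings."""
    hooks, unknown, warnings = parse_mbr_section(text)
    bad = suspicious_hooks(hooks, unknown)
    return {
        "hooks": len(hooks),
        "suspicious": [(obj, hex(addr)) for obj, _mod, addr in bad],
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed excerpt the only unattributed hook is \Driver\atapi at 0x818b3340, which is the same entry the posted log shows; the named-module hooks into CLASSPNP.SYS, ACPI.sys and ntoskrnl.exe are the normal stack and are not flagged.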

Re: Probable rootkit?

Post by crazy.cat » Mon Dec 28, 2009 11:41 am

Try running this one too http://support.kaspersky.com/downloads/ ... killer.zip even though ComboFix should already have removed everything.
Did you by any chance install Malware Defense or Antimalware by mistake?
crazy.cat (MLI Hero), Posts: 30959, Joined: Mon Jan 12, 2004 1:38 pm, Location: Mestre
