((((((((((((((((((((((((((((( SnapShot@2012-01-05_20.01.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-02 11:00 . 2012-01-05 20:43 89536 c:\windows\system32\perfc009.dat
- 2006-03-02 11:00 . 2012-01-05 20:03 89536 c:\windows\system32\perfc009.dat
+ 2006-03-02 11:00 . 2012-01-05 20:43 531846 c:\windows\system32\perfh010.dat
- 2006-03-02 11:00 . 2012-01-05 20:03 531846 c:\windows\system32\perfh010.dat
+ 2006-03-02 11:00 . 2012-01-05 20:43 506264 c:\windows\system32\perfh009.dat
- 2006-03-02 11:00 . 2012-01-05 20:03 506264 c:\windows\system32\perfh009.dat
+ 2006-03-02 11:00 . 2012-01-05 20:43 105944 c:\windows\system32\perfc010.dat
- 2006-03-02 11:00 . 2012-01-05 20:03 105944 c:\windows\system32\perfc010.dat
+ 2006-10-26 19:06 . 2012-01-05 21:18 584192 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SETUP.EXE
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"RTHDCPL"="RTHDCPL.EXE" [2012-01-02 17719296]
"STICAP"="c:\windows\Twain_32\NX VEGA 300\SnapTrap.exe" [2012-01-05 307200]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Malwarebytes' Anti-Malware"="c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\Sports Interactive\\Football Manager 2011 Russian\\fm.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/12/2010 18.57.22 691696]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [23/05/2011 19.15.32 33824]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [05/12/2011 18.55.53 21592]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [05/12/2011 18.29.00 332248]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [29/04/2011 14.01.42 101720]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [05/12/2011 18.29.11 212568]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [03/09/2011 11.52.44 797696]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [05/12/2011 18.55.53 74200]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [03/09/2011 11.52.40 20464]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [05/12/2011 18.29.00 69208]
R3 SQTECH930B;NX VEGA 300;c:\windows\system32\drivers\Capt930b.sys [04/05/2010 0.20.57 247325]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys --> c:\windows\system32\DRIVERS\ehdrv.sys [?]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [02/03/2006 12.00.00 3584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13.16.28 275968]
S2 ekrn;ESET Service;"c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe" --> c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [?]
S2 SBAMSvc;VIPRE Antivirus Premium;"c:\programmi\Sunbelt Software\VIPRE\SBAMSvc.exe" --> c:\programmi\Sunbelt Software\VIPRE\SBAMSvc.exe [?]
S2 SBPIMSvc;SB Recovery Service;"c:\programmi\Sunbelt Software\VIPRE\SBPIMSvc.exe" --> c:\programmi\Sunbelt Software\VIPRE\SBPIMSvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [05/03/2010 12.09.04 1684736]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [05/12/2011 18.29.00 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [05/12/2011 18.29.12 94040]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13.16.28 899072]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\David\Dati applicazioni\Mozilla\Firefox\Profiles\r8rl1y6q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
************************************************** ************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 23:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
************************************************** ************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\msiexec.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
.
************************************************** ************************
.
Ora fine scansione: 2012-01-06 00:00:56 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2012-01-05 23:00
ComboFix2.txt 2012-01-05 20:58
ComboFix3.txt 2012-01-05 20:05
.
Pre-Run: 294.849.544.192 byte disponibili
Post-Run: 294.836.670.464 byte disponibili
.
- - End Of File - - 6359683D190E63C03802E1894A529EEF

----------------------------
Come vedete, quasi tutti, se non tutti, i file presenti in system32 me li segna come infetti... ma non ho capito da cosa.
Facendo una scansione con Malwarebytes non rileva nulla e il pc, nonostante la situazione paradossalmente surreale, sembra funzionare correttamente.

Come antivirus avevo Vipre Premium con firewall, ma... da quel che mi è sembrato di capire dall'ultimo controllo con quest'ultimo, si è autodisintegrato autosegnalandosi come virus e cancellando i suoi stessi file, come se fosse anch'esso infetto. La protezione attiva di Malwarebytes al momento mi risulta disattivata (si è autodisattivata) e se tento di attivarla mi compare questo errore: PROGRAM_ERROR_PROTECTION_MODULE (2, 0, Protection Enable).
Ho tentato anche di disinstallare Vipre, ma l'uninstall mi si blocca a metà non trovando dei driver (??). Come diamine lo disinstallo adesso?

Ho fatto una scansione anche con TDSSKiller e SecurityCheck, ma entrambi non mi hanno trovato nulla... stesso discorso usando Security Task Manager: sembrerebbe che non abbia programmi all'avvio potenzialmente pericolosi.
Help please

Scusate ..ecco il download del report sopracitato log.txt