Hi everyone, I'm new to the forum and this is the first time I'm posting; I hope to build a collaborative relationship with all of you to solve the everyday problems that come up on our PCs.
After installing and configuring COMODO firewall and noticing a severe slowdown of my internet connection I uninstalled it, but apparently browsing is still slow. I asked for technical support and they suggested I check that it isn't spyware of some kind. Having tried every avenue I know, I decided to move on to COMBOFIX, but since I'm not an expert I need help reading the log, which I'll post now.
Is there any kind soul who can give me some advice?
Thank you in advance for your support.
Regards,
Giago
ComboFix 13-06-05.01 - Utente 05/06/2013 13.13.40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1155 [GMT 2:00]
Run from: c:\documents and settings\Utente\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dati applicazioni\TEMP
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Smart Wizard NETGEAR WNA1100 .lnk
c:\windows\wininit.ini
.
c:\windows\system32\drivers\ntfs.sys . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2013-05-05 to 2013-06-05 )))))))))))))))))))))))))))))))))))
.
.
2013-06-05 07:37 . 2013-06-05 07:37 -------- d-----w- c:\windows\LastGood
2013-06-05 07:32 . 2013-06-05 06:32 133208 ----a-w- c:\windows\system32\drivers\72030563.sys
2013-06-05 07:14 . 2013-06-05 07:14 -------- d-sh--w- c:\documents and settings\Utente\IECompatCache
2013-06-04 16:51 . 2013-05-03 12:24 133208 ----a-w- c:\windows\system32\drivers\80335117.sys
2013-06-04 16:30 . 2009-01-25 10:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-22 10:12 . 2013-05-22 10:12 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\LavasoftStatistics
2013-05-22 10:00 . 2013-05-22 10:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Downloaded Installations
2013-05-22 09:59 . 2013-05-22 09:59 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\SecureSearch
2013-05-22 09:58 . 2013-05-22 09:58 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-05-22 09:58 . 2013-05-22 09:58 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-05-22 08:14 . 2013-05-22 08:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Licenses
2013-05-22 08:14 . 2013-05-31 07:13 -------- d-----w- c:\programmi\SpywareBlaster
2013-05-22 08:11 . 2013-06-04 16:30 -------- d-----w- c:\programmi\Spybot - Search & Destroy 2
2013-05-17 22:58 . 2013-05-17 22:58 17613192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-05-16 18:39 . 2013-05-16 18:39 -------- d-----w- c:\windows\system32\wbem\Repository
2013-05-16 18:16 . 2013-05-16 18:39 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Foxit Software
2013-05-15 08:54 . 2013-05-15 09:28 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Google
2013-05-14 11:43 . 2013-05-14 11:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Canneverbe Limited
2013-05-14 11:43 . 2013-05-14 11:43 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Canneverbe Limited
2013-05-14 11:43 . 2012-06-03 08:45 5504 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2013-05-14 11:43 . 2013-05-27 18:48 -------- d-----w- c:\programmi\CDBurnerXP
2013-05-13 19:42 . 2013-05-13 19:42 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Ashampoo
2013-05-13 19:42 . 2013-05-13 19:43 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\ashampoo
2013-05-13 19:41 . 2013-05-13 19:42 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Ashampoo
2013-05-13 12:56 . 2013-05-13 18:36 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Nero
2013-05-11 10:26 . 2013-05-15 09:28 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Deployment
2013-05-11 10:26 . 2013-05-11 10:26 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Systweak
2013-05-10 18:35 . 2013-01-31 08:57 32032 ----a-w- c:\windows\system32\TURegOpt.exe
2013-05-10 18:34 . 2013-05-15 07:58 -------- d-----w- c:\programmi\TuneUp Utilities 2013
2013-05-10 12:19 . 2013-05-11 10:26 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\SUPERAntiSpyware.com
2013-05-09 11:53 . 2013-05-11 10:26 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\ZipGenius
2013-05-09 11:52 . 2013-05-11 10:26 -------- d-----w- c:\programmi\ZipGenius 6
2013-05-09 11:52 . 2013-05-09 11:52 -------- d-----w- c:\programmi\Foxit Software
2013-05-08 11:58 . 2013-05-08 11:58 -------- d-----w- c:\documents and settings\Utente\AppData
2013-05-08 08:11 . 2013-05-08 08:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\CPA_VA
2013-05-08 08:04 . 2013-05-11 10:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Comodo
2013-05-08 08:04 . 2013-05-08 08:04 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-05-08 08:04 . 2013-05-08 08:04 1060864 ----a-w- c:\windows\system32\mfc71.dll
2013-05-06 15:52 . 2013-05-06 15:52 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 22:58 . 2013-03-19 18:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-17 22:58 . 2013-03-19 18:41 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-17 18:22 . 2013-04-17 07:44 23360 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2013-04-16 22:16 . 2010-05-04 06:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:16 . 2010-05-04 06:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:16 . 2010-05-04 06:41 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-14 18:26 . 2013-04-14 18:27 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-04-14 18:26 . 2013-04-14 18:27 135136 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-04-14 18:26 . 2013-03-19 16:24 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-04-12 23:29 . 2010-05-04 06:41 385024 ----a-w- c:\windows\system32\html.iec
2013-04-12 14:00 . 2008-04-13 16:50 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 12:50 . 2013-04-15 17:00 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 03:35 . 2013-04-18 07:22 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-26 11:17 . 2013-03-26 11:17 82432 ----a-w- c:\documents and settings\Utente\Dati applicazioni\Microsoft\MSXML2\msxml4r.dll
2013-03-26 11:17 . 2013-03-26 11:17 44544 ----a-w- c:\documents and settings\Utente\Dati applicazioni\Microsoft\MSXML2\msxml4a.dll
2013-03-26 11:17 . 2013-03-26 11:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-03-26 11:17 . 2013-03-26 11:17 1275392 ----a-w- c:\documents and settings\Utente\Dati applicazioni\Microsoft\MSXML2\msxml4.dll
2013-03-19 18:06 . 2013-03-19 18:06 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-19 18:06 . 2013-03-19 16:14 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2008-04-13 17:13 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2008-04-13 18:55 2032128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-07 15:56 . 2008-04-13 16:54 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-05-04 . D5E120A3BA164D2E7307A6688FEB26B2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2013-05-03 802136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-06-24 20053608]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2013-05-13 345312]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2013-03-12 253816]
"SpywareTerminatorShield"="c:\programmi\spyware terminator\spywareterminatorshield.exe" [2013-04-03 2777736]
"SpywareTerminatorUpdater"="c:\programmi\spyware terminator\spywareterminatorupdate.exe" [2013-04-03 3684488]
"SDTray"="c:\programmi\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2013-02-28 18642024]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-05-04 128512]
.
c:\documents and settings\Utente\Menu Avvio\Programmi\Esecuzione automatica\
_uninst_72030563.lnk - c:\documents and settings\Utente\Impostazioni locali\Temp\_uninst_72030563.bat [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\programmi\QuickTime\QTTask.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" /minimized /regrun
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Spyware Terminator\\SpywareTerminator.exe"=
"c:\\Programmi\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Programmi\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Programmi\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Programmi\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestione remota Windows
.
R0 72030563;72030563;c:\windows\system32\drivers\72030563.sys [05/06/2013 9.32.07 133208]
R0 80335117;80335117;c:\windows\system32\drivers\80335117.sys [04/06/2013 18.51.16 133208]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [22/05/2013 11.58.22 13560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [14/04/2013 20.27.30 37352]
R1 sp_rsdrv2;Spyware Terminator 2012 Realtime Shield Driver;c:\windows\system32\drivers\sp_rsdrv2.sys [14/04/2013 20.15.20 32768]
R2 AntiVirSchedulerService;Avira Pianificatore;c:\programmi\Avira\AntiVir Desktop\sched.exe [14/04/2013 20.27.33 86752]
R2 MBAMScheduler;MBAMScheduler;c:\programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe [15/04/2013 19.02.49 418376]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [15/04/2013 19.00.56 701512]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\programmi\Spybot - Search & Destroy 2\SDFSSvc.exe [04/06/2013 18.30.34 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\programmi\Spybot - Search & Destroy 2\SDUpdSvc.exe [04/06/2013 18.30.39 1369624]
R2 ST2012_Svc;Spyware Terminator 2012 Realtime Shield Service;c:\programmi\Spyware Terminator\st_rsser.exe [16/04/2013 10.55.58 587912]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [31/01/2013 10.57.22 1724192]
R2 WSWNA1100;WSWNA1100;c:\programmi\NETGEAR\WNA1100\WifiSvc.exe [14/04/2013 15.37.53 266240]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [14/04/2013 15.37.57 1759584]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [14/04/2013 15.37.56 57440]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [15/04/2013 19.00.56 22856]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [16/11/2012 16.51.36 10088]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\programmi\Spybot - Search & Destroy 2\SDWSCSvc.exe [04/06/2013 18.30.40 168384]
S2 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [28/02/2013 18.45.16 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [19/03/2013 19.50.06 1691480]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\programmi\NETGEAR\WNA1100\jswpsapi.exe [14/04/2013 15.37.53 360529]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Dati applicazioni\Skype\Toolbars\Skype C2C Service\c2c_service.exe [15/04/2013 15.27.46 3289208]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - UTEXNJQ4
*NewlyCreated* - WS2IFSL
*Deregistered* - utexnjq4
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-24 08:33 1165776 ----a-w- c:\programmi\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-19 22:58]
.
2013-06-05 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\programmi\Spybot - Search & Destroy 2\SDUpdate.exe [2013-06-04 12:08]
.
2013-05-16 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2170 series272A572217594EBCF1CEE215E352B92AD073FDE4366147096.job
- c:\programmi\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 15:56]
.
2013-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2013-05-15 09:28]
.
2013-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2013-05-15 09:28]
.
2013-06-04 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\programmi\Spybot - Search & Destroy 2\SDImmunize.exe [2013-06-04 12:07]
.
2013-06-04 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\programmi\Spybot - Search & Destroy 2\SDScan.exe [2013-06-04 12:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.101.93.101 83.103.25.250
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-17842001.sys
SafeBoot-20022205.sys
SafeBoot-23309101.sys
SafeBoot-37162665.sys
SafeBoot-47857924.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-05 13:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(372)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\athgina.dll
.
Completion time: 2013-06-05 13:21:25
ComboFix-quarantined-files.txt 2013-06-05 11:21
.
Pre-Run: 117.577.244.672 bytes free
Post-Run: 117.931.376.640 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E04FDAC2FBE87558077A58C655A24AFC
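As an added example (not part of the original post, and not ComboFix's or the forum's own code): a small Python triage script over the service lines, the BootExecute value and the ". . . is infected" marker of a ComboFix log. The sample text inside it is a constructed subset of lines copied verbatim from the log above. It pulls out the two boot-start drivers whose service and file names are nothing but digits (72030563 and 80335117, the same naming pattern as the five SafeBoot-xxxxxxxx.sys orphans ComboFix removed), the ntfs.sys line ComboFix marked as infected, and any BootExecute entry beyond the Windows default `autocheck autochk *`. The regexes and the three checks are the example's own choices, not a ComboFix API, and a hit is a lead to verify (file hash, Authenticode signature, and which installed product dropped it, for instance by comparing its timestamp with the "Files Created" section of the same log), not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied verbatim from the ComboFix log
# posted above, so the example runs offline. Paste a full log here instead.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\ntfs.sys . . . è infetto!!
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
R0 72030563;72030563;c:\windows\system32\drivers\72030563.sys [05/06/2013 9.32.07 133208]
R0 80335117;80335117;c:\windows\system32\drivers\80335117.sys [04/06/2013 18.51.16 133208]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [22/05/2013 11.58.22 13560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [14/04/2013 20.27.30 37352]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [15/04/2013 19.00.56 701512]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\programmi\Spybot - Search & Destroy 2\SDFSSvc.exe [04/06/2013 18.30.34 1103392]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Dati applicazioni\Skype\Toolbars\Skype C2C Service\c2c_service.exe [15/04/2013 15.27.46 3289208]
"""


@dataclass(frozen=True)
class Service:
    start: str    # ComboFix code: R = running / S = stopped, digit = Windows start type (0 = boot)
    name: str     # service key name
    display: str  # display name as stored in the registry
    path: str     # image path
    stamp: str    # date and time exactly as ComboFix printed them (locale-specific)
    size: int     # file size in bytes


# "R0 name;display;path [dd/mm/yyyy h.m.s size]" as printed by ComboFix.
# The path is matched non-greedily so spaces, apostrophes and '&' inside it survive.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# The "infected" marker; this log is from an Italian install, so accept both wordings.
INFECTED_RE = re.compile(
    r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+(?:è infetto|is infected)", re.IGNORECASE
)

DEFAULT_BOOTEXECUTE = "autocheck autochk *"  # the only entry a stock Windows XP carries


def parse_services(text: str) -> list[Service]:
    """Parse every R*/S* service or driver line into a Service record."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        stamp, _, size = m["meta"].rpartition(" ")
        services.append(Service(m["start"], m["name"], m["display"], m["path"], stamp, int(size)))
    return services


def numeric_named_drivers(services: list[Service]) -> list[Service]:
    """Services whose key name and file stem are nothing but digits.
    Vendors name their drivers; an all-digit name has no attribution until you
    check the file's hash and signature and which product installed it."""
    hits = []
    for s in services:
        stem = s.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if s.name.isdigit() and stem.isdigit():
            hits.append(s)
    return hits


def infected_files(text: str) -> list[str]:
    """Paths ComboFix itself flagged with the '. . . infected' marker."""
    found = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            found.append(m["path"])
    return found


def boot_execute_extras(text: str) -> list[str]:
    """Entries in the Session Manager BootExecute value beyond the Windows default.
    ComboFix prints the REG_MULTI_SZ with a literal backslash-zero between entries;
    anything listed here runs before the shell and before most security software."""
    for line in text.splitlines():
        if line.startswith("BootExecute"):
            value = line.split("REG_MULTI_SZ", 1)[1].strip()
            return [e for e in value.split("\\0") if e and e != DEFAULT_BOOTEXECUTE]
    return []


def triage(text: str) -> dict:
    """One summary dict a responder can eyeball before touching anything."""
    services = parse_services(text)
    return {
        "infected": infected_files(text),
        "numeric_drivers": [s.name for s in numeric_named_drivers(services)],
        "boot_execute_extras": boot_execute_extras(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script for a printed summary, or replace SAMPLE_LOG with a full log. Every path it returns should be checked against the "Files Created" and Sigcheck sections before anything is deleted: the script only surfaces what ComboFix already printed, and in this log the extra BootExecute entry sits in system32 with a creation timestamp that can be compared against the Spybot entries a few lines away.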