
Combofix vs Flashget = traces of further malware?


Arkaine
10-07-2010, 13:46
Hello everyone

Having trouble downloading DrWeb in a reasonable amount of time, I had the terrible idea of downloading a download accelerator: from a well-known site I downloaded Flashget, which I remembered having used eons ago.
As soon as it was installed/launched, the menus in Chinese and the 3 open windows made me quite suspicious. The fact that, despite indications to the contrary, it had installed itself as a BHO certainly did not reassure me.
Searching for information on the internet, I found out that the latest versions are extremely suspicious :muro: (congratulations to the site :ncomment: ).

So I opt for a brutal eradication :banned: via Combofix

BUT... the cleanup log reveals the deletion of entries that I personally cannot attribute to Flashget or to anything else, and I don't know whether I need to investigate further or not :confused:; they look like leftovers, perhaps from other antimalware tools

these are the files in question:
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\BITS.ini
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\DHTTable.dat
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\ProxyList.ini
c:\documents and settings\[OMISSIS]\Dati applicazioni\inst.exe
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat
c:\windows\system32\Thumbs.db

the Thumbs file surprises me in particular

the log is attached

Many thanks in advance to anyone who can enlighten me :)

Arkaine
10-07-2010, 17:28
I'm attaching the logs, fresh from scanning, of RootkitRevealer and RootRepeal respectively

ps: GMer doesn't work (after a few hours of scanning, the PC gives up and reboots)

HKU\S-1-5-21-592585013-2936703351-3661302444-1006\Console 09/07/2010 20.13 0 bytes Security mismatch.
HKU\S-1-5-21-592585013-2936703351-3661302444-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 23/07/2009 16.49 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 03/09/2004 12.16 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 03/09/2004 12.16 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/07/2010 17.53 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ 14/03/2009 16.43 19 bytes Data mismatch between Windows API and raw hive data.


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/07/10 17:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE2B2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B81000 Size: 8192 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF7BCF000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB1B5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520694

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fc38

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5202fa

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7c1778e

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fb14

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522de6

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5231b6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c17784

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7c17793

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7c1779d

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51f2ec

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52160a

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521864

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5229de

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7c177a2

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fed4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5204d6

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520ed8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c17770

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520184

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7c17775

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521a80

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521efe

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521ca0

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521422

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7c177ac

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522472

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7c177a7

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522726

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520cb0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522bd6

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7c17798

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fe6e

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520070

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7c1777f

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51f6fc

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52512a

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525854

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52525e

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52570e

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52539e

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5254d2

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524faa

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5241fc

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524c7a

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52560c

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5249e8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524b2a

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5246cc

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae523f34

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52437e

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52452a

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524dca

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52488e

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524ec0

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5240a4

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525892

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525abc

==EOF==
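A triage helper for the RootRepeal SSDT listing above, as an added example that is not part of the thread or of RootRepeal itself: it parses the entry/Status line pairs and groups the hooked functions by the module RootRepeal attributes them to, listing the `<unknown>` ones first so they can be examined before the hooks that belong to a known security driver. The sample log is a constructed excerpt in the same format as the log posted above.

```python
# Added example (not from the thread or from RootRepeal): triage helper for
# RootRepeal-style SSDT / Shadow SSDT listings. Assumed layout: a section header
# ("SSDT" / "Shadow SSDT"), a dashed rule, then "#: NNN Function Name: NtXxx"
# followed by 'Status: Hooked by "<module>" at address 0x........'.
import re
from collections import defaultdict

# Constructed excerpt in the format of the RootRepeal log in the thread.
SAMPLE_LOG = """\
SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xae5202fa

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7c1778e

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xae52512a
==EOF==
"""

ENTRY_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')


def parse_hooks(log_text):
    """Return one dict per hooked entry: table, index, function, module, address."""
    hooks, table, pending = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line                      # remember which table we are in
        elif (m := ENTRY_RE.match(line)) and table:
            pending = (int(m.group(1)), m.group(2))
        elif (m := STATUS_RE.match(line)) and pending:
            index, func = pending
            hooks.append({"table": table, "index": index, "function": func,
                          "module": m.group(1), "address": m.group(2)})
            pending = None
    return hooks


def triage(hooks):
    """Group hooked functions by owning module, "<unknown>" first.

    RootRepeal prints "<unknown>" when it cannot attribute a hook to a loaded
    driver; a consistent set from one security product's driver (cmdguard.sys
    here) is the expected footprint of that product, so look at the rest first.
    """
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    ordered = sorted(grouped, key=lambda mod: (mod != "<unknown>", mod))
    return [(mod, sorted(grouped[mod])) for mod in ordered]
```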