#1
Member
Joined: Aug 2005
Posts: 62
Combofix vs Flashget = traces of further malware?
Hello everyone,
Having trouble downloading DrWeb in a reasonable time, I had the terrible idea of downloading a download accelerator: through a well-known site I downloaded Flashget, which I remembered having used eons ago. As soon as it was installed/started, the Chinese menus and the 3 open windows made me quite suspicious. The fact that, despite indications to the contrary, it had installed itself as a BHO certainly did not reassure me. Searching for information on the internet, I found that the latest versions are extremely suspect. So I opted for a brutal eradication via Combofix, BUT... the cleanup log shows the deletion of entries that I personally cannot attribute to Flashget or to anything else, and I don't know whether I need to investigate further. These are the files in question:
Code:
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\BITS.ini
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\DHTTable.dat
c:\documents and settings\[OMISSIS]\Dati applicazioni\BITS\ProxyList.ini
c:\documents and settings\[OMISSIS]\Dati applicazioni\inst.exe
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat
c:\windows\system32\Thumbs.db
The log is attached. Many thanks in advance to anyone who can shed some light on this.
#2
Member
Joined: Aug 2005
Posts: 62
I'm attaching the logs, fresh from scanning, of RootkitRevealer and RootRepeal respectively.
PS: GMER doesn't work (after a few hours of scanning, the PC gives up and reboots).
Code:
HKU\S-1-5-21-592585013-2936703351-3661302444-1006\Console 09/07/2010 20.13 0 bytes Security mismatch.
HKU\S-1-5-21-592585013-2936703351-3661302444-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 23/07/2009 16.49 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 03/09/2004 12.16 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 03/09/2004 12.16 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/07/2010 17.53 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ 14/03/2009 16.43 19 bytes Data mismatch between Windows API and raw hive data.
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:  2010/07/10 17:31
Program Version:  Version 1.3.5.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE2B2000  Size: 98304  File Visible: No  Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B81000  Size: 8192  File Visible: No  Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF7BCF000  Size: 4128  File Visible: No  Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB1B5000  Size: 49152  File Visible: No  Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 011  Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520694

#: 031  Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fc38

#: 037  Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5202fa

#: 041  Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7c1778e

#: 046  Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fb14

#: 050  Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522de6

#: 052  Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5231b6

#: 053  Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c17784

#: 063  Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7c17793

#: 065  Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7c1779d

#: 068  Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51f2ec

#: 071  Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52160a

#: 073  Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521864

#: 097  Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5229de

#: 098  Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7c177a2

#: 105  Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fed4

#: 116  Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5204d6

#: 119  Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520ed8

#: 122  Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c17770

#: 125  Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520184

#: 128  Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7c17775

#: 160  Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521a80

#: 161  Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521efe

#: 177  Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521ca0

#: 192  Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae521422

#: 193  Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7c177ac

#: 200  Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522472

#: 204  Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7c177a7

#: 210  Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522726

#: 237  Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520cb0

#: 240  Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae522bd6

#: 247  Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7c17798

#: 249  Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51fe6e

#: 255  Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae520070

#: 257  Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7c1777f

#: 258  Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae51f6fc

Shadow SSDT
-------------------
#: 013  Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52512a

#: 122  Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525854

#: 227  Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52525e

#: 233  Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52570e

#: 237  Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52539e

#: 292  Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5254d2

#: 310  Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524faa

#: 319  Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5241fc

#: 383  Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524c7a

#: 389  Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52560c

#: 414  Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5249e8

#: 416  Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524b2a

#: 460  Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5246cc

#: 465  Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae523f34

#: 475  Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52437e

#: 476  Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52452a

#: 491  Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524dca

#: 502  Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae52488e

#: 509  Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524ec0

#: 529  Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5240a4

#: 549  Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525892

#: 552  Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae525abc

==EOF==
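The following Python script is an added example, not part of the posts above and not RootRepeal's own code. It parses the SSDT / Shadow SSDT section of a RootRepeal log in the line layout shown above (a `#:` line naming the service index and function, followed by a `Status:` line naming the hooking module and the hook address), groups the hooks by the module RootRepeal attributed them to, and reports the address span of the entries RootRepeal tagged `<unknown>`, i.e. hooks whose address it could not map to a module in its list. In the posted log the resolved hooks all belong to `cmdguard.sys` (the kernel driver shipped with COMODO Internet Security), while every `<unknown>` hook lands between 0xf7c17770 and 0xf7c177ac, a 60-byte window; that tight clustering is what you would see from one unlisted module's hook stubs, which tells you where to look next but not whether that module is benign. The embedded log is a constructed subset of the posted one, and the two-line entry format is an assumption taken from the log as posted.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries in the RootRepeal SSDT / Shadow SSDT
# layout, copied from the log posted above and cut down so the script runs
# offline. Tabs in the real log are replaced by spaces; the regexes accept both.
SAMPLE_LOG = r"""SSDT
-------------------
#: 037  Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae5202fa
#: 041  Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7c1778e
#: 053  Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c17784
#: 122  Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c17770
#: 193  Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7c177ac
#: 257  Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7c1777f

Shadow SSDT
-------------------
#: 383  Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xae524c7a
==EOF==
"""

# Assumed entry format (taken from the posted log): a "#:" line carrying the
# service index and function name, then a "Status:" line with the owner (a
# driver path or "<unknown>") and the hook address.
HOOK_RE = re.compile(r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s*$')
STATUS_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<owner>[^"]+)" at address 0x(?P<addr>[0-9a-fA-F]+)\s*$')


def parse_hooks(text):
    """Return one dict per hooked entry: table, index, func, owner, addr (int)."""
    hooks = []
    table = None      # "SSDT" or "Shadow SSDT", whichever header was seen last
    pending = None    # (index, func) from a "#:" line awaiting its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line
            continue
        m = HOOK_RE.match(line)
        if m:
            pending = (int(m.group("index")), m.group("func"))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            idx, func = pending
            hooks.append({"table": table, "index": idx, "func": func,
                          "owner": m.group("owner"),
                          "addr": int(m.group("addr"), 16)})
            pending = None
    return hooks


def group_by_owner(hooks):
    """Map each hooking module (or "<unknown>") to its sorted hook addresses."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["owner"]].append(h["addr"])
    return {owner: sorted(addrs) for owner, addrs in groups.items()}


def unknown_hook_span(hooks):
    """(lowest, highest) address among "<unknown>" hooks, or None if there are none.
    A narrow span is consistent with a single unlisted module owning all of them."""
    addrs = [h["addr"] for h in hooks if h["owner"] == "<unknown>"]
    if not addrs:
        return None
    return (min(addrs), max(addrs))


def triage(text):
    """Summarise a RootRepeal SSDT section: hook counts per owner, the functions
    hooked by an unresolved module, and the address window those hooks occupy."""
    hooks = parse_hooks(text)
    groups = group_by_owner(hooks)
    return {
        "total": len(hooks),
        "by_owner": {owner: len(addrs) for owner, addrs in groups.items()},
        "unknown_funcs": sorted(h["func"] for h in hooks if h["owner"] == "<unknown>"),
        "unknown_span": unknown_hook_span(hooks),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("hooks parsed:", report["total"])
    for owner, count in report["by_owner"].items():
        print(f"  {count:3d}  {owner}")
    if report["unknown_span"]:
        lo, hi = report["unknown_span"]
        print(f"<unknown> hooks span 0x{lo:08x}..0x{hi:08x} ({hi - lo} bytes):",
              ", ".join(report["unknown_funcs"]))
```

To run it over a real log, replace `SAMPLE_LOG` with the file contents; the `unknown_span` window gives the address range to compare against the kernel module list (for instance the one from a live debugger or from RootRepeal's own Drivers tab) to find which image, if any, maps that range.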