Aiuto PC

Polizia Penitenziaria, Polizia di Stato, Carabinieri virus (SOLVED)

  1. dariusx (User deleted)
    I caught the Polizia Penitenziaria virus.
    Safe mode does not work; I have attached the FRST log as the guide says.
    I hope for a solution to the problem.

    I followed your guide to removing the Polizia di Stato / Polizia Penitenziaria / Polizia Postale virus and am posting the scan log.

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-06-2013 01
    Ran by SYSTEM on 04-06-2013 10:09:48
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: Italian Standard
    Internet Explorer Version 8
    Boot Mode: Recovery
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ==================


    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-03-17] (TOSHIBA Corporation)
    HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-04-23] (TOSHIBA Corporation)
    HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] ()
    HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-22] (Conexant Systems, Inc.)
    HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [570680 2009-08-23] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-08] (TOSHIBA Corporation)
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab\n. ATTENTION! ====> ZeroAccess
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-04-26] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [112600 2010-11-15] (PC Tools)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [MPlayerForWindows_UpdateReminder] "D:\Applicazioni\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK [x]
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)
    HKU\dario\...\Run: [Google Update] "C:\Users\dario\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-28] (Google Inc.)
    HKU\dario\...\Winlogon: [Shell] explorer.exe,C:\Users\dario\AppData\Roaming\skype.dat [95744 2009-07-14] ()

    ==================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-02-27] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [282624 2013-02-19] (AVG Technologies CZ, s.r.o.)
    S2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [632792 2011-01-28] (PC Tools)

    ==================== Drivers (Whitelisted) ====================

    S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-08-24] ()
    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-02-26] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [239416 2013-02-14] (AVG Technologies CZ, s.r.o.)
    S3 CnxtHdmiAudService; C:\Windows\System32\drivers\CHDMI64.sys [720952 2010-03-05] (Conexant Systems Inc.)
    S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-08-24] ()
    S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-03-12] (Duplex Secure Ltd.)
    S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-04 08:49 - 2013-04-22 08:49 - 00000000 ____D C:\FRST
    2013-06-04 06:43 - 2013-04-22 08:58 - 00000004 ____A C:\Users\dario\AppData\Roaming\skype.ini
    2013-05-15 00:00 - 2013-04-22 08:56 - 00000784 ____A C:\Windows\setupact.log
    2013-05-15 00:00 - 2013-04-15 00:00 - 00000000 ____A C:\Windows\setuperr.log
    2013-03-30 10:07 - 2013-03-30 10:07 - 00000000 ____D C:\Users\dario\AppData\Roaming\AVG2013
    2013-03-30 02:31 - 2013-03-30 02:31 - 00000000 ____D C:\Users\dario\AppData\Roaming\TuneUp Software
    2013-03-30 02:27 - 2013-03-30 02:33 - 00000000 ____D C:ProgramData\AVG2013
    2013-03-30 02:16 - 2013-03-31 14:26 - 00000000 ____D C:\Users\dario\AppData\Local\Avg2013
    2013-03-30 02:16 - 2013-03-30 02:16 - 00000000 ____D C:\Users\dario\AppData\Local\MFAData


    ==================== One Month Modified Files and Folders =======

    2013-06-04 08:58 - 2013-04-22 06:43 - 00000004 ____A C:\Users\dario\AppData\Roaming\skype.ini
    2013-05-22 08:56 - 2013-04-15 00:00 - 00000784 ____A C:\Windows\setupact.log
    2013-04-22 08:56 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-04 08:49 - 2013-04-22 08:49 - 00000000 ____D C:\FRST
    2013-04-22 07:27 - 2013-02-20 01:42 - 00308324 ____A C:\Windows\WindowsUpdate.log
    2013-04-22 07:27 - 2009-07-14 05:45 - 00018016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-04-22 07:27 - 2009-07-14 05:45 - 00018016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-04-22 07:03 - 2009-07-14 11:53 - 00738754 ____A C:\Windows\System32\perfh010.dat
    2013-04-22 07:03 - 2009-07-14 11:53 - 00145794 ____A C:\Windows\System32\perfc010.dat
    2013-04-22 07:03 - 2009-07-14 06:13 - 01652418 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-04-22 06:32 - 2012-11-20 14:45 - 00000978 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-04-22 05:47 - 2012-01-28 14:12 - 00001172 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3814798622-1503148130-2465254516-1000UA.job
    2013-04-22 04:49 - 2011-03-11 23:44 - 00000000 ____D C:\Users\dario\AppData\Roaming\Mozilla
    2013-04-22 04:27 - 2011-07-11 11:52 - 00000000 ___AD C:ProgramData\TEMP
    2013-04-21 23:46 - 2012-01-28 14:12 - 00001120 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3814798622-1503148130-2465254516-1000Core.job
    2013-04-21 23:42 - 2011-04-10 23:41 - 00000000 ____D C:ProgramData\MFAData
    2013-04-21 23:37 - 2012-10-31 12:28 - 00000272 ____A C:\Windows\Tasks\RMSchedule.job
    2013-04-17 18:34 - 2012-11-22 16:21 - 00000000 ___RD C:\Users\dario\Desktop\Scrivania
    2013-04-17 18:09 - 2011-09-28 17:22 - 00000000 ___RD C:\Users\dario\Desktop\Elementi temporanei
    2013-04-15 00:00 - 2013-04-15 00:00 - 00000000 ____A C:\Windows\setuperr.log
    2013-04-05 07:03 - 2011-09-28 16:15 - 00000000 ___HD C:\$AVG
    2013-03-31 14:26 - 2013-03-30 02:16 - 00000000 ____D C:\Users\dario\AppData\Local\Avg2013
    2013-03-31 10:34 - 2011-11-28 18:25 - 00000000 ____D C:ProgramData\Ubisoft
    2013-03-30 20:31 - 2012-08-09 16:01 - 00000000 ____D C:ProgramData\AVG2012
    2013-03-30 20:31 - 2012-08-09 16:00 - 00000000 ____D C:\Program Files (x86)\AVG
    2013-03-30 10:07 - 2013-03-30 10:07 - 00000000 ____D C:\Users\dario\AppData\Roaming\AVG2013
    2013-03-30 02:33 - 2013-03-30 02:27 - 00000000 ____D C:ProgramData\AVG2013

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-3814798622-1503148130-2465254516-1000\$126229a4cd03364c153ae8fea842f0ab

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab

    Other Malware:
    ===========
    C:\Users\dario\AppData\Roaming\skype.dat
    C:\Users\dario\AppData\Roaming\skype.ini

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit




    Last Boot: 2013-05-28 18:28

    ==================== End Of Log ============================


    Edited by vicky67 - 17/8/2013, 13:07
  2. Master Malware Expert (Group: Administrator)
    Hi dariusx,
    copy the code below into a text file (right-click on the desktop > New > Text Document) and rename it fixlist.

    start
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab\n. ATTENTION! ====> ZeroAccess
    HKU\dario\...\Winlogon: [Shell] explorer.exe,C:\Users\dario\AppData\Roaming\skype.dat [95744 2009-07-14] ()
    2013-04-22 06:43 - 2013-04-22 08:58 - 00000004 ____A C:\Users\dario\AppData\Roaming\skype.ini
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\$Recycle.Bin\S-1-5-21-3814798622-1503148130-2465254516-1000\$126229a4cd03364c153ae8fea842f0ab
    C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab
    C:\Users\dario\AppData\Roaming\skype.dat
    end



    Copy the text file to the pendrive where you have FRST. Start FRST again as you did before, except this time click the Fix button once only.
    Attach the fixlist.txt log that you will find on the pendrive.
    Reboot the PC; you should be able to get into Windows again.

    Edited by vicky67 - 6/9/2013, 14:41
  3. dariusx (User deleted)


    Perfect.
    The PC reboots perfectly.
    Do I need to do anything else?
    Thanks a lot for the support.
  4. Master Malware Expert (Group: Administrator)
    OK.
    Delete the FRST folder in C.
    For a more thorough disinfection of the PC, run a full scan with Malwarebytes. You will find the instructions in the removal tool guides in the security section.

    Follow the post-removal guide https://aiuto-pc.forumfree.it/?t=65967383
    If you have no other problems, goodbye.
  5. dariusx (User deleted)


    Thanks a lot.
    All done. The PC works correctly again.
    Best regards.
  6. Wild69 (User deleted)


    Hi Vicky... I caught the Polizia di Stato virus again.
    I am pasting the FRST64 log below (I can't attach the txt in the message).

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-06-2013
    Ran by SYSTEM on 09-06-2013 10:44:23
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-26] (Realtek Semiconductor)
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
    HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-10-07] ()
    HKLM\...\Run: [bit4id csp store register (M x64)] "RUNDLL32.EXE" "C:\Windows\system32\bit4upki-store.dll",RegisterMyPhysicalStore [176128 2010-08-10] (bit4id srl)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
    HKLM\...\Run: [VDownloader] "C:\Program Files\VDownloader\VDownloader.exe" /silent [879104 2012-12-20] (Vitzo)
    HKLM-x32\...\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe" [87336 2010-09-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-11-01] (CyberLink)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [x]
    HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [HPUsageTrackingLEDM] "C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT LEDM\" [30264 2009-08-04] (Hewlett-Packard Company)
    HKLM-x32\...\Run: [IDProtect Monitor] "C:\Program Files (x86)\Athena\IDProtect Client\Utils\IDProtect Monitor.exe" [323664 2010-12-02] (Athena Smartcard Solutions)
    HKLM-x32\...\Run: [bit4id csp store register (M)] "C:\Windows\SysWOW64\RUNDLL32.EXE" "C:\Windows\system32\bit4upki-store.dll",RegisterMyPhysicalStore [176128 2010-08-10] (bit4id srl)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [x]
    HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [103768 2009-09-12] (Citrix Systems, Inc.)
    HKU\Fabry\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-13] (Google Inc.)
    HKU\Fabry\...\Winlogon: [Shell] explorer.exe,C:\Users\Fabry\AppData\Roaming\skype.dat [110592 2011-11-16] () <==== ATTENTION
    AppInit_DLLs: C:\Windows\system32\nvinitx.dll [247144 2012-10-08] (NVIDIA Corporation)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\Fabry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ritaglio schermata e avvio di OneNote 2007.lnk
    ShortcutTarget: Ritaglio schermata e avvio di OneNote 2007.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) =================

    S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
    S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-11-30] ()

    ==================== Drivers (Whitelisted) ====================

    S3 ACSSCR; C:\Windows\System32\DRIVERS\a38usbx64.sys [42752 2007-01-17] (Advanced Card Systems Ltd)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2012-12-23] (Marvell Semiconductor, Inc.)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 rtport; C:\Windows\SysWOW64\drivers\rtport.sys [15144 2011-04-07] (Windows (R) 2003 DDK 3790 provider)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-09 10:44 - 2013-06-09 10:44 - 00000000 ____D C:\FRST
    2013-06-08 12:22 - 2013-06-08 12:22 - 00000000 ____D C:\Windows\System32\SPReview
    2013-06-08 08:09 - 2013-06-08 08:12 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
    2013-06-08 03:18 - 2013-06-08 03:27 - 00000000 ____D C:\918204edd2760c47d43a
    2013-06-08 03:15 - 2013-06-08 12:20 - 00000004 ____A C:\Users\Fabry\AppData\Roaming\skype.ini
    2013-06-04 08:06 - 2013-06-04 08:06 - 00000322 ____A C:\Windows\Tasks\WebReg HP Officejet 5600 series.job
    2013-05-31 23:55 - 2013-05-31 23:55 - 00000000 ____D C:\Users\Fabry\ClientVisuale_Infocamere
    2013-05-25 05:50 - 2013-05-25 05:52 - 00023187 ____A C:\ProgramData\SchemaPDFA.dat
    2013-05-25 05:50 - 2013-05-25 05:52 - 00005565 ____A C:\ProgramData\TypesPDFA.dat
    2013-05-25 05:50 - 2013-05-25 05:50 - 00000000 ____D C:\Users\Fabry\AppData\Roaming\callas software
    2013-05-14 10:03 - 2013-05-14 10:03 - 00000000 ____D C:\Users\Fabry\dikeTmpdir
    2013-05-11 05:03 - 2013-05-11 05:03 - 01666972 ____A C:\Users\Fabry\Downloads\IstanzaXBRL_win7.zip

    ==================== One Month Modified Files and Folders =======

    2013-06-09 10:44 - 2013-06-09 10:44 - 00000000 ____D C:\FRST
    2013-06-09 00:34 - 2011-08-19 23:29 - 00100411 ____A C:\Windows\setupact.log
    2013-06-09 00:34 - 2011-07-21 13:12 - 00000375 ____A C:\Windows\System32\Drivers\etc\hosts.ics
    2013-06-09 00:34 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-08 12:23 - 2011-03-14 22:46 - 01871108 ____A C:\Windows\WindowsUpdate.log
    2013-06-08 12:22 - 2013-06-08 12:22 - 00000000 ____D C:\Windows\System32\SPReview
    2013-06-08 12:20 - 2013-06-08 03:15 - 00000004 ____A C:\Users\Fabry\AppData\Roaming\skype.ini
    2013-06-08 12:13 - 2012-09-13 13:14 - 00001148 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-08 12:13 - 2012-04-01 21:01 - 00000978 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-08 08:12 - 2013-06-08 08:09 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
    2013-06-08 07:15 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-08 07:15 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-08 07:08 - 2012-09-13 13:14 - 00001144 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-08 03:27 - 2013-06-08 03:18 - 00000000 ____D C:\918204edd2760c47d43a
    2013-06-08 03:27 - 2011-07-02 05:56 - 00000000 ____D C:\users\Fabry
    2013-06-08 03:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2013-06-08 01:27 - 2011-07-21 12:59 - 00000000 ____D C:\Users\Fabry\Documents\Youcam
    2013-06-07 08:24 - 2012-01-07 15:05 - 00000000 ____D C:\Coge07
    2013-06-06 12:08 - 2012-09-13 13:15 - 00002143 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2013-06-05 00:01 - 2011-03-15 14:46 - 00698804 ____A C:\Windows\System32\perfh010.dat
    2013-06-05 00:01 - 2011-03-15 14:46 - 00127998 ____A C:\Windows\System32\perfc010.dat
    2013-06-05 00:01 - 2009-07-13 21:13 - 01541618 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-06-04 08:06 - 2013-06-04 08:06 - 00000322 ____A C:\Windows\Tasks\WebReg HP Officejet 5600 series.job
    2013-06-04 06:44 - 2012-03-31 05:08 - 00000000 ____D C:\Users\Fabry\AppData\Local\CrashDumps
    2013-06-03 09:04 - 2012-05-21 08:07 - 00045478 ____A C:\Users\Fabry\LOGdeSign.log
    2013-06-03 09:04 - 2012-05-18 07:15 - 00000501 ____A C:\Users\Fabry\dike.ini
    2013-06-01 05:00 - 2011-03-14 22:46 - 00000000 ____D C:\Windows\softwaredistribution.bak
    2013-06-01 03:37 - 2012-01-07 14:40 - 00000000 ___RD C:\Users\Fabry\Desktop\Wild Soluzioni s.r.l
    2013-05-31 23:55 - 2013-05-31 23:55 - 00000000 ____D C:\Users\Fabry\ClientVisuale_Infocamere
    2013-05-27 10:46 - 2009-07-13 21:08 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-05-25 05:52 - 2013-05-25 05:50 - 00023187 ____A C:\ProgramData\SchemaPDFA.dat
    2013-05-25 05:52 - 2013-05-25 05:50 - 00005565 ____A C:\ProgramData\TypesPDFA.dat
    2013-05-25 05:50 - 2013-05-25 05:50 - 00000000 ____D C:\Users\Fabry\AppData\Roaming\callas software
    2013-05-25 05:50 - 2011-07-02 06:17 - 00000000 ____D C:\Users\Fabry\AppData\Local\Adobe
    2013-05-17 01:51 - 2012-07-06 08:20 - 00002088 ____A C:\Users\Fabry\Desktop\Servizi CGN 12 PM27393.lnk
    2013-05-15 10:59 - 2011-07-27 06:16 - 00000000 ____D C:\ProgramData\Microsoft Help
    2013-05-15 10:57 - 2011-08-01 10:49 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-05-15 09:04 - 2012-04-01 21:01 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-05-15 09:04 - 2011-07-27 10:01 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-05-14 10:08 - 2013-01-18 14:26 - 00000000 ____D C:\Users\Fabry\Desktop\Provvisorio
    2013-05-14 10:03 - 2013-05-14 10:03 - 00000000 ____D C:\Users\Fabry\dikeTmpdir
    2013-05-14 09:54 - 2012-04-17 09:24 - 00000000 ____D C:\prtele
    2013-05-13 06:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-05-11 05:03 - 2013-05-11 05:03 - 01666972 ____A C:\Users\Fabry\Downloads\IstanzaXBRL_win7.zip

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-1309665003-1285200881-1394159564-1002\$7e1df58ba1da9ae8265c14bb1e8043f4

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$7e1df58ba1da9ae8265c14bb1e8043f4

    Files to move or delete:
    ====================
    C:\Users\Fabry\AppData\Roaming\skype.dat
    C:\Users\Fabry\AppData\Roaming\skype.ini
    C:\ProgramData\SchemaPDFA.dat
    C:\ProgramData\TypesPDFA.dat

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-06-08 03:18:48
    Restore point made on: 2013-06-08 12:21:07

    ==================== Memory info ===========================

    Percentage of memory in use: 15%
    Total physical RAM: 4009.55 MB
    Available physical RAM: 3375.92 MB
    Total Pagefile: 4007.7 MB
    Available Pagefile: 3373.92 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:124 GB) (Free:54.1 GB) NTFS (Disk=0 Partition=2)
    Drive d: () (Fixed) (Total:317.78 GB) (Free:238.14 GB) NTFS (Disk=0 Partition=4)
    Drive f: (SAMSUNG_REC) (Fixed) (Total:23.88 GB) (Free:0.94 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
    Drive h: () (Removable) (Total:1.84 GB) (Free:1.58 GB) FAT (Disk=1 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 466 GB) (Disk ID: FDF38C38)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=124 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=318 GB) - (Type=OF Extended)
    Partition 4: (Not Active) - (Size=24 GB) - (Type=27)

    ========================================================
    Disk: 1 (Size: 2 GB) (Disk ID: 6F20736B)
    Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
    Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
    Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
    Partition 4: (Not Active) - (Size=-336763289600) - (Type=0D)


    LastRegBack: 2013-06-03 10:45

    ==================== End Of Log ============================


    Edited by vicky67 - 21/8/2013, 17:27
  7. Master Malware Expert (Group: Administrator)
    Hi Wild69,

    You did right to paste it into the post.

    Copy the code below into a text file (right-click on the desktop > New > Text Document) and rename it fixlist.

    start
    HKU\Fabry\...\Winlogon: [Shell] explorer.exe,C:\Users\Fabry\AppData\Roaming\skype.dat [110592 2011-11-16] () <==== ATTENTION
    2013-06-08 03:15 - 2013-06-08 12:20 - 00000004 ____A C:\Users\Fabry\AppData\Roaming\skype.ini
    C:\$Recycle.Bin\S-1-5-21-1309665003-1285200881-1394159564-1002\$7e1df58ba1da9ae8265c14bb1e8043f4
    C:\$Recycle.Bin\S-1-5-18\$7e1df58ba1da9ae8265c14bb1e8043f4
    C:\Users\Fabry\AppData\Roaming\skype.dat
    end




    Then copy the text file to the pendrive where you have FRST. Start FRST again as you did before, except this time click the Fix button once only.

    Reboot the PC; you should be able to get into Windows again.

    The PC will reboot.
    This variant of the ransomware also carried the ZeroAccess rootkit, which in some variants can damage some services.

    So once you are back in Windows, run a scan with FSS to check that everything is OK.

    - Download Farbar Service Scanner www.bleepingcomputer.com/download/f...-scanner/dl/62/
    Tick everything
    Click "Scan".
    A log (FSS.txt) will be created in the same directory as the tool
    Post the log.

    Edited by vicky67 - 6/9/2013, 14:37
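The triage the helper does by hand in posts 2 and 7 (reading FRST.txt for the hijacked Winlogon Shell value, the lines FRST marks ATTENTION / ZeroAccess, and the paths under "ZeroAccess:" and "Other Malware:", then turning them into a start/end fixlist), as an added Python example; it is not FRST's code and nothing the forum posted. The sample log is a constructed subset of the lines quoted in post 1, and the fixlist it prints is a draft for a person to review, since FRST itself is what applies it.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the indicators this thread acts on
and emit a draft fixlist in FRST's start/end form.  Added example; not FRST's own code."""
import re
from collections import namedtuple

# kind: what matched; detail: the value or path; fix_line: the line to put in the fixlist
Finding = namedtuple("Finding", "kind detail fix_line")

# Constructed sample: a trimmed subset of the FRST.txt lines quoted in post 1 of the thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-03-17] (TOSHIBA Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab\n. ATTENTION! ====> ZeroAccess
HKU\dario\...\Winlogon: [Shell] explorer.exe,C:\Users\dario\AppData\Roaming\skype.dat [95744 2009-07-14] ()

==================== One Month Created Files and Folders ========

2013-06-04 06:43 - 2013-04-22 08:58 - 00000004 ____A C:\Users\dario\AppData\Roaming\skype.ini
2013-05-15 00:00 - 2013-04-22 08:56 - 00000784 ____A C:\Windows\setupact.log

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$126229a4cd03364c153ae8fea842f0ab

Other Malware:
===========
C:\Users\dario\AppData\Roaming\skype.dat
C:\Users\dario\AppData\Roaming\skype.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
"""

SHELL_MARKER = "\\Winlogon: [Shell] "


def shell_value(line):
    """Return the Winlogon Shell data from an FRST registry line, or None.
    FRST appends '[size yyyy-mm-dd] (vendor)' and sometimes '<=== ATTENTION';
    both are stripped so only the registry data itself is examined."""
    if SHELL_MARKER not in line:
        return None
    value = line.split(SHELL_MARKER, 1)[1]
    value = re.sub(r" <=+ ATTENTION$", "", value)
    value = re.sub(r" \[\d+ \d{4}-\d{2}-\d{2}\] \(.*\)$", "", value)
    return value.strip()


def shell_is_hijacked(value):
    """The only legitimate Shell value is explorer.exe; the ransomware in this
    thread appends its own loader after a comma (explorer.exe,<path to skype.dat>)."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return parts != ["explorer.exe"]


def triage_frst(text):
    """Walk the log once and collect the indicators the helper acted on."""
    findings, lines, section, i = [], text.splitlines(), None, 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("===") and line.endswith("==="):
            section = line.strip("= ")          # e.g. "Registry (Whitelisted)"
        elif line == "ZeroAccess:" and i + 1 < len(lines):
            i += 1                              # the rootkit path is on the next line
            path = lines[i].strip()
            findings.append(Finding("zeroaccess_path", path, path))
        elif line in ("Other Malware:", "Files to move or delete:"):
            i += 1                              # skip the "=====" underline
            while i + 1 < len(lines) and lines[i + 1].strip():
                i += 1
                path = lines[i].strip()
                findings.append(Finding("malware_file", path, path))
        elif section and section.startswith("Registry"):
            value = shell_value(line)
            if value is not None and shell_is_hijacked(value):
                findings.append(Finding("shell_hijack", value, line))
            elif "ATTENTION" in line or "ZeroAccess" in line:
                findings.append(Finding("frst_flag", line, line))
        i += 1
    return findings


def build_fixlist(findings):
    """Render findings as an FRST fixlist the way the helper wrote it by hand:
    registry lines verbatim, files as bare paths, duplicates dropped.  It is a
    draft for a person to review; FRST itself applies it."""
    body = []
    for f in findings:
        if f.fix_line not in body:
            body.append(f.fix_line)
    return "\n".join(["start", *body, "end"]) + "\n"


if __name__ == "__main__":
    found = triage_frst(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:16} {f.detail}")
    print(build_fixlist(found))
```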
  8. Wild69 (User deleted)


    Perfect, the PC rebooted ;)

    Here is the FSS log

    Thanks


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys
    [2013-02-14 13:31] - [2013-01-04 07:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    Edited by vicky67 - 28/6/2013, 10:49
  9. Master Malware Expert (Group: Administrator)
    OK.
    The services have not been damaged. Only Windows Defender does not start, because its startup is set to on-demand since Microsoft Security Client disabled it. That is normal.

    Now delete the FRST folder in C.

    If you want (optional), for a more thorough disinfection of the system you can run a scan with Malwarebytes (you will find the guide under Security > PC security guides > removal tool guide).

    Follow the post-removal guide https://aiuto-pc.forumfree.it/?t=65967383
    It is very important, above all to keep ransomware infections in check, since they exploit flaws in some software to infect the system.
    If you have no other problems, goodbye.
  10. Aiutante (Group: Member)
    I caught the Polizia di Stato virus and it would not let me restart the computer even in safe mode, only in safe mode with Command Prompt. Doing it that way I got into the system registry and by mistake I deleted the file explorer.exe, the one that displays the desktop, but I did not remove the virus, and now when I start the computer it shows me a black screen and I can't do anything. So I had thought of reinstalling Windows 7 Professional by downloading it from this site www.pedropuggioni.it/blog/35-blog/1...te-e-legalmente; the problem is that it asks for the Product Key, which I have on the computer but don't remember and didn't write down anywhere. The computer was upgraded from Vista to 7; is it possible to use the Vista product key? I urgently need help from an expert because before taking it in for repair I would like to try on my own, even if you will surely advise me against it, so I am asking for your help.

    If you can, point me to a guide to restore explorer.exe, one to remove the Polizia di Stato virus and one to reinstall Windows 7 from scratch. I know I am asking a lot but you would really be doing me a favour, thanks.
    I think my dad wants to take the computer in to be repaired and formatted to have Windows 7 reinstalled from scratch, I think tomorrow morning. Can you help me soon so I don't risk losing the data, some of which is important.

    Here is the log of my scan.

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-06-2013 01
    Ran by SYSTEM on 30-06-2013 22:28:08
    Running from G:\
    WIN_7 (X86) OS Language: Italian Standard
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Winlogon: [Userinit] [x]
    HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
    HKU\seven\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [26624 2010-11-20] (Microsoft Corporation)
    HKU\seven\...\Winlogon: [Shell] explorer.exe,C:\Users\seven\AppData\Roaming\skype.dat <==== ATTENTION
    Startup: C:\Users\seven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
    ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    BootExecute: autocheck autochk * bootroboscan.exe

    ========================== Services (Whitelisted) =================

    S2 Adobe Version Cue CS2; c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe [163840 2005-04-04] (Adobe Systems Incorporated)
    S4 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [397176 2012-08-21] (BlueStack Systems, Inc.)
    S4 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [384888 2012-08-21] (BlueStack Systems, Inc.)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
    S2 NitroReaderDriverReadSpool3; C:\Program Files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe [196624 2012-10-30] (Nitro PDF Software)
    S2 Roboscan_RTSrv; C:\Program Files\Roboscan\Roboscan\RSRTSrv.rse [355688 2012-03-29] (Roboscan Inc)
    S2 Roboscan_UpdSrv; C:\Program Files\Roboscan\Roboscan\RSUpdSrv.rse [606056 2012-03-29] (Roboscan Inc)
    S4 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [85776 2012-08-25] (SANDBOXIE L.T.D)
    S3 WefiEngSvc; C:\Program Files\WeFi\WefiEngSvc.exe [120152 2010-11-03] (WeFi)
    S3 rpcapd; "%­ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%­ProgramFiles%\WinPcap\rpcapd.ini" [x]

    ==================== Drivers (Whitelisted) ====================

    S2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [66424 2012-08-21] (BlueStack Systems)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
    S3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2007-07-31] (ATK0100)
    S2 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
    S3 RoboFww; c:\program files\roboscan\roboscan\plugin\realtime\RoboFww.sys [32064 2012-03-29] (Roboscan Inc)
    S3 RoboRtwIFDrv; c:\program files\roboscan\roboscan\plugin\realtime\RoboRtw.sys [100160 2012-03-29] (Roboscan Inc)
    S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [157776 2012-08-25] (SANDBOXIE L.T.D)
    S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-30 22:27 - 2013-06-30 22:27 - 00000000 ____D C:\FRST
    2013-06-27 16:33 - 2013-06-27 16:33 - 00000000 __SHD C:\found.000
    2013-06-27 15:42 - 2013-06-27 15:42 - 147062908 ____A C:\Windows\MEMORY.DMP
    2013-06-26 22:28 - 2013-06-26 22:28 - 00000000 ____A C:\asdsetup.exe
    2013-06-26 22:18 - 2013-06-26 22:19 - 00000000 ___AD C:\.Trash-0
    2013-06-26 21:51 - 2013-06-26 21:52 - 00000004 ____A C:\Users\seven\AppData\Roaming\skype.ini
    2013-06-26 20:54 - 2013-06-26 22:01 - 00000000 ____D C:\Windows\pss
    2013-06-26 20:05 - 2013-06-26 20:05 - 43253760 ____A C:\Windows\System32\config\software.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 24379392 ____A C:\Windows\System32\config\system.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00524288 ____A C:\Windows\System32\config\default.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00262144 ____A C:\Windows\System32\config\security.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00262144 ____A C:\Windows\System32\config\sam.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00000000 ___AD C:\$Anvi Rescue Disk$
    2013-06-26 17:37 - 2013-06-26 17:41 - 38001894 ____A C:\Users\seven\Downloads\Come navigare nel Deep Web.mp4
    2013-06-26 16:55 - 2013-06-26 22:02 - 00000000 ____D C:\Users\seven\AppData\Roaming\GetRight
    2013-06-26 16:55 - 2013-06-26 22:02 - 00000000 ____D C:\Program Files\GetRight
    2013-06-23 21:11 - 2013-06-26 21:51 - 00000891 ____A C:\Windows\setupact.log
    2013-06-23 21:11 - 2013-06-23 21:11 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-21 02:09 - 2013-06-21 02:09 - 00000000 ____D C:\Users\seven\Downloads\Miei salvataggi
    2013-06-19 22:16 - 2013-06-19 22:46 - 192163640 ____A C:\Users\seven\Downloads\Documentario su Parigi.mp4
    2013-06-19 01:04 - 2013-06-19 01:04 - 00000000 ____D C:\Users\seven\Documents\The Prince of Codes
    2013-06-18 16:25 - 2013-06-20 23:59 - 00000000 __SHD C:\Windows\System32\AI_RecycleBin
    2013-06-18 16:19 - 2013-06-19 01:17 - 00000000 ____D C:\Program Files\PutLockerDownloader.com
    2013-06-18 12:44 - 2013-06-18 12:44 - 00000000 ____D C:\Users\seven\Downloads\Vari Testi
    2013-06-18 12:38 - 2013-06-19 00:05 - 00000000 ____D C:\Users\seven\Downloads\Video
    2013-06-16 12:57 - 2013-06-16 13:29 - 00000000 ____D C:\Users\Public\Documents\STALKER-STCS
    2013-06-16 12:49 - 2013-06-16 12:49 - 00000000 ____D C:\Program Files\Deep Silver
    2013-06-14 23:42 - 2013-06-14 23:42 - 00000000 ____D C:\Users\seven\AppData\Roaming\AbaEnglishRt.19ECF44F1B9DAF7C7A64FDC21A008AB0C5135E2F.1
    2013-06-14 23:37 - 2013-06-14 23:37 - 00000513 ____A C:\Users\seven\Desktop\ABA English Course.lnk
    2013-06-14 23:35 - 2013-06-14 23:42 - 00000000 ____D C:\EnglishCourse
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
    2013-06-14 22:57 - 2013-05-17 00:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-06-14 22:57 - 2013-05-16 23:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-06-14 22:57 - 2013-05-16 23:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-06-14 22:57 - 2013-05-16 23:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-06-14 22:57 - 2013-05-16 23:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-06-14 22:57 - 2013-05-16 23:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-06-14 22:57 - 2013-05-16 23:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-06-14 22:57 - 2013-05-16 23:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-06-14 22:57 - 2013-05-16 23:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-06-14 22:57 - 2013-05-16 23:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-06-14 22:57 - 2013-05-16 23:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-06-14 22:57 - 2013-05-16 23:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-06-14 22:57 - 2013-05-16 23:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-06-14 22:57 - 2013-05-16 23:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-06-14 22:57 - 2013-05-16 23:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-06-14 22:57 - 2013-05-16 23:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-06-14 22:11 - 2013-06-14 22:12 - 00161944 ____A C:\Users\seven\Downloads\corso-di-inglese-abaenglish-windows-downloader.exe
    2013-06-14 19:43 - 2013-05-13 05:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2013-06-14 19:43 - 2013-05-13 05:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2013-06-14 19:43 - 2013-05-13 05:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2013-06-14 19:43 - 2013-05-13 04:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
    2013-06-14 19:43 - 2013-05-13 04:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
    2013-06-14 19:43 - 2013-05-10 04:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
    2013-06-14 19:43 - 2013-05-08 06:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-06-14 19:43 - 2013-05-06 06:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2013-06-14 19:43 - 2013-05-06 06:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-06-14 19:43 - 2013-04-26 05:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-06-12 23:54 - 2013-06-26 22:10 - 00000000 ____D C:\Users\seven\Downloads\Da copiare nella chiavetta
    2013-06-11 19:05 - 2013-06-23 21:13 - 00000000 ____D C:\Program Files\Steam
    2013-06-11 19:05 - 2013-06-14 23:16 - 00000000 ____D C:\Program Files\Common Files\Steam
    2013-06-11 18:56 - 2013-06-11 18:58 - 01669632 ____A C:\Users\seven\Downloads\SteamInstall.msi
    2013-06-07 18:06 - 2012-11-09 23:21 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2013-06-07 18:05 - 2012-11-09 23:21 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2013-06-07 18:05 - 2012-11-09 23:21 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2013-06-07 18:04 - 2013-06-07 18:04 - 00000000 ____D C:\Users\seven\Documents\VSO Downloader
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Users\seven\AppData\Roaming\KastorFreeVideoCatcher
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\ProgramData\VSO
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Program Files\VSO
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Program Files\Kastor Free Video Catcher
    2013-06-07 18:03 - 2008-09-24 19:33 - 00484352 ____A C:\Windows\System32\lame_enc.dll
    2013-06-07 18:02 - 2013-06-26 22:10 - 00000000 ____D C:\Users\seven\AppData\Roaming\KastorAllVideoDownloader
    2013-06-07 18:02 - 2013-06-07 18:02 - 00000000 ____D C:\Program Files\Kastor All Video Downloader
    2013-06-07 18:01 - 2013-06-07 18:07 - 00000000 ____D C:\Program Files\TubeMaster++
    2013-06-05 14:36 - 2013-06-05 19:02 - 00000000 ____D C:\Users\seven\Documents\SpellForce
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000926 ____A C:\Users\seven\Desktop\GameSpy Arcade.lnk
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000000 ____D C:\Program Files\GameSpy Arcade
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000000 ____D C:\Program Files\AWS
    2013-06-05 14:31 - 2013-06-05 14:31 - 00001124 ____A C:\Users\seven\Desktop\SpellForce - The Order of Dawn.lnk
    2013-06-05 14:25 - 2013-06-05 14:25 - 00000000 ____D C:\Program Files\JoWooD
    2013-06-04 18:43 - 2013-06-04 18:43 - 00001104 ____A C:\Users\Public\Desktop\aTube Catcher.lnk
    2013-06-04 18:31 - 2013-06-11 23:59 - 00000000 ____D C:\Users\seven\Downloads\Cfake

    ==================== One Month Modified Files and Folders ========

    2013-06-30 22:27 - 2013-06-30 22:27 - 00000000 ____D C:\FRST
    2013-06-27 16:33 - 2013-06-27 16:33 - 00000000 __SHD C:\found.000
    2013-06-27 15:42 - 2013-06-27 15:42 - 147062908 ____A C:\Windows\MEMORY.DMP
    2013-06-27 01:54 - 2013-01-25 15:33 - 00000318 ____A C:\Windows\System32\ayboot.ini
    2013-06-26 22:28 - 2013-06-26 22:28 - 00000000 ____A C:\asdsetup.exe
    2013-06-26 22:19 - 2013-06-26 22:18 - 00000000 ___AD C:\.Trash-0
    2013-06-26 22:10 - 2013-06-12 23:54 - 00000000 ____D C:\Users\seven\Downloads\Da copiare nella chiavetta
    2013-06-26 22:10 - 2013-06-07 18:02 - 00000000 ____D C:\Users\seven\AppData\Roaming\KastorAllVideoDownloader
    2013-06-26 22:10 - 2012-12-17 21:36 - 00000000 ____D C:\Users\seven\AppData\Roaming\vlc
    2013-06-26 22:10 - 2012-12-04 19:52 - 00000000 ____D C:\ProgramData\Ant.com
    2013-06-26 22:10 - 2012-11-08 10:16 - 00000000 ____D C:\Windows\AutoKMS
    2013-06-26 22:10 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\wfp
    2013-06-26 22:10 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\NDF
    2013-06-26 22:10 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\DriverStore
    2013-06-26 22:10 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\registration
    2013-06-26 22:02 - 2013-06-26 16:55 - 00000000 ____D C:\Users\seven\AppData\Roaming\GetRight
    2013-06-26 22:02 - 2013-06-26 16:55 - 00000000 ____D C:\Program Files\GetRight
    2013-06-26 22:01 - 2013-06-26 20:54 - 00000000 ____D C:\Windows\pss
    2013-06-26 21:52 - 2013-06-26 21:51 - 00000004 ____A C:\Users\seven\AppData\Roaming\skype.ini
    2013-06-26 21:52 - 2012-11-09 17:36 - 00000978 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-26 21:51 - 2013-06-23 21:11 - 00000891 ____A C:\Windows\setupact.log
    2013-06-26 21:50 - 2012-11-14 23:31 - 00001132 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-26 21:50 - 2012-11-08 10:16 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
    2013-06-26 21:50 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-26 20:05 - 2013-06-26 20:05 - 43253760 ____A C:\Windows\System32\config\software.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 24379392 ____A C:\Windows\System32\config\system.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00524288 ____A C:\Windows\System32\config\default.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00262144 ____A C:\Windows\System32\config\security.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00262144 ____A C:\Windows\System32\config\sam.bhv
    2013-06-26 20:05 - 2013-06-26 20:05 - 00000000 ___AD C:\$Anvi Rescue Disk$
    2013-06-26 18:47 - 2012-12-21 20:29 - 00000000 ____D C:\Users\seven\AppData\Roaming\NetSpeedMonitor
    2013-06-26 17:41 - 2013-06-26 17:37 - 38001894 ____A C:\Users\seven\Downloads\Come navigare nel Deep Web.mp4
    2013-06-26 17:28 - 2012-11-08 10:47 - 00000000 ____D C:\Users\seven\AppData\Roaming\Nitro PDF
    2013-06-23 21:22 - 2012-12-14 23:53 - 01716519 ____A C:\Windows\WindowsUpdate.log
    2013-06-23 21:22 - 2012-11-14 23:31 - 00001136 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-23 21:18 - 2009-07-14 05:34 - 00025616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-23 21:18 - 2009-07-14 05:34 - 00025616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-23 21:13 - 2013-06-11 19:05 - 00000000 ____D C:\Program Files\Steam
    2013-06-23 21:11 - 2013-06-23 21:11 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-23 01:50 - 2012-11-07 11:35 - 01653742 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-06-23 01:50 - 2009-07-14 09:21 - 00739254 ____A C:\Windows\System32\perfh010.dat
    2013-06-23 01:50 - 2009-07-14 09:21 - 00146294 ____A C:\Windows\System32\perfc010.dat
    2013-06-21 02:09 - 2013-06-21 02:09 - 00000000 ____D C:\Users\seven\Downloads\Miei salvataggi
    2013-06-20 23:59 - 2013-06-18 16:25 - 00000000 __SHD C:\Windows\System32\AI_RecycleBin
    2013-06-20 23:59 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system
    2013-06-20 01:01 - 2012-11-09 20:39 - 00000925 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2013-06-20 01:01 - 2012-11-09 20:39 - 00000000 ____D C:\Program Files\CCleaner
    2013-06-20 00:42 - 2013-01-25 15:17 - 00000000 ____D C:\WinWebExplorer
    2013-06-19 22:46 - 2013-06-19 22:16 - 192163640 ____A C:\Users\seven\Downloads\Documentario su Parigi.mp4
    2013-06-19 01:17 - 2013-06-18 16:19 - 00000000 ____D C:\Program Files\PutLockerDownloader.com
    2013-06-19 01:04 - 2013-06-19 01:04 - 00000000 ____D C:\Users\seven\Documents\The Prince of Codes
    2013-06-19 00:05 - 2013-06-18 12:38 - 00000000 ____D C:\Users\seven\Downloads\Video
    2013-06-18 12:44 - 2013-06-18 12:44 - 00000000 ____D C:\Users\seven\Downloads\Vari Testi
    2013-06-16 23:41 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-06-16 13:29 - 2013-06-16 12:57 - 00000000 ____D C:\Users\Public\Documents\STALKER-STCS
    2013-06-16 12:49 - 2013-06-16 12:49 - 00000000 ____D C:\Program Files\Deep Silver
    2013-06-14 23:42 - 2013-06-14 23:42 - 00000000 ____D C:\Users\seven\AppData\Roaming\AbaEnglishRt.19ECF44F1B9DAF7C7A64FDC21A008AB0C5135E2F.1
    2013-06-14 23:42 - 2013-06-14 23:35 - 00000000 ____D C:\EnglishCourse
    2013-06-14 23:37 - 2013-06-14 23:37 - 00000513 ____A C:\Users\seven\Desktop\ABA English Course.lnk
    2013-06-14 23:37 - 2012-11-08 15:33 - 00000000 ____D C:\Users\seven\AppData\Roaming\Adobe
    2013-06-14 23:37 - 2012-11-08 15:28 - 00000000 ____D C:\ProgramData\Adobe
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
    2013-06-14 23:35 - 2013-06-14 23:35 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
    2013-06-14 23:35 - 2013-05-14 16:53 - 00000000 ____D C:\Users\seven\AppData\Local\Adobe
    2013-06-14 23:35 - 2013-02-26 21:02 - 00000000 ____D C:\Program Files\Adobe
    2013-06-14 23:16 - 2013-06-11 19:05 - 00000000 ____D C:\Program Files\Common Files\Steam
    2013-06-14 23:10 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\it-IT
    2013-06-14 22:58 - 2012-11-07 12:14 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-06-14 22:12 - 2013-06-14 22:11 - 00161944 ____A C:\Users\seven\Downloads\corso-di-inglese-abaenglish-windows-downloader.exe
    2013-06-12 22:52 - 2012-11-09 17:36 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-06-12 22:52 - 2012-11-09 17:36 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-06-11 23:59 - 2013-06-04 18:31 - 00000000 ____D C:\Users\seven\Downloads\Cfake
    2013-06-11 18:58 - 2013-06-11 18:56 - 01669632 ____A C:\Users\seven\Downloads\SteamInstall.msi
    2013-06-08 22:40 - 2012-12-15 22:03 - 00000000 ____D C:\Users\seven\Documents\Conersazioni What's App
    2013-06-08 22:32 - 2013-01-29 15:14 - 00000000 ____D C:\Users\seven\.VirtualBox
    2013-06-07 18:07 - 2013-06-07 18:01 - 00000000 ____D C:\Program Files\TubeMaster++
    2013-06-07 18:06 - 2013-01-29 15:09 - 00000000 ____D C:\Program Files\Oracle
    2013-06-07 18:05 - 2012-11-09 23:21 - 00000000 ____D C:\Program Files\Java
    2013-06-07 18:04 - 2013-06-07 18:04 - 00000000 ____D C:\Users\seven\Documents\VSO Downloader
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Users\seven\AppData\Roaming\KastorFreeVideoCatcher
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\ProgramData\VSO
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Program Files\VSO
    2013-06-07 18:03 - 2013-06-07 18:03 - 00000000 ____D C:\Program Files\Kastor Free Video Catcher
    2013-06-07 18:02 - 2013-06-07 18:02 - 00000000 ____D C:\Program Files\Kastor All Video Downloader
    2013-06-07 18:02 - 2012-12-10 21:26 - 00000000 ____D C:\Program Files\WinPcap
    2013-06-05 19:02 - 2013-06-05 14:36 - 00000000 ____D C:\Users\seven\Documents\SpellForce
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000926 ____A C:\Users\seven\Desktop\GameSpy Arcade.lnk
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000000 ____D C:\Program Files\GameSpy Arcade
    2013-06-05 14:32 - 2013-06-05 14:32 - 00000000 ____D C:\Program Files\AWS
    2013-06-05 14:31 - 2013-06-05 14:31 - 00001124 ____A C:\Users\seven\Desktop\SpellForce - The Order of Dawn.lnk
    2013-06-05 14:25 - 2013-06-05 14:25 - 00000000 ____D C:\Program Files\JoWooD
    2013-06-05 00:23 - 2012-11-09 20:37 - 00000000 ____D C:\Users\seven\Downloads\eMule
    2013-06-04 18:43 - 2013-06-04 18:43 - 00001104 ____A C:\Users\Public\Desktop\aTube Catcher.lnk
    2013-06-04 18:42 - 2013-01-22 16:41 - 00000000 ____D C:\Program Files\DsNET Corp
    2013-06-04 00:22 - 2013-02-18 18:04 - 00000000 ____D C:\Users\seven\Downloads\archpr22
    2013-06-04 00:07 - 2012-11-08 23:11 - 00000000 ____D C:\Users\seven\AppData\Roaming\DVDVideoSoft
    2013-06-03 23:39 - 2013-01-14 19:45 - 00000000 ____D C:\Users\seven\AppData\Roaming\uTorrent
    2013-06-03 22:47 - 2012-12-15 22:52 - 00000000 ____D C:\Users\seven\AppData\Local\Paint.NET

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-589101805-1279379778-812310743-1000\$381b76a2e37827a53b15dd0b75a72e9b

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$381b76a2e37827a53b15dd0b75a72e9b

    Files to move or delete:
    ====================
    C:\Users\seven\AppData\Roaming\skype.dat
    C:\Users\seven\AppData\Roaming\skype.ini

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: <===== ATTENTION!
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
    HKLM\...\exefile\open\command: <===== ATTENTION!

    ==================== Restore Points =========================

    Restore point made on: 2013-06-14 18:46:55
    Restore point made on: 2013-06-14 22:55:42
    Restore point made on: 2013-06-16 13:01:25
    Restore point made on: 2013-06-18 16:20:39
    Restore point made on: 2013-06-18 16:24:33
    Restore point made on: 2013-06-19 01:04:22
    Restore point made on: 2013-06-19 21:21:27
    Restore point made on: 2013-06-20 23:59:37
    Restore point made on: 2013-06-23 21:23:08

    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 3071.27 MB
    Available physical RAM: 2648.68 MB
    Total Pagefile: 3069.55 MB
    Available Pagefile: 2653.84 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1921.11 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:297.99 GB) (Free:114.08 GB) NTFS
    Drive g: () (Removable) (Total:7.47 GB) (Free:7.47 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (Riservato per il sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 000997F0)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 7 GB) (Disk ID: 70707573)
    Partition 1: (Not Active) - (Size=923 GB) - (Type=0D)
    Partition 2: (Not Active) - (Size=259 GB) - (Type=0A)
    Partition 3: (Not Active) - (Size=844 GB) - (Type=6F)
    Partition 4: (Not Active) - (Size=26 MB) - (Type=0A)


    LastRegBack: 2013-05-14 15:37

    ==================== End Of Log ============================


    Edited by vicky67 - 21/8/2013, 17:28
     
    11. Master Malware Expert (Administrator)

    OK
    You deleted the Userinit value as well as the Explorer one.

    Now download the file I uploaded for you here http://wikisend.com/download/213390/fixlist.txt and copy it to the pen drive where you have FRST.
    Restart FRST as you already did, except that now you must click FIX only once.
    Restart the PC and see whether you can now log in.
    Attach the log you will find on the pen drive, called fixlog.txt.

    Let me know whether the PC now restarts, because we have further operations to carry out.
     
    12. Master Malware Expert (Administrator)

    Hi Pulsarcorp

    Copy the code below into a text file and rename it fixlist.txt.
    Copy the file to the pen drive where you have FRST.

    start
    HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\Conian\AppData\Roaming\skype.dat [60416 2011-11-17] () <==== ATTENTION
    C:\Users\Conian\AppData\Roaming\skype.dat
    C:\Users\Conian\AppData\Roaming\skype.ini
    C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
    end



    Restart FRST as you already did, except that this time click the FIX button only once.
    Restart the PC; you should now be able to log in to Windows.
    Then we will finish with the last operations.
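The fixlists in this thread are built by hand from the FRST log: the Winlogon [Shell] line that points at skype.dat next to explorer.exe, the HKLM values FRST reports as [x] (deleted), the paths under "ZeroAccess:" and "Files to move or delete:", and the EXE association lines marked ATTENTION. The script below is an added example for this thread, not code from Farbar or FRST: it parses log lines like the ones quoted above, classifies each Winlogon Shell/Userinit value as ok, missing or hijacked, and collects the lines the fixlists above contain into the same start/end format. The sample log is constructed from lines quoted in this thread; the regexes, the expected values and the section-handling rules are my assumptions about FRST's output, so a generated fixlist is a draft for a helper to review, not something to hand to FRST unread.

```python
"""Triage an FRST log for the Winlogon shell hijack seen in this thread and
draft a fixlist. Added example, not FRST's own code; parsing rules are
assumptions based on the log lines quoted in the thread."""
import re

# Assumption: what a clean Windows 7 holds in HKLM\...\Winlogon, lower-cased.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# e.g. HKU\seven\...\Winlogon: [Shell] explorer.exe,C:\...\skype.dat <==== ATTENTION
WINLOGON_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Winlogon: \[(?P<value>Shell|Userinit)\] (?P<rest>.*)$")
ATTENTION_TAIL_RE = re.compile(r"\s*<=+ ATTENTION!?$")
SIZE_DATE_TAIL_RE = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\]\s*\([^)]*\)$")


def parse_winlogon(line):
    """Return hive/value/data for a Winlogon Shell or Userinit line, else None."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    rest = ATTENTION_TAIL_RE.sub("", m.group("rest"))       # drop "<=== ATTENTION"
    rest = SIZE_DATE_TAIL_RE.sub("", rest).strip()          # drop "[size date] (vendor)"
    return {"hive": m.group("hive"), "value": m.group("value"), "data": rest,
            "missing": rest.startswith("[x"), "line": line.strip()}


def shell_parts(entry):
    return [p.strip() for p in entry["data"].split(",") if p.strip()]


def classify(entry):
    """'missing' (FRST prints [x] for a deleted value), 'ok' or 'hijacked'."""
    if entry["missing"]:
        return "missing"
    if entry["value"] == "Shell":
        return "ok" if [p.lower() for p in shell_parts(entry)] == [EXPECTED_SHELL] else "hijacked"
    # Userinit legitimately carries a trailing comma on many systems.
    return "ok" if entry["data"].rstrip(",").lower() == EXPECTED_USERINIT else "hijacked"


def extra_shell_paths(entry):
    """Anything in a Shell value besides explorer.exe, e.g. the ransomware's skype.dat."""
    if entry["value"] != "Shell" or entry["missing"]:
        return []
    return [p for p in shell_parts(entry) if p.lower() != EXPECTED_SHELL]


def winlogon_findings(log_text):
    """(line, status) for every Winlogon Shell/Userinit line in the log."""
    return [(e["line"], classify(e)) for e in map(parse_winlogon, log_text.splitlines()) if e]


def build_fixlist(log_text):
    """Collect flagged registry lines and listed paths into FRST's start/end fixlist."""
    fix, pending_paths, in_files = [], 0, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_files = False
            continue
        if line.startswith("===="):
            if set(line) != {"="}:          # a section header ends the file list
                in_files = False
            continue
        entry = parse_winlogon(line)
        if entry:
            if classify(entry) != "ok":     # FRST restores a deleted HKLM value, removes a hijacked one
                fix.append(line)
                fix.extend(extra_shell_paths(entry))
            continue
        if line == "ZeroAccess:":
            pending_paths = 1               # one path follows the marker in this log format
            continue
        if line.startswith("Files to move or delete:"):
            in_files = True
            continue
        if pending_paths:
            fix.append(line)
            pending_paths -= 1
        elif in_files or ("<=" in line and "ATTENTION" in line):   # e.g. EXE association lines
            fix.append(line)
    seen, unique = set(), []
    for item in fix:                        # skype.dat appears twice in the log; list it once
        if item.lower() not in seen:
            seen.add(item.lower())
            unique.append(item)
    return ["start"] + unique + ["end"]


# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
HKU\seven\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [26624 2010-11-20] (Microsoft Corporation)
HKU\seven\...\Winlogon: [Shell] explorer.exe,C:\Users\seven\AppData\Roaming\skype.dat <==== ATTENTION
Startup: C:\Users\seven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$381b76a2e37827a53b15dd0b75a72e9b

Files to move or delete:
====================
C:\Users\seven\AppData\Roaming\skype.dat
C:\Users\seven\AppData\Roaming\skype.ini

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
"""

if __name__ == "__main__":
    for line, status in winlogon_findings(SAMPLE_LOG):
        print(f"{status:8} {line}")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Run it on a saved FRST.txt by replacing SAMPLE_LOG with the file's contents; the findings show which of the four Winlogon values the infection touched (here the two HKLM values are gone and the user's Shell value carries skype.dat), and the draft fixlist matches, line for line, what the fixlog in the next post reports as restored, deleted or moved.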
     
    13. Aiutante (Member)

    I did as you told me, but the PC still does not start.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 29-06-2013 01
    Ran by SYSTEM at 2013-07-01 23:19:29 Run:1
    Running from G:\
    Boot Mode: Recovery

    ==============================================

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
    HKU\seven\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
    C:\$Recycle.Bin\S-1-5-21-589101805-1279379778-812310743-1000\$381b76a2e37827a53b15dd0b75a72e9b => Moved successfully.
    C:\$Recycle.Bin\S-1-5-18\$381b76a2e37827a53b15dd0b75a72e9b => Moved successfully.
    C:\Users\seven\AppData\Roaming\skype.dat => Moved successfully.
    C:\Users\seven\AppData\Roaming\skype.ini => Moved successfully.
    HKLM\Software\Classes\.exe\\Default => Value was restored successfully.
    HKLM\Software\Classes\exefile\DefaultIcon\\Default => Value was restored successfully.

    ==== End of Fixlog ====
     
    14. Master Malware Expert (Administrator)

    @judgement1991
    Under normal conditions the PC should have restarted: the Explorer and Userinit keys were restored correctly and the infection removed.

    Most probably the two problems that could now be preventing the PC from restarting are either a corrupted registry or a problem with the file system.

    Proceed as follows: we are going to fully restore the registry and fix any errors on the file system.

    1) Download the attached file by right-clicking and choosing "Save target as", and save it to the pen drive together with FRST.
    Restart FRST and click FIX. Attach the fixlog.txt log from the pen drive.
    Restart and check whether you can log in.

    2) If the PC still does not restart, do this:
    Restart the PC with the Command Prompt from RIPRISTINA IL COMPUTER (Repair your computer).
    In the command prompt type this command: chkdsk /R C: (space after chkdsk and after /R, and between /R and C:) and press Enter.
    A scandisk will run looking for any errors on the file system. Let it work; if the problem is significant it will take quite some time to repair (sometimes even a few hours). So let it work until it finishes.

    Check the restart and, if it still does not restart, run a new scan with FRST and attach the log.

    Edited by vicky67 - 2/7/2013, 13:00
    Attached file: fixlist.txt (Number of downloads: 104)

     
    15. Aiutante (Member)

    I just finished step 2, which ends in about 10 seconds; it says "Failed to transfer logged messages to the event log with status 50". As soon as I can I will attach the log of the new scan.
     
698 replies since 5/6/2013, 08:44   22429 views