gianlucasim.
Hi Vicky,
as happened some time ago, I've caught the Polizia di Stato virus again, with Safe Mode disabled.
I ran the scan with Farbar Recovery.
I'm posting the log here (I couldn't attach it) while waiting for your help.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-07-2013
Ran by SYSTEM on 09-07-2013 00:41:54
Running from G:\
Windows 7 Home Premium (X64) OS Language: Italian Standard
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-03-17] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-04-23] (TOSHIBA Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] ()
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-22] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [570680 2009-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-04-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM-x32\...\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe [x]
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [112600 2010-11-15] (PC Tools)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [MPlayerForWindows_UpdateReminder] "D:\Applicazioni\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK [x]
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKU\Gianluca\...\Run: [Google Update] "C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-28] (Google Inc.)
HKU\Gianluca\...\Run: [NBJ] "C:\Program Files (x86)\Ahead\Nero BackItUp\NBJ.exe" [1937408 2005-01-04] (Ahead Software AG)
HKU\Gianluca\...\Winlogon: [Shell] explorer.exe,C:\Users\Gianluca\AppData\Roaming\skype.dat [52736 2009-07-14] () <==== ATTENTION
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth Monitor.lnk
ShortcutTarget: Bluetooth Monitor.lnk -> C:\Program Files (x86)\TOSHIBA\Bluetooth Monitor\BtMon2.exe (TOSHIBA CORPORATION)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Ulead Photo Express SE Calendar Checker.lnk
ShortcutTarget: Ulead Photo Express SE Calendar Checker.lnk -> C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe (Ulead Systems, Inc.)
Startup: C:\Users\Gianluca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myCollections - collegamento.lnk
ShortcutTarget: myCollections - collegamento.lnk -> D:\Applicazioni\myCollections v2.3.2.0\mycollections v2.4.5.0\myCollections.exe (myCollections)
==================== Services (Whitelisted) =================
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [632792 2011-01-28] (PC Tools)
==================== Drivers (Whitelisted) ====================
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-08-24] ()
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-29] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 CnxtHdmiAudService; C:\Windows\System32\drivers\CHDMI64.sys [720952 2010-03-05] (Conexant Systems Inc.)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-08-24] ()
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-03-12] (Duplex Secure Ltd.)
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-07-09 00:41 - 2013-07-09 00:41 - 00000000 ____D C:\FRST
2013-07-08 23:10 - 2013-07-08 23:20 - 00000004 ____A C:\Users\Gianluca\AppData\Roaming\skype.ini
2013-07-08 18:50 - 2013-07-08 18:50 - 00001163 ____A C:\Users\Gianluca\Desktop\bookTome.lnk
2013-07-08 18:50 - 2013-07-08 18:50 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\saSoftware
2013-07-08 18:50 - 2013-07-08 18:50 - 00000000 ____D C:\Program Files (x86)\saSoftware
2013-07-08 10:12 - 2013-07-08 10:12 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\AbeBooks
2013-07-08 10:11 - 2013-07-08 10:12 - 00000000 ____D C:\Users\Public\Documents\HomeBase 3
2013-07-08 10:11 - 2013-07-08 10:11 - 00000000 ____D C:\Users\Gianluca\AppData\Local\IsolatedStorage
2013-07-08 10:11 - 2013-07-08 10:11 - 00000000 ____D C:\Users\Gianluca\AppData\Local\Abebooks_Inc
2013-07-08 10:06 - 2013-07-08 10:07 - 13662870 ____A (AbeBooks) C:\Users\Gianluca\Desktop\HomeBase3Setup.exe
2013-06-10 21:03 - 2013-06-11 00:11 - 00000000 ____D C:\Users\Gianluca\Desktop\matera 9-6-2013
2013-06-10 21:02 - 2013-06-10 21:03 - 00000000 ____D C:\Users\Gianluca\Desktop\foto ale
==================== One Month Modified Files and Folders =======
2013-07-09 00:41 - 2013-07-09 00:41 - 00000000 ____D C:\FRST
2013-07-08 23:20 - 2013-07-08 23:10 - 00000004 ____A C:\Users\Gianluca\AppData\Roaming\skype.ini
2013-07-08 23:19 - 2013-04-22 13:44 - 00002914 ____A C:\Windows\setupact.log
2013-07-08 23:19 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-08 23:11 - 2013-04-22 10:56 - 00658513 ____A C:\Windows\WindowsUpdate.log
2013-07-08 23:11 - 2011-03-12 01:53 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\uTorrent
2013-07-08 22:58 - 2012-01-28 14:12 - 00001172 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3814798622-1503148130-2465254516-1000UA.job
2013-07-08 22:32 - 2012-11-20 14:45 - 00000978 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-08 18:50 - 2013-07-08 18:50 - 00001163 ____A C:\Users\Gianluca\Desktop\bookTome.lnk
2013-07-08 18:50 - 2013-07-08 18:50 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\saSoftware
2013-07-08 18:50 - 2013-07-08 18:50 - 00000000 ____D C:\Program Files (x86)\saSoftware
2013-07-08 18:49 - 2012-10-31 12:28 - 00000272 ____A C:\Windows\Tasks\RMSchedule.job
2013-07-08 18:49 - 2011-10-11 18:01 - 00003072 ____A C:\Windows\SysWOW64\Cache.db
2013-07-08 18:04 - 2011-07-11 11:52 - 00000000 ____D C:\Program Files (x86)\Registry Mechanic
2013-07-08 17:12 - 2011-04-10 23:41 - 00000000 ____D C:\ProgramData\MFAData
2013-07-08 16:58 - 2012-01-28 14:12 - 00001120 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3814798622-1503148130-2465254516-1000Core.job
2013-07-08 11:46 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\System32\NDF
2013-07-08 10:12 - 2013-07-08 10:12 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\AbeBooks
2013-07-08 10:12 - 2013-07-08 10:11 - 00000000 ____D C:\Users\Public\Documents\HomeBase 3
2013-07-08 10:11 - 2013-07-08 10:11 - 00000000 ____D C:\Users\Gianluca\AppData\Local\IsolatedStorage
2013-07-08 10:11 - 2013-07-08 10:11 - 00000000 ____D C:\Users\Gianluca\AppData\Local\Abebooks_Inc
2013-07-08 10:07 - 2013-07-08 10:06 - 13662870 ____A (AbeBooks) C:\Users\Gianluca\Desktop\HomeBase3Setup.exe
2013-07-05 12:04 - 2011-09-28 17:22 - 00000000 ___RD C:\Users\Gianluca\Desktop\Elementi temporanei
2013-07-03 18:54 - 2009-07-14 05:45 - 00018016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-03 18:54 - 2009-07-14 05:45 - 00018016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-03 11:17 - 2009-07-14 11:53 - 00738754 ____A C:\Windows\System32\perfh010.dat
2013-07-03 11:17 - 2009-07-14 11:53 - 00145794 ____A C:\Windows\System32\perfc010.dat
2013-07-03 11:17 - 2009-07-14 06:13 - 01652418 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-27 18:29 - 2012-11-22 19:07 - 00000000 ____D C:\Users\Gianluca\Downloads\eMule
2013-06-27 13:55 - 2011-03-11 23:44 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\Mozilla
2013-06-12 01:32 - 2012-11-20 14:45 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-12 01:32 - 2011-12-20 21:40 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-11 00:11 - 2013-06-10 21:03 - 00000000 ____D C:\Users\Gianluca\Desktop\matera 9-6-2013
2013-06-10 21:08 - 2012-11-21 20:44 - 00000000 ____D C:\Users\Gianluca\AppData\Local\myCollections
2013-06-10 21:03 - 2013-06-10 21:02 - 00000000 ____D C:\Users\Gianluca\Desktop\foto ale
Files to move or delete:
====================
C:\Users\Gianluca\AppData\Roaming\skype.dat
C:\Users\Gianluca\AppData\Roaming\skype.ini
C:\ProgramData\0345236.bat
C:\ProgramData\0345236.pad
C:\ProgramData\0345236.reg
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-07-08 10:10:28
Restore point made on: 2013-07-08 10:14:49
==================== Memory info ===========================
Percentage of memory in use: 14%
Total physical RAM: 3958.85 MB
Available physical RAM: 3383.79 MB
Total Pagefile: 3957 MB
Available Pagefile: 3372.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
==================== Drives ================================
Drive c: (WINDOWS) (Fixed) (Total:232.65 GB) (Free:9.77 GB) NTFS (Disk=0 Partition=2)
Drive d: (Data) (Fixed) (Total:232.72 GB) (Free:7.57 GB) NTFS (Disk=0 Partition=3)
Drive e: (SYSTEM) (Fixed) (Total:0.39 GB) (Free:0.18 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:0.12 GB) (Free:0.11 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: DD3F1106)
Partition 1: (Active) - (Size=400 MB) - (Type=27)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 119 MB) (Disk ID: 009AFBD7)
Partition 1: (Active) - (Size=119 MB) - (Type=06)
LastRegBack: 2013-07-03 11:57
==================== End Of Log ============================
Thanks in advance
Edited by vicky67 - 9/7/2013, 09:50.