
How to remove RECYCLER

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

How to remove RECYCLER

Post by pepper70 » 01/10/09 19:49

Hi everyone.
Scanning the PC with AVG Free, it detects among the threats something like Recycler followed by a series of numbers.
If I tell it to move it to quarantine or to delete it, I get a message saying the file is too large for the archive.
I assume it's a virus, but how the hell do I remove it?
pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17


Re: How to remove RECYCLER

Post by shel » 01/10/09 20:54

Hi

Download ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disconnect from the internet and disable your antivirus.
Let the program work without interfering (do not install the Recovery Console).
Attach the report C:\ComboFix.txt in your reply.
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56

Re: ComboFix report

Post by pepper70 » 01/10/09 21:22

ComboFix 09-06-07.01 - Falco 01/10/2009 22.13.18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1022.598 [GMT 2:00]
Eseguito da: d:\documents and settings\Falco\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.

((((((((((((((((((((((((( Files Creati Da 2009-09-01 al 2009-10-01 )))))))))))))))))))))))))))))))))))
.

2009-09-05 09:49 . 2009-09-05 09:49 -------- d-s---w- d:\documents and settings\Falco\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 16:47 . 2001-08-31 18:00 48568 ----a-w- d:\windows\system32\perfc010.dat
2009-10-01 16:47 . 2001-08-31 18:00 347866 ----a-w- d:\windows\system32\perfh010.dat
2009-09-18 17:08 . 2009-08-24 20:48 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-09-02 05:28 . 2009-07-05 18:26 68448 ----a-w- d:\documents and settings\Falco\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\Microsoft Works
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\MSBuild
2009-08-14 23:31 . 2009-08-14 23:31 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2009-08-14 23:12 . 2009-08-14 23:12 7168 ----a-w- d:\documents and settings\Falco\Dati applicazioni\Thinstall\WinRAR archiver\10000001400002i\NOTEPAD.EXE
2009-08-14 23:12 . 2009-08-14 22:48 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Thinstall
2009-08-12 17:41 . 2009-08-12 17:41 -------- d-----w- d:\programmi\File comuni\Adobe
2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Media Player Classic
2009-08-09 15:05 . 2009-08-09 15:05 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\AdobeUM
2009-07-05 18:27 . 2009-06-13 20:53 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
.

------- Sigcheck -------

[-] 2006-04-11 21:26 1548288 744BE027C16680791A6AC13E0EF35F8F d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"GrooveMonitor"="d:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="d:\windows\System32\AdvPack.Dll" [2004-08-19 101888]
"tscuninstall"="d:\windows\system32\tscupgrd.exe" [2004-08-19 44544]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - d:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 20:34 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [20/06/2009 22.33.58 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [20/06/2009 22.34.03 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [20/06/2009 22.33.48 906520]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 22.33.48 298776]
S2 lejpm;Microsoft Boot;d:\windows\system32\svchost.exe -k netsvcs [19/08/2004 21.39.46 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lejpm
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-procexp90.Sys


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 22:14
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lejpm]
"ServiceDll"="d:\windows\system32\ifqjty.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2204)
d:\windows\system32\msi.dll
.
Ora fine scansione: 2009-10-01 22.16.12
ComboFix-quarantined-files.txt 2009-10-01 20:16

Pre-Run: 15.597.645.824 byte disponibili
Post-Run: 15.694.741.504 byte disponibili

pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: How to remove RECYCLER

Post by Luke57 » 02/10/09 07:38

Hi, open a text file and copy the following text into it.

Code:
NetSvcs:
lejpm

Driver::
lejpm

File::
d:\windows\system32\ifqjty.dll


Save it on the desktop with the mandatory name CFScript.txt.

Drag it with the mouse pointer onto the ComboFix icon; the program will start a new scan. When it finishes, reboot and post the new report.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
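Why the script above targets the service lejpm and the DLL ifqjty.dll is visible in the report pepper70 posted: a service with a bogus display name ("Microsoft Boot") is registered to run inside the shared `svchost.exe -k netsvcs` host, it appears in the NetSvcs group list, and its ServiceDll points at a random-named DLL in system32. The following Python script is an added example, not code from this forum, from ComboFix or from its author; it parses those report lines and flags the service. The log excerpt inside it is constructed from pepper70's report plus one legitimate netsvcs line for contrast, and the list of known XP netsvcs members is a partial baseline assumed for the example.

```python
"""Flag suspicious svchost-hosted services in a ComboFix-style report.

Added example: not code from the forum thread, from ComboFix or from its author.
It encodes the pattern acted on above: a service that runs inside the 'netsvcs'
svchost group, is not a known Windows service, has a machine-looking name, and
points its ServiceDll at a random-named DLL.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Partial baseline of service names that legitimately run in the 'netsvcs'
# group on Windows XP SP2. Assumption for this example only; real triage
# would use a complete baseline for the exact Windows version.
XP_NETSVCS_BASELINE = {
    "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "Dhcp", "dmserver",
    "ERSvc", "EventSystem", "helpsvc", "lanmanserver", "lanmanworkstation",
    "Netman", "Nla", "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "srservice", "Themes", "TrkWks", "W32Time", "winmgmt",
    "wscsvc", "wuauserv", "xmlprov",
}

# Constructed sample: the lejpm lines are taken from the report in the thread;
# the 'Schedule' line is a constructed legitimate entry for contrast.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [20/06/2009 22.33.58 327688]
R2 Schedule;Task Scheduler;d:\windows\system32\svchost.exe -k netsvcs [19/08/2004 21.39.46 14336]
S2 lejpm;Microsoft Boot;d:\windows\system32\svchost.exe -k netsvcs [19/08/2004 21.39.46 14336]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lejpm]
"ServiceDll"="d:\windows\system32\ifqjty.dll"
"""

# ComboFix service line: <start type><num> <name>;<display name>;<image> [date size]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[")
# Registry key header of a service, as ComboFix prints it
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"', re.I)
VOWELS = set("aeiou")


@dataclass
class Finding:
    service: str
    display_name: str
    image: str
    service_dll: Optional[str]
    reasons: List[str] = field(default_factory=list)


def vowel_ratio(name: str) -> float:
    """Fraction of letters that are vowels; very low values suggest a random name."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def parse_report(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Return {service: (display_name, image)} and {service: ServiceDll path}."""
    services: Dict[str, Tuple[str, str]] = {}
    dlls: Dict[str, str] = {}
    current_key: Optional[str] = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _, _, name, display, image = m.groups()
            services[name] = (display, image)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            dlls[current_key] = m.group(1)
    return services, dlls


def find_suspicious_netsvcs(text: str, baseline=XP_NETSVCS_BASELINE) -> List[Finding]:
    """Flag svchost/netsvcs services outside the baseline, with the reasons."""
    services, dlls = parse_report(text)
    known = {b.lower() for b in baseline}
    findings: List[Finding] = []
    for name, (display, image) in services.items():
        if "svchost.exe -k netsvcs" not in image.lower():
            continue  # only the shared netsvcs host is of interest here
        if name.lower() in known:
            continue  # a standard netsvcs member
        f = Finding(name, display, image, dlls.get(name))
        f.reasons.append("runs in netsvcs but is not a known Windows service")
        if vowel_ratio(name) < 0.25:
            f.reasons.append("service name looks machine-generated")
        if f.service_dll:
            dll_base = f.service_dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if vowel_ratio(dll_base) < 0.25:
                f.reasons.append("ServiceDll name looks machine-generated")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_netsvcs(SAMPLE_LOG):
        print(f"{hit.service} ({hit.display_name!r}) -> {hit.service_dll}")
        for reason in hit.reasons:
            print("   -", reason)
```

Run on the sample it reports only lejpm, with all three reasons; the constructed "Schedule" service is skipped because it is in the baseline. The name heuristic is deliberately crude: it is a triage aid to decide what to look at first, and the baseline check is what actually carries the decision.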

Re: New report

Post by pepper70 » 02/10/09 08:19

ComboFix 09-06-07.01 - Falco 02/10/2009 9.10.45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1022.619 [GMT 2:00]
Eseguito da: d:\documents and settings\Falco\Desktop\ComboFix.exe
Opzioni usate :: d:\documents and settings\Falco\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -

FILE ::
"d:\windows\system32\ifqjty.dll"
.

((((((((((((((((((((((((( Files Creati Da 2009-09-02 al 2009-10-02 )))))))))))))))))))))))))))))))))))
.

2009-09-05 09:49 . 2009-09-05 09:49 -------- d-s---w- d:\documents and settings\Falco\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 21:02 . 2009-10-01 21:02 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\IObit
2009-10-01 21:02 . 2009-10-01 21:02 -------- d-----w- d:\programmi\IObit
2009-10-01 16:47 . 2001-08-31 18:00 48568 ----a-w- d:\windows\system32\perfc010.dat
2009-10-01 16:47 . 2001-08-31 18:00 347866 ----a-w- d:\windows\system32\perfh010.dat
2009-09-18 17:08 . 2009-08-24 20:48 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-09-02 05:28 . 2009-07-05 18:26 68448 ----a-w- d:\documents and settings\Falco\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\Microsoft Works
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\MSBuild
2009-08-14 23:31 . 2009-08-14 23:31 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2009-08-14 23:12 . 2009-08-14 23:12 7168 ----a-w- d:\documents and settings\Falco\Dati applicazioni\Thinstall\WinRAR archiver\10000001400002i\NOTEPAD.EXE
2009-08-14 23:12 . 2009-08-14 22:48 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Thinstall
2009-08-12 17:41 . 2009-08-12 17:41 -------- d-----w- d:\programmi\File comuni\Adobe
2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Media Player Classic
2009-08-09 15:05 . 2009-08-09 15:05 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\AdobeUM
2009-07-05 18:27 . 2009-06-13 20:53 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
.

------- Sigcheck -------

[-] 2006-04-11 21:26 1548288 744BE027C16680791A6AC13E0EF35F8F d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"Advanced SystemCare 3"="d:\programmi\IObit\Advanced SystemCare 3\AWC.exe" [2008-12-21 2250256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"GrooveMonitor"="d:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="d:\windows\System32\AdvPack.Dll" [2004-08-19 101888]
"tscuninstall"="d:\windows\system32\tscupgrd.exe" [2004-08-19 44544]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - d:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 20:34 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [20/06/2009 22.33.58 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [20/06/2009 22.34.03 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [20/06/2009 22.33.48 906520]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 22.33.48 298776]
S2 lejpm;Microsoft Boot;d:\windows\system32\svchost.exe -k netsvcs [19/08/2004 21.39.46 14336]
.
Contenuto della cartella 'Scheduled Tasks'

2009-10-02 d:\windows\Tasks\AWC AutoSweep.job
- d:\programmi\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-10-01 10:17]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 09:10
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lejpm]
"ServiceDll"="d:\windows\system32\ifqjty.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2888)
d:\windows\system32\msi.dll
.
Ora fine scansione: 2009-10-02 9.12.04
ComboFix-quarantined-files.txt 2009-10-02 07:12
ComboFix2.txt 2009-10-01 20:16

Pre-Run: 15.665.647.616 byte disponibili
Post-Run: 15.655.403.520 byte disponibili

pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: How to remove RECYCLER

Post by Luke57 » 02/10/09 15:31

Hi, sorry, I'm a bit rusty ;) the correct script is this:

Code:
NetSvcs::
lejpm

Driver::
lejpm

File::
d:\windows\system32\ifqjty.dll


Correct it, save the changes and repeat the scan with the usual CFScript.txt file.
Then attach the report.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Corrected report

Post by pepper70 » 02/10/09 18:06

ComboFix 09-06-07.01 - Falco 02/10/2009 19.00.25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1022.627 [GMT 2:00]
Eseguito da: d:\documents and settings\Falco\Desktop\ComboFix.exe
Opzioni usate :: d:\documents and settings\Falco\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -

FILE ::
"d:\windows\system32\ifqjty.dll"
.

((((((((((((((((((((((((( Files Creati Da 2009-09-02 al 2009-10-02 )))))))))))))))))))))))))))))))))))
.

2009-10-01 21:02 . 2009-10-01 21:02 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\IObit
2009-10-01 21:02 . 2009-10-01 21:02 -------- d-----w- d:\programmi\IObit
2009-09-05 09:49 . 2009-09-05 09:49 -------- d-s---w- d:\documents and settings\Falco\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 16:47 . 2001-08-31 18:00 48568 ----a-w- d:\windows\system32\perfc010.dat
2009-10-01 16:47 . 2001-08-31 18:00 347866 ----a-w- d:\windows\system32\perfh010.dat
2009-09-18 17:08 . 2009-08-24 20:48 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-09-02 05:28 . 2009-07-05 18:26 68448 ----a-w- d:\documents and settings\Falco\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\Microsoft Works
2009-08-24 20:52 . 2009-08-24 20:52 -------- d-----w- d:\programmi\MSBuild
2009-08-14 23:31 . 2009-08-14 23:31 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2009-08-14 23:12 . 2009-08-14 23:12 7168 ----a-w- d:\documents and settings\Falco\Dati applicazioni\Thinstall\WinRAR archiver\10000001400002i\NOTEPAD.EXE
2009-08-14 23:12 . 2009-08-14 22:48 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Thinstall
2009-08-12 17:41 . 2009-08-12 17:41 -------- d-----w- d:\programmi\File comuni\Adobe
2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\Media Player Classic
2009-08-09 15:05 . 2009-08-09 15:05 -------- d-----w- d:\documents and settings\Falco\Dati applicazioni\AdobeUM
2009-07-05 18:27 . 2009-06-13 20:53 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
.

------- Sigcheck -------

[-] 2006-04-11 21:26 1548288 744BE027C16680791A6AC13E0EF35F8F d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-01_20.14.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-13 22:44 . 2009-10-02 16:50 265416 d:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"Advanced SystemCare 3"="d:\programmi\IObit\Advanced SystemCare 3\AWC.exe" [2008-12-21 2250256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"GrooveMonitor"="d:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="d:\windows\System32\AdvPack.Dll" [2004-08-19 101888]
"tscuninstall"="d:\windows\system32\tscupgrd.exe" [2004-08-19 44544]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - d:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 20:34 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"d:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [20/06/2009 22.33.58 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [20/06/2009 22.34.03 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [20/06/2009 22.33.48 906520]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 22.33.48 298776]
S2 lejpm;Microsoft Boot;d:\windows\system32\svchost.exe -k netsvcs [19/08/2004 21.39.46 14336]
.
Contenuto della cartella 'Scheduled Tasks'

2009-10-02 d:\windows\Tasks\AWC AutoSweep.job
- d:\programmi\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-10-01 10:17]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com
IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:00
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lejpm]
"ServiceDll"="d:\windows\system32\ifqjty.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(684)
d:\windows\system32\MPR.dll

- - - - - - - > 'explorer.exe'(140)
d:\windows\system32\msi.dll
d:\windows\system32\browselc.dll
d:\programmi\Microsoft Office\Office12\1040\GrooveIntlResource.dll
.
Ora fine scansione: 2009-10-02 19.01.42
ComboFix-quarantined-files.txt 2009-10-02 17:01
ComboFix2.txt 2009-10-02 07:12
ComboFix3.txt 2009-10-01 20:16

Pre-Run: 15.660.556.288 byte disponibili
Post-Run: 15.649.308.672 byte disponibili

pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: How to remove RECYCLER

Post by Luke57 » 03/10/09 10:04

Hi, it still seems to be there, so download Avenger from here

http://swandog46.geekstogo.com/avenger.zip

Extract the file avenger.exe to the desktop and close all programs and applications. Launch it,

then copy and paste the following script into the "Input script here" window:

Code:
Files to delete:
d:\windows\system32\ifqjty.dll

Registry keys to delete:
HKLM\system\currentcontrolset\services\lejpm
HKLM\system\controlset001\services\lejpm
HKLM\system\controlset002\services\lejpm
HKLM\system\currentcontrolset\enum\root\legacy_lejpm
HKLM\system\controlset001\enum\root\legacy_lejpm
HKLM\system\controlset002\enum\root\legacy_lejpm


Once done, tick "Automatically disable any rootkits found"

and click the "Execute" button.
The PC should reboot by itself; if it doesn't, reboot it manually.

Post the Avenger log, which you will find in c:\
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Avenger report

Post by pepper70 » 04/10/09 09:31

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "d:\windows\system32\ifqjty.dll" not found!
Deletion of file "d:\windows\system32\ifqjty.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\system\currentcontrolset\services\lejpm" deleted successfully.

Error: registry key "HKLM\system\controlset001\services\lejpm" not found!
Deletion of registry key "HKLM\system\controlset001\services\lejpm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\system\controlset002\services\lejpm" deleted successfully.
Registry key "HKLM\system\currentcontrolset\enum\root\legacy_lejpm" deleted successfully.

Error: registry key "HKLM\system\controlset001\enum\root\legacy_lejpm" not found!
Deletion of registry key "HKLM\system\controlset001\enum\root\legacy_lejpm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\system\controlset002\enum\root\legacy_lejpm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: Still problems with RECYCLER

Post by pepper70 » 06/10/09 15:36

Hi, after running Avenger I did a new scan with AVG Free, which detected the usual three infections
that I can neither move to quarantine nor delete.
One peculiarity: I no longer see Recycler written; in its place
I read D:\ System Volume Information\Restore (series of numbers) :exe
D:\ as above \Setup2.exe
D:\ as above \$ JF\1.3.1.\Luky Tender.dll
AVG detects them as spyware and names them AdwareGeneric3XJK.
Can you give me a tip to get rid of them?
Thanks
pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: How to remove RECYCLER

Post by Luke57 » 06/10/09 22:01

Hi, disable System Restore:
http://service1.symantec.com/SUPPORT/IN ... 3151930924
reboot, then re-enable it, again following the link.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Procedure done

Post by pepper70 » 07/10/09 09:05

Hi Luke57, I followed the procedure you suggested.
What's the next move?
Bye and thanks
pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: Scanned again and... gone! Thanks luke57

Post by pepper70 » 07/10/09 12:57

Great Luke57, I followed your valuable advice,
ran the scan again and no problem,
the offending files were deleted with AVG Free.
One more piece of advice: among the various free antivirus programs, which one seems best to you?
My hard disk has two partitions and I installed AVG Free on both.
I prefer AVG because, not having a fast connection, in the case of a large update
I update from a directory after downloading the update on the PC at work.
People speak very highly of Avira, what do you think? Should I switch to it, or do you advise leaving it alone?
If so, is it possible to update it from a directory?
Thanks again for your help
pepper70
Senior Member

Posts: 111
Joined: 20/03/09 15:17

Re: How to remove RECYCLER

Post by Lori_87 » 13/11/13 19:47

Hi,
I had the same problem, I followed the procedure described above and the report is this:

ComboFix 13-11-12.01 - Lorena 13/11/2013 19.14.10.1.8 - x64
Microsoft Windows 8 6.2.9200.0.1252.39.1040.18.6000.3844 [GMT 1:00]
Eseguito da: c:\users\Lorena\Downloads\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Cloud Antivirus Firewall *Disabled* {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}
SP: Panda Cloud Antivirus *Disabled/Updated* {8F3797EF-DB90-F073-3C72-40C753554CD1}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - windows: deleted 192 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Lorena\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
c:\users\Lorena\AppData\Local\Google\Chrome\User Data\Default\bProtectorPreferences
c:\windows\SysWow64\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((( Files Creati Da 2013-10-13 al 2013-11-13 )))))))))))))))))))))))))))))))))))
.
.
2013-11-13 17:38 . 2013-11-13 17:38 -------- d-----w- c:\program files\CCleaner
2013-11-06 12:58 . 2013-11-06 12:58 342704 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10224.bin
2013-11-05 23:35 . 2013-04-29 07:17 58808 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
2013-11-05 23:20 . 2013-11-05 23:20 -------- d-----w- c:\windows\SysWow64\GroupPolicy\Machine\Scripts\Shutdown\PanC520.tmp
2013-11-04 00:04 . 2013-07-22 17:17 197010 --sha-w- c:\users\Lorena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ybogunuqhp.vbs
2013-10-21 03:48 . 2013-10-21 03:48 5105880 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE15\CMigrate.exe
2013-10-21 03:48 . 2013-10-21 03:48 4870848 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE15\Csi.dll
2013-10-21 03:19 . 2013-10-21 03:19 6832344 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE15\CMigrate.exe
2013-10-21 03:19 . 2013-10-21 03:19 6610112 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE15\Csi.dll
2013-10-14 21:04 . 2013-10-14 21:04 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 13:39 . 2013-07-24 14:48 80541720 ----a-w- c:\windows\system32\MRT.exe
2013-10-09 12:37 . 2013-07-13 21:00 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-10-02 01:38 . 2013-09-15 10:05 78296 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-22 23:28 . 2013-10-09 12:51 1767936 ----a-w- c:\windows\SysWow64\wininet.dll
2013-09-22 23:27 . 2013-10-09 12:50 2876928 ----a-w- c:\windows\SysWow64\jscript9.dll
2013-09-22 22:55 . 2013-10-09 12:51 51712 ----a-w- c:\windows\system32\ie4uinit.exe
2013-09-22 22:55 . 2013-10-09 12:51 2241024 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 22:55 . 2013-10-09 12:51 1365504 ----a-w- c:\windows\system32\urlmon.dll
2013-09-22 22:54 . 2013-10-09 12:51 603136 ----a-w- c:\windows\system32\msfeeds.dll
2013-09-22 22:54 . 2013-10-09 12:51 19252224 ----a-w- c:\windows\system32\mshtml.dll
2013-09-22 22:54 . 2013-10-09 12:51 855552 ----a-w- c:\windows\system32\jscript.dll
2013-09-22 22:54 . 2013-10-09 12:50 3959296 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 22:54 . 2013-10-09 12:51 15404544 ----a-w- c:\windows\system32\ieframe.dll
2013-09-22 22:54 . 2013-10-09 12:50 2647552 ----a-w- c:\windows\system32\iertutil.dll
2013-09-14 10:57 . 2013-09-14 10:57 5856 ----a-w- c:\programdata\NanoRepository.bin
2013-09-12 16:00 . 2013-09-12 16:00 129536 ----a-w- c:\users\Public\AlexaNSISPlugin.5596.dll
2013-08-23 05:11 . 2013-10-09 12:49 4040192 ----a-w- c:\windows\system32\win32k.sys
2013-08-16 05:41 . 2013-09-14 11:19 58200 ----a-w- c:\windows\system32\drivers\dam.sys
2013-08-16 05:39 . 2013-09-14 11:19 2371728 ----a-w- c:\windows\system32\WSService.dll
2013-08-16 05:39 . 2013-09-14 11:19 59416 ----a-w- c:\windows\system32\wuauclt.exe
2013-08-16 05:32 . 2013-09-14 11:19 209200 ----a-w- c:\windows\system32\NotificationUI.exe
2013-08-16 05:22 . 2013-09-14 11:19 40448 ----a-w- c:\windows\system32\wuapp.exe
2013-08-16 05:22 . 2013-09-14 11:19 4917760 ----a-w- c:\windows\system32\sppsvc.exe
2013-08-16 05:21 . 2013-09-14 11:19 3275776 ----a-w- c:\windows\system32\wuaueng.dll
2013-08-16 05:21 . 2013-09-14 11:19 99328 ----a-w- c:\windows\system32\wudriver.dll
2013-08-16 05:21 . 2013-09-14 11:19 49664 ----a-w- c:\windows\system32\wups.dll
2013-08-16 05:21 . 2013-09-14 11:19 49152 ----a-w- c:\windows\system32\wups2.dll
2013-08-16 05:21 . 2013-09-14 11:19 252416 ----a-w- c:\windows\system32\WUSettingsProvider.dll
2013-08-16 05:21 . 2013-09-14 11:19 1621504 ----a-w- c:\windows\system32\wucltux.dll
2013-08-16 05:21 . 2013-09-14 11:19 142848 ----a-w- c:\windows\system32\wuwebv.dll
2013-08-16 05:21 . 2013-09-14 11:19 773120 ----a-w- c:\windows\system32\wuapi.dll
2013-08-16 05:21 . 2013-09-14 11:19 688640 ----a-w- c:\windows\system32\WSShared.dll
2013-08-16 05:21 . 2013-09-14 11:19 183808 ----a-w- c:\windows\system32\WSSync.dll
2013-08-16 05:21 . 2013-09-14 11:19 204800 ----a-w- c:\windows\system32\WSClient.dll
2013-08-16 05:21 . 2013-09-14 11:19 198656 ----a-w- c:\windows\system32\Windows.ApplicationModel.Store.dll
2013-08-16 05:21 . 2013-09-14 11:19 163840 ----a-w- c:\windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-16 05:21 . 2013-09-14 11:19 174592 ----a-w- c:\windows\system32\storewuauth.dll
2013-08-16 05:21 . 2013-09-14 11:19 1164288 ----a-w- c:\windows\system32\sppobjs.dll
2013-08-16 05:21 . 2013-09-14 11:19 368640 ----a-w- c:\windows\system32\sppwinob.dll
2013-08-16 05:21 . 2013-09-14 11:19 81408 ----a-w- c:\windows\system32\setupcln.dll
2013-08-16 05:21 . 2013-09-14 11:19 120320 ----a-w- c:\windows\system32\sppc.dll
2013-08-16 05:20 . 2013-09-14 11:19 105984 ----a-w- c:\windows\system32\WinSetupUI.dll
2013-08-15 22:43 . 2013-09-14 11:19 35328 ----a-w- c:\windows\SysWow64\wuapp.exe
2013-08-15 22:43 . 2013-09-14 11:19 628736 ----a-w- c:\windows\SysWow64\wuapi.dll
2013-08-15 22:43 . 2013-09-14 11:19 20992 ----a-w- c:\windows\SysWow64\wups.dll
2013-08-15 22:43 . 2013-09-14 11:19 84992 ----a-w- c:\windows\SysWow64\wudriver.dll
2013-08-15 22:43 . 2013-09-14 11:19 126976 ----a-w- c:\windows\SysWow64\wuwebv.dll
2013-08-15 22:43 . 2013-09-14 11:19 562688 ----a-w- c:\windows\SysWow64\WSShared.dll
2013-08-15 22:43 . 2013-09-14 11:19 159232 ----a-w- c:\windows\SysWow64\WSSync.dll
2013-08-15 22:43 . 2013-09-14 11:19 167424 ----a-w- c:\windows\SysWow64\WSClient.dll
2013-08-15 22:43 . 2013-09-14 11:19 143872 ----a-w- c:\windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43 . 2013-09-14 11:19 124928 ----a-w- c:\windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:43 . 2013-09-14 11:19 83968 ----a-w- c:\windows\SysWow64\OEMLicense.dll
2013-08-15 22:42 . 2013-09-14 11:19 76800 ----a-w- c:\windows\SysWow64\setupcln.dll
2013-08-15 22:42 . 2013-09-14 11:19 91648 ----a-w- c:\windows\SysWow64\sppc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F443A627-5009-4323-9C1D-7FD598D0D712}]
2012-08-15 19:35 2162272 ----a-w- c:\program files (x86)\Amazon Browser Bar\AmazonBrowserBar.3.0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{EA582743-9076-4178-9AA6-7393FDF4D5CE}"= "c:\program files (x86)\Amazon Browser Bar\AmazonBrowserBar.3.0.dll" [2012-08-15 2162272]
.
[HKEY_CLASSES_ROOT\clsid\{ea582743-9076-4178-9aa6-7393fdf4d5ce}]
[HKEY_CLASSES_ROOT\TypeLib\{33D0AD98-3347-4A54-8929-5163EBEB9F72}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-10-21 03:48 1725640 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-10-21 03:48 1725640 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-10-21 03:48 1725640 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Lorena\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-08-27 138096]
"ybogunuqhp"="wscript.exe" [2012-07-26 131584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"YouCam Tray"="c:\program files (x86)\Lenovo\YouCam\YouCamTray.exe" [2012-10-31 168464]
"UpdateP2GShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2012-04-19 217088]
"RemoteControl10"="c:\program files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"Intel AppUp(SM) center"="c:\program files (x86)\Intel\IntelAppStore\bin\ismagent.exe" [2012-07-12 155488]
"PSUAMain"="c:\program files (x86)\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" [2013-05-28 32736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Iminent"="c:\program files (x86)\Iminent\Iminent.exe" [2013-08-08 1074736]
"IminentMessenger"="c:\program files (x86)\Iminent\Iminent.Messengers.exe" [2013-08-08 884784]
"MobileConnect"="c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
.
c:\users\Lorena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Invia a OneNote.lnk - c:\program files\Microsoft Office\Office15\ONENOTEM.EXE /tsr [2013-10-17 220848]
ybogunuqhp.vbs [2013-7-22 197010]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\System32\drivers\AcpiVpc.sys;c:\windows\SYSNATIVE\drivers\AcpiVpc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-19 08:47 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3740118087-3271547114-2321689831-1002Core.job
- c:\users\Lorena\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-08-27 20:48]
.
2013-11-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3740118087-3271547114-2321689831-1002UA.job
- c:\users\Lorena\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-08-27 20:48]
.
2013-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-10 12:35]
.
2013-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-10 12:35]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-10-21 03:43 2328776 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-10-21 03:43 2328776 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-10-21 03:43 2328776 ----a-w- c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-05-14 17:39 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-05-14 17:39 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-05-14 17:39 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-05-14 17:39 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-19 172168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-19 400008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-19 441992]
"RtsFT"="RTFTrack.exe" [2012-10-17 6334096]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-12-07 13262480]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2012-12-03 1256080]
"OnekeyStudio"="c:\program files\Lenovo\Onekey Theater\OnekeyStudio.exe" [2012-09-14 4196432]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2013-03-21 17080376]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2013-03-21 191544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.amazon.it/gp/bit/amazonserp/ ... _IT_ie_sp_
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office15\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~1\MICROS~1\Office15\ONBttnIE.dll/105
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
.
- - - - ORPHANED KEYS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Scan completed at: 2013-11-13 19:25:44
ComboFix-quarantined-files.txt 2013-11-13 18:25
.
Pre-Run: 381,650,640,896 bytes free
Post-Run: 381,504,413,696 bytes free
.
- - End Of File - - F68B04C4A0F04067AF67D915C9A765E5


what do I do now?
Lori_87
Newbie

Posts: 1
Joined: 13/11/13 19:34
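The log above is read by eye in threads like this one, and the two lines a helper would stop at are "ybogunuqhp"="wscript.exe" in the HKCU Run key and the matching ybogunuqhp.vbs in the user's Startup folder. As an added example (not code from this thread, from ComboFix or from OTL), here is a small Python script that does that first pass mechanically: it parses the Run registry sections and the Startup folder listing in the format ComboFix prints, then scores each autostart entry with the heuristics a responder applies manually (launch through a script host, bare file name instead of an absolute path, random-looking name, script file sitting directly in the Startup folder, same name appearing in both places). The sample input is constructed from the lines of the posted log; the weights and the threshold are arbitrary choices for illustration, and the output is a ranking to investigate, not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Run keys and Startup folder listing from the log posted
# above, in the line format ComboFix uses ("." separates sections).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Lorena\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-08-27 138096]
"ybogunuqhp"="wscript.exe" [2012-07-26 131584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"YouCam Tray"="c:\program files (x86)\Lenovo\YouCam\YouCamTray.exe" [2012-10-31 168464]
"Iminent"="c:\program files (x86)\Iminent\Iminent.exe" [2013-08-08 1074736]
.
c:\users\Lorena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Invia a OneNote.lnk - c:\program files\Microsoft Office\Office15\ONENOTEM.EXE /tsr [2013-10-17 220848]
ybogunuqhp.vbs [2013-7-22 197010]
.
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.I)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[[^\]]*\])?$')
STARTUP_DIR_RE = re.compile(r"^(?P<dir>[a-z]:\\.*\\Startup\\)$", re.I)
STARTUP_ITEM_RE = re.compile(
    r"^(?P<file>\S.*?\.[a-z0-9]{2,4})(?:\s+-\s+(?P<target>.+?))?\s+\[[^\]]*\]$", re.I)
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|dll|bat|cmd|vbs|vbe|jse|js|wsf|hta|ps1))", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|local settings|temp|tmp|programdata|public)\\", re.I)

# Illustrative lists: script hosts/loaders that are rarely a legitimate Run launcher
# on a home PC, and script extensions that do not belong in a Startup folder.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}


@dataclass
class Entry:
    location: str             # registry key, or the Startup folder path
    name: str                 # value name, or file name inside the Startup folder
    command: str              # value data, .lnk target, or the file itself
    from_startup_folder: bool


def parse_autoruns(text):
    """Return the autostart entries found in ComboFix-style log text."""
    entries, section, kind = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # blank or "." ends a section
            section = None
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            section, kind = m.group(1), "reg"
            continue
        m = STARTUP_DIR_RE.match(line)
        if m:
            section, kind = m.group("dir"), "dir"
            continue
        if line.startswith("[") or section is None:   # other registry section
            section = None
            continue
        m = RUN_VALUE_RE.match(line) if kind == "reg" else STARTUP_ITEM_RE.match(line)
        if m and kind == "reg":
            entries.append(Entry(section, m["name"], m["cmd"], False))
        elif m:
            entries.append(Entry(section, m["file"], m["target"] or m["file"], True))
    return entries


def looks_random(name):
    """Weak signal: one run of 8+ lowercase letters containing a 3-consonant cluster."""
    return bool(re.fullmatch(r"[a-z]{8,}", name)) and bool(re.search(r"[^aeiou]{3}", name))


def score_entry(e, run_names, startup_stems):
    """Score one entry against the heuristics; returns (score, reasons)."""
    m = EXE_RE.match(e.command.strip())
    exe = (m["exe"] if m else e.command).strip().strip('"')
    base = exe.rsplit("\\", 1)[-1].lower()
    ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
    label = e.name.rsplit(".", 1)[0] if e.from_startup_folder else e.name
    hits = []
    if base in SCRIPT_HOSTS:
        hits.append((3, f"launched through script/loader host {base}"))
    if e.from_startup_folder and e.command == e.name and ext in SCRIPT_EXTS:
        hits.append((3, f"{ext} script placed directly in the Startup folder"))
    if not e.from_startup_folder and "\\" not in exe:
        hits.append((1, "bare file name, resolved through the PATH search order"))
    if USER_WRITABLE_RE.search(exe):
        hits.append((1, "executable lives under a user-writable directory"))
    if looks_random(label):
        hits.append((1, "random-looking name"))
    if not e.from_startup_folder and e.name.lower() in startup_stems:
        hits.append((2, "same name also present as a file in the Startup folder"))
    if e.from_startup_folder and label.lower() in run_names:
        hits.append((2, "same name also present as a Run value"))
    return sum(p for p, _ in hits), [why for _, why in hits]


def triage(text, threshold=2):
    """Entries scoring at or above threshold, most suspicious first."""
    entries = parse_autoruns(text)
    run_names = {e.name.lower() for e in entries if not e.from_startup_folder}
    startup_stems = {e.name.rsplit(".", 1)[0].lower() for e in entries if e.from_startup_folder}
    findings = []
    for e in entries:
        score, reasons = score_entry(e, run_names, startup_stems)
        if score >= threshold:
            findings.append({"location": e.location, "name": e.name,
                             "command": e.command, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["name"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['name']} -> {f['command']}   ({f['location']})")
        for r in f["reasons"]:
            print("     -", r)
```

Run as a file, it prints only the two ybogunuqhp entries with their reasons; the vendor entries under Program Files score zero and the updater under AppData scores one, below the threshold. The script only ranks: a bare wscript.exe launcher with a same-named .vbs in the Startup folder is the pattern a helper asks about next, which is exactly the kind of thing the OTL logs requested in the following reply are meant to show in more detail.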

Re: How to remove RECYCLER

Post by Luke57 » 14/11/13 17:16

Hi, download otl.exe to the desktop
http://oldtimer.geekstogo.com/OTL.exe
Tick SCAN ALL USERS.
Under Output tick Minimal Output

Click the small arrow next to File Age and select 60 Days
Tick LOP Check and Purity Check.
Click Run Scan

When the scan finishes OTL will produce two log files (OTL.txt and Extras.txt), which you need to upload here:
http://wikisend.com/
so that we can see them
(Click the "Browse" button
Select the file you just saved
Click Upload file
After a few seconds you are taken to a new page with the link in several formats:
Download Link / Forum Link
Select Forum Link, copy it and paste it into a new message on the forum).
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

