Virus in Service.exe W32/patched

Post by mr_fede » 11/03/13 00:06

Hi,
I'm on Windows 7 with Avira antivirus, and it reports this trojan in service.exe. I ran ComboFix and got the report below. How do I proceed now to remove the virus?
Many thanks in advance,
Federico

ComboFix 13-03-10.02 - JD 10/03/2013 23:50:40.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.39.1040.18.8103.6146 [GMT 1:00]
Run from: c:\users\JD\Downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\L\00000004.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\L\201d3dde
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\L\76603ac3
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\00000004.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\00000008.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\000000cb.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\80000000.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\80000032.@
c:\windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U\80000064.@
.
.
((((((((((((((((((((((((( Files Created From 2013-02-10 to 2013-03-10 )))))))))))))))))))))))))))))))))))
.
.
2013-03-10 22:55 . 2013-03-10 22:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-10 21:53 . 2013-03-10 21:53 -------- d-----w- c:\users\JD\AppData\Local\Programs
2013-03-10 21:51 . 2013-03-10 21:51 -------- d-----w- c:\users\JD\AppData\Roaming\Malwarebytes
2013-03-10 21:51 . 2013-03-10 21:51 -------- d-----w- c:\programdata\Malwarebytes
2013-03-10 20:31 . 2013-03-10 20:31 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2013-03-10 13:24 . 2013-03-10 13:24 -------- d-----w- c:\users\JD\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-03-10 10:37 . 2013-03-10 10:37 -------- d-----w- c:\program files (x86)\Adobe Download Assistant
2013-02-16 21:59 . 2013-02-16 21:59 -------- d-----w- c:\users\JD\AppData\Local\libimobiledevice
2013-02-16 13:34 . 2013-02-16 13:34 -------- d-----w- c:\program files (x86)\Penguin SR3
2013-02-16 12:52 . 2013-02-16 12:52 -------- d-----w- c:\users\JD\AppData\Local\3dmouse
2013-02-16 12:51 . 2013-02-16 12:51 -------- d-----w- c:\users\JD\AppData\Local\McNeel
2013-02-16 12:51 . 2013-02-16 13:34 -------- d-----w- c:\users\JD\AppData\Roaming\McNeel
2013-02-16 12:50 . 2013-02-16 12:50 400 ----a-w- c:\windows\SysWow64\drivers\fcompbg375.dat
2013-02-16 11:58 . 2013-02-16 11:58 -------- d-----w- c:\programdata\TSplines
2013-02-16 11:49 . 2013-02-16 13:34 -------- d-----w- c:\programdata\McNeel
2013-02-16 11:35 . 2013-02-16 11:35 -------- d-----w- c:\program files (x86)\Common Files\McNeel Shared
2013-02-16 11:35 . 2013-02-16 13:55 -------- d-----w- c:\program files (x86)\Rhinoceros 4.0
2013-02-14 16:32 . 2013-02-14 16:45 -------- d-----w- c:\programdata\Abvent
2013-02-14 16:32 . 2013-02-14 16:32 -------- d-----w- c:\users\JD\AppData\Roaming\Abvent
2013-02-14 16:29 . 2013-02-14 16:32 -------- d-----w- c:\program files\Artlantis Studio 4
2013-02-14 08:28 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:28 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 18:06 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 18:06 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 18:06 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 18:06 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 18:06 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 18:06 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-02-13 18:06 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-02-13 18:06 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-02-13 18:06 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-02-13 18:06 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-02-13 18:06 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 18:06 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-12 23:02 . 2013-03-10 16:24 -------- d-----w- c:\users\JD\AppData\Local\Spotify
2013-02-12 23:02 . 2013-03-10 16:33 -------- d-----w- c:\users\JD\AppData\Roaming\Spotify
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 14:14 . 2012-12-17 12:59 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-27 14:14 . 2012-12-17 12:59 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-14 08:32 . 2012-12-25 11:37 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-01-28 22:31 . 2013-01-28 22:31 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-01-04 04:43 . 2013-02-13 18:06 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-21 10:04 . 2012-12-21 10:04 95184 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-21 10:04 . 2012-12-21 10:04 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-12-21 10:04 . 2012-12-21 10:04 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-12-18 14:49 . 2012-12-18 14:49 959976 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-18 14:49 . 2012-12-18 14:49 308200 ----a-w- c:\windows\system32\javaws.exe
2012-12-18 14:49 . 2012-12-18 14:49 1081320 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-18 14:49 . 2012-12-18 14:49 188392 ----a-w- c:\windows\system32\javaw.exe
2012-12-18 14:49 . 2012-12-18 14:49 188392 ----a-w- c:\windows\system32\java.exe
2012-12-18 14:49 . 2012-12-18 14:49 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-18 09:12 . 2012-12-18 09:12 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-12-18 09:12 . 2012-12-18 09:12 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-12-18 09:12 . 2012-12-18 09:12 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-12-18 09:12 . 2012-12-18 09:12 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-12-18 09:12 . 2012-12-18 09:12 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-12-18 09:12 . 2012-12-18 09:12 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-12-18 09:12 . 2012-12-18 09:12 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-12-18 09:12 . 2012-12-18 09:12 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-12-18 09:12 . 2012-12-18 09:12 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-12-18 09:12 . 2012-12-18 09:12 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-12-18 09:12 . 2012-12-18 09:12 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-12-18 09:12 . 2012-12-18 09:12 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-12-18 09:12 . 2012-12-18 09:12 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-12-18 09:12 . 2012-12-18 09:12 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-12-18 09:12 . 2012-12-18 09:12 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-12-18 09:12 . 2012-12-18 09:12 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-12-18 09:12 . 2012-12-18 09:12 222208 ----a-w- c:\windows\system32\msls31.dll
2012-12-18 09:12 . 2012-12-18 09:12 197120 ----a-w- c:\windows\system32\msrating.dll
2012-12-18 09:12 . 2012-12-18 09:12 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-12-18 09:12 . 2012-12-18 09:12 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-12-18 09:12 . 2012-12-18 09:12 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-12-18 09:12 . 2012-12-18 09:12 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-12-18 09:12 . 2012-12-18 09:12 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-12-18 09:12 . 2012-12-18 09:12 149504 ----a-w- c:\windows\system32\occache.dll
2012-12-18 09:12 . 2012-12-18 09:12 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-12-18 09:12 . 2012-12-18 09:12 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-12-18 09:12 . 2012-12-18 09:12 12288 ----a-w- c:\windows\system32\mshta.exe
2012-12-18 09:12 . 2012-12-18 09:12 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-12-18 09:12 . 2012-12-18 09:12 114176 ----a-w- c:\windows\system32\admparse.dll
2012-12-18 09:12 . 2012-12-18 09:12 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-12-18 09:12 . 2012-12-18 09:12 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-12-18 09:12 . 2012-12-18 09:12 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-12-18 09:12 . 2012-12-18 09:12 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-12-18 09:12 . 2012-12-18 09:12 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-12-18 09:12 . 2012-12-18 09:12 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-12-18 09:12 . 2012-12-18 09:12 82432 ----a-w- c:\windows\system32\icardie.dll
2012-12-18 09:12 . 2012-12-18 09:12 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-12-18 09:12 . 2012-12-18 09:12 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-12-18 09:12 . 2012-12-18 09:12 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-12-18 09:12 . 2012-12-18 09:12 448512 ----a-w- c:\windows\system32\html.iec
2012-12-18 09:12 . 2012-12-18 09:12 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-12-18 09:12 . 2012-12-18 09:12 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-12-18 09:12 . 2012-12-18 09:12 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-12-18 09:12 . 2012-12-18 09:12 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-18 09:12 . 2012-12-18 09:12 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-12-18 09:12 . 2012-12-18 09:12 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-12-18 09:12 . 2012-12-18 09:12 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-12-18 09:12 . 2012-12-18 09:12 160256 ----a-w- c:\windows\system32\wextract.exe
2012-12-18 09:12 . 2012-12-18 09:12 103936 ----a-w- c:\windows\system32\inseng.dll
2012-12-16 17:11 . 2012-12-21 09:25 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 09:25 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 01:39 . !HASH: COULD NOT OPEN FILE !!!!! . 329216 . . [------] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit/default values are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\JD\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-01-08 3674320]
"Spotify Web Helper"="c:\users\JD\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-02-12 1199000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-02-12 385248]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2012-09-23 3477640]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-12-17 1436424]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-05-02 340240]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2012-03-26 22528]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2010-08-03 290920]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-18 1255736]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2012-10-08 30056]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-03 56208]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-05-25 17536]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-11-16 27800]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-01-28 283200]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-02-12 86752]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-06-02 128488]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-06-02 401896]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2011-04-13 142632]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-13 413800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-05 21:10 1630672 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-17 14:14]
.
2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-17 11:29]
.
2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-17 11:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\JD\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-05-02 1935120]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-10-10 171040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-10-10 399392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-10-10 441888]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-12-15 478984]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.babylon.com/?affID=117023 ... 04a64fa611
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANED KEYS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\*rfp9]*]
@Class="REG_NONE"
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\*rfp9]*\Settings]
@Class="REG_NONE"
"last_activation_day"="46"
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\,*Tmøx*]
@Class="REG_NONE"
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\,*Tmøx*\Settings]
@Class="REG_NONE"
"last_activation_day"="46"
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\:*rf9k*]
@Class="REG_NONE"
.
[HKEY_USERS\S-1-5-21-1786445860-154473569-890872630-1000\Software\McNeel\Rhinoceros\4.0\Scheme: Default\Plug-ins\:*rf9k*\Settings]
@Class="REG_NONE"
"last_activation_day"="46"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,21,79,a6,fd,e5,15,a8,13,61,89,29,ca,1a,4d,57,54,e6,83,46,94,
f4,20,14,98,ea,21,cc,70,2e,1a,24,ac,70,df,77,40,68,34,b9,4f,03,dd,b3,63,81,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,21,79,a6,fd,e5,15,a8,13,61,89,29,ca,1a,4d,57,54,e6,83,46,94,
f4,20,14,98,ea,21,cc,70,2e,1a,24,ac,70,df,77,40,68,34,b9,4f,03,dd,b3,63,81,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
c:\program files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2013-03-11 00:01:01 - the PC was rebooted
ComboFix-quarantined-files.txt 2013-03-10 23:01
.
Pre-Run: 380.535.697.408 bytes free
Post-Run: 380.440.375.296 bytes free
.
- - End Of File - - C30F7FA5E78888F65710FCE16A7159CC
mr_fede
Newbie
Posts: 4
Joined: 11/03/13 00:02

Re: Virus in Service.exe W32/patched

Post by Luke57 » 11/03/13 11:24

Hi, it looks like a ZeroAccess infection.
1) Download TDSSKiller and save it to the desktop.
http://support.kaspersky.com/downloads/ ... killer.exe
Double-click TDSSKiller.exe to start the application. Under "Change parameters" tick "Detect TDLFS file system" and "Verify file digital signatures".
Click "Start scan".

If an infected file is found, the default action will be Cure; click Continue.
If a suspicious file is found, the default action will be Skip; click Continue.
If you are asked to reboot the PC, complete the process: click "Reboot now".
If no reboot is required, click Report and save its contents to a text file.
Attach the report, which is in C: and has a name of the form "TDSSKiller.[Date]_[Time]_log.txt".
2) Download OTL
http://oldtimer.geekstogo.com/OTL.exe
save it to the desktop and double-click its icon.
Tick "Scan all users".


Click "Run scan".
When the scan finishes OTL will produce two log files (OTL.txt and Extras.txt);
attach only OTL.txt.
Since the reports are very long, upload them here:
http://wikisend.com/

After uploading, post the links so the reports can be viewed.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: Virus in Service.exe W32/patched

Post by mr_fede » 11/03/13 12:54

Very kind of you, really. I did everything. When it finished, TDSSKiller asked me to reboot the PC.
The two .txt files are at this link: https://www.wetransfer.com/downloads/09 ... 133/431f75
I used WeTransfer.
Many thanks in advance,
Federico
mr_fede
Newbie
Posts: 4
Joined: 11/03/13 00:02

Re: Virus in Service.exe W32/patched

Post by Luke57 » 11/03/13 14:01

Hi, the TDSSKiller report is incomplete; check whether you left out part of it, otherwise re-run the tool.
Open OTL.exe and copy the following script:

:OTL
[2013/03/10 23:48:59 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\L
[2013/03/10 23:48:59 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U
[2009/07/14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
@Alternate Data Stream - 1165 bytes -> C:\ProgramData\Microsoft:YWQ8G3trsxA3CdFa5ZnKR
@Alternate Data Stream - 1155 bytes -> C:\ProgramData\Microsoft:K0tKcUcaYbPr6AmVitO
@Alternate Data Stream - 1023 bytes -> C:\Users\JD\AppData\Local\4fzUtZLa:XxK3vp9JzBhtUI5UpCB8zT

:Files
C:\Windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\L
C:\Windows\Installer\{8fdc19e7-bf33-94d2-c03a-0fad55f3a59a}\U

:Commands
[emptytemp]


Paste it into the white box and press "Run Fix", reboot the computer and post the report produced by the fix.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: Virus in Service.exe W32/patched

Post by mr_fede » 11/03/13 15:37

The earlier TDSSKiller report was everything it had written out. I re-ran the tool; it found no threats.
Here are the .txt files of the new TDSSKiller report and of OTL:
https://www.wetransfer.com/downloads/c6 ... 548/2e7d3c
mr_fede
Newbie
Posts: 4
Joined: 11/03/13 00:02

Re: Virus in Service.exe W32/patched

Post by Luke57 » 11/03/13 15:59

OK, are you still having problems?
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: Virus in Service.exe W32/patched

Post by mr_fede » 12/03/13 08:46

Yes, unfortunately Avira still finds a virus: TR/ATRAPS.Gen2
mr_fede
Newbie
Posts: 4
Joined: 11/03/13 00:02

Re: Virus in Service.exe W32/patched

Post by Luke57 » 12/03/13 16:25

Hi, what is the path of the malware that Avira found?
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10