Removing a ransom virus [Solved/Closed]

Posts: 22670
Registration date: Thursday 19 March 2009
Status: Moderator
Last contribution: Monday 29 June 2020
Hi,
I was hit by a ransom virus that encrypted most of my files. Fortunately I have a backup that is not too old, so I can recover the files.
Before doing that I would like to eradicate the virus from the PC. I have run several programs more than once (kwrt, rkill, combofix, adw cleaner, zhp cleaner, malwarebytes anti-malware) but I am not sure I have removed the virus, also because the files reported as suspicious could have been false positives, or viruses that had nothing to do with the problem. Lastly I ran RogueKiller, which at the end of its scan found about forty threats (listed below).
1) Does anyone know how I can be sure I have removed the virus?
2) Does anyone know which of these threats I need to remove?

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\AutoTime -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowser -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowserPID -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\AutoTime -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowser -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowserPID -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BridgeMP (system32\DRIVERS\bridge.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

Apologies if I have posted in the wrong discussion or uploaded too much information.
Thanks
Enrico

1 reply

hi,
"1) Does anyone know how I can be sure I have removed the virus?"
to be sure, I would format or restore the system

anyway, in the list you posted I only see adware, PUP and PUM (unwanted programs), which are not really viruses, so they have nothing to do with the ransomware
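As an added illustration (not part of this thread, and not RogueKiller's own code), a small Python parser for the log format quoted above: it splits each line into category, registry key, value data or driver path, and buckets the entries the way the reply does (PUP and PUM on one side, drivers and services to review on the other). The sample lines are constructed from the shapes in the post; the user name and interface GUID are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the line format RogueKiller uses in the thread above;
# the user name and interface GUID are placeholders.
SAMPLE_LOG = r"""
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\USER\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID} | NameServer : 8.8.8.8,8.8.4.4,8.26.56.26 ([-][-][X]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
"""

LINE_RE = re.compile(r"^\[(?P<category>[^\]]+)\] \((?P<arch>X86|X64)\) (?P<body>.+) -> (?P<status>\w+)$")
FLAGS_RE = re.compile(r" \((?P<flags>(?:\[[-X]\])+)\)$")  # per-server marks on DNS lines

def parse_line(line):
    """Split one RogueKiller registry line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"category": m["category"], "arch": m["arch"], "status": m["status"],
             "value": None, "data": None, "file": None, "flags": None}
    body = m["body"]
    if " | " in body:  # key | ValueName : data [(flags)]
        body, _, rest = body.partition(" | ")
        entry["value"], _, data = rest.partition(" : ")
        f = FLAGS_RE.search(data)
        if f:
            entry["flags"] = re.findall(r"\[([-X])\]", f["flags"])
            data = data[: f.start()]
        entry["data"] = data
    elif body.endswith(")") and " (" in body:  # service key (image path)
        body, _, entry["file"] = body[:-1].rpartition(" (")
    entry["key"] = body
    return entry

def triage(entry):
    """Bucket an entry the way the reply reads the list: PUP and PUM are unwanted
    programs or changed settings; anything else (drivers, services) needs a manual look."""
    top = entry["category"].split(".")[0]
    return top if top in ("PUP", "PUM") else "REVIEW"

def summarize(log_text):
    """Parse a whole log and count entries per triage bucket."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return Counter(triage(e) for e in entries), entries
```

ConsentPromptBehaviorAdmin = 0 under that Policies\System key is the UAC level "Elevate without prompting", a configuration change rather than a malicious file, which fits its PUM (modified setting) label.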