enrico, 10 Sep 2016 at 19:23
Hi,
I was hit by ransomware that encrypted most of my files. Fortunately I have a backup that is not too old, so I can recover the files.
Before doing that I would like to eradicate the virus from the PC. I ran several programs multiple times (kwrt, rkill, ComboFix, AdwCleaner, ZHPCleaner, Malwarebytes Anti-Malware), but I am not sure I have removed the virus, also because the files flagged as suspicious could have been false positives or viruses that had nothing to do with the problem. Finally I ran RogueKiller, which at the end of its scan found about forty threats (listed below).
1) Can anyone tell me how to be certain I have removed the virus?
2) Can anyone tell me which of these threats I need to remove?
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\AutoTime -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowser -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowserPID -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\AutoTime -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowser -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\UCBrowserPID -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BridgeMP (system32\DRIVERS\bridge.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UCGuard (system32\DRIVERS\ucguard.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.google.com/?gws_rd=ssl -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{00BD8CDE-0DE4-4221-9CB8-2A28EE5FE12C} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{25240685-9BBA-4D17-B51A-839087277EBE} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 ([-][-][-][-][-][-][X][X][X][X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-449593118-792223576-2353584006-1900\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
I apologise if I have posted in the wrong discussion or included too much information.
Thanks
Enrico
Noureddine Bouzidi, 16 Sep 2016 at 15:56
Hi,
"1) Can anyone tell me how to be certain I have removed the virus?"
To be sure, I would format or restore the system.
Anyway, in the list you posted I see only adware, PUP and PUM entries (unwanted programs), which are not really viruses, so they have nothing to do with the ransomware.
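As an added triage aid (not from the thread, and not code from RogueKiller's authors), the Python below parses lines in the report format posted above, separates the PUM settings changes and PUP keys from service/driver entries, and flags any driver whose image path sits under a user-writable Temp directory so it can be checked before the key is deleted. The sample lines are copied from the post; the meaning of the [-]/[X] markers next to the DNS addresses is an assumption.

```python
import re
# Constructed sample in the line format of the RogueKiller report posted in the thread (values from the post).
SAMPLE_REPORT = r"""
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\an43656\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7E49C282-4F4A-426E-B988-504C80577469} | DhcpNameServer : 10.224.110.22 10.20.18.132 ([X][X]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
"""

LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X86|X64)\) (?P<key>.+?)"
    r"(?: \((?P<image>[^)]*)\))?"               # service image path, if any
    r"(?: \| (?P<value>.+?) : (?P<data>.*?))?"  # value name and data, if any
    r"(?: \((?P<marks>(?:\[[-X]\])+)\))?"       # one [-]/[X] marker per address
    r" -> (?P<status>\w+)$"
)
# Assumption: "[X]" marks an address the tool does not recognise, "[-]" one it does.
TEMP_DIR_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
def parse_report(text):
    """One dict per report line; lines that do not fit the format are skipped."""
    matches = (LINE_RE.match(ln.strip()) for ln in text.splitlines())
    return [m.groupdict() for m in matches if m]
def triage(entry):
    """Return (bucket, note): what kind of finding this is and what to verify."""
    tag, image = entry["tag"], entry["image"] or ""
    if tag.startswith("PUM."):
        note = "settings change, not a file: confirm the value is the one you want"
        if tag == "PUM.Dns" and entry["marks"]:
            servers = re.split(r"[,\s]+", entry["data"])
            marks = re.findall(r"\[([-X])\]", entry["marks"])
            flagged = [s for s, mk in zip(servers, marks) if mk == "X"]
            if flagged:
                note = "resolvers the tool does not recognise: " + ", ".join(flagged)
        return "PUM", note
    if tag == "PUP":
        return "PUP", "unwanted-software registry key: removable, unrelated to ransomware"
    if image:
        if any(h in image.lower() for h in TEMP_DIR_HINTS):
            return "SERVICE", "driver loaded from a user-writable temp directory: check its publisher"
        return "SERVICE", "service/driver entry: identify the file before deleting the key"
    return "OTHER", "unrecognised category: look it up before acting"
def summarize(text):
    """Group findings by bucket: {bucket: [(key name, note), ...]} in report order."""
    groups = {}
    for e in parse_report(text):
        bucket, note = triage(e)
        groups.setdefault(bucket, []).append((e["key"].rsplit("\\", 1)[-1], note))
    return groups
```

Paste the full report into `SAMPLE_REPORT` (or read it from a file) and call `summarize` to get the grouped view.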