  1. #1

    Big problem

    Guys, I tried a McAfee file but it doesn't fix anything. I think I have a trojan/backdoor: the 2 files it is supposed to create (bdn.com and mssecu.exe) are there, and there are other files whose origin I don't know. Basically I get an error like generic host win32........ I don't know what to do

    At http://silviobenvenuto.altervista.org/report.txt (it's my site) you'll find the suspectfile report, but I can't make anything of it

    Please help me
    BENEDETTO IL CAOS

  2. #2
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts):
    give me the time to check the systemscan and prepare the script (it'll take a while)

    bye

  3. #3
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts):
    follow all the steps, exactly as I write them:

    1) download Avenger and CCleaner... and download mbr.exe into c:\

    2) Disconnect the PC from the internet and disable the antivirus

    3) open a text file and copy this into it:

    Windows Registry Editor Version 5.00

    ; delete the suspect CLSID and the "mslagent" uninstall entry
    [-HKEY_CLASSES_ROOT\CLSID\{42532A31-5D50-6F4D-10B9-0333B767D7A5}]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent]

    ; turn the Windows Firewall back on (a .reg file needs the full root name; regedit does not accept the HKLM abbreviation)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000001

    ; re-enable the Security Center warnings that had been switched off
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify"=dword:00000000
    "FirewallDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    ;
    save it on the desktop as:
    name: fix.reg
    file type: all files
    close the file


    4) Run Avenger and copy/paste this into the box:

    files to delete:
    C:\WINDOWS\a.bat
    C:\WINDOWS\zip3.tmp
    C:\WINDOWS\zip1.tmp
    C:\WINDOWS\zipped.tmp
    C:\WINDOWS\zip2.tmp
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\bdn.com
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\VBIEWER.OCX
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\wini104552633.exe
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\system32\bdn.com
    C:\Programmi\hsdmymc\EnUi.dll
    C:\WINDOWS\system32\brastk.exe

    folders to delete:
    C:\Programmi\akl
    C:\WINDOWS\system32\smp
    C:\WINDOWS\mslagent
    C:\Programmi\hsdmymc

    registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | EnUi

    registry keys to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\CfgDscDb

    Tick "Automatically disable any rootkits found" and click "execute". The PC should reboot by itself; otherwise reboot it yourself. Post the report it produces

    5) After the reboot, run the FIX.REG file you saved on the desktop

    6) click Start => Run => type: c:\mbr.exe -f
    careful!: there is a space before -f

    7) Run CCleaner and clean up the temporary files and cookies.

    8) Look in C:\WINDOWS\ for a file similar to this one, h@tkeysh@@k.dll, and delete it if it is there.

    9) Run a new systemscan - Re-enable the antivirus - Post the report by uploading it to Savefile and post the link you get

  4. #4
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\WINDOWS\a.bat" deleted successfully.
    File "C:\WINDOWS\zip3.tmp" deleted successfully.
    File "C:\WINDOWS\zip1.tmp" deleted successfully.
    File "C:\WINDOWS\zipped.tmp" deleted successfully.
    File "C:\WINDOWS\zip2.tmp" deleted successfully.
    File "C:\WINDOWS\FVProtect.exe" deleted successfully.
    File "C:\WINDOWS\userconfig9x.dll" deleted successfully.
    File "C:\WINDOWS\base64.tmp" deleted successfully.
    File "C:\WINDOWS\iTunesMusic.exe" deleted successfully.
    File "C:\WINDOWS\mssecu.exe" deleted successfully.
    File "C:\WINDOWS\winsystem.exe" deleted successfully.
    File "C:\WINDOWS\bdn.com" deleted successfully.
    File "C:\WINDOWS\system32\taack.exe" deleted successfully.
    File "C:\WINDOWS\system32\VBIEWER.OCX" deleted successfully.
    File "C:\WINDOWS\system32\ssurf022.dll" deleted successfully.
    File "C:\WINDOWS\system32\bsva-egihsg52.exe" deleted successfully.
    File "C:\WINDOWS\system32\taack.dat" deleted successfully.
    File "C:\WINDOWS\system32\ps1.exe" deleted successfully.
    File "C:\WINDOWS\system32\mwin32.exe" deleted successfully.
    File "C:\WINDOWS\system32\psoft1.exe" deleted successfully.
    File "C:\WINDOWS\system32\psof1.exe" deleted successfully.
    File "C:\WINDOWS\system32\hoproxy.dll" deleted successfully.
    File "C:\WINDOWS\system32\winlogonpc.exe" deleted successfully.
    File "C:\WINDOWS\system32\msnbho.dll" deleted successfully.
    File "C:\WINDOWS\system32\hxiwlgpm.exe" deleted successfully.
    File "C:\WINDOWS\system32\hxiwlgpm.dat" deleted successfully.
    File "C:\WINDOWS\system32\sncntr.exe" deleted successfully.
    File "C:\WINDOWS\system32\WINWGPX.EXE" deleted successfully.
    File "C:\WINDOWS\system32\sysreq.exe" deleted successfully.
    File "C:\WINDOWS\system32\ssvchost.com" deleted successfully.
    File "C:\WINDOWS\system32\ssvchost.exe" deleted successfully.
    File "C:\WINDOWS\system32\wini104552633.exe" deleted successfully.
    File "C:\WINDOWS\system32\thun32.dll" deleted successfully.
    File "C:\WINDOWS\system32\winsystem.exe" deleted successfully.
    File "C:\WINDOWS\system32\vcatchpi.dll" deleted successfully.
    File "C:\WINDOWS\system32\temp#01.exe" deleted successfully.
    File "C:\WINDOWS\system32\vbsys2.dll" deleted successfully.
    File "C:\WINDOWS\system32\thun.dll" deleted successfully.
    File "C:\WINDOWS\system32\msvchost.exe" deleted successfully.
    File "C:\WINDOWS\system32\mtr2.exe" deleted successfully.
    File "C:\WINDOWS\system32\mssecu.exe" deleted successfully.
    File "C:\WINDOWS\system32\newsd32.exe" deleted successfully.
    File "C:\WINDOWS\system32\netode.exe" deleted successfully.
    File "C:\WINDOWS\system32\h@tkeysh@@k.dll" deleted successfully.
    File "C:\WINDOWS\system32\anticipator.dll" deleted successfully.
    File "C:\WINDOWS\system32\msgp.exe" deleted successfully.
    File "C:\WINDOWS\system32\dpcproxy.exe" deleted successfully.
    File "C:\WINDOWS\system32\regm64.dll" deleted successfully.
    File "C:\WINDOWS\system32\regc64.dll" deleted successfully.
    File "C:\WINDOWS\system32\akttzn.exe" deleted successfully.
    File "C:\WINDOWS\system32\awtoolb.dll" deleted successfully.
    File "C:\WINDOWS\system32\Rundl1.exe" deleted successfully.
    File "C:\WINDOWS\system32\bdn.com" deleted successfully.
    File "C:\Programmi\hsdmymc\EnUi.dll" deleted successfully.

    Error: file "C:\WINDOWS\system32\brastk.exe" not found!
    Deletion of file "C:\WINDOWS\system32\brastk.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Folder "C:\Programmi\akl" deleted successfully.
    Folder "C:\WINDOWS\system32\smp" deleted successfully.
    Folder "C:\WINDOWS\mslagent" deleted successfully.
    Folder "C:\Programmi\hsdmymc" deleted successfully.
    Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|EnUi" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\CfgDscDb" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    this is the Avenger report, except that on reboot it gave me an error message like "disk not found", and the command after running fix.reg (the one where I had to type those things into "Run") doesn't start...
    BENEDETTO IL CAOS
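
    As an added example (not code from the thread or from Avenger), a small Python script that reconciles an Avenger script against the log Avenger prints, so one can see at a glance which targets were deleted, which failed and with what NT status (as with brastk.exe above, reported as STATUS_OBJECT_NAME_NOT_FOUND), and which the log never mentioned. The script and log excerpts embedded in it are constructed samples and the function names are my own.

```python
import re
# Constructed excerpts of an Avenger script and the log it produced (the thread's real lists are far longer)
AVENGER_SCRIPT = r"""files to delete:
C:\WINDOWS\bdn.com
C:\WINDOWS\system32\brastk.exe
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | EnUi
"""
AVENGER_LOG = r"""File "C:\WINDOWS\bdn.com" deleted successfully.
Error: file "C:\WINDOWS\system32\brastk.exe" not found!
Deletion of file "C:\WINDOWS\system32\brastk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|EnUi" deleted successfully.
"""
SECTION_RE = re.compile(r"^(files|folders|registry keys|registry values) to delete:$", re.I)
OK_RE = re.compile(r'^(?:File|Folder|Registry key|Registry value) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?:file|folder|registry key|registry value) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: 0x[0-9a-fA-F]+ \((\w+)\)$")

def norm(item):
    """Case-fold and drop spaces around '|' so the script's 'key | value' matches the log's 'key|value'."""
    return re.sub(r"\s*\|\s*", "|", item.strip()).lower()

def parse_script(text):
    """Return {target: section} for every entry listed under a '... to delete:' heading."""
    targets, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif line and section:
            targets[norm(line)] = section
    return targets

def parse_log(text):
    """Return {target: 'deleted' or NT status name} for every outcome the log reports."""
    results, pending = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := OK_RE.match(line):
            results[norm(m.group(1))] = "deleted"
        elif m := FAIL_RE.match(line):
            pending = norm(m.group(1))
            results[pending] = "failed"  # refined by the Status: line that follows
        elif (m := STATUS_RE.match(line)) and pending:
            results[pending], pending = m.group(1), None
    return results

def reconcile(script_text, log_text):
    """Map every scripted target to its outcome; targets the log never mentions are 'unreported'."""
    outcomes = parse_log(log_text)
    return {t: outcomes.get(t, "unreported") for t in parse_script(script_text)}
```

    A target reported as "unreported" or with a status other than "deleted" is the one to re-check by hand after the reboot, since Avenger's summary lines are the only confirmation that a path was actually removed.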

  5. #5
    Now it worked, I had done one thing wrong. Anyway I'm running the scan with the antivirus...
    BENEDETTO IL CAOS

  6. #6
    The report can be found at http://www.savefile.com/files/1892680

    or it's in a rar file at http://silviobenvenuto.altervista.org/report.rar
    BENEDETTO IL CAOS

  7. #7
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts):
    Originally posted by Deifobe
    9) Run a new systemscan - Re-enable the antivirus - Post the report by uploading it to Savefile and post the link you get

  8. #8
    Sorry, I had misunderstood

    http://www.savefile.com/files/1892713

    this is the right link, or

    http://silviobenvenuto.altervista.org/report2.rar
    BENEDETTO IL CAOS

  9. #9
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts):
    could you also post the little mbr.exe report? you'll find it in c:\
    (you can post it directly on the forum)

  10. #10
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts):
    ok... it's a bit better: the files have been deleted, the firewall is on and so are the notifications.
    The MBR isn't fixed, though: there are sectors that don't get restored. You need to post me the file: mbr.log

    let's also carry on with the cleanup for what still remains to be done

    Download and install Malwarebytes.
    Update it: click the "updates" tab => "check for updates"
    Run a "full scan" (select that option)
    When the scan is complete, post the report directly on the forum.

    Don't remove anything for now
