Problema con Virtumonde - Systemscan log, e poi?

[TeoB]

Salve a tutti, da un paio di giorni ho un problema con un virus, ho fatto un paio di scansioni con avast, poi ho provato un tool online segnalato su questo forum e mi ha rilevato la presenza del virtumonde. In effetti i sintomi sono quelli: crash random, la barra di google non funziona ecc ecc

Ho fatto allora una ricerca su questo forum, e sono saltati fuori diversi 3d in cui si consiglia una scansione con systemscan disconnettendo il pc da internet e chiudendo l'antivirus. Ho uppato il file report qua: http://www.savefile.com/files/1807431

Qualcuno mi dice come posso continuare per cortesia? La procedura segnalata nei 3d è standard oppure bisogna cambiare qualcosa di volta in volta?

Grazie anticipate.

[hell's bells]

Segui questa procedura, eliminiamo le voci principali poi ti faccio fare una ulteriore scansione:

Apri il blocco note di windows, copia al suo interno questo testo come lo vedi

Windows Registry Editor Version 5.00

[-HKCR\CLSID\{1f7f4db8-561e-4515-b592-16c754bf6a6c}]
[-HKCR\CLSID\{6584C510-924B-486A-A1A0-E380DE08C2DB}]
[-HKCR\CLSID\{E6C41BA3-A464-482C-A523-582043A8B990}]

ci deve essere una riga vuota dopo l'ultima scritta

salvalo in c:\ e chiamalo fix.reg (lo devi salvare come "tipo file - tutti i file")

scarica Avenger

Esegui avenger e nella finestra copia/incolla tutta la citazione:

files to delete:
C:\DOCUME~1\Matteo\IMPOST~1\Temp\x342z8uh.exe
C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT7.xml
C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT6.xml
C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT5.xml
C:\DOCUME~1\Matteo\IMPOST~1\Temp\removalfile.bat
C:\WINDOWS\BM97220340.xml
C:\WINDOWS\BM97220340.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\JSYFPXyb.ini
C:\WINDOWS\system32\JSYFPXyb.ini2
C:\WINDOWS\system32\kagflnfe.ini
C:\WINDOWS\system32\fnycrvdt.dll
C:\WINDOWS\system32\mhumkk.dll
C:\WINDOWS\system32\efnlfgak.dll
C:\WINDOWS\system32\tmxboyhq.dll
C:\WINDOWS\system32\9f32f4a2-.txt
C:\WINDOWS\system32\byXPFYSJ.dll

registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyabxVn
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{1f7f4db8-561e-4515-b592-16c754bf6a6c}
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{6584C510-924B-486A-A1A0-E380DE08C2DB}
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{E6C41BA3-A464-482C-A523-582043A8B990}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BM97220340

programs to launch on reboot:
c:\fix.reg

Spunta "Automatically disable any rootkits found" e clicca su "execute".
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato lo trovi in c:\avenger.

poi esegui questa scansione:

scarica Malwarebytes
1) lo installi
2) lo aggiorni
3) fai una scansione scegliendo la modalità completa
4) NON eliminare le eventuali minacce che rileva
5) finita la scansione seleziona il tabellino log, apri il file di testo e postalo sul forum

Non fare altre scansioni con nessun programma e resta connesso il meno possibile, sicuramente ci sarà da rifare un systemscan di controllo per finire le pulizie.

Posta il report di avenger e quello di malewarebytes.

[TeoB]

Grazie, ora lo faccio, con avenger devo spuntare anche "scan for rootkits"?

[TeoB]

Piccolo problema.

Ho creato in c: il file fix.reg lasciando una riga vuota alla fine.
Ho fatto partire Avenger con quello script, reboot e il log è questo:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\DOCUME~1\Matteo\IMPOST~1\Temp\x342z8uh.exe " deleted successfully.
File "C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT7.xml" deleted successfully.
File "C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT6.xml" deleted successfully.
File "C:\DOCUME~1\Matteo\IMPOST~1\Temp\IMT5.xml" deleted successfully.
File "C:\DOCUME~1\Matteo\IMPOST~1\Temp\removalfile. bat" deleted successfully.
File "C:\WINDOWS\BM97220340.xml" deleted successfully.
File "C:\WINDOWS\BM97220340.txt" deleted successfully.
File "C:\WINDOWS\pskt.ini" deleted successfully.
File "C:\WINDOWS\system32\JSYFPXyb.ini" deleted successfully.
File "C:\WINDOWS\system32\JSYFPXyb.ini2" deleted successfully.
File "C:\WINDOWS\system32\kagflnfe.ini" deleted successfully.
File "C:\WINDOWS\system32\fnycrvdt.dll" deleted successfully.
File "C:\WINDOWS\system32\mhumkk.dll" deleted successfully.
File "C:\WINDOWS\system32\efnlfgak.dll" deleted successfully.
File "C:\WINDOWS\system32\tmxboyhq.dll" deleted successfully.
File "C:\WINDOWS\system32\9f32f4a2-.txt" deleted successfully.
File "C:\WINDOWS\system32\byXPFYSJ.dll" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyabxVn" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\Browser Helper Objects\{1f7f4db8-561e-4515-b592-16c754bf6a6c}" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\Browser Helper Objects\{6584C510-924B-486A-A1A0-E380DE08C2DB}" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\Browser Helper Objects\{E6C41BA3-A464-482C-A523-582043A8B990}" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|BM97220340" deleted successfully.
Program "c:\fix.reg" successfully queued to run on reboot.

Completed script processing.

*******************

Finished! Terminate.

Il problema è che mi compare anche una casellina che mi dice che non riesce a trovare il file fix.reg , eppure ho controllato prima di lanciare il programma ed era lí, ma ora non c'è piú in effetti

edit: vedo sul forum che è normale, allora procedo con la scansione col secondo programma.

[TeoB]

Ecco l'anti malware:

Malwarebytes' Anti-Malware 1.28
Versione del database: 1209
Windows 5.1.2600 Service Pack 2

26/09/2008 13.24.02
mbam-log-2008-09-26 (13-23-51).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 158460
Tempo trascorso: 1 hour(s), 24 minute(s), 15 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 16
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 3
File infetti: 13

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\hzfel1.bhoapp (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\hzfel1.bhoapp.1 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.PestPatrol) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2a8d06b4-1b40-009f-e531-629a59080f43} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\altcompare (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvid er (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> No action taken.
C:\Programmi\altcmd (Trojan.Agent) -> No action taken.

File infetti:
C:\Documents and Settings\Matteo\Impostazioni locali\Temporary Internet Files\Content.IE5\ILH5TB0Z\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Matteo\Impostazioni locali\Temporary Internet Files\Content.IE5\WCHLYYKE\upd105320[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP740\A0082237.sys (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP744\A0082423.sys (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083372.sys (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083378.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083379.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083382.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083396.sys (Trojan.FakeAlert) -> No action taken.
C:\Programmi\altcmd\altcmd.inf (Trojan.Agent) -> No action taken.
C:\Programmi\altcmd\uninstall.bat (Trojan.Agent) -> No action taken.
C:\info.cmd (Trojan.Agent) -> No action taken.
C:\mui.cmd (Trojan.Agent) -> No action taken.

[hell's bells]

Rifai la scansione con malewarebytes, rimuovi tutto e rifai la scansione con systemscan e lascia il flag o segno di spunta solo su "Recent files" e su "Registry run keys"

Posta il report come quello precedente

[TeoB]

Intanto posto il log di malewarebytes:

Malwarebytes' Anti-Malware 1.28
Versione del database: 1209
Windows 5.1.2600 Service Pack 2

27/09/2008 11.57.33
mbam-log-2008-09-27 (11-57-33).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 158435
Tempo trascorso: 1 hour(s), 21 minute(s), 7 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 16
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 3
File infetti: 13

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\hzfel1.bhoapp (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hzfel1.bhoapp.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2a8d06b4-1b40-009f-e531-629a59080f43} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvid er (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmi\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.

File infetti:
C:\Documents and Settings\Matteo\Impostazioni locali\Temporary Internet Files\Content.IE5\ILH5TB0Z\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matteo\Impostazioni locali\Temporary Internet Files\Content.IE5\WCHLYYKE\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP740\A0082237.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP744\A0082423.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083372.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083378.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083379.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083382.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DBEC2221-BAA0-49F2-9763-040F872416DF}\RP745\A0083396.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmi\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmi\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\info.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\mui.cmd (Trojan.Agent) -> Quarantined and deleted successfully.

E qua c'è quello di systemscan: http://www.savefile.com/files/1809413

Grazie

[hell's bells]

Esegui questa procedura:

scarica Atfcleaner

Avvia ATFCleaner.exe con un doppio click

1) seleziona la casella Select All
2) clicca sul pulsante Empty selected
3) aspetta l'avviso Done Cleaning.
(se non vuoi eliminare le password togli la spunta) - (se usi opera o firefox,spunta anche le loro sezioni)

poi

scarica Ccleaner

1) per il download dell'ultima versione clicca a destra in alto sotto la freccia verde
2) installalo
3) clicca su "avvia pulizia", ripeti il procedimento 2 volte

[TeoB]

Cancellato tutto, devo fare altro?

[hell's bells]

No abbiamo finito, buon week-end e alla prossima volta per una visita di cortesia.