francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 12:56   Subject: Updater.vbe

Hello everyone, I have this malware that I just cannot get rid of.
This malware turns everything inside USB pen drives into shortcuts, even after formatting the stick, and it is called Updater.vbe, as in the title.
I hope you can help me, bye. Thanks.

R16 [Mature god]
Joined: 07/03/08 22:58   Posts: 10129
Posted: 05 Apr 2014 14:25

Hi.
Download RogueKiller to the desktop.
link (for 32-bit OS)
link (for 64-bit OS)
Close all running programs.
Start RogueKiller.exe.
The tool will run a pre-scan automatically.
When the pre-scan finishes, a window opens: click "Accept".
Now click "Scan".
When the scan finishes, click "Report"; you will find the log on the desktop.
Post it here.

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 14:36

Code:
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Francesco [Admin rights]
Mode : Scan -- Date : 04/05/2014 14:34:21
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[PUP][BLPATH] cacaoweb.exe -- C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe [-] -> Closed [TermProc]
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][PUP] HKCU\[...]\Run : cacaoweb ("C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer [-]) -> Found
[RUN][PUP] HKUS\S-1-5-21-217505692-3784118851-2384356451-1000\[...]\Run : cacaoweb ("C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer [-]) -> Found
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> Found
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> Found
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ Extern Hives: ¤¤¤
¤¤¤ Infection : PUP ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 validation.sls.microsoft.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HM251JI ATA Device +++++
--- User ---
[MBR] 0fa3431d476a9b372aeb1123b2f3ed68
[BSP] 93a24f4bb035732f60d0b13d4d9bf0b7 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 227827 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 466591744 | Size: 10644 MB
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_04052014_143421.txt >>

R16 [Mature god]
Joined: 07/03/08 22:58   Posts: 10129
Posted: 05 Apr 2014 14:47

Run RogueKiller again.
When the scan finishes,
click "Delete".
When the deletion finishes, click "Report".
Post it here.
Do a new scan with RogueKiller.
Post the log.
Then:
Do this scan with OTL.
http://forum.zeusnews.com/viewtopic.php?t=51382
Post the logs with Wikisend or similar.

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 14:53

Log after Delete:
Code:
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Francesco [Admin rights]
Mode : Remove -- Date : 04/05/2014 14:51:51
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[PUP][BLPATH] cacaoweb.exe -- C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe [-] -> Closed [TermProc]
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][PUP] HKCU\[...]\Run : cacaoweb ("C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer [-]) -> Deleted
[RUN][PUP] HKUS\S-1-5-21-217505692-3784118851-2384356451-1000\[...]\Run : cacaoweb ("C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer [-]) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> Replaced (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> Replaced (0)
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ Extern Hives: ¤¤¤
¤¤¤ Infection : PUP ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 validation.sls.microsoft.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HM251JI ATA Device +++++
--- User ---
[MBR] 0fa3431d476a9b372aeb1123b2f3ed68
[BSP] 93a24f4bb035732f60d0b13d4d9bf0b7 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 227827 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 466591744 | Size: 10644 MB
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_D_04052014_145151.txt >>
RKreport[0]_S_04052014_143421.txt

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 15:04

Second scan:
Code:
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Francesco [Admin rights]
Mode : Scan -- Date : 04/05/2014 14:55:32
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[PUP][BLPATH] cacaoweb.exe -- C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe [-] -> Closed [TermProc]
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ Extern Hives: ¤¤¤
¤¤¤ Infection : PUP ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 validation.sls.microsoft.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HM251JI ATA Device +++++
--- User ---
[MBR] 0fa3431d476a9b372aeb1123b2f3ed68
[BSP] 93a24f4bb035732f60d0b13d4d9bf0b7 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 227827 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 466591744 | Size: 10644 MB
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_04052014_145532.txt >>
RKreport[0]_D_04052014_145151.txt;RKreport[0]_S_04052014_143421.txt

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 15:29

OTL.txt:
link
Extras.txt:
link

R16 [Mature god]
Joined: 07/03/08 22:58   Posts: 10129
Posted: 05 Apr 2014 15:56

Start OTL.
Under "Custom Scans\Fixes" copy and paste this code:
Code:
:OTL
O4 - HKU\S-1-5-21-217505692-3784118851-2384356451-1000..\Run: [Updater] wscript.exe //B "C:\Users\Francesco\Updater.vbe" File not found
O4 - Startup: C:\Users\Francesco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbe ()
[2014/04/05 12:48:18 | 000,471,552 | ---- | M] () -- C:\Users\Francesco\Desktop\cacaoweb.exe
[2014/04/05 13:21:50 | 000,000,000 | ---D | M] -- C:\Users\Francesco\AppData\Roaming\cacaoweb
:Files
C:\Users\Francesco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbe
ipconfig /flushdns /c
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
:commands
[purity]
[emptytemp]
[Emptyjava]
[RESETHOSTS]
[EMPTYFLASH]
[start explorer]
[Reboot]
Click the RUN FIX button.
Let the scan run without interfering.
Post the log.
Then:
Download AdwCleaner to the desktop:
link
Close all browsers (it is important that they are closed: IE, Firefox, Chrome etc.)
Click the "Scan" button.
When the scan finishes, click "Clean".
Confirm the various windows that will appear with OK.
The PC will reboot, and the log with the deletions will come up.
Post it here.
After these operations, format the pen drives.
Tell me if the problem persists.

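The OTL fix above targets two autoruns for the same script: the Run value `[Updater] wscript.exe //B "C:\Users\Francesco\Updater.vbe"` (whose file OTL had already reported as not found) and the copy in the Startup folder, while RogueKiller's scans had listed only the cacaoweb PUP. The Python script below is an added example, not code from the thread or from OTL/RogueKiller: it takes (location, name, command) tuples as you would collect yourself from the Run keys and the Startup folder and flags commands that run a .vbe/.vbs/.js file through wscript/cscript/mshta or directly through the file association, noting the `//B` batch switch and user-writable script paths. The entries in SAMPLE_AUTORUNS are constructed for the demo, the first two modelled on the O4 lines quoted above.

```python
"""Flag Windows Script Host autoruns of the shape seen in the OTL fix above.

Added example, not code from the thread or from OTL/RogueKiller. Input is a
list of (location, name, command) tuples collected from the Run keys and the
Startup folder; SAMPLE_AUTORUNS is constructed for the demo, the first two
entries modelled on the O4 lines OTL listed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta")
# paths the user (and therefore any script running as the user) can write to
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|%(?:appdata|localappdata|userprofile|temp|tmp)%)", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(command: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(command)]


@dataclass
class Finding:
    location: str
    name: str
    script: str
    reasons: list


def analyse_autorun(location: str, name: str, command: str):
    """Return a Finding when the autorun runs a script file, else None."""
    tokens = tokenize(command)
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if "." not in exe:                 # "wscript" is resolved to wscript.exe by Windows
        exe += ".exe"
    reasons, script = [], None
    if exe in SCRIPT_HOSTS:
        reasons.append(f"{exe} launched from an autorun location")
        if any(t.lower() in ("//b", "/b") for t in tokens[1:]):
            # //B = batch mode: no prompts and no script error dialogs, so the user sees nothing
            reasons.append("//B (batch mode) hides prompts and script errors")
        script = next((t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)), None)
    elif tokens[0].lower().endswith(SCRIPT_EXTS):
        # a bare .vbe in the Startup folder: Explorer hands it to wscript.exe via the association
        script = tokens[0]
        reasons.append("script file launched directly through its file association")
    if script is None:
        return None
    if USER_WRITABLE.match(script):
        reasons.append("script lives in a user-writable profile path")
    return Finding(location, name, script, reasons)


def find_script_autoruns(entries) -> list:
    """Run analyse_autorun over every entry and keep the hits."""
    return [f for f in (analyse_autorun(*e) for e in entries) if f is not None]


SID = "S-1-5-21-217505692-3784118851-2384356451-1000"
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP = r"C:\Users\Francesco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_AUTORUNS = [                    # constructed sample input
    ("HKU\\" + SID + "\\" + RUN_KEY, "Updater",
     r'wscript.exe //B "C:\Users\Francesco\Updater.vbe"'),
    ("Startup folder", "Updater.vbe", '"' + STARTUP + r'\Updater.vbe"'),
    ("HKCU\\" + RUN_KEY, "cacaoweb",   # the PUP RogueKiller removed: an .exe, not a script host
     r'"C:\Users\Francesco\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer'),
    ("HKLM\\" + RUN_KEY, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for f in find_script_autoruns(SAMPLE_AUTORUNS):
        print(f"{f.location}\\{f.name} -> {f.script}")
        for r in f.reasons:
            print("   -", r)
```

On a live system the same tuples come from `reg query` of the HKCU/HKLM/HKU Run keys and a directory listing of the Startup folders. The Startup-folder entry is flagged even though it names no script host, because Windows hands a .vbe file to wscript.exe through the file association. Two further facts to take from the OTL log that follows in the thread: the `[Reboot]` command was rejected because the pasted fix carried a "See more at" suffix, and the hosts-file replacement stayed scheduled for a reboot rather than being applied.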
francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 16:40

New OTL log:
Code:
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-217505692-3784118851-2384356451-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Updater deleted successfully.
C:\Users\Francesco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbe moved successfully.
C:\Users\Francesco\AppData\Roaming\cacaoweb folder moved successfully.
========== FILES ==========
File\Folder C:\Users\Francesco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Francesco\Desktop\cmd.bat deleted successfully.
C:\Users\Francesco\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Francesco
->Temp folder emptied: 6565181 bytes
->Temporary Internet Files folder emptied: 7288575 bytes
->Java cache emptied: 741412 bytes
->FireFox cache emptied: 22631553 bytes
->Google Chrome cache emptied: 430812264 bytes
->Flash cache emptied: 680 bytes
User: Prova
->Temp folder emptied: 44419 bytes
->Temporary Internet Files folder emptied: 258 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 204208988 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 37460 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 79320084 bytes
RecycleBin emptied: 13730407266 bytes
Total Files Cleaned = 13.811,00 mb
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: Francesco
->Java cache emptied: 0 bytes
User: Prova
User: Public
Total Java Files Cleaned = 0,00 mb
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
Error: Unble to create default HOSTS file!
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: Francesco
->Flash cache emptied: 0 bytes
User: Prova
User: Public
Total Flash Files Cleaned = 0,00 mb
Error: Unable to interpret <[Reboot] - See more at: http://forum.zeusnews.com/viewtopic.php?p=616287#616287> in the current context!
OTL by OldTimer - Version 3.2.69.0 log created on 04052014_163417
Files\Folders moved on Reboot...
C:\Users\Francesco\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Francesco\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 05 Apr 2014 17:38

No luck, I have not solved it.
Everything as before.

R16 [Mature god]
Joined: 07/03/08 22:58   Posts: 10129
Posted: 05 Apr 2014 21:07

Download SystemLook:
link (for 32-bit OS)
link (for 64-bit OS)
Double-click SystemLook.exe to start it.
Copy the following code into the main window:
:filefind
Updater.vbe
wscript.exe
:regfind
Updater.vbe
Click Look and wait for the log, which will open on the desktop.
Post it here.

francescomi [Devoted mortal]
Joined: 05/04/14 12:53   Posts: 8
Posted: 11 Apr 2014 18:40

Solved. It is easily removed with Kaspersky. In case anyone should need it.
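The thread gives only two facts about the USB side: the files on the stick become shortcuts, and formatting does not help while the host is still infected (which is why R16 has the sticks formatted only after the host cleanup). The Python script below is an added example, not from the thread or from any of the tools it names. It triages a stick's root directory for the usual shortcut-worm layout, which the thread does not describe and is assumed here: the originals are still present but marked hidden+system, each is shadowed by a same-named .lnk whose target runs wscript/cscript/cmd, and the worm's script file sits on the stick. The .lnk test is a byte search for those target strings behind a Shell Link header check, not a full LNK parse; the temporary fake drive, its file names and contents are all constructed for the demo.

```python
"""Triage a USB stick rewritten by a shortcut worm, then put it back.

Added example, not from the thread. Assumes the usual shortcut-worm layout
(the thread does not describe it): originals still present but hidden+system,
each shadowed by a same-named .lnk whose target runs a script host, plus the
worm script itself on the stick. The .lnk check is a byte search for such
targets behind a LNK header check, not a full LNK parse.
"""
import ctypes
import shutil
import sys
import tempfile
from pathlib import Path

# Shell Link header: HeaderSize 0x0000004C, LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")
# strings a script-worm shortcut carries in its target path or arguments
TARGET_MARKERS = [b"wscript", b"cscript", b"cmd.exe", b"powershell", b".vbe", b".vbs"]
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd"}
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80


def lnk_markers(path: Path) -> list:
    """Markers found in a .lnk, matched as ASCII or UTF-16LE; [] if the file is not a LNK."""
    data = path.read_bytes()
    if not data.startswith(LNK_MAGIC):
        return []
    low = data.lower()   # bytes.lower() touches ASCII letters only, so UTF-16LE text lowers too
    return [m.decode() for m in TARGET_MARKERS
            if m in low or m.decode().encode("utf-16-le") in low]


def is_hidden_system(path: Path) -> bool:
    """True on Windows when the entry carries both hidden and system; always False elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)   # attribute only exists on Windows
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return (attrs & mask) == mask


def triage(root: Path) -> dict:
    """Classify the stick's top-level entries without changing anything."""
    report = {"suspicious_lnk": [], "scripts": [], "hidden_originals": [], "other": []}
    for p in sorted(root.iterdir()):
        ext = p.suffix.lower()
        if p.is_file() and ext == ".lnk" and lnk_markers(p):
            report["suspicious_lnk"].append(p)
        elif p.is_file() and ext in SCRIPT_EXTS:
            report["scripts"].append(p)
        elif is_hidden_system(p):
            report["hidden_originals"].append(p)
        else:
            report["other"].append(p)
    return report


def restore(root: Path, quarantine: Path) -> dict:
    """Quarantine the worm's shortcuts and scripts, then unhide the originals (Windows only)."""
    report = triage(root)
    quarantine.mkdir(parents=True, exist_ok=True)
    for p in report["suspicious_lnk"] + report["scripts"]:
        shutil.move(str(p), str(quarantine / p.name))
    if sys.platform == "win32":
        for p in report["hidden_originals"]:
            ctypes.windll.kernel32.SetFileAttributesW(str(p), FILE_ATTRIBUTE_NORMAL)
    return report


def build_sample_drive() -> Path:
    """Construct a fake infected stick in a temp dir; every file here is made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="usb-demo-"))
    (root / "report.docx").write_bytes(b"original document")
    # a shortcut of the worm's shape: LNK header, padding, then a UTF-16LE command line
    worm_lnk = LNK_MAGIC + b"\0" * 56 + "wscript.exe //B Updater.vbe".encode("utf-16-le")
    (root / "report.docx.lnk").write_bytes(worm_lnk)
    (root / "Updater.vbe").write_bytes(b"' placeholder standing in for the worm script\r\n")
    benign = LNK_MAGIC + b"\0" * 56 + r"C:\Program Files\Tool\tool.exe".encode("utf-16-le")
    (root / "benign.lnk").write_bytes(benign)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for kind, paths in triage(drive).items():
        print(kind, [p.name for p in paths])
    restore(drive, drive.with_name(drive.name + "-quarantine"))
    print("left on stick:", sorted(p.name for p in drive.iterdir()))
```

Run `triage()` first and read the report; `restore()` moves the flagged .lnk files and scripts into a quarantine directory and, on Windows, clears hidden+system on the remaining entries (elsewhere the attribute calls are skipped and hidden originals are simply not detected). Do this only after the host has been cleaned, since a still-infected host rewrites the stick as soon as it is plugged in, and on a machine where nothing on the stick gets double-clicked: the shortcuts are the infection vector. If the worm deleted the originals rather than hiding them, nothing here brings them back.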