
Possible Bagle worm



Re: Possible Bagle worm

Post by akrod80 » 12/05/08 21:29

Hi.

I have the same problem too: I can't install any antivirus, it keeps giving me error messages on a blue screen and my PC restarts. Since you managed to solve this for Stiff, can you help me too?
In the meantime I'm going ahead with the first link:
http://forum.wininizio.it/index.php?showtopic=36981&hl

but will it really take that long?
P.S. I have Vista. Does that make any difference?

Thanks, Akrod80
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21


Re: Possible Bagle worm

Post by Luke57 » 14/05/08 10:48

Hi, if you've done the scan, post the report.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 14/05/08 17:18

Here's the report:


Tuesday, May 13, 2008 6:56:20 AM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 765113


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 105027
Number of viruses found 7
Number of infected objects 30
Number of suspicious objects 0
Duration of the scan process 00:59:15

Infected Object Name Virus Name Last Action
C:\$RECYCLE.BIN\S-1-5-21-184211186-978450651-2080225839-1000\$RVV0BBO.rar/Setup + Patch.exe Infected: Trojan.Win32.Pakes.bzo skipped

C:\$RECYCLE.BIN\S-1-5-21-184211186-978450651-2080225839-1000\$RVV0BBO.rar CAB: infected - 1 skipped

C:\boot\bcd Object is locked skipped

C:\boot\BCD.LOG Object is locked skipped

C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.33 Infected: Trojan-Downloader.Win32.Bagle.ow skipped

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped

C:\ProgramData\CyberLink\TinyDB\EPGSignal Object is locked skipped

C:\ProgramData\CyberLink\TinyDB\Schedule Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\373f89741ab268343e295394d793e011_07147a92-0ac8-4099-8d20-c10030c80ec8 Object is locked skipped

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.69.Crwl Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.69.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.ci Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wsb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010022.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy24.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfA84F.tmp Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfA850.tmp Object is locked skipped

C:\SwSetup\MMFlash\Setup.exe Infected: Trojan-Clicker.MSIL.Xone.ai skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\Users\Doriana\AppData\Local\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\Working\database_3130_7CFE_75CA_8F4F\dfsr.db Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\Working\database_3130_7CFE_75CA_8F4F\fsr.log Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\Working\database_3130_7CFE_75CA_8F4F\fsrtmp.log Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Messenger\akrod80@hotmail.com\SharingMetadata\Working\database_3130_7CFE_75CA_8F4F\tmp.edb Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008051220080513\index.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EJR0M8C2\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNHK8QP5\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNHK8QP5\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNHK8QP5\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S1J933BS\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S1J933BS\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S1J933BS\b64_1[3].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S1J933BS\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T91I0AV1\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T91I0AV1\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T91I0AV1\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat{dba4aa51-e59f-11dc-ac2e-001b24e394ab}.TM.blf Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat{dba4aa51-e59f-11dc-ac2e-001b24e394ab}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows\UsrClass.dat{dba4aa51-e59f-11dc-ac2e-001b24e394ab}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows Live Contacts\akrod80@hotmail.com\real\members.stg Object is locked skipped

C:\Users\Doriana\AppData\Local\Microsoft\Windows Live Contacts\akrod80@hotmail.com\shadow\members.stg Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\ehmsas.txt Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\temp_01.exe Infected: Trojan.Win32.Agent.ecd skipped

C:\Users\Doriana\AppData\Local\Temp\~DF1DD3.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\~DF1DDF.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\~DF762A.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\~DF7634.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\~DF7D54.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\Temp\~DF7D5C.tmp Object is locked skipped

C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Pro.v7.1.405a.791.Multilangages.Incl-Keygen.zip/AVG.Anti-Virus.Pro.v7.1.405a.791.Multilangages.Incl-Keygen.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped

C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Pro.v7.1.405a.791.Multilangages.Incl-Keygen.zip ZIP: infected - 1 skipped

C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Professional.Edition.7.5_SERIAL.zip/AVG.Anti-Virus.Professional.Edition.7.5_SERIAL.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped

C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Professional.Edition.7.5_SERIAL.zip ZIP: infected - 1 skipped

C:\Users\Doriana\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Doriana\ntuser.dat Object is locked skipped

C:\Users\Doriana\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Doriana\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Doriana\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Users\Doriana\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Doriana\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\COMPONENTS Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped

C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped

C:\Windows\System32\config\RegBack\SAM Object is locked skipped

C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped

C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped

C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped

C:\Windows\System32\config\SAM Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\SECURITY Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\SOFTWARE Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\SYSTEM Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1 Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat.LOG2 Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat{75702a57-6507-11da-810d-806e6f6e6963}.TM.blf Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat{75702a57-6507-11da-810d-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\systemprofile\ntuser.dat{75702a57-6507-11da-810d-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{5f014c7c-1f6c-11dd-ba33-001b24e394ab}.TxR.0.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{5f014c7c-1f6c-11dd-ba33-001b24e394ab}.TxR.1.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{5f014c7c-1f6c-11dd-ba33-001b24e394ab}.TxR.2.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{5f014c7c-1f6c-11dd-ba33-001b24e394ab}.TxR.blf Object is locked skipped

C:\Windows\System32\drivers\downld\1196480.exe Infected: Email-Worm.Win32.Bagle.vr skipped

C:\Windows\System32\drivers\downld\1392917.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Windows\System32\drivers\downld\1462743.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Windows\System32\drivers\downld\151320.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Windows\System32\drivers\downld\641554.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Windows\System32\drivers\downld\75504.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped

C:\Windows\System32\drivers\mdelk.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Object is locked skipped

C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped

C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped

C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped

C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.003 Object is locked skipped

C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped

C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

C:\Windows\System32\WinPrint.exe Infected: Trojan.Win32.Pakes.bzo skipped

C:\Windows\System32\WINTEMS.EXE.VIR.VIR Infected: Email-Worm.Win32.Bagle.of skipped

C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped

D:\System Volume Information\Desktop.ini Object is locked skipped

D:\System Volume Information\Folder.htt Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\Protect.ed Object is locked skipped

Scan process completed.
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21
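Added here as an editor's example (not code from the thread or from Kaspersky): a parser for the report format posted above. It splits the "Infected:", "CAB:/ZIP: infected" and "Object is locked" line shapes, cross-checks the Scan Statistics counters against the listed objects, and lists the Bagle files whose last action was "skipped", since the online scanner only reports and removes nothing. The embedded input is an excerpt of the report with a statistics block constructed to match it.

```python
import re
from collections import Counter

# Excerpt of the Kaspersky Online Scanner report posted above (paths copied from
# the page); the Scan Statistics block is constructed to match this excerpt.
SAMPLE_REPORT = r"""
Scan Statistics
Total number of scanned objects 105027
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\$RECYCLE.BIN\S-1-5-21-184211186-978450651-2080225839-1000\$RVV0BBO.rar/Setup + Patch.exe Infected: Trojan.Win32.Pakes.bzo skipped
C:\$RECYCLE.BIN\S-1-5-21-184211186-978450651-2080225839-1000\$RVV0BBO.rar CAB: infected - 1 skipped
C:\boot\bcd Object is locked skipped
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped
C:\Windows\System32\drivers\mdelk.exe Infected: Trojan-Downloader.Win32.Bagle.ow skipped
C:\Windows\System32\WINTEMS.EXE.VIR.VIR Infected: Email-Worm.Win32.Bagle.of skipped
Scan process completed.
"""

# One pattern per line shape that occurs in the report body.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
STAT_RE = re.compile(
    r"^(?P<key>Number of (?:viruses found|infected objects|suspicious objects)"
    r"|Total number of scanned objects) (?P<value>\d+)$")


def parse_report(text):
    """Split a report into detections, flagged archives, locked objects and counters."""
    parsed = {"detections": [], "containers": [], "locked": [], "stats": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            parsed["detections"].append((m["path"], m["name"], m["action"]))
        elif m := CONTAINER_RE.match(line):
            parsed["containers"].append((m["path"], m["kind"], int(m["count"]), m["action"]))
        elif m := LOCKED_RE.match(line):
            parsed["locked"].append(m["path"])
        elif m := STAT_RE.match(line):
            parsed["stats"][m["key"]] = int(m["value"])
    return parsed


def family_summary(parsed):
    """Number of flagged objects per signature name."""
    return Counter(name for _, name, _ in parsed["detections"])


def stats_consistent(parsed):
    """Check the header counters against the listed objects.

    The scanner counts a flagged archive as an infected object in addition to
    its infected member, and 'viruses found' is the number of distinct names
    (the full report above: 27 members + 3 archives = 30, 7 distinct names).
    """
    stats = parsed["stats"]
    objects = len(parsed["detections"]) + len(parsed["containers"])
    names = len({name for _, name, _ in parsed["detections"]})
    return (stats.get("Number of infected objects") == objects
            and stats.get("Number of viruses found") == names)


def untreated_paths(parsed, family="Bagle"):
    """Files matching a family whose last action was 'skipped', i.e. still on disk.

    The online scanner only reports, so these are the paths a cleanup step has
    to deal with; they are the ones the removal scripts in this thread target.
    """
    return sorted(path for path, name, action in parsed["detections"]
                  if family in name and action == "skipped")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("counters consistent:", stats_consistent(report))
    for name, count in family_summary(report).most_common():
        print(f"{count:3d}  {name}")
    print("Bagle files left on disk:")
    for path in untreated_paths(report):
        print("  ", path)
```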

Re: Possible Bagle worm

Post by Luke57 » 15/05/08 11:18

Hi, disable System Restore; you'll find how in the forum if you don't already know. Anyway: right-click on My Computer > Properties > System Restore, tick "Turn off System Restore....." > OK.

Then go here:
http://www.wikifortio.com/972370/pele86.rar
download the file (it's avenger, renamed), unpack it, run it,
and in the white box under "Input script here" copy and paste this script:

Files to delete:
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\System32\mdelk.exe
C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Pro.v7.1.405a.791.Multilangages.Incl-Keygen.zip
C:\WINDOWS\system32\drivers\mdelk.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Users\Doriana\AppData\Local\VirtualStore\Program Files\eMule\Incoming\AVG.Anti-Virus.Professional.Edition.7.5_SERIAL.zip

folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\temp
C:\WINDOWS\Tasks
C:\WINDOWS\system32\drivers\downld
C:\Users\Doriana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Doriana\AppData\Local\Temp
C:\Muestras


registry keys to delete:
HKEY_LOCAL_MACHINE\system\ControlSet003\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32


Once that's done, click the Execute button


The PC should restart by itself; if it doesn't, restart it manually.
Then attach the log generated by avenger; you'll find it at C:\avenger.txt, it's a text file.


After the reboot, also download ATF Cleaner
http://www.atribune.org/ccount/click.php?id=1
Start ATF Cleaner.exe with a double click
- click on the Main menu
- tick the Select All box
- click the Empty Selected button
- wait for the Done Cleaning notice.
(if you don't want to delete your passwords, untick that)
(if you use Opera or Firefox, tick their sections too)

Then re-enable System Restore by removing the tick you set earlier, with the same procedure.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 16/05/08 10:43

Hi,

I wasn't able to do what you suggested:

Since I have Vista, I don't have My Computer, so to disable System Restore I right-clicked on Computer > Properties > Advanced system settings (I don't remember if that's exactly what the entry is called) > System Restore > I turned it off for C:

I think that this way I've disabled System Restore.
Afterwards, when I tried to run the script, it wouldn't let me continue, giving me an error message which, if I remember correctly, said that the command to run the script was not correct.

Sorry I haven't been precise, but I don't have the laptop in front of me and I'm writing from work. I just wanted to get ahead.
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 16/05/08 11:40

Hi, for System Restore see here:
http://www.p2pforum.it/forum/showthread.php?t=203477
for the script, after pasting it into the white box, delete the first line and retype it yourself:

files to delete:
then press execute.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 16/05/08 19:23

No luck.
I pasted it, deleted the first line "files to delete" and retyped it, and it gives me the following error:

---------------------------
Error
---------------------------
Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!
---------------------------
OK
---------------------------


P.S. There are two checkboxes under the white box, one ticked by default (Scan for rootkits). I left it as it was.
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21
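An added check, written for this page and not Avenger's own parser, for the error shown above: it applies the one rule the dialog states, that the script must begin with a command directive, and also reports duplicate entries and any character outside printable ASCII, the kind of thing a copy-paste from a browser can introduce. Treating directive names as case-insensitive and skipping leading blank lines are assumptions; the sample with a no-break space in front of the first line is constructed to show how such a script fails the check.

```python
import unicodedata

# Section headers used by the Avenger scripts in this thread. Matching them
# case-insensitively is an assumption, not a documented Avenger rule.
DIRECTIVES = ("files to delete:", "folders to delete:", "registry keys to delete:")

# Shortened from the first script posted in this thread (lines copied from the
# page); the repeated mdelk.exe entry is present in the original as well.
PASTED_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\mdelk.exe

folders to delete:
C:\WINDOWS\system32\drivers\downld
C:\Muestras

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
"""

# Constructed: the same text with a no-break space (U+00A0) glued to the front
# of the first line, the kind of character a browser copy-paste can carry over.
PASTED_WITH_NBSP = "\u00a0" + PASTED_SCRIPT


def invisible_chars(line):
    """(position, Unicode name) of every character outside printable ASCII."""
    return [(i, unicodedata.name(ch, "U+%04X" % ord(ch)))
            for i, ch in enumerate(line) if not 32 <= ord(ch) <= 126]


def parse_script(text):
    """Parse an Avenger-style script into {directive: [entries]} plus problems.

    Applies the one rule the error dialog states: the first non-blank line must
    be a command directive. Only ASCII blanks are stripped, so a stray non-ASCII
    character leaves the line unrecognised, as it would for a strict parser.
    Parsing stops at the first fatal problem, like Avenger's "Aborting execution!".
    """
    sections, problems, current = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        hidden = invisible_chars(line)
        if hidden:
            problems.append(f"line {lineno}: invisible character(s) {hidden}")
        stripped = line.strip(" \t\r")
        if not stripped:
            continue
        key = stripped.lower()
        if key in DIRECTIVES:
            current = key
            sections.setdefault(current, [])
        elif current is None:
            problems.append(f"line {lineno}: script must begin with a command "
                            f"directive, got {stripped!r}")
            break
        elif stripped in sections[current]:
            problems.append(f"line {lineno}: duplicate entry {stripped!r} under {current!r}")
        else:
            sections[current].append(stripped)
    return sections, problems


def script_ok(text):
    """Go/no-go: at least one section and no reported problems."""
    sections, problems = parse_script(text)
    return bool(sections) and not problems


if __name__ == "__main__":
    for label, script in (("as pasted", PASTED_SCRIPT), ("with NBSP", PASTED_WITH_NBSP)):
        sections, problems = parse_script(script)
        print(f"[{label}] ok={script_ok(script)} sections={list(sections)}")
        for p in problems:
            print("   ", p)
```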

Re: Possible Bagle worm

Post by Luke57 » 17/05/08 08:37

Hi, try again several times. If it doesn't work, let me know.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 17/05/08 13:04

OK. Done.
Posting the log.
Attachments

[The txt extension has been disabled and cannot be displayed.]

akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 17/05/08 14:31

Hi, download elibagla:
http://www.zonavirus.com/datos/descarga ... ibagla.asp
at the bottom of the page, tick the box "elimina ficheros automaticamente..", click on explorar. When it's finished, attach the log C:\infosat.txt.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 17/05/08 14:37

OK, I'm doing it, but it gives me the following message after explorar:
---------------------------
ELIBAGLA.BF%D8EB%D8%D8H[1]
---------------------------
Acceso denegado a la carpeta:
C:\$RECYCLE.BIN\S-1-5-21-184211186-978450651-2080225839-500 (22)
---------------------------
OK
---------------------------
I click OK and continue.
It gives me
---------------------------
ELIBAGLA.BF%D8EB%D8%D8H[1]
---------------------------
Acceso denegado a la carpeta:
C:\$RECYCLE.BIN\S-1-5-21-2004131458-2375346887-250727269-500 (22)
---------------------------
ELIBAGLA.BF%D8EB%D8%D8H[1]
---------------------------
Acceso denegado a la carpeta:
C:\\MSOCache (8211)
---------------------------
ELIBAGLA.BF%D8EB%D8%D8H[1]
---------------------------
Acceso denegado a la carpeta:
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys (16)
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 17/05/08 14:44

Post everything when it's finished.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 17/05/08 14:50

Sorry, I sent the message without meaning to.
I stopped pasting all the access denied messages because there must have been at least 20, and I think they can be worked out from the log...
Attachments

[The txt extension has been disabled and cannot be displayed.]

akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 17/05/08 15:38

Hi, something doesn't add up: the report shows the date of 12 May. Try running the elibagla scan again.

Also run avenger with this script:

files to delete:
C:\Windows\System32\WINTEMS.EXE.VIR.VIR
C:\Windows\System32\WINTEMS.EXE.VIR
C:\Windows\System32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

folders to delete:
C:\Windows\System32\drivers\downld

registry keys to delete:
HKEY_LOCAL_MACHINE\system\ControlSet003\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 17/05/08 19:08

Yes, you're right.
Basically, as I also wrote at the start of my contribution here, I tried to run the commands you had given Stiff before asking for advice. So the file is from the scan I had already done on the 12th. In fact, I redid it this evening and it gives me 0 infected files, whereas on the 12th it gave me 10.
Meanwhile I'm re-attaching the avenger file with the new commands.
Attachments

[The txt extension has been disabled and cannot be displayed.]

akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 17/05/08 21:22

Hi, now download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the internet

Run the file ComboFix.exe
Type 1 to start the tool (don't do anything else during the scan; if the desktop icons disappear, that's normal)
Follow the instructions and at the end a log will be generated.
reconnect and post the report (C:\combofix.txt)
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 18/05/08 18:27

Hi, I'm attaching the log.
Attachments

[The txt extension has been disabled and cannot be displayed.]

akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by Luke57 » 19/05/08 09:40

Hi, there's no trace of bagle; copy this code:

registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= -

paste it into a text file (start > run > notepad.exe > OK), save the file, which must be named CFScript.txt, and drag it with the mouse pointer onto the combofix icon for a new scan.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by akrod80 » 20/05/08 18:36

Hi, I did what you told me, although for the first part I got some help. They copied that code into a text file as you said and sent it to me. I dragged it onto the Combofix icon and here's the report.
Just one thing: the recommendation before the scan, in the combofix window, is to close all the other windows. I can't close the one with the following message. And when I do, it reappears immediately:

Winprint
---------------------------
Patch applied succesfully! If your software is still trial maybe you need to install it before patch it.
---------------------------
OK
---------------------------

It got downloaded when I used eMule to download a file named ESET NOD32, convinced it was a file needed for the antivirus, since I couldn't install it. Apparently not.
Attachments

[The txt extension has been disabled and cannot be displayed.]

akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21

Re: Possible Bagle worm

Post by akrod80 » 23/05/08 21:28

I think I've solved the problem of the message that came up every time I turned the computer on this way. Now I've tried to install Avira, but it won't let me do the updates because it's a trial version.
Any advice, or a link where I can download an antivirus?

Thanks.
akrod80
Junior Member

Posts: 11
Joined: 12/05/08 21:21
