Page 1 of 3
Showing results 1 to 10 of 29
  1. #1

    HELP: Email-Worm.Win32.Bagle.of ---- mdelk.exe

    I urgently need your help.
    Last night the PC was slowed down to the nth degree (it still is!!!). I followed the instructions in the forum guide, and the Kaspersky online scanner found this virus: "mdelk.exe", "Email-Worm.Win32.Bagle.of", so I decided to ask you for help.

    Some of the problems I've run into are these:
    The antivirus won't start
    The firewall won't start
    I can't get you the HijackThis log, because the program won't start.
    Safe mode doesn't work.

    Please help me!!!

  2. #2
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)
    Download EliBagle, run it and click "Explorar"; restart the PC when it finishes. Post the report (C:\Infosat.txt)

  3. #3
    The PC is slightly better, although I think there are still problems; in fact the PC sometimes crashes (the problem is srosa.sys) and, every time it restarts, a window opens asking "Select file to crack" (Task Manager tells me it's wintems.exe).
    Here is the EliBagle log:

    Fri Mar 21 14:39:30 2008
    EliBagle v11.18 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    List of actions (by scan):
    Scanning drive C:\
    C:\WINDOWS\system32\MDELK.EXE --> Access denied, Bagle (Restart to complete the cleanup)
    C:\Muestras\WINTEMS.EXE.MUESTRA ELIBAGLE V10.87 --> Bagle removed
    C:\Muestras\SROSA.SYS.MUESTRA ELIBAGLE V10.87 --> Bagle (rootkit) removed

    Total directories: 10284
    Total files: 100837
    Files scanned: 13305
    Files infected: 3
    Files cleaned: 3

  4. #4
    I think there's also this:

    Fri Mar 21 15:14:19 2008
    EliBagle v11.18 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    List of actions (by direct action):
    C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle, access denied.
    C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Bagle removed
    C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit), access denied.
    Please send us a sample of the file
    C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.18
    to "virus@satinfo.es". Thank you.
    C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle, access denied.
    Restart to complete the cleanup.

  5. #5
    Deifobe
    Did you restart after the scan?

    Download
    Avenger
    and see if you can run it. If so, copy/paste this script into the white box:
    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    files to delete:
    C:\WINDOWS\system32\drivers\hidr.exe
    C:\WINDOWS\system32\drivers\hidrrr.exe
    C:\WINDOWS\system32\drivers\hldrrr.ex_
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\drivers\klif.sys
    C:\WINDOWS\system32\drivers\pci32.sys
    C:\WINDOWS\system32\wintems.exe
    c:\WINDOWS\system32\hlpuybtr.exe
    C:\WINDOWS\system32\hldrrr.exe
    C:\WINDOWS\system32\trusted.exe
    C:\WINDOWS\system32\mdelk.exe
    c:\Documents and Settings\user\Dati applicazioni\hidires\m_hook.sys
    c:\Documents and Settings\user\Dati applicazioni\hidires\hidr.exe
    c:\Documents and Settings\user\Dati applicazioni\hidires\srosa.sys
    c:\Documents and Settings\user\Dati applicazioni\hidn\hidn2.exe
    c:\Documents and Settings\user\Dati applicazioni\hidn\hldrrr.exe
    c:\Documents and Settings\user\Dati applicazioni\m\data.oct
    c:\Documents and Settings\user\Dati applicazioni\m\flec006.exe

    folders to delete:
    c:\WINDOWS\exefld
    c:\WINDOWS\exefnd
    C:\WINDOWS\exefqd
    C:\WINDOWS\system32\drivers\down
    c:\Documents and Settings\user\Dati applicazioni\hidires
    c:\Documents and Settings\user\Dati applicazioni\hidn

    drivers to disable:
    m_hook
    pci32
    srosa

    drivers to delete:
    m_hook
    pci32
    srosa

    registry values to delete:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
    (Edit it, putting your own username in place of "user". Leave no spaces.)

    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should restart on its own; otherwise restart it yourself. Post the report it produces.

    If instead it doesn't work, boot into safe mode, show hidden files, and find and manually delete the files and folders listed in the script (you won't have all of them).
    Then download Kaspersky_trial and see if it lets you install it. If so, run a scan (you need to update it first).

    ciao

  6. #6
    I ran Avenger; when the PC came back up it gave me an error about isass.exe; then it restarted on its own, and after that everything was fine. Anyway, the window that used to open at Windows startup is gone now; a good sign...
    Log:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "C:\WINDOWS\system32\drivers\hidr.exe" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\hidr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\hidrrr.exe" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\hidrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\hldrrr.ex_" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.ex_" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\hldrrr.exe" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\klif.sys" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\klif.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\pci32.sys" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\pci32.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\wintems.exe" not found!
    Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "c:\WINDOWS\system32\hlpuybtr.exe" not found!
    Deletion of file "c:\WINDOWS\system32\hlpuybtr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\hldrrr.exe" not found!
    Deletion of file "C:\WINDOWS\system32\hldrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\trusted.exe" not found!
    Deletion of file "C:\WINDOWS\system32\trusted.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
    Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\m_hook.sys"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\m_hook.sys" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\hidr.exe"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\hidr.exe" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\srosa.sys"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires\srosa.sys" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hidn2.exe"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hidn2.exe" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hldrrr.exe"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hldrrr.exe" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\m\data.oct"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\m\data.oct" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\m\flec006.exe"
    Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\m\flec006.exe" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: folder "c:\WINDOWS\exefld" not found!
    Deletion of folder "c:\WINDOWS\exefld" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "c:\WINDOWS\exefnd" not found!
    Deletion of folder "c:\WINDOWS\exefnd" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "C:\WINDOWS\exefqd" not found!
    Deletion of folder "C:\WINDOWS\exefqd" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Folder "C:\WINDOWS\system32\drivers\down" deleted successfully.

    Error: could not open folder "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires"
    Deletion of folder "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidires" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open folder "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn"
    Deletion of folder "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Error: could not open driver "m_hook"
    Disablement of driver "m_hook" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: could not open driver "pci32"
    Disablement of driver "pci32" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: could not open driver "srosa"
    Disablement of driver "srosa" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\m_hook" not found!
    Deletion of driver "m_hook" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\pci32" not found!
    Deletion of driver "pci32" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\srosa" not found!
    Deletion of driver "srosa" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

    Error: could not delete registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr"
    Deletion of registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

  7. #7
    Deifobe
    Hmm, no...
    Re-run the script with this avenger5.zip. It's ready, you don't need to edit it.

    Run Avenger, select the "Input Script Manually" option and click the magnifying glass. In the white box, copy/paste:
    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    Files to delete:
    C:\WINDOWS\system32\drivers\hidr.exe
    C:\WINDOWS\system32\drivers\hidrrr.exe
    C:\WINDOWS\system32\drivers\hldrrr.ex_
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\drivers\klif.sys
    C:\WINDOWS\system32\drivers\pci32.sys
    C:\WINDOWS\system32\wintems.exe
    c:\WINDOWS\system32\hlpuybtr.exe
    C:\WINDOWS\system32\hldrrr.exe
    C:\WINDOWS\system32\trusted.exe
    C:\WINDOWS\system32\mdelk.exe
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\m_hook.sys
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\hidr.exe
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\srosa.sys
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hidn2.exe
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hldrrr.exe
    c:\Documents and Settings\Futurella\Dati applicazioni\m\data.oct
    c:\Documents and Settings\Futurella\Dati applicazioni\m\flec006.exe

    folders to delete:
    c:\WINDOWS\exefld
    c:\WINDOWS\exefnd
    C:\WINDOWS\exefqd
    C:\WINDOWS\system32\drivers\down
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn

    registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\m_hook
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\m_hook
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci32
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pci32
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pci32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
    Click the "Done" button, then the green traffic light.
    Answer Yes twice.
    The PC should restart on its own; otherwise restart it yourself.

    Run a scan with Kaspersky_virusscanner, save and post the report. You can disconnect the PC from the internet after selecting "My Computer". NB: Kaspersky does not remove the infected files.. we'll do that as soon as you post the report.

    Once that's done, try reinstalling your antivirus.
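The two Avenger scripts above (posts #5 and #7) double as a list of the artefacts this Bagle variant leaves behind: dropped files under system32 and the per-user application-data folder, the m_hook/pci32/srosa driver services, the hldrrr Run value and a hijacked AppInit_DLLs. What follows is an added example, not code from the thread or from The Avenger: a Python audit that reports which of those indicators are present on a host. The checks are passed in as callables so the logic runs, and can be tested, off the infected box; the Windows implementations at the end use os.path and winreg. %SystemRoot% and %APPDATA% are assumptions standing in for C:\WINDOWS and the Italian "Dati applicazioni" folder seen in the thread, and klif.sys is left out of the list because that file name belongs to Kaspersky's own filter driver.

```python
"""Audit a Windows box for the Bagle artefacts named in the Avenger scripts
of posts #5 and #7.  Added example, not code from the thread or The Avenger.
Checks are injected as callables so the logic runs (and can be tested) off
the infected machine; the os/winreg implementations at the bottom are the
obvious ones and only run on Windows."""
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

# Indicators transcribed from the two scripts.  %SystemRoot% stands for
# C:\WINDOWS and %APPDATA% for the user's "Dati applicazioni" folder (both
# assumptions).  klif.sys is deliberately omitted: that name belongs to
# Kaspersky's own filter driver, so its presence alone proves nothing.
FILE_IOCS = [
    r"%SystemRoot%\system32\drivers\hidr.exe",
    r"%SystemRoot%\system32\drivers\hidrrr.exe",
    r"%SystemRoot%\system32\drivers\hldrrr.exe",
    r"%SystemRoot%\system32\drivers\srosa.sys",
    r"%SystemRoot%\system32\drivers\pci32.sys",
    r"%SystemRoot%\system32\wintems.exe",
    r"%SystemRoot%\system32\hlpuybtr.exe",
    r"%SystemRoot%\system32\hldrrr.exe",
    r"%SystemRoot%\system32\trusted.exe",
    r"%SystemRoot%\system32\mdelk.exe",
    r"%APPDATA%\hidires\m_hook.sys",
    r"%APPDATA%\hidires\hidr.exe",
    r"%APPDATA%\hidires\srosa.sys",
    r"%APPDATA%\hidn\hidn2.exe",
    r"%APPDATA%\hidn\hldrrr.exe",
    r"%APPDATA%\m\data.oct",
    r"%APPDATA%\m\flec006.exe",
]
FOLDER_IOCS = [
    r"%SystemRoot%\exefld", r"%SystemRoot%\exefnd", r"%SystemRoot%\exefqd",
    r"%SystemRoot%\system32\drivers\down",
    r"%APPDATA%\hidires", r"%APPDATA%\hidn",
]
SERVICE_IOCS = ["m_hook", "pci32", "srosa"]   # kernel drivers, srosa is the rootkit
RUN_VALUE_IOCS = ["hldrrr"]                   # HKLM\...\CurrentVersion\Run value


@dataclass
class Finding:
    kind: str        # file / folder / service / run_value / appinit
    target: str
    detail: str = ""


def expand(template: str, env: Dict[str, str]) -> str:
    """Substitute %NAME% placeholders from env, case-insensitively like cmd.exe."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), template)


def audit(env: Dict[str, str],
          path_exists: Callable[[str], bool],
          service_exists: Callable[[str], bool],
          run_values: Dict[str, str],
          appinit_dlls: str) -> List[Finding]:
    """Return one Finding per indicator that is present."""
    findings: List[Finding] = []
    for kind, templates in (("file", FILE_IOCS), ("folder", FOLDER_IOCS)):
        for template in templates:
            path = expand(template, env)
            if path_exists(path):
                findings.append(Finding(kind, path))
    for name in SERVICE_IOCS:
        if service_exists(name):
            findings.append(Finding("service", name))
    for name, command in run_values.items():
        if name.lower() in RUN_VALUE_IOCS:
            findings.append(Finding("run_value", name, command))
    # The scripts blank AppInit_DLLs because Bagle uses it to load into every
    # process; on a home XP install the value is normally empty.
    if appinit_dlls.strip():
        findings.append(Finding("appinit", "AppInit_DLLs", appinit_dlls.strip()))
    return findings


def _win_service_exists(name: str) -> bool:
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services" + "\\" + name))
        return True
    except OSError:
        return False


def _win_values(subkey: str) -> Dict[str, str]:
    import winreg
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except OSError:
        pass
    return values


def audit_local_windows() -> List[Finding]:
    env = {"SystemRoot": os.environ.get("SystemRoot", r"C:\WINDOWS"),
           "APPDATA": os.environ.get("APPDATA", "")}
    run = _win_values(r"Software\Microsoft\Windows\CurrentVersion\Run")
    windows = _win_values(r"Software\Microsoft\Windows NT\CurrentVersion\Windows")
    return audit(env, os.path.exists, _win_service_exists, run,
                 windows.get("AppInit_DLLs", ""))


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being inspected")
    for f in audit_local_windows():
        print(f"{f.kind:10} {f.target} {f.detail}")
```

One caveat a practitioner would add: while the srosa driver is still registered, the file checks only see what the rootkit lets them see, so treat an empty file list as inconclusive until the service and LEGACY_SROSA keys are confirmed gone.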

  8. #8
    This is the Avenger log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\grwlpcbm

    *******************

    Script file located at: \??\C:\WINDOWS\system32\atdacugw.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\drivers\hidr.exe not found!
    Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\hidr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\hidrrr.exe not found!
    Deletion of file C:\WINDOWS\system32\drivers\hidrrr.exe failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\hidrrr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\hldrrr.ex_ not found!
    Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\hldrrr.ex_
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\hldrrr.exe not found!
    Deletion of file C:\WINDOWS\system32\drivers\hldrrr.exe failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\hldrrr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\srosa.sys not found!
    Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\srosa.sys
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\klif.sys not found!
    Deletion of file C:\WINDOWS\system32\drivers\klif.sys failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\klif.sys
    Status: 0xc0000034



    File C:\WINDOWS\system32\drivers\pci32.sys not found!
    Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

    Could not process line:
    C:\WINDOWS\system32\drivers\pci32.sys
    Status: 0xc0000034



    File C:\WINDOWS\system32\wintems.exe not found!
    Deletion of file C:\WINDOWS\system32\wintems.exe failed!

    Could not process line:
    C:\WINDOWS\system32\wintems.exe
    Status: 0xc0000034



    File c:\WINDOWS\system32\hlpuybtr.exe not found!
    Deletion of file c:\WINDOWS\system32\hlpuybtr.exe failed!

    Could not process line:
    c:\WINDOWS\system32\hlpuybtr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\hldrrr.exe not found!
    Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

    Could not process line:
    C:\WINDOWS\system32\hldrrr.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\trusted.exe not found!
    Deletion of file C:\WINDOWS\system32\trusted.exe failed!

    Could not process line:
    C:\WINDOWS\system32\trusted.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\mdelk.exe not found!
    Deletion of file C:\WINDOWS\system32\mdelk.exe failed!

    Could not process line:
    C:\WINDOWS\system32\mdelk.exe
    Status: 0xc0000034



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\m_hook.sys for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\m_hook.sys failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\m_hook.sys
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\hidr.exe for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\hidr.exe failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\hidr.exe
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\srosa.sys for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\hidires\srosa.sys failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires\srosa.sys
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hidn2.exe for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hidn2.exe failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hidn2.exe
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hldrrr.exe for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hldrrr.exe failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn\hldrrr.exe
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\m\data.oct for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\m\data.oct failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\m\data.oct
    Status: 0xc000003a



    Could not open file c:\Documents and Settings\Futurella\Dati applicazioni\m\flec006.exe for deletion
    Deletion of file c:\Documents and Settings\Futurella\Dati applicazioni\m\flec006.exe failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\m\flec006.exe
    Status: 0xc000003a



    Folder c:\WINDOWS\exefld not found!
    Deletion of folder c:\WINDOWS\exefld failed!

    Could not process line:
    c:\WINDOWS\exefld
    Status: 0xc0000034



    Folder c:\WINDOWS\exefnd not found!
    Deletion of folder c:\WINDOWS\exefnd failed!

    Could not process line:
    c:\WINDOWS\exefnd
    Status: 0xc0000034



    Folder C:\WINDOWS\exefqd not found!
    Deletion of folder C:\WINDOWS\exefqd failed!

    Could not process line:
    C:\WINDOWS\exefqd
    Status: 0xc0000034

    Folder C:\WINDOWS\system32\drivers\down deleted successfully.


    Folder c:\Documents and Settings\Futurella\Dati applicazioni\hidires not found!
    Deletion of folder c:\Documents and Settings\Futurella\Dati applicazioni\hidires failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidires
    Status: 0xc0000034



    Folder c:\Documents and Settings\Futurella\Dati applicazioni\hidn not found!
    Deletion of folder c:\Documents and Settings\Futurella\Dati applicazioni\hidn failed!

    Could not process line:
    c:\Documents and Settings\Futurella\Dati applicazioni\hidn
    Status: 0xc0000034



    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\m_hook not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\m_hook failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\m_hook
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet002\Services\m_hook not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\system\ControlSet002\Services\m_hook failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\m_hook
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci32 not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci32 failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci32
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pci32 not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pci32 failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pci32
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pci32 not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pci32 failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pci32
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\system\ControlSet002\Services\srosa deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
    Status: 0xc0000034

    Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
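Both Avenger logs above (posts #6 and #8) are long because every line of the script produces a result, and most of the "failed!" lines only mean the object was already gone. The following added example (not part of the thread or of The Avenger) parses either log format into per-action results, decodes the NTSTATUS codes that appear in the thread, and separates what still needs attention from what was simply absent. It also catches the mistake the first run hit: the [red]...[/red] forum tags pasted literally into the paths, which fail with STATUS_OBJECT_NAME_INVALID because "/" is not a legal character in an NT path. The log format is inferred from the two posted logs, and the sample below is constructed from excerpts of them, with one access-denied case added to show that branch.

```python
"""Triage a log from The Avenger (posts #6 and #8 above): classify each
scripted action as done / already absent / needs attention.  Added example,
not part of the thread or of The Avenger; the log format is inferred from
the two posted logs and SAMPLE_LOG is constructed from excerpts of them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# NTSTATUS codes seen in the thread, plus the one a still-locked object returns.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}
ABSENT = {0xC0000034, 0xC000003A}

# Avenger 2.0 quotes the target, version 1 does not; the line endings match.
FAIL = re.compile(r'^(Deletion|Disablement) of (file|folder|driver|registry key|registry value) "?(.+?)"? failed!$')
OK = re.compile(r'^(File|Folder|Driver|Registry key|Registry value) "?(.+?)"? (deleted|disabled|replaced with dummy) successfully\.$')
STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})")
BBCODE = re.compile(r"\[/?[A-Za-z]+\]")      # e.g. [red] ... [/red] pasted literally
VERB = {"Deletion": "delete", "Disablement": "disable",
        "deleted": "delete", "disabled": "disable", "replaced with dummy": "replace"}


@dataclass
class Result:
    action: str
    kind: str
    target: str
    ok: bool
    status: Optional[int] = None

    @property
    def status_name(self) -> str:
        if self.status is None:
            return ""
        return NTSTATUS.get(self.status, "unknown NTSTATUS")


def parse_avenger_log(text: str) -> List[Result]:
    """One Result per scripted action; a failure picks up the next Status: line."""
    results: List[Result] = []
    pending: Optional[Result] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAIL.match(line)
        if m:
            pending = Result(VERB[m.group(1)], m.group(2), m.group(3), ok=False)
            results.append(pending)
            continue
        m = OK.match(line)
        if m:
            results.append(Result(VERB[m.group(3)], m.group(1).lower(), m.group(2), ok=True))
            pending = None
            continue
        m = STATUS.match(line)
        if m and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return results


def explain(r: Result) -> str:
    if r.ok:
        return "done"
    if r.status in ABSENT:
        return "not present: already removed or never on this machine"
    if r.status == 0xC0000033:
        if BBCODE.search(r.target):
            return "forum tag pasted literally into the path ('/' is illegal in an NT name): fix the script and rerun"
        return "name rejected by the object manager: check the path for typos"
    if r.status == 0xC0000022:
        return "access denied: object still protected (rootkit hook or open handle), re-run after the rootkit scan"
    return "failed with %s" % (r.status_name or "no status reported")


def summarize(results: List[Result]) -> Dict[str, object]:
    ok = sum(1 for r in results if r.ok)
    absent = sum(1 for r in results if not r.ok and r.status in ABSENT)
    attention = [r.target for r in results if not r.ok and r.status not in ABSENT]
    return {"ok": ok, "absent": absent, "needs_attention": attention}


# Constructed sample: excerpts of the 2.0 and version-1 logs above, plus one
# access-denied line for wintems.exe (EliBagle reported it as access denied).
SAMPLE_LOG = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46
Beginning to process script file:

Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hldrrr.exe"
Deletion of file "c:\Documents and Settings\[red]Futurella[/red]\Dati applicazioni\hidn\hldrrr.exe" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name

Folder "C:\WINDOWS\system32\drivers\down" deleted successfully.

Error: could not open driver "srosa"
Disablement of driver "srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000022

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for r in parsed:
        print(f"{r.action:8} {r.kind:15} {r.status_name:30} {explain(r)}\n    {r.target}")
    print(summarize(parsed))
```

Read the "needs_attention" list first: in the thread's first run every per-user path landed there with STATUS_OBJECT_NAME_INVALID, which is exactly the symptom of a script edited by hand rather than the one the helper re-posted ready to paste.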

  9. #9
    I think CTZDetect.exe is a false positive (it's part of a Creative program I installed a few months ago)

    Kaspersky report:

    KASPERSKY ONLINE SCANNER REPORT
    Saturday, March 22, 2008 1:45:02 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 22/03/2008
    Kaspersky Anti-Virus database records: 654440


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\
    H:\

    Scan Statistics
    Total number of scanned objects 106426
    Number of viruses found 2
    Number of infected objects 5
    Number of suspicious objects 0
    Duration of the scan process 01:54:32

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\WindowsPowerShell.evt Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.da t Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.da t Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Temp\usgthrsvc\ Ntf1.tmp Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Temp\usgthrsvc\ Ntf2.tmp Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Temp\usgthrsvc\ Perflib_Perfdata_96c.dat Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.ci Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wsb Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy2.gthr Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.gthr Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.Crwl Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

    C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\Futurella\ntuser.dat Object is locked skipped

    C:\Documents and Settings\Futurella\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Temp\WCESLog.log Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Temp\~DF695B.tmp Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Cronologia\History.IE5\MSHist012008032220080323\index.dat Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\is2.db Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\bl.db-journal Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\bl.db Object is locked skipped

    C:\Documents and Settings\Futurella\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\is2.db-journal Object is locked skipped

    C:\Documents and Settings\Futurella\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Futurella\Dati applicazioni\$_hpcst$.hpc Object is locked skipped

    C:\Documents and Settings\Futurella\UserData\index.dat Object is locked skipped

    C:\Programmi\Creative\Creative Media Lite\CTZDetec.exe Infected: Trojan-Downloader.Win32.Bagle.lv skipped

    C:\Muestras\HLDRRR.EXE.Muestra EliBagle v10.87 Infected: Trojan-Downloader.Win32.Bagle.lv skipped

    C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.18 Infected: Trojan-Downloader.Win32.Bagle.lv skipped

    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
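
The Kaspersky report above mixes two kinds of lines: files the scanner could not open ("Object is locked skipped", almost all of them registry hives, index.dat files and search-index databases that are always held open) and actual detections ("Infected: ... skipped"). As an added example, not code from the thread or from Kaspersky, here is a small Python parser that separates the two and pulls out the detections that still matter; the sample lines are copied from the report above, and the rule that treats C:\Muestras as EliBagle's stored sample copies (so that only detections outside it count as live) is an assumption based on the earlier EliBagle log in this thread.

```python
import re
from collections import Counter

# Excerpt constructed from the Kaspersky report posted above (the log format
# is "<path> <status>" with the status phrase at the end of the line).
SAMPLE_REPORT = """\
C:\\Documents and Settings\\LocalService\\ntuser.dat Object is locked skipped
C:\\Documents and Settings\\Futurella\\Cookies\\index.dat Object is locked skipped
C:\\Programmi\\Creative\\Creative Media Lite\\CTZDetec.exe Infected: Trojan-Downloader.Win32.Bagle.lv skipped
C:\\Muestras\\HLDRRR.EXE.Muestra EliBagle v10.87 Infected: Trojan-Downloader.Win32.Bagle.lv skipped
C:\\Muestras\\HLDRRR.EXE.Muestra EliBagle v11.18 Infected: Trojan-Downloader.Win32.Bagle.lv skipped
D:\\System Volume Information\\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
"""

# The path is matched non-greedily and the status anchored at end of line,
# so paths that themselves contain spaces (common on Windows) stay intact.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<threat>\S+) (?P<action>\S+))$"
)

# Assumption for this example: EliBagle keeps neutralised copies of what it
# removed under C:\Muestras, so detections there are not live infections.
SAMPLE_FOLDER = "c:\\muestras\\"


def parse_report(text):
    """Turn report lines into dicts; non-file lines like the final
    'Scan process completed.' are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("locked"):
            entries.append({"path": m.group("path"), "status": "locked"})
        else:
            entries.append({
                "path": m.group("path"),
                "status": "infected",
                "threat": m.group("threat"),
                "action": m.group("action"),
            })
    return entries


def triage(entries):
    """Summarise the report: how much was skipped because locked, which
    detections were reported, and which of them are outside the sample
    folder and therefore still present on the system."""
    infected = [e for e in entries if e["status"] == "infected"]
    live = [e for e in infected
            if not e["path"].lower().startswith(SAMPLE_FOLDER)]
    return {
        "locked": sum(1 for e in entries if e["status"] == "locked"),
        "infected": len(infected),
        "live_paths": [e["path"] for e in live],
        "threats": dict(Counter(e["threat"] for e in infected)),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"locked/skipped: {summary['locked']}, detections: {summary['infected']}")
    for path in summary["live_paths"]:
        print("still live:", path)
```

Run on the excerpt it reports three detections, all Trojan-Downloader.Win32.Bagle.lv, of which only CTZDetec.exe lies outside C:\Muestras, which matches the conclusion drawn in the next reply.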

  10. #10
    HTML.it user, Deifobe's avatar
    Registered
    Oct 2007
    Posts
    6,072
    the folder C:\WINDOWS\system32\drivers\down has been deleted "again"
    run the scan with kaspersky now and post the report (if possible, upload it to Freefilehosting)

    bye

    edit: we posted at the same time.. ok..
    edit2: only C:\Programmi\Creative\Creative Media Lite\CTZDetec.exe is infected. I have to step away now; when I'm back I'll try to see whether you can download it from the internet (I also need to see what it's for). Run hjt and, if you find it in startup (O4 or O23 entries), fix the entry.
    Reinstall the antivirus and run a scan.
    Later..
