aiuto.. virus bagle

[laser_uk]

salve a tutti, ieri tempo di aver preso questo ed altri virus scaricando alcuni file. i sintomi del mio pc:
non mi partono gli antivirus e dopo 5 minuti di attività schermata blu e il pc si spegne.
ho fatto una scansione con malwarebytes e con e mi ha trovato 220 file infetti...che devo fare? help!

ho qui il file log elibagla se puo servire: http://www.savefile.com/files/1842594

[hell's bells]

Vediamo se avenger ti parte e se si riesce a schiodarlo dal pc, segui la procedura:

scarica Avenger

Esegui avenger e nella finestra copia/incolla tutta la citazione:

files to delete:
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\wintems.exe
c:\Windows\System32\drivers\hldrrr.exe
c:\Windows\System32\drivers\mdelk.exe

folders to delete:
c:\Windows\System32\drivers\downld
c:\Windows\exefld
c:\Windows\exefnd
c:\Windows\exefqd

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\s rosa

Spunta "Automatically disable any rootkits found" e clicca su "execute".
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato lo trovi in c:\avenger.

Se avenger non ti parte, dimmelo e ti mando un avenger modificato.

[laser_uk]

mi sa che alcune voci non le ha trovate perche ero riuscito ad eliminarli io un ora fa con smitfraud:
ecco il report:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\system32\drivers\srosa.sys" not found!
Deletion of file "C:\Windows\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\drivers\hldrrr.exe" not found!
Deletion of file "C:\Windows\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\wintems.exe" not found!
Deletion of file "C:\Windows\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\Windows\System32\drivers\hldrrr.exe" not found!
Deletion of file "c:\Windows\System32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\Windows\System32\drivers\mdelk.exe" not found!
Deletion of file "c:\Windows\System32\drivers\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\Windows\System32\drivers\downld" not found!
Deletion of folder "c:\Windows\System32\drivers\downld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\Windows\exefld" not found!
Deletion of folder "c:\Windows\exefld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\Windows\exefnd" not found!
Deletion of folder "c:\Windows\exefnd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\Windows\exefqd" not found!
Deletion of folder "c:\Windows\exefqd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ces\srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ces\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ srosa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[hell's bells]

Tranquillo ho usato la procedura standard, fammi una cortesia, elimina il vecchio rapporto di elbagle, lo trovi in c:\infosat, poi rifai la scansione con elibagle e ripostami il report per cortesia, vediamo cosa è rimasto di attivo.

[laser_uk]

Originariamente inviato da hell's bells
Tranquillo ho usato la procedura standard, fammi una cortesia, elimina il vecchio rapporto di elbagle, lo trovi in c:\infosat, poi rifai la scansione con elibagle e ripostami il report per cortesia, vediamo cosa è rimasto di attivo.

eccolo:


Thu Oct 16 18:36:48 2008
EliBagle v11.83 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 10 de Octubre del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS2\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle

Thu Oct 16 19:53:15 2008
EliBagle v11.83 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 10 de Octubre del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):

Thu Oct 16 19:53:18 2008
EliBagle v11.83 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 10 de Octubre del 2008)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

Nº Total de Directorios: 15660
Nº Total de Ficheros: 171571
Nº de Ficheros Analizados: 20684
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

[hell's bells]

Sembra pulito, ora controlla queste cose:

1) se visulaizzi i files nascosti
2) se ti funziona la modalità provvisoria
3) se hai la wireless, se funziona

poi rifai una scansione con malewarebytes e posta il report.

[laser_uk]

Originariamente inviato da hell's bells


poi rifai una scansione con malewarebytes e posta il report.

rapida o completa?

[hell's bells]

Sempre completa.