
Bagle virus.. can someone help me write the script for Avenger

Posted: Sat Nov 03, 2007 12:40 pm
by xxxtonyxxx
Hi everyone, this is my first post, so let me briefly thank you all for the help you give us...
anyway, here are the hijackthis.log and gmer.log logs


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[25]
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys SSDT[37]
SSDT a347bus.sys SSDT[41]
SSDT a347bus.sys SSDT[45]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[47]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[48]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[50]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[52]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[53]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[68]
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys SSDT[71]
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys SSDT[73]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[97]
SSDT a347bus.sys SSDT[116]
SSDT a347bus.sys SSDT[119]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys

.........
.......
........
SSDT \WINDOWS\system32\ntoskrnl.exe [80586691] PUSH 0000009C; RET SSDT[0]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[1]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[2]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[3]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[4]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[5]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[6]
SSDT \WINDOWS\system32\ntoskrnl.exe SSDT[7]
SSDT \WINDOWS\system32\ntoskrnl.exe [8057641C] PUSH 000000B4; RET SSDT[8]
............
...........
.............
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7C883FEC] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [7C883F9C] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [7C883FC4] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [7C883FEC] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [7C883F9C] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [7C883FC4] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [7C883FEC] C:\WINDOWS\system32\kernel32.dll
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7C883FD8] C:\WINDOWS\system32\kernel32.dll
.............
............
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B9F56FA0] klif.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [B9F56FA0] klif.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [B9F56FA0] klif.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [B9F56FA0] klif.sys
..................
..................
Device \Driver\Gpc \Device\Gpc IRP_MJ_CREATE [F79C6886] msgpc.sys
Device \Driver\Gpc \Device\Gpc IRP_MJ_CREATE_NAMED_PIPE [F79C6886] msgpc.sys
Device \Driver\Gpc \Device\Gpc IRP_MJ_CLOSE [F79C6886] msgpc.sys
................
................
File C:\Programmi\Movie Maker\Shared
File C:\Programmi\Movie Maker\Shared\Profiles
File C:\WINDOWS\ime\shared
File C:\WINDOWS\ime\shared\res
File C:\WINDOWS\system32\drivers\hidr.exe
File C:\WINDOWS\system32\drivers\srosa.sys
File C:\WINDOWS\system32\wintems.exe

that was GMER,
while what I'm posting now is hijackthis.log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Padrone\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C51CDAE7-5E9E-4AE6-8E9E-4E08385FF188}: NameServer = 151.99.0.100,151.99.125.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

the Kaspersky online scan log

Posted: Sat Nov 03, 2007 12:47 pm
by xxxtonyxxx
the Kaspersky online scan log

C:\avenger\backup-03.11.2007-11.58.54,06.zip/avenger/hidr.exe Infected: Trojan-Downloader.Win32.Bagle.fi skipped

C:\avenger\backup-03.11.2007-11.58.54,06.zip ZIP: infected - 1 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Padrone\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\dyncontent\bundle.dat Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\index2.dat Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\profile16384.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\user1024.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\user16384.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\user256.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Dati applicazioni\Skype\tonyxxx1985\user4096.dbb Object is locked skipped

C:\Documents and Settings\Padrone\Desktop\500\spdlr140\setup.exe/SP Dialer.dll Infected: not-a-virus:Server-Proxy.Win32.SPDialer.a skipped

C:\Documents and Settings\Padrone\Desktop\500\spdlr140\setup.exe CreateInstall: infected - 1 skipped

C:\Documents and Settings\Padrone\Desktop\500\spdlr140.zip/setup.exe/SP Dialer.dll Infected: not-a-virus:Server-Proxy.Win32.SPDialer.a skipped

C:\Documents and Settings\Padrone\Desktop\500\spdlr140.zip/setup.exe Infected: not-a-virus:Server-Proxy.Win32.SPDialer.a skipped

C:\Documents and Settings\Padrone\Desktop\500\spdlr140.zip ZIP: infected - 2 skipped

C:\Documents and Settings\Padrone\Desktop\key\Kaspersky Antivirus v7.0.0.125 - License Key(1).rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped

C:\Documents and Settings\Padrone\Desktop\key\Kaspersky Antivirus v7.0.0.125 - License Key(1).rar RAR: infected - 1 skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Cronologia\History.IE5\MSHist012007110320071104\index.dat Object is locked skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\Padrone\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Padrone\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Padrone\NTUSER.DAT.LOG Object is locked skipped

C:\Programmi\Analog Devices\SoundMAX\SMTray.exe Infected: Trojan-Downloader.Win32.Bagle.fi skipped

C:\Programmi\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Posted: Sat Nov 03, 2007 12:54 pm
by crazy.cat
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\avenger\backup-03.11.2007-11.58.54,06.zip
C:\Documents and Settings\Padrone\Desktop\500\spdlr140\setup.exe
C:\Documents and Settings\Padrone\Desktop\500\spdlr140.zip
C:\Documents and Settings\Padrone\Desktop\key\Kaspersky Antivirus v7.0.0.125 - License Key(1).rar
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe

folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32