www.MegaLab.it

[starshine.utopia]

Salve a tutti e buon anno! ho letto un po' delle vostre discussioni riguardo al mio problema...ho preso un bagle worm e non riesco più a installare nessun antivirus...ho fatto la scansione del sistema con gmer, come consigliato nella vostra procedura, di cui vi riporto i log, ma con avast qualcosa non ha funzionato... non sono molto pratica in queste cose...qualcuno potrebbe aiutarmi dicendomi come devo impostare lo script per favore?non vorrei cancellare per sbaglio dei file importanti..
Grazie mille per l'aiuto!!!

-----------------------------------------

Rootkit

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-02 12:43:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation

---- Kernel code sections - GMER 1.0.13 ----

? dkxwbyhn.sys Impossibile trovare il file specificato.

---- User code sections - GMER 1.0.13 ----

.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!LoadResource 7C809FB5 7 Bytes JMP 28001CC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!FindResourceExW 7C80AC88 7 Bytes JMP 28001B00 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!FindResourceW 7C80BBCE 7 Bytes JMP 28001A80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!SizeofResource 7C80BC69 7 Bytes JMP 28001D80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!FindResourceA 7C80BE89 7 Bytes JMP 28001B90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!LockResource 7C80CC97 5 Bytes JMP 28001DF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!CreateEventA 7C8308AD 5 Bytes JMP 28001840 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!FindResourceExA 7C835F78 7 Bytes JMP 28001C20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Programmi\MSN Messenger\MsnMsgr.Exe
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] kernel32.dll!OutputDebugStringW 7C85A42D 5 Bytes JMP 28001E50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] ADVAPI32.dll!CryptDeriveKey 77F5A685 7 Bytes JMP 28001000 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] ADVAPI32.dll!CryptDecrypt 77F5A7B1 2 Bytes JMP 28001060 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] ADVAPI32.dll!CryptDecrypt + 3 77F5A7B4 4 Bytes [ 0A, B0, CC, CC ]
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!PeekMessageW 7E39929B 5 Bytes JMP 28003F90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 280037C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!SetWindowRgn 7E39FFB2 7 Bytes JMP 28005880 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!LoadIconW 7E3A0894 5 Bytes JMP 28006240 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!LoadImageW 7E3A2CFE 5 Bytes JMP 28006050 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!CreateDialogParamW 7E3A7D4F 5 Bytes JMP 28005A50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!SetWindowPlacement 7E3AD84C 5 Bytes JMP 28005740 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 28005C40 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] USER32.dll!TrackPopupMenuEx 7E3ECD28 5 Bytes JMP 28004870 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WS2_32.dll!send 71A3428A 5 Bytes JMP 2800A360 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 2800A140 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WS2_32.dll!recv 71A3615A 5 Bytes JMP 28009FA0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 2800A540 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 2800A780 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] SHELL32.dll!Shell_NotifyIconW 7CA31B6A 5 Bytes JMP 28002FE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] ole32.dll!CoInitializeEx 774CEF6B 5 Bytes JMP 28002100 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] ole32.dll!CoRegisterClassObject 774E8720 5 Bytes JMP 28002200 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WININET.dll!HttpOpenRequestA 771936CD 5 Bytes JMP 28008E60 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WININET.dll!InternetCloseHandle 77194D8C 5 Bytes JMP 280091A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WININET.dll!HttpSendRequestA 77196269 5 Bytes JMP 280090D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\MsnMsgr.Exe[324] WININET.dll!InternetReadFile 77198114 5 Bytes JMP 28008FF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll

---- Processes - GMER 1.0.13 ----

Process C:\WINDOWS\system32\drivers\hldrrr.exe (*** hidden *** ) 448

[crazy.cat]

ho fatto la scansione del sistema con gmer, come consigliato nella vostra procedura, di cui vi riporto i log

Serve le scansione online sul sito di kaspersky.
http://www.MegaLab.it/forum/viewtopic.php?t=34966
gmer non mi dice niente di nuovo e utile.

[starshine.utopia]

Il risultato della scansione su kaspersky è il seguente:
---------

Wednesday, January 02, 2008 1:46:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/01/2008
Kaspersky Anti-Virus database records: 501530
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\
Scan Statistics
Total number of scanned objects 19424
Number of viruses found 1
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:12:27

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~DF1094.tmp Object is locked skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~DFACE4.tmp Object is locked skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~DFACE9.tmp Object is locked skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe/file23 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe/file24 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\~ga6psetup.exe Inno: infected - 5

[crazy.cat]

Scan Target Critical Areas
C:\WINDOWS
D:\DOCUME~1\CRI~1.103\IMPOST~1\Temp\

Serve la scansione di tutto il disco fisso, non solo delle aree critiche.
Infatti non ha trovato neanche un virus bagle, si nascondono in giro per il pc in file casuali.

[starshine.utopia]

D'accordo.Ecco la scansione del pc (scusa...non sono molto pratica in queste cose...grazie mille per la pazienza!)
-----------
Wednesday, January 02, 2008 3:30:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/01/2008
Kaspersky Anti-Virus database records: 501530
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 129886
Number of viruses found 4
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:39:04

Infected Object Name Virus Name Last Action
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32 Crack.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32 Crack.zip/Sharp World Clock 1.32 Crack.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32 Crack.zip ZIP: infected - 1 skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32.zip/Sharp World Clock 1.32.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32.zip ZIP: infected - 1 skipped
D:\Documents and Settings\Cri\Impostazioni locali\Temp\MNI.UWFX5T_0001_LP1710\setup.exe Infected: not-a-virus:FraudTool.Win32.WinFixer.2005 skipped
D:\Documents and Settings\Cri\Impostazioni locali\Temp\~wa6psetup.exe/file016 Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
D:\Documents and Settings\Cri\Impostazioni locali\Temp\~wa6psetup.exe Inno: infected - 1 skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe/file23 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe/file24 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe Inno: infected - 5 skipped

Scan process completed.

[crazy.cat]

Prova questo script, dopo il riavvio reinstalla l'antivirus e vedi se funziona.

Codice: Seleziona tutto

Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe    
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32 Crack.zip
C:\Programmi\eMule\Incoming\Sharp World Clock 1.32.exe    
D:\Documents and Settings\Cri\Impostazioni locali\Temp\MNI.UWFX5T_0001_LP1710\setup.exe
D:\Documents and Settings\Cri\Impostazioni locali\Temp\~wa6psetup.exe
D:\Documents and Settings\Cri.1036010603196\Impostazioni locali\Temp\~ga6psetup.exe

Folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32

[starshine.utopia]

grazie mille per l'aiuto...ora sono riuscita a reinstallare l'anitvirus e sembra funzionare..grazie mille!!