Chiedo assistenza per Win32 Bagle
Inviato: dom feb 03, 2008 1:20 pmGentilissimi redattori di MegaLab,
innanzitutto ringrazio Voi e il Vostro sito per la disponibilità e per l' aiuto.
Ho letto attentamente la Vostra guida, ma non sono sicuro al 100% di cosa includere nello script di avenger, soprattutto in riferimento al passaggio "Nel report di Kaspersky non è detto che sia sempre visibile il rootkit che si nasconde nella cartella C:\WINDOWS\system32\drivers\ includetelo lo stesso nello script. ". Dunque come procedere per l' individuazione ed eliminazione di suddetto rootkit?
Vi riporto lo scan di Kasperky online come ho visto fare ad altri utenti:
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\XUL.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Muestras\HLDRRR.EXE.Muestra EliBagle v10.96 Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temp\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Vi ringrazio anticipatamente per la cortese attenzione.
innanzitutto ringrazio Voi e il Vostro sito per la disponibilità e per l' aiuto.
Ho letto attentamente la Vostra guida, ma non sono sicuro al 100% di cosa includere nello script di avenger, soprattutto in riferimento al passaggio "Nel report di Kaspersky non è detto che sia sempre visibile il rootkit che si nasconde nella cartella C:\WINDOWS\system32\drivers\ includetelo lo stesso nello script. ". Dunque come procedere per l' individuazione ed eliminazione di suddetto rootkit?
Vi riporto lo scan di Kasperky online come ho visto fare ad altri utenti:
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\pvoz51rr.Il Mago di Ot 2\XUL.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Muestras\HLDRRR.EXE.Muestra EliBagle v10.96 Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temp\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Vi ringrazio anticipatamente per la cortese attenzione.