www.MegaLab.it

[kuabba82]

Salve. Il pc di mio zio ha preso l'ultima variante del Bagle descritta qui: http://www.MegaLab.it/2657/7

Ho eseguito the avenger mettendogli lo script segnato in quella pagina, ma non tutto è stato trovato e l'antivirus ancora non parte.
Allego il log.
Cos'altro posso fare?

[kuabba82]

Edit: non riesco a caricare il txt del log. Ve lo posto qui:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist

File "C:\WINDOWS\system32\wintems.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist

File "C:\WINDOWS\system32\mdelk.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\mdelk.exe" deleted successfully.
Folder "C:\WINDOWS\system32\drivers\downld" deleted successfully.
Folder "C:\Documents and Settings\Windows\Dati Applicazioni\m" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[crazy.cat]

e allora non ti rimane che un bel scan online sul sito della kaspersky per trovare gli atri file infetti che ci possono essere

[kuabba82]

Ok ora provo. Per completezza faccio una scansione anche con gmer.

Edit: ecco il log di gmer, mi pare non ci sia molto...

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-22 19:38:29
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

? ssxbhbwd.sys Impossibile trovare il file specificato. !

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@Asphodel\x2122 (TrueType) ASPHODEL.TTF
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65722674-B9C2-332B-D149-74BDEE5E7F39}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65722674-B9C2-332B-D149-74BDEE5E7F39}@iaonddcnbdhlnjhein 0x6B 0x61 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65722674-B9C2-332B-D149-74BDEE5E7F39}@haapnmbjnicjomhm 0x6B 0x61 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}@oaachfjipipngbbbdbndcheboajdjh 0x62 0x61 0x63 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}@oamgpiilmfadpibipamdojhnelkaid 0x6A 0x61 0x64 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}@nagbjeahojjaekpiinjkahljflhl 0x6A 0x61 0x61 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}@eaebpcdobo 0x61 0x61 0x00 0xCD
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8E5C8142-01D0-B92E-D232-9F6FE8C45EB9}@cabcoj 0x6B 0x62 0x6F 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9AE5B88-6B65-8288-414B-02A3577F6361}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9AE5B88-6B65-8288-414B-02A3577F6361}@iadkdhpcioechfhabm 0x6B 0x61 0x62 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9AE5B88-6B65-8288-414B-02A3577F6361}@hanljoaeeobmfnfa 0x6B 0x61 0x62 0x6C ...

---- EOF - GMER 1.0.14 ----

[ste_95]

Questo sembra un altro rootkit, quando ha finito la scansione online e avremo rimosso Bagle penseremo anche a questo:

ssxbhbwd.sys

[kuabba82]

Mio zio sta facendo la scansione, ora però sono a casa mia e non posso vedere. Gli ho detto di salvare il log, domani pomeriggio lo allego e provo a togliere i files infetti.