View full version : Bagle virus attacking my computer
godsdsipl
13.02.2008, 11:50
My laptop has been infected with the Bagle and a couple of other viruses and it won't allow me to install any antivirus or spyware software on my system to kill it. Please help
Execute script:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\wintems.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\hldrrr.exe','');
QuarantineFile('C:\Documents and Settings\Permit-It\Application Data\m\flec006.exe','');
BC_ImportquarantineList;
BC_Activate;
RebootWindows(true);
end.
When the script runs, your system will restart; that's normal. After the restart, upload the quarantine using this link: http://virusinfo.info/upload_virus_eng.php?tid=17983 (see appendix 3 of the rules (http://virusinfo.info/showthread.php?t=9184) for details).
godsdsipl
14.02.2008, 11:47
I did this and it would not execute the script. I rebooted and rescanned and it found 596 infected files. So I tried to run the AVZ Antiviral Toolkit and nothing would happen so I tried to run HijackThis and it said it was not a valid win32 application
Try to scan your PC with AVPTool http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
godsdsipl
14.02.2008, 13:03
I ran the tool and here is the log ... it says it deleted the 3 files but they are still there when I re-scan
godsdsipl
14.02.2008, 13:26
Sorry here is the log file of the scan
Execute this script in AVPTool (how-to: http://avptool.virusinfo.info/en/AVPTool_helpdesk_curescript.htm):
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('srosa');
SetServiceStart('srosa', 4);
DeleteService('srosa');
QuarantineFile('C:\WINDOWS\system32\drivers\srosa.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\hldrrr.exe','');
QuarantineFile('C:\WINDOWS\system32\wintems.exe','');
DeleteFile('c:\windows\system32\drivers\srosa.sys');
DeleteFile('C:\WINDOWS\system32\drivers\hldrrr.exe');
DeleteFile('C:\WINDOWS\system32\wintems.exe');
BC_DeleteSvc('srosa');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(12);
BC_Activate;
RebootWindows(true);
end.
Do make a full scan of all disks with a fresh CureIt (#2 in our rules); it should create a log after curing, please attach it to your next post.
*** When the script runs, your system will restart; that's normal. After the restart, upload the quarantine using this link: http://virusinfo.info/upload_virus_eng.php?tid=17983 (see appendix 3 of the rules for details).
godsdsipl
14.02.2008, 14:16
I pasted and executed this and it didn't do anything. It turned gray but didn't reboot.
Did you reboot manually? If no then do so.
godsdsipl
15.02.2008, 08:09
I zipped and uploaded the quarantine file and I rebooted. What next?
Trojan-Downloader.Win32.TSUpdate.n,
Trojan-Downloader.Win32.TSUpdate.f,
Trojan-Downloader.Win32.Adload.qy,
Trojan-Downloader.Win32.Delf.dlk
As I said in PM, we need new logs to tell what to do...
godsdsipl
15.02.2008, 09:30
So I need to rescan and upload the new logs?
No, do steps 8-13 only, and upload new logs.
godsdsipl
15.02.2008, 10:23
I am not sure what is going on but I cannot start AVZ or HiJackThis. When I try to start both, my computer freezes. I even deleted them both twice and redownloaded them and still the same thing. What can I do?
godsdsipl
15.02.2008, 10:30
No... it says "Not Responding" .. I can run DrWeb and Kaspersky Lab Tool but it will not let me run AVZ or HiJackThis
Reboot to Safe Mode, and make logs from there. But this time, do only steps #10-13.
godsdsipl
15.02.2008, 10:37
I tried that but this is the weirdest thing ... when I try to boot in safe mode, it loads the files and then reboots. In other words, it will not let me boot in safe mode; it is just a loop
Run the Recovery Console. To do so, boot with the Windows XP CD and select "R" at the Welcome Screen.
From there try to delete the following files:
c:\windows\system32\drivers\srosa.sys
c:\windows\system32\drivers\hldrrr.exe
c:\windows\system32\wintems.exe
c:\windows\system32\mdelk.exe
No... it says "Not Responding" .. I can run DrWeb and Kaspersky Lab Tool but it will not let me run AVZ or HiJackThis
Does it mean that you can run the AVPTool? You answered "No" and then you said that you can do it :)
godsdsipl
15.02.2008, 14:10
Ok here are the logs ... Adware Alert just did a scan and it claims to have just found 3679 infected files. I am not sure which one is correct but here are the logs
All malicious registry entries seem to be here again :( Let's try again: before executing the script, disconnect your network connection and stop the anti-virus monitor.
Execute script:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetServiceStart('srosa', 4);
BC_DeleteSvc('srosa');
BC_DeleteFile('C:\WINDOWS\system32\drivers\srosa.sys');
DeleteFile('C:\WINDOWS\system32\drivers\hldrrr.exe');
BC_DeleteFile('C:\WINDOWS\system32\drivers\hldrrr.exe');
DeleteFile('C:\WINDOWS\system32\wintems.exe');
BC_DeleteFile('C:\WINDOWS\system32\wintems.exe');
BC_Activate;
ExecuteSysClean;
RebootWindows(false);
end.
If the script works correctly, your system will restart. After the restart, turn on your antivirus monitor and network connection, do step 10 of the rules (http://virusinfo.info/showthread.php?t=9184) and attach the log here.
godsdsipl
15.02.2008, 23:37
I ran the Kaspersky Lab Tool and it does nothing. It won't reboot so I manually rebooted. I am going to try and do the Recovery Console again but I am not sure that I am doing it right. Once I get into the console and get to C:\Windows, what do I type to delete these and how do I know if it worked? :( I am getting frustrated; I have been working on this virus for going on 4 days now
Clear your internet cache.
Run the AVPTool http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
Go to the "Manual Cure" window.
Copy and paste the following script (how to do this: read here http://avptool.virusinfo.info/en/AVPTool_helpdesk_curescript.htm)
Execute it.
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('srosa');
SetServiceStart('srosa', 4);
DeleteService('srosa');
QuarantineFile('C:\WINDOWS\system32\drivers\srosa.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\hldrrr.exe','');
QuarantineFile('C:\WINDOWS\system32\wintems.exe','');
DeleteFile('c:\windows\system32\drivers\srosa.sys');
DeleteFile('C:\WINDOWS\system32\drivers\hldrrr.exe');
DeleteFile('C:\WINDOWS\system32\wintems.exe');
DeleteFileMask('c:\WINDOWS\system32\drivers\down', '*.*', true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Make new log files (how-to: http://avptool.virusinfo.info/en/AVPTool_manual.htm) and paste them here.
godsdsipl
16.02.2008, 02:20
OK here you go
godsdsipl
16.02.2008, 08:31
Any Help?
Execute the following script:
begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\kasperskyLive32.exe','');
DeleteFile('C:\WINDOWS\system32\kasperskyLive32.exe');
RegKeyParamDel( 'HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'drvsyskit');
RegKeyParamDel( 'HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'german.exe');
BC_ImportALL;
BC_DeleteSvc('srosa');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
After your system reboots, upload new quarantine according to appendix #3 of Rules and make a new "syscheck" logfile.
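As an added example (not the forum's or AVZ's own code), a small Python checker that turns a cure script like the ones in this thread into a post-reboot verification list: it parses the QuarantineFile/DeleteFile/DeleteService/RegKeyParamDel calls and reports which of the named files, directories, services and Run values still exist, which is how to tell whether a script actually took effect. The registry probes assume Windows (winreg); the predicates are injectable so the check can also run against a saved snapshot.

```python
"""Turn an AVZ/AVPTool cure script into a post-reboot verification checklist (added example)."""
import os
import re
from typing import Dict

# Script call -> category of the artifact named by its first quoted argument.
_CALLS = {"QuarantineFile": "files", "DeleteFile": "files", "BC_DeleteFile": "files",
          "DeleteFileMask": "dirs", "StopService": "services",
          "DeleteService": "services", "BC_DeleteSvc": "services"}
_CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;")  # one call per line, as AVZ scripts are written
_STR_RE = re.compile(r"'([^']*)'")                  # Pascal-style single-quoted arguments

def extract_indicators(script: str) -> Dict[str, list]:
    """Collect every file, directory, service and Run-key value the script removes."""
    found: Dict[str, list] = {"files": [], "dirs": [], "services": [], "run_values": []}
    for line in script.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), _STR_RE.findall(m.group(2))
        if name in _CALLS and args:
            found[_CALLS[name]].append(args[0])
        elif name == "RegKeyParamDel" and len(args) == 3:
            found["run_values"].append(tuple(args))  # (hive, key, value name)
    return {k: sorted(set(v)) for k, v in found.items()}

def _reg_value_exists(hive: str, subkey: str, value: str) -> bool:
    """Registry probe; only meaningful on Windows (winreg is absent elsewhere -> False)."""
    try:
        import winreg
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            winreg.QueryValueEx(key, value)
        return True
    except (ImportError, OSError, AttributeError):
        return False

def _service_exists(name: str) -> bool:
    """A service survives as HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> with an ImagePath."""
    return _reg_value_exists("HKEY_LOCAL_MACHINE",
                             "SYSTEM\\CurrentControlSet\\Services\\" + name, "ImagePath")

def verify_cleanup(indicators: Dict[str, list], path_exists=os.path.exists,
                   service_exists=_service_exists, run_value_exists=_reg_value_exists):
    """Return what is still present; all-empty lists mean the cure script took effect.
    The predicates are injectable so the check can also run against a saved snapshot."""
    return {"files": [p for p in indicators["files"] + indicators["dirs"] if path_exists(p)],
            "services": [s for s in indicators["services"] if service_exists(s)],
            "run_values": [v for v in indicators["run_values"] if run_value_exists(*v)]}
```

Paste the script from the reply into extract_indicators() and run verify_cleanup() after the reboot; anything it lists is a reason to re-run the script or try the Recovery Console.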