
View full version : W32bagle



papoose
13.06.2008, 19:24
W32 bagle virus
Windows reboots when I try some tasks, and many other things are wrong, like the hidden files and folder options being unavailable.
Internet Explorer takes a long time to open and connect to the web. Before the infection it was much faster than it is now.
I have manually deleted the files srosa.sys, hldrr.exe, mdelk.exe, the references in the registry and the infected file with the red cross icon, but the computer is still slow and reboots.
Thank you very much

kps
13.06.2008, 21:10
I did not find anything suspicious in your log.
However, I recommend executing the following script to delete possible remains of the worm:
AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

begin
  // Search for rootkits and enable AVZGuard so the worm cannot interfere with the cleanup
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  // Files dropped by the worm
  DeleteFile('%System32%\drivers\hldrrr.exe');
  DeleteFile('%System32%\drivers\srosa.sys');
  DeleteFile('%System32%\wintems.exe');
  DeleteFile('%System32%\drivers\mdelk.exe');
  DeleteFile('%System32%\mdelk.exe');
  BC_ImportALL;
  ExecuteSysClean;
  // Download folders created by the worm
  If DirectoryExists('%System32%\drivers\down') then
  begin
    DeleteFileMask('%System32%\drivers\down', '*.*', true);
    DeleteDirectory('%System32%\drivers\down');
    If DirectoryExists('%System32%\drivers\down') then
      AddToLog('Папка down не удалена') else AddToLog('Папка down удалена');
  end
  else
    AddToLog('Папки down нет');
  If DirectoryExists('%System32%\drivers\downld') then
  begin
    DeleteFileMask('%System32%\drivers\downld', '*.*', true);
    DeleteDirectory('%System32%\drivers\downld');
    If DirectoryExists('%System32%\drivers\downld') then
      AddToLog('Папка downld не удалена') else AddToLog('Папка downld удалена');
  end
  else
    AddToLog('Папки downld нет');
  // Autostart values in the HKCU Run key
  If RegKeyParamExists('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'drvsyskit') then
  begin
    AddToLog('Обнаружен параметр в реестре drvsyskit');
    RegKeyParamDel('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'drvsyskit');
    If RegKeyParamExists('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'drvsyskit') then
      AddToLog('Ошибка удаления параметра drvsyskit') else
      AddToLog('Параметр drvsyskit успешно удален');
  end;
  If RegKeyParamExists('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'german.exe') then
  begin
    AddToLog('Обнаружен параметр в реестре german.exe');
    RegKeyParamDel('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'german.exe');
    If RegKeyParamExists('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'german.exe') then
      AddToLog('Ошибка удаления параметра german.exe') else
      AddToLog('Параметр german.exe успешно удален');
  end;
  // Marker key written by the worm
  if RegKeyExists('HKEY_CURRENT_USER', 'Software\FirstRRRun') then
  begin
    AddToLog('Найден ключ реестра FirstRRRun');
    RegKeyDel('HKEY_CURRENT_USER', 'Software\FirstRRRun');
    If RegKeyExists('HKEY_CURRENT_USER', 'Software\FirstRRRun') then
      AddToLog('Ошибка удаления ключа реестра FirstRRRun') else
      AddToLog('ключ реестра FirstRRRun успешно удален');
  end;
  // Remove the srosa driver service with BootCleaner on the next boot, save the log and reboot
  BC_DeleteSvc('srosa');
  BC_LogFile('c:\boot_clr_B_d.log');
  If BC_Activate then AddToLog('BootCleaner успешно активирован') else AddToLog('Внимание!!! BootCleaner не активирован!');
  SaveLog('c:\B_d.txt');
  RebootWindows(true);
end.
Your computer will reboot.

Attach the file c:\B_d.txt here.

Check your PC with
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Full system check.
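A way to verify afterwards that the remnants this script targets are really gone, as an added example that is not part of the thread and not AVZ code: the indicator list is taken from the script above, while the snapshot format, the function names (check_snapshot, collect_live_snapshot) and the sample snapshot are my own constructions.

```python
import os

# Indicators copied from the AVZ script in this thread (lowercased for matching).
BAGLE_FILES = {r"%system32%\drivers\hldrrr.exe", r"%system32%\drivers\srosa.sys",
               r"%system32%\wintems.exe", r"%system32%\drivers\mdelk.exe",
               r"%system32%\mdelk.exe"}
BAGLE_DIRS = {r"%system32%\drivers\down", r"%system32%\drivers\downld"}
RUN_KEY, RUN_VALUES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", {"drvsyskit", "german.exe"}
MARKER_KEY, SERVICE = r"software\firstrrrun", "srosa"

def check_snapshot(snap):
    """Return findings for a snapshot: sets of lowercase names under 'files', 'dirs', 'run_values', 'hkcu_keys', 'services'."""
    hits = [f"file still present: {p}" for p in sorted(BAGLE_FILES & snap["files"])]
    hits += [f"folder still present: {d}" for d in sorted(BAGLE_DIRS & snap["dirs"])]
    hits += [f"HKCU Run value still set: {v}" for v in sorted(RUN_VALUES & snap["run_values"])]
    if MARKER_KEY in snap["hkcu_keys"]:
        hits.append("marker key still present: HKCU\\" + MARKER_KEY)
    if SERVICE in snap["services"]:
        hits.append("service still registered: " + SERVICE)
    return hits

def collect_live_snapshot():
    """Windows only: build the snapshot from the real file system and registry (hypothetical helper)."""
    import winreg  # standard library, Windows only
    sysdir = os.path.join(os.environ["SystemRoot"], "System32").lower()
    def key_exists(root, path):
        try:
            winreg.CloseKey(winreg.OpenKey(root, path))
            return True
        except OSError:
            return False
    run_values = set()
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            run_values.add(winreg.EnumValue(key, i)[0].lower())
    svc_key = "SYSTEM\\CurrentControlSet\\Services\\" + SERVICE
    return {
        "files": {p for p in BAGLE_FILES if os.path.isfile(p.replace("%system32%", sysdir))},
        "dirs": {d for d in BAGLE_DIRS if os.path.isdir(d.replace("%system32%", sysdir))},
        "run_values": run_values,
        "hkcu_keys": {MARKER_KEY} if key_exists(winreg.HKEY_CURRENT_USER, MARKER_KEY) else set(),
        "services": {SERVICE} if key_exists(winreg.HKEY_LOCAL_MACHINE, svc_key) else set(),
    }

# Constructed sample: files deleted by hand (as the poster did), but a download folder, the Run value and the service were left behind.
SAMPLE_SNAPSHOT = {"files": set(), "dirs": {r"%system32%\drivers\downld"},
                   "run_values": {"drvsyskit", "ctfmon.exe"}, "hkcu_keys": set(),
                   "services": {"srosa", "spooler"}}
```

On the cleaned Windows host, run check_snapshot(collect_live_snapshot()) and expect an empty list; on any other system, check_snapshot(SAMPLE_SNAPSHOT) shows the kind of leftovers the script's log lines report.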

papoose
13.06.2008, 23:41
I did not find anything suspicious in your log.
However, I recommend executing the following script to delete possible remains of the worm:
AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):
Your computer will reboot.

Attach the file c:\B_d.txt here.

Check your PC with
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Full system check.

Thank you very much, I have executed the script in AVZ.
Here is the report log.

I cannot download the file on the "infected" computer. :shocked:
I have downloaded it to another one.