[URL]http://www.wikisend.com/download/653742/kasperskylog[/URL]
I'm disappointed. Where is the Bagle? :sad:
I scanned with Malwarebytes and Kaspersky and the report was Bagle!!
Some programs cannot be opened, like VLC, and if I try to run EliBagla it says that it is not a valid Win32 application.
I can't understand.....
[size="1"][color="#666686"][B][I]Added 16 minutes later[/I][/B][/color][/size]
Kaspersky: Win32.Bagle.ceu
OK, read the [URL="http://virusinfo.info/showthread.php?t=9184"]rules[/URL] and make 3 logfiles (syscure, syscheck, hijackthis).
I must explain better:
I ran the following programs in this order:
1) Mbam
2) ComboFix
3) Prevx 3.0
I have logs for all of them.
After these programs I ran the Kaspersky removal tool.
It found Win32.Bagle.ceu. I read it just a moment before the program shut down and XP restarted. I have no log of this operation.
After this first check with the Kaspersky removal tool I made another check (manually) and the result is in the file I have attached. Probably many malicious threats had been removed.
If you want I can attach the Mbam, ComboFix and Prevx 3.0 log(s) from when the infection was still fully active!
I hope you can understand!!!
[size="1"][color="#666686"][B][I]Added 1 hour 18 minutes later[/I][/B][/color][/size]
In the meantime I scanned the computer with EliBagla; result: UTIYODU4.SYS --> Bagle (rootkit).
Also access denied to these folders:
c:\documents and settings\myname\impostazioni locali\dati applicazioni\microsoft\cardspace(8210)
c:\prgogrammi\adobe\reader8.0\resource\cmap(16)
EliBagla log:
[url]http://www.wikisend.com/download/442036/elibaglalog[/url]
[QUOTE=Aleksandra;541515]OK, read the [URL="http://virusinfo.info/showthread.php?t=9184"]rules[/URL] and make 3 logfiles (syscure, syscheck, hijackthis).[/QUOTE]
:rtfm:
When I rebooted the PC, after the EliBagla scan, the notebook opened with this message:
[CODE][.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787[/CODE]
Please read the rules [url]http://virusinfo.info/showthread.php?t=9184[/url]
[QUOTE][COLOR="Red"][I]*Do not attach any other logfiles except for those of AVZ and HJT unless requested.[/I][/COLOR][/QUOTE]
I'm here again, sorry for the misunderstanding. I have the three logs but I can't understand how to send them, sorry!!
I can't proceed with appendices 2 and 3 (file search in AVZ and How to send us requested files).
[QUOTE=garigo;546910]
I can't proceed with appendices 2 and 3 (file search in AVZ and How to send us requested files).[/QUOTE]Press the icon [IMG]http://virusinfo.info/images/buttonsen/reply.gif[/IMG], press the icon Manage Attachments (the 2nd field below the answer window) and attach the logs. If you're not able to do this, we'll be forced to close your topic because we cannot help you without the 3 logs.
ok....thank you!
I think it'd be more difficult to do...
Close/disable all applications except AVZ and Internet Explorer.
- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
StopService('iMSPCLOj');
DeleteService('iMSPCLOj');
QuarantineFile('C:\DOCUME~1\pier\IMPOST~1\Temp\iMSPCLOj.sys','');
DeleteFile('C:\DOCUME~1\pier\IMPOST~1\Temp\iMSPCLOj.sys');
DeleteFileMask('C:\DOCUME~1\pier\IMPOST~1\Temp','*.*',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
BC_DeleteSvc('iMSPCLOj');
CreateQurantineArchive('C:\quarantine.zip');
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
[COLOR="Red"]If the system tries to install any unknown hardware after the reboot, abort the installation and remove the unknown hardware in Device Manager[/COLOR]
After reboot:
- Replace file hosts: [url]http://virusinfo.info/showpost.php?p=514996&postcount=2[/url]
- Upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Make new logs and attach them to the new posting.
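The script above stops a service named iMSPCLOj and quarantines its driver, which was being loaded from the user's Temp folder. As an added example (not code from this thread, from AVZ, or from the original posters), here is a small Python audit that looks for the same pattern in a .reg export of HKLM\SYSTEM\CurrentControlSet\Services: any service whose ImagePath points into a user-writable directory such as a profile's Temp folder, with kernel drivers (Type 1 or 2) called out separately. The export text is constructed for the example; "Beep" is a normal XP driver, "iMSPCLOj" mirrors the entry the script deletes, and "Updater" with its path is a hypothetical user-mode service.

```python
"""Audit a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Services for services
whose image lives in a user-writable directory (e.g. a profile's Temp folder).
Added example for this thread; not code from AVZ or from the original posts.
"""
import re
from typing import Dict, List

# Directory fragments no legitimate driver should be loaded from
# (matched case-insensitively against the normalised ImagePath).
SUSPICIOUS_DIR_PATTERNS = [
    r"\\temp\\",                    # ...\Local Settings\Temp\, C:\WINDOWS\Temp\
    r"\\docume~1\\",                # 8.3 form of \Documents and Settings\
    r"\\documents and settings\\",  # any XP user profile
    r"\\users\\", r"\\appdata\\",   # Vista+ profiles
]
DRIVER_TYPES = {0x1, 0x2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
_SERVICES_PREFIX = "\\SYSTEM\\CurrentControlSet\\Services\\"
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample export (not a real hive).  "Updater" is hypothetical.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,2e,00,73,00,\
  79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep\Enum]
"0"="Root\\LEGACY_BEEP\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iMSPCLOj]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\DOCUME~1\\pier\\IMPOST~1\\Temp\\iMSPCLOj.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Updater]
"Type"=dword:00000010
"ImagePath"="\"C:\\Documents and Settings\\pier\\Local Settings\\Temp\\upd.exe\""
"""

def _logical_lines(text: str) -> List[str]:
    """Re-join values that reg.exe wrapped with a trailing backslash."""
    out, pending = [], None
    for line in text.splitlines():
        piece = line.strip() if pending is not None else line.rstrip()
        if piece.endswith("\\"):
            pending = (pending or "") + piece[:-1]
            continue
        out.append((pending or "") + piece)
        pending = None
    return out

def _decode_value(data: str):
    """Decode a .reg right-hand side: dword, REG_EXPAND_SZ (hex(2)) or string."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex(2):"):  # UTF-16LE bytes written as hex pairs
        raw = bytes(int(h, 16) for h in data[len("hex(2):"):].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00")
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return data

def parse_services(reg_text: str) -> Dict[str, dict]:
    """Map each service name to its values; subkeys such as \\Enum are ignored."""
    services: Dict[str, dict] = {}
    current = None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(_SERVICES_PREFIX.lower())
            rest = key[idx + len(_SERVICES_PREFIX):] if idx >= 0 else ""
            current = rest if rest and "\\" not in rest else None
            if current is not None:
                services.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            services[current][m.group("name")] = _decode_value(m.group("data"))
    return services

def normalize_image_path(image_path: str) -> str:
    """Strip the NT \\??\\ prefix and the quotes/arguments around an executable."""
    path = image_path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    return path

def find_suspicious_services(services: Dict[str, dict]) -> List[Dict]:
    """Flag services whose image sits in a user-writable directory."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath")
        if not isinstance(image, str):
            continue
        path = normalize_image_path(image)
        hit = next((p for p in SUSPICIOUS_DIR_PATTERNS if re.search(p, path.lower())), None)
        if hit is not None:
            findings.append({"service": name, "image_path": path, "matched": hit,
                             "kernel_driver": values.get("Type") in DRIVER_TYPES})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_services(parse_services(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a real machine the input comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; reg.exe writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing it to `parse_services`. One caveat: an export taken on the live, still-infected system can miss a service key that a kernel rootkit is hiding from user mode, which is why the helper's script runs AVZ's own rootkit search first; an export of the offline SYSTEM hive (from another OS or a rescue disk) does not have that problem.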
The script executed correctly; I aborted the installation and removed the hardware.
I can't send quarantine.zip from "Upload quarantined files": upload error, this file was uploaded before (I used this link yesterday when I wasn't able to send the file)...sorry!
The hosts file was FULL of very suspicious web addresses!!
Here are the new logs:
Now I only have to send you the quarantined files!
[QUOTE=garigo;547423]The hosts file was FULL of very suspicious web addresses!![/QUOTE]
Execute this script in AVZ:
[CODE]begin
ExecuteRepair(13);
end.[/CODE]
Make new logs: [B]virusinfo_syscheck[/B] and [B]hijackthis.[/B]
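The AVZ repair step above is the helper's answer to the hosts file "full of suspicious addresses". As an added example (not code from this thread or from AVZ), here is a Python audit of a Windows hosts file that shows what such a hijack looks like and what a responder should keep or drop: real hostnames pinned to 127.0.0.1 or 0.0.0.0 (the site becomes unreachable, the classic way of blocking antivirus update servers) or to an arbitrary public address (a redirect), while the ordinary private-network mappings that admins put there are left alone. The sample file is constructed; the thread's real hosts file is not shown, and the *.example names stand in for whatever domains an infection targets.

```python
"""Audit a Windows hosts file for hijacked entries.  Added example for this
thread, not code from the original posts or from AVZ.  On Windows XP the file
is %SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately map to the loopback address.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                      "ip6-localhost", "ip6-loopback"}

# Constructed sample (the thread's real file is not shown); the *.example names
# stand in for the vendor domains such lists usually target.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#       102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       www.av-vendor.example liveupdate.av-vendor.example
0.0.0.0         downloads.security-tool.example   # 0.0.0.0 blocks just like 127.0.0.1
10.0.0.5        intranet.corp.example             # private address: normal use, kept
1.2.3.4         www.bank.example                  # public address: a redirect, flagged
"""

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, hostnames) for each effective entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = body.split()
        if len(parts) >= 2:
            entries.append((n, parts[0], parts[1:]))
    return entries

def classify_entry(address: str, hostnames: List[str]) -> str:
    """Return 'ok', 'sinkhole', 'redirect', 'intranet' or 'malformed' for one entry."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if all(h.lower() in BENIGN_LOCAL_NAMES for h in hostnames):
        return "ok"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # a real site pinned to loopback/0.0.0.0 is unreachable
    if ip.is_global:
        return "redirect"   # a real site pinned to someone else's public host
    return "intranet"       # RFC 1918 / link-local: the usual legitimate use

def audit_hosts(text: str) -> List[Dict]:
    """List every entry an incident responder should look at."""
    findings = []
    for n, address, hostnames in parse_hosts(text):
        verdict = classify_entry(address, hostnames)
        if verdict in ("sinkhole", "redirect", "malformed"):
            findings.append({"line": n, "address": address,
                             "hostnames": hostnames, "verdict": verdict})
    return findings

def clean_hosts(text: str) -> str:
    """Return the file with flagged lines removed and everything else untouched."""
    bad = {f["line"] for f in audit_hosts(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['verdict']:<8} {f['address']:<15} "
              + " ".join(f["hostnames"]))
```

Writing the cleaned file back needs an administrator account, and on a box that is still infected the malware may simply rewrite it, which is why the thread removes the driver first and resets the hosts file afterwards. Entries classified as "intranet" are deliberately kept: a hosts file is the normal place for private-address overrides, and deleting them would break legitimate setups.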
I also have some .ini files not in their place, but I must find the exact English translation to say where they are!
new logs
I can see nothing harmful in your logs.
Then the problem is solved! Very good, but there is still a little problem with the .ini files;
I have one in the Start menu, one on the favourites bar(?) and one on the desktop.
How can I put them back in the right place? Could they be the last traces of the virus?
Can I post them?
Thank you very much for everything!!!
I apologise for this post, but I have these 4 desktop.ini files not in their place.
Since the virus modified the HOSTS file and, as you can see, these desktop.ini files concern communication, I think they could still cause some problem.
Can I delete them?
[CODE][.ShellClassInfo]
[email protected],-21786

[.ShellClassInfo]
LocalizedResourceName=@%windir%\System32\ieframe.dll.mui,-12385

[.ShellClassInfo]
[email protected],-21782
[LocalizedFileNames]
Assistenza remota.lnk=@%systemroot%\system32\rcbdyctl.dll,-152
Internet [email protected],-11001
Outlook [email protected],-11004.

[.ShellClassInfo]
[email protected],-21782
[LocalizedFileNames]
Windows Movie Maker.lnk=@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446[/CODE]
[QUOTE=garigo;548615]I ask you sorry for this post but I've these 4 file desktop.ini not at thir place.[/QUOTE]
I have 3 desktop.ini files. Do I need to remove them too?
[QUOTE=garigo;548615]Since the virus modified the HOSTS file and, how you can see, these file desktop.ini concerne communication, I think that they should cause still any problem.[/QUOTE]
I don't think so.
[QUOTE=garigo;548615]Can I delete them?[/QUOTE]
No.
[QUOTE=Aleksandra]I have 3 desktop.ini files. Do I need to remove them too?[/QUOTE]
But not everywhere: on the desktop, among the programs etc., I suppose!
In the right place...this is the problem...which is the right place for all these files, please?