I'm disappointed. Where is the Bagle?
The heart decides whom to love... Fate decides whom to be with...
I scanned with Malwarebytes and Kaspersky and the report was Bagle!!
Some programs cannot be opened, like VLC, and if I try to run Elibagla it says that it is not a valid Win32 application.
I can't understand.....
Added 16 minutes later
Kaspersky: win32.bagle.ceu
Last edited by garigo; 22.12.2009 at 02:43. Reason: Added
OK, read the rules and make 3 logfiles (syscure, syscheck, HijackThis).
I must explain well:
I ran the following programs in this order:
1) MBAM
2) ComboFix
3) Prevx 3.0
I have logs of all of them.
After these programs I ran the Kaspersky removal tool.
It found win32.bagle.ceu. I read it just a moment before the program shut down and XP restarted. I have no log of this operation.
After this first check with the Kaspersky removal tool I made another check (manually) and the result is in the file I've attached. Probably many malicious threats had been removed.
If you want, I can attach the MBAM/ComboFix/Prevx 3.0 log(s) from when the infection was still fully active!
I hope you can understand!!!
Added 1 hour 18 minutes later
In the meantime I scanned the computer with Elibagla; result: UTIYODU4.SYS --> Bagle (rootkit).
Also, access denied to these folders:
c:\documents and settings\myname\impostazioni locali\dati applicazioni\microsoft\cardspace (8210)
c:\programmi\adobe\reader8.0\resource\cmap (16)
Elibagla log:
http://www.wikisend.com/download/442036/elibaglalog
Last edited by garigo; 22.12.2009 at 17:30. Reason: Added
When I rebooted the PC after the Elibagla scan, Notepad opened with this message:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
Please read the rules http://virusinfo.info/showthread.php?t=9184
*Do not attach any other logfiles except for those of AVZ and HJT unless requested.
I'm here again, sorry for the misunderstanding; I have the three logs but I can't understand how to send them, sorry!!
I can't proceed with appendices 2 and 3 (file search in AVZ and How to send us requested files).
Last edited by garigo; 27.12.2009 at 20:19.
ok....thank you!
I think it'd be more difficult to do...
Close/disable all applications except AVZ and Internet Explorer.
- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore
- Execute the following script
If after the reboot the system tries to install any unknown hardware, abort the installation and remove the unknown hardware in Device Manager.
Code:
    begin
      // Look for rootkit hooks first, then arm AVZGuard so the malware
      // cannot interfere while the rest of the script runs.
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      ClearQuarantine;
      // Stop and unregister the driver service the rootkit installed.
      StopService('iMSPCLOj');
      DeleteService('iMSPCLOj');
      // Keep a copy of the driver for analysis, then delete it together
      // with everything else in the user's Temp directory.
      QuarantineFile('C:\DOCUME~1\pier\IMPOST~1\Temp\iMSPCLOj.sys','');
      DeleteFile('C:\DOCUME~1\pier\IMPOST~1\Temp\iMSPCLOj.sys');
      DeleteFileMask('C:\DOCUME~1\pier\IMPOST~1\Temp','*.*',true);
      // Hand the pending deletions to BootCleaner so they are carried out
      // at the next boot, before the driver can load again.
      BC_ImportAll;
      ExecuteSysClean;
      BC_Activate;
      BC_DeleteSvc('iMSPCLOj');
      // Pack the quarantine for upload, enable AVZPM, reboot.
      CreateQurantineArchive('C:\quarantine.zip');
      SetAVZPMStatus(True);
      RebootWindows(true);
    end.
After reboot:
- Replace the hosts file: http://virusinfo.info/showpost.php?p=514996&postcount=2
- Upload C:\quarantine.zip via the link "Upload quarantined files" at the top of this page.
- Make new logs and attach them to the new posting.
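The hosts-file replacement in the step above is worth checking before the file is overwritten, because the entries themselves tell you what the infection was doing. The following is an added example, not code from the thread, from AVZ or from any of the tools mentioned: a Python script that parses hosts-file text and reports every mapping that is not the stock "127.0.0.1 localhost" line, distinguishing names sinkholed to loopback (typically vendor update sites) from names redirected to a real address. SAMPLE_HOSTS is constructed for illustration (documentation IPs and .test names) and is not the user's actual file.

```python
"""Triage a Windows hosts file for blocking and redirect entries.

Added example, not code from the thread or from AVZ: it parses hosts-file
text and reports every mapping that is not the stock "127.0.0.1 localhost"
line.  SAMPLE_HOSTS is constructed for illustration (documentation IPs and
.test names), not the contents of the user's file.
"""
import ipaddress

# Names that legitimately map to loopback on a stock Windows hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(ip, name):
    """Label one mapping: ok, blocked (sinkholed), redirected or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        # 127.x or 0.0.0.0: anything but localhost is being sinkholed,
        # the classic way malware blocks AV update sites.
        return "ok" if name in LOOPBACK_NAMES else "blocked"
    # A routable address: the name is being redirected somewhere else.
    return "redirected"


def triage_hosts(text):
    """Return [(verdict, hostname, ip)] for every non-default entry."""
    return [
        (verdict, name, ip)
        for ip, name in parse_hosts(text)
        if (verdict := classify(ip, name)) != "ok"
    ]


# Constructed sample in the layout of a Windows XP hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test
127.0.0.1       update.example-av-vendor.test   # blocks AV updates
198.51.100.23   www.example-bank.test           # silent redirect
"""

if __name__ == "__main__":
    for verdict, name, ip in triage_hosts(SAMPLE_HOSTS):
        print(f"{verdict:<10} {name} -> {ip}")
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts before replacing the file; a long list of "blocked" vendor names confirms why the removal tools could not update, and any "redirected" entry is worth keeping as evidence of where traffic was being sent.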
The script executed correctly; I aborted the installation and removed the hardware.
I can't send quarantine.zip from "Upload quarantined files": upload error, this file was uploaded before (I used this link yesterday when I wasn't able to send the file)... sorry!
The hosts file was FULL of very suspicious web addresses!!
Here are the new logs:
Now I have only to send you quarantined files!
Last edited by Rene-gad; 28.12.2009 at 20:37.
I also have some .ini files that are not in their place, but I must look for the exact English translation to say where they are!
new logs
Last edited by Rene-gad; 28.12.2009 at 20:38.
I can see nothing harmful in your logs.
Then the problem is solved! Very well, but there is still a little problem with the .ini files;
I have one on the Start menu, one on the preferred bar (?) and one on the desktop.
How can I put them in the right place? Could they be the last traces of the virus?
Can I post them?
Thank you very much for all!!!
Last edited by garigo; 28.12.2009 at 23:20.
I apologize for this post, but I have these 4 desktop.ini files that are not in their place.
Since the virus modified the HOSTS file and, as you can see, these desktop.ini files concern communication, I think they could still cause some problem.
Can I delete them?
[.ShellClassInfo]
[email protected],-21786
[.ShellClassInfo]
LocalizedResourceName=@%windir%\System32\ieframe.dll.mui,-12385
[.ShellClassInfo]
[email protected],-21782
[LocalizedFileNames]
Assistenza remota.lnk=@%systemroot%\system32\rcbdyctl.dll,-152
Internet [email protected],-11001
Outlook [email protected],-11004.
[.ShellClassInfo]
[email protected],-21782
[LocalizedFileNames]
Windows Movie Maker.lnk=@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446
but not everywhere, on the desktop, among the programs, etc., I suppose!
Quote from Alexsandra:
At the right place... this is the problem... which is the right place for all these files, please?
Last edited by garigo; 30.12.2009 at 19:22.
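The desktop.ini contents quoted in the posts above are Explorer folder-customization files: a value of the form "@<dll>,-<id>" tells Explorer to load string resource <id> from that DLL and display it as the localized folder or shortcut name. The following is an added example, not code from the thread: a Python script that parses such files, decodes each reference into the DLL and resource number it points at, and flags any reference whose DLL lives outside the Windows or Program Files trees (for instance in a Temp directory, where the driver quarantined earlier in the thread was found). SAMPLE_PROGRAMS follows the Start-menu file posted in the thread, with shell32.dll assumed where the posted copy is garbled; SAMPLE_SUSPECT is constructed to show a hit; the whitelist of trusted prefixes is an assumption for this example.

```python
"""Decode the resource references inside desktop.ini files.

Added example, not code from the thread.  A line such as
    LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787
tells Explorer to load string resource 21787 from shell32.dll and show it as
the folder's localized display name; [LocalizedFileNames] does the same for
each shortcut in the folder.  The script parses those "@dll,-id" values and
flags any whose DLL lives outside the Windows / Program Files trees.
SAMPLE_SUSPECT is constructed to show a hit.
"""
import configparser
import re

# "@<path>,-<id>"; the id is a string-table resource number.
REF_RE = re.compile(r"^@(?P<path>.+),-(?P<id>\d+)$")

# Where resource DLLs normally live on an English or Italian XP install,
# short (8.3) names included.  Assumed whitelist for this example.
TRUSTED_PREFIXES = (
    "%systemroot%", "%windir%", "c:\\windows",
    "c:\\progra~1", "c:\\program files", "c:\\programmi",
)


def parse_reference(value):
    """Return (dll_path, resource_id) for an '@path,-id' value, else None."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    return m.group("path"), int(m.group("id"))


def triage_desktop_ini(text):
    """Return (section, key, dll_path, resource_id, trusted) per reference."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. "LocalizedResourceName"
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            ref = parse_reference(value)
            if ref is None:
                continue  # not a resource reference (e.g. IconFile=...)
            path, rid = ref
            trusted = path.lower().startswith(TRUSTED_PREFIXES)
            findings.append((section, key, path, rid, trusted))
    return findings


def suspicious(text):
    """Only the references whose DLL is outside the trusted trees."""
    return [f for f in triage_desktop_ini(text) if not f[4]]


# Start-menu style desktop.ini as posted in the thread (Italian XP, 8.3 paths);
# the shell32.dll path is assumed where the posted copy is garbled.
SAMPLE_PROGRAMS = "\n".join([
    r"[.ShellClassInfo]",
    r"LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21782",
    r"[LocalizedFileNames]",
    r"Assistenza remota.lnk=@%systemroot%\system32\rcbdyctl.dll,-152",
    r"Windows Movie Maker.lnk=@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446",
]) + "\n"

# Constructed: a resource DLL sitting in the user's Temp folder.
SAMPLE_SUSPECT = "\n".join([
    r"[.ShellClassInfo]",
    r"LocalizedResourceName=@C:\DOCUME~1\user\IMPOST~1\Temp\example.dll,-1",
]) + "\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PROGRAMS, SAMPLE_SUSPECT):
        for section, key, path, rid, trusted in triage_desktop_ini(sample):
            flag = "ok      " if trusted else "SUSPECT "
            print(f"{flag}[{section}] {key}: string {rid} from {path}")
```

The point of the check is the DLL path, not the file's presence: a desktop.ini whose references all resolve into %SystemRoot% or Program Files is ordinary folder metadata, while one that loads strings from a DLL in Temp or a profile directory names a file that should be quarantined and examined.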