Franceskina
18-07-2008, 14:01
come da guida letta su questo forum ho utilizzato elibagla e avenger per eliminare un bagle. sembrerebbe tutto sistemato perchè su C:\WINDOWS\system32\drivers non mi compaiono più i due file hldrrr.exe e mdelk.exe.
adesso cosa devo fare? sono già stati cancellati definitivamente? perchè nella cartella muestras c'è il file hldrrr.exe, l'altro non so dove sia finito.
in ogni caso, vi posto i file log che sono usciti da elibagla e avenger così mi dite se finalmente è stato eliminato del tutto.
grazie!
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\drivers\mdelk.exe" deleted successfully.
Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\BAN_LIST.TXT" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\BAN_LIST.TXT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\m" not found!
Deletion of folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\m" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "C:\WINDOWS\system32\drivers\downld" deleted successfully.
Error: could not open folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\Roaming\m"
Deletion of folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\Roaming\m" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: folder "C:\WINDOWS\System32\drivers\down" not found!
Deletion of folder "C:\WINDOWS\System32\drivers\down" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA" deleted successfully.
Error: registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mule_st_key"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mule_st_key" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Fri Jul 18 12:21:15 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.60
a "[email protected]". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Eliminado Bagle
Fri Jul 18 12:22:44 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Restaurada Clave: "SafeBoot\Minimal y Network"
Restaurada Clave: "SafeBoot\Minimal y Network"
Fri Jul 18 12:23:10 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 7611
Nº Total de Ficheros: 98522
Nº de Ficheros Analizados: 13281
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
adesso cosa devo fare? sono già stati cancellati definitivamente? perchè nella cartella muestras c'è il file hldrrr.exe, l'altro non so dove sia finito.
in ogni caso, vi posto i file log che sono usciti da elibagla e avenger così mi dite se finalmente è stato eliminato del tutto.
grazie!
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\drivers\mdelk.exe" deleted successfully.
Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\BAN_LIST.TXT" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\BAN_LIST.TXT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\m" not found!
Deletion of folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\m" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "C:\WINDOWS\system32\drivers\downld" deleted successfully.
Error: could not open folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\Roaming\m"
Deletion of folder "C:\Documents and Settings\Giuseppe & Francesca\Dati applicazioni\Roaming\m" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: folder "C:\WINDOWS\System32\drivers\down" not found!
Deletion of folder "C:\WINDOWS\System32\drivers\down" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA" deleted successfully.
Error: registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mule_st_key"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mule_st_key" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Fri Jul 18 12:21:15 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.60
a "[email protected]". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Eliminado Bagle
Fri Jul 18 12:22:44 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Restaurada Clave: "SafeBoot\Minimal y Network"
Restaurada Clave: "SafeBoot\Minimal y Network"
Fri Jul 18 12:23:10 2008
EliBagle v11.60 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 11 de Julio del 2008)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 7611
Nº Total de Ficheros: 98522
Nº de Ficheros Analizados: 13281
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0