ho preso bagle sul pc di lavoro...

[dejan_11]

salve a tutti...è la prima volta che scrivo...come si evince dal titolo ho preso bagle sul pc di lavoro. ho fatto una scansione con bagle remover, e dopo con avenger, e il file di log successivo è questo:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Aug 30 11:37:40 2008

11:37:34: Error: Invalid syntax in command:
"replace with dummy:"
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "%SystemDrive%\WINDOWS\system32\drivers\hidr.e xe"
Disablement of driver "%SystemDrive%\WINDOWS\system32\drivers\hidr.e xe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "%SystemDrive%\WINDOWS\system32\drivers\srosa. sys"
Disablement of driver "%SystemDrive%\WINDOWS\system32\drivers\srosa. sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "%SystemDrive%\WINDOWS\system32\drivers\pci32. sys"
Disablement of driver "%SystemDrive%\WINDOWS\system32\drivers\pci32. sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "%SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe "
Disablement of driver "%SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe " failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "%SystemDrive%\WINDOWS\system32\drivers\mdelk. exe"
Disablement of driver "%SystemDrive%\WINDOWS\system32\drivers\mdelk. exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

[dejan_11]

Error: file "C:\WINDOWS\system32\drivers\hidr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hidr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\trusted.exe" not found!
Deletion of file "C:\WINDOWS\system32\trusted.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\hidr.exe"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\hidr.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\rosa.sys"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\rosa.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\m\list.oct"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\m\list.oct" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\m\data.oct"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\m\data.oct" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\m\flec006.exe"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\m\flec006.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\m\svrlist.oct"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\m\svrlist.oct" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\system32\re_file.exe"
Deletion of file "C:\system32\re_file.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\elist.xpt" not found!
Deletion of file "C:\elist.xpt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\m_hook.sys"
Deletion of file "C:\Documents and Settings\Stefano\Dati applicazioni\hidires\m_hook.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\WINDOWS\system32\drivers\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\hldrrr.ex_" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hldrrr.ex_" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\edlm.exe" not found!
Deletion of file "C:\WINDOWS\system32\edlm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\edlm2.exe" not found!
Deletion of file "C:\WINDOWS\system32\edlm2.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\ldR64.dll" not found!
Deletion of file "C:\Windows\system32\ldR64.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\german.exe" not found!
Deletion of file "C:\WINDOWS\system32\german.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\srosa.sys.XXX" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys.XXX" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mdelk.exe.XXX" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe.XXX" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wintems.exe.XXX" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe.XXX" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\1.exe" not found!
Deletion of file "C:\WINDOWS\system32\1.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\exefqd" not found!
Deletion of folder "C:\WINDOWS\exefqd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\exefnd" not found!
Deletion of folder "C:\WINDOWS\exefnd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\exefld" not found!
Deletion of folder "C:\WINDOWS\exefld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Stefano\Dati applicazioni\hidires" not found!
Deletion of folder "C:\Documents and Settings\Stefano\Dati applicazioni\hidires" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Stefano\Dati applicazioni\hidn" not found!
Deletion of folder "C:\Documents and Settings\Stefano\Dati applicazioni\hidn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "C:\Documents and Settings\Stefano\Dati applicazioni\m\shared"
Deletion of folder "C:\Documents and Settings\Stefano\Dati applicazioni\m\shared" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\Documents and Settings\Stefano\Dati applicazioni\m" not found!
Deletion of folder "C:\Documents and Settings\Stefano\Dati applicazioni\m" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\System32\drivers\down" not found!
Deletion of folder "C:\WINDOWS\System32\drivers\down" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\system32\drivers\downld" deleted successfully.
Folder "C:\WINDOWS\temp" deleted successfully.
Folder "C:\Documents and Settings\Stefano\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.
Folder "C:\Documents and Settings\Stefano\Impostazioni locali\Temporary Internet Files" deleted successfully.
Folder "C:\Documents and Settings\Stefano\Impostazioni locali\Temp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SR OSA" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PC I32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PC I32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\rosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\rosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ro sa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ro sa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\m_hook " not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\m_hook " failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_ HOOK" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_ HOOK" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SR OSA" deleted successfully.

Error: registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SR OSA" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SR OSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|hldrrr"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|hldrrr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|drvsyskit"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|drvsyskit" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|german.exe"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|german.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|drv_st_key"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n|drv_st_key" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Dopo la scansione il problema è sempre lo stesso: all'apertura del mio antivirus o dei miei programmi per spywaremi esce la dicitura : non è un'applicazionediwin32 valida. Come posso fare, visto che è il computer sul quale lavoro e avrei bisogno di risolvere senza formattare?

Grazie in anticipo....

[dejan_11]

scusate se ho diluito in due post ma mi diceva che la discussione era troppo lunga...

[hell's bells]

Per non sapere ne leggere ne scrivere...ricominciamo da capo se sei anche tu dell'idea e cerchiamo di fare le cose con un poco di ordine, non è mai una idea copiare gli script in giro, specialmente se hanno modifiche sul registro, questo lo dico non per compiacere la mia poca conoscenza di bagle ma per evitarti danni...detto questo, segui la procedura

scarica elibagla
lancia il programma e spunta '' ELIMINAR FICHEROS AUTOMATICAMENTE'' quando avra' finito salva il log che posterai qui nel forum

per postare il report, segui la scaletta:

1) andare sul sito http://www.savefile.com/
2) clicca su Upload My file
3) clicca su upload oppure registrarsi per avere più opzioni
4) clicca su browser e scegli il file di log, txt ecc dal tuo computer
5) compila i restanti campi e clicca su Upload File
6) copia ed incolla sul forum il link per il download che trovi sotto la voce [If you want to link directly to the file: ]

[Deifobe]

quale versione di vindows hai?

oltre a quello indicato da hell's

1) verifica se riesci ad andare in modalità provvisoria (unico metodo che devi usare per verificarlo: all'avvio del pc, prima che inizi a caricare Windows, premi ripetutamente F8. Uscirà la finestra del menu Opzioni avanzate di Windows => scegli modalità provvisoria - usa il tasto freccia ^)

2) verifica se visualizzi file e cartelle nascoste e se hai la possibilità di modificare quest'impostazione


edit: modificato

[dejan_11]

allora in modalità provvisorianon mi ci fa andare.....la visualizzazione di cartelle e file nascosti prima non si poteva attivare,ora dopo qualche modifica sullechiavidi registro fatta manualmente, si.....ho provato primacon elibagla e non mi ha dato risultati..ic riprovo e faccio sapere....grazie....

[dejan_11]

tra l'altro la cartella drivers di system32 ora la vedo, ma i file del bagle (hldrrr e srosa.sys) non si scorgono...

[hell's bells]

Aspetto il report poi cerco di capire che infezione sia o ci pensa Deifobe che è sicuramente molto più competente di me in materia, i files non li vedi se non hai attiva l'opzione della visualizzazione dei files nascosti sulla cartella.

[dejan_11]

mentre scorreva elibagla avg mi ha dato:


Potentially Unwanted Program

c:\wp\Windows XP Keygen.exe

e per ora l'ho messo in move to Vault...

[dejan_11]

ecco il logo di elibagla


http://www.savefile.com/files/1758898