#1
Posted by sparwari (moderator, digital cameras/camcorders and hi-tech electronics; joined Jun 2004; 7,667 posts)

Trojan horse, but maybe not only that

Let me say first that I usually don't browse a certain kind of risky site (cracks, adult content...), but for about 24 hours I have been noticing a problem.
It's a PC with Windows XP SP2 + all updates.
At boot, the Avast Home Edition antivirus warns me that it has detected a virus, and the alert is repeated at every boot.
Avast tells me it finds this file:

file name
C:\windows\system32\drivers\srosa.sys


malware name
Win32:Beagle-AAW [trj]

malware type
Trojan horse



I have already tried a few solutions:
- using System Restore, going back to a restore point from 10 days ago, but strangely, after the whole procedure, Windows tells me the restore was not performed because there were no changes between that date and today (and that's not true!)

- in the Documents folder I selected the Tools => Folder Options menu and wanted to enable "show hidden files" to try to go and look at the "virus" file that Avast reports, but the option to show hidden files is no longer among the entries!!!

- I tried rebooting Windows in safe mode with F8 (I wanted to run a scan with Avast), but I am prevented from doing so because shortly afterwards Windows restarts the boot from the beginning... without ever starting in safe mode

How can I proceed?
1... 2... 3... test

#2
Posted by sparwari
I just ran a scan with HijackThis

    -------------

    Logfile of HijackThis v1.99.1
    Scan saved at 16.11.31, on 09/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
    C:\Programmi\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Programmi\Logitech\Video\LogiTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Programmi\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
    C:\Programmi\Eraser\eraser.exe
    C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Programmi\Logitech\Video\FxSvr2.exe
    C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
    C:\Programmi\SpeedFan\speedfan.exe
    C:\Programmi\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\Alwil Software\Avast4\ashLogV.exe
    C:\h\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://10.0.0.2/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    F3 - REG:win.ini: run=
    O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programmi\Xi\NetXfer\NXToolBar.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [FlashIcon] C:\Programmi\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Acronis_True_Image Monitor] "C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\winsyser.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
    O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Programmi\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
    O4 - HKCU\..\Run: [Eraser] C:\Programmi\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [Spamihilator] "C:\Programmi\Spamihilator\spamihilator.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programmi\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: SpeedFan.lnk = C:\Programmi\SpeedFan\speedfan.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
    O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmi\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151918560046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162043576875
    O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/z...ylomloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C40DA5DB-205E-4921-8638-FEA11997F518}: NameServer = 213.205.32.70,213.205.36.70
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Programmi\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional Home XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional Home XII\RpcSandraSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
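A HijackThis log like the one above is normally triaged by eye. As an added example (not from this thread, HijackThis or any of the tools discussed here), the Python script below applies three checks a defender would make on the O4/O23 lines: an executable started from the drivers folder, a Run entry named after a Windows component, and file names that the removal lists posted later in this thread associate with this Bagle variant (the EliBagle log labels hldrrr.exe and mdelk.exe as Bagle.dldr). The sample lines are copied from the log above; the known-file set and the name-mimicry rule are my own heuristics, not something the thread states.

```python
import re
from typing import List, Tuple

# Sample input: O4/O23 lines copied from the HijackThis log posted in this thread,
# with two benign Run entries (avast!, Google Desktop) kept as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\winsyser.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# File names taken from the OTMoveIt/Avenger removal lists posted in this thread
# (assumption: treated here as known-bad for this Bagle variant).
KNOWN_BAGLE_FILES = {
    "hidr.exe", "srosa.sys", "wintems.exe", "hldrrr.exe", "trusted.exe",
    "pci32.sys", "mdelk.exe", "edlm.exe", "edlm2.exe", "german.exe", "m_hook.sys",
}

# Heuristic (my assumption): Windows Update is started by its service, not from a
# Run key, so a Run value carrying this name is a mimicry indicator.
MIMICKED_NAMES = {"windows update", "microsoft update"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|scr|com|bat))"?', re.IGNORECASE)


def extract_path(cmd: str) -> str:
    """Return the program path from a Run command (quoted or bare, arguments dropped)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Flag Run entries and services matching Bagle-style indicators.

    Returns (value name or service name, reason) pairs; benign lines are skipped.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, path = m.group("name"), extract_path(m.group("cmd"))
            norm = path.replace("/", "\\")
            fname = norm.rsplit("\\", 1)[-1].lower()
            parent = norm.rsplit("\\", 1)[0].lower()
            if fname in KNOWN_BAGLE_FILES:
                findings.append((name, f"{fname} is on this thread's Bagle file list"))
            elif parent.endswith("\\system32\\drivers") and fname.endswith(".exe"):
                # Only .sys files belong in the drivers folder; an .exe there is anomalous.
                findings.append((name, f"executable {fname} launched from the drivers folder"))
            elif name.lower() in MIMICKED_NAMES:
                findings.append((name, f"Run key named like a Windows component but runs {fname}"))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("cmd"):
            # A registered service whose binary is gone: leftover registration or tampering.
            findings.append((m.group("svc"), "service binary missing"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"[!] {name}: {reason}")
```

Run as-is, the script reports the "Windows Update" and "drvsyskit" Run entries and the Avast mail-scanner service; the two legitimate entries produce nothing. The checks are deliberately conservative: they flag only structural anomalies and names this thread ties to the infection, and a hit is a reason to look closer, not proof by itself.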

#3
You don't need HijackThis

The latest Beagle variants block Avenger;
fix it like this:
http://www.p2pforum.it/forum/showthread.php?t=303329
    Eset Statik-Shadow Defender-Hypersight RD-System Safety Monitor

#4
Posted by sparwari
Originally posted by Demonios@
You don't need HijackThis

The latest Beagle variants block Avenger;
fix it like this:
http://www.p2pforum.it/forum/showthread.php?t=303329
bye

Should I follow the instructions that the user DucaBianco gives in that thread?

#5
Posted by sparwari
In the linked thread, the user Duca Bianco suggests going to this link
http://www.eset.com/onlinescan/scanner.php?i_agree=14
but I can't get there, and my IE6 browser freezes

#6
Posted by sparwari
Here is what I did, based on the link
http://www.p2pforum.it/forum/showthread.php?t=303329
that was pointed out to me:

1 - I disabled "System Restore" and tried to run
the online scan http://www.eset.com/onlinescan/scanner.php?i_agree=14: it does NOT work (IE6 crashes on me), but I went ahead anyway

2 - I disconnected from the internet

3 - launched EliBagle
http://www.zonavirus.com/datos/desca...5/elibagla.asp
(to get it to start I tried several times, because it seemed to close by itself...)
and then it ran a scan

4 - when it finished, I rebooted and then used EliBagle again

5 - when that finished, I rebooted the OS in safe mode (with F8) (now I can get into safe mode!!)

6 - I launched OTMoveIt2.exe
http://download.bleepingcomputer.com.../OTMoveIt2.exe

Copy/paste the following into the "Paste List of Files/Folders to be moved" window

    %SystemDrive%\WINDOWS\system32\drivers\hidr.exe
    %SystemDrive%\WINDOWS\system32\drivers\srosa.sys
    %SystemDrive%\WINDOWS\system32\wintems.exe
    %SystemDrive%\WINDOWS\system32\hldrrr.exe
    %SystemDrive%\WINDOWS\system32\trusted.exe
    %SystemDrive%\WINDOWS\system32\drivers\pci32.sys
    %UserProfile%\Dati applicazioni\hidires\hidr.exe
    %UserProfile%\Dati applicazioni\hidires\rosa.sys
    %UserProfile%\Dati applicazioni\m\list.oct
    %UserProfile%\Dati applicazioni\m\data.oct
    %UserProfile%\Dati applicazioni\m\flec006.exe
    %SystemDrive%\system32\re_file.exe
    %SystemDrive%\elist.xpt
    %UserProfile%\Dati applicazioni\hidires\m_hook.sys
    %SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe
    %SystemDrive%\WINDOWS\system32\drivers\hldrrr.ex_
    %SystemDrive%\WINDOWS\system32\mdelk.exe
    %SystemDrive%\WINDOWS\system32\drivers\mdelk.exe
    %SystemDrive%\WINDOWS\system32\drivers\pci32.sys
    %SystemDrive%\WINDOWS\system32\edlm.exe
    %SystemDrive%\WINDOWS\system32\edlm2.exe
    %SystemDrive%\Windows\system32\ldR64.dll
    %SystemDrive%\WINDOWS\system32\german.exe
    %SystemDrive%\WINDOWS\system32\drivers\srosa.sys.
    %SystemDrive%\WINDOWS\system32\mdelk.exe.
    %SystemDrive%\WINDOWS\system32\wintems.exe.
    %SystemDrive%\WINDOWS\system32\1.exe
    %SystemDrive%\WINDOWS\exefqd
    %SystemDrive%\WINDOWS\exefnd
    %SystemDrive%\WINDOWS\exefld
    %UserProfile%\Dati applicazioni\hidires
    %UserProfile%\Dati applicazioni\hidn
    %UserProfile%\Dati applicazioni\m
    %SystemDrive%\WINDOWS\System32\drivers\down
    %SystemDrive%\WINDOWS\system32\drivers\downld
    %SystemDrive%\WINDOWS\temp\
    %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5
    %UserProfile%\Impostazioni locali\Temporary Internet Files
    %UserProfile%\Impostazioni locali\Temp
click MoveIt and, when the operation finishes, if you are prompted to reboot, DON'T do it!!

7 - I used EliBagle again

8 - I rebooted

9 - there is one last step, though, that I did NOT do: "try to install your antivirus".
Meaning what?
I tried clicking the setup file of my antivirus, but doing that, it asks me to uninstall it from the PC...

What should I do???

---------

I'll add that I have now obviously reconnected the PC to the internet (otherwise how would I be writing on the forum?)

---------

I'll also point out that even NOW, in the Documents folder, I selected the Tools => Folder Options menu and wanted to enable "show hidden files", but the option to show hidden files is still missing from the list!!!
How come it still isn't there???

#7
Posted by sparwari
I'm also posting the EliBagle log C:\InfoSat.txt and the OTMoveIt2 log from C:\_OTMoveIt\MovedFiles

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
C:\InfoSat.txt

    Fri May 09 17:10:12 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Renombrado a .VIR

    Fri May 09 17:11:24 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    Restaurada Clave: "SafeBoot\Minimal y Network"

    Fri May 09 17:11:42 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Fri May 09 17:11:57 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    Restaurada Clave: "SafeBoot\Minimal y Network"

    Fri May 09 17:12:05 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Fri May 09 17:12:24 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    Restaurada Clave: "SafeBoot\Minimal y Network"

    Fri May 09 17:12:25 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Fri May 09 17:13:03 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    Restaurada Clave: "SafeBoot\Minimal y Network"

    Fri May 09 17:13:04 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Fri May 09 17:16:47 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    C:\WINDOWS\SYSTEM32\Drivers\HLDRRR.EXE.VIR --> Eliminado
    Restaurada Clave: "SafeBoot\Minimal y Network"

    Fri May 09 17:17:18 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\
    C:\Programmi\ATI Multimedia\main\ATIDTCT.EXE --> Eliminado Bagle.dldr
    C:\WINDOWS\system32\drivers\MDELK.EXE --> Eliminado Bagle.dldr

    Nº Total de Directorios: 14716
    Nº Total de Ficheros: 211296
    Nº de Ficheros Analizados: 13437
    Nº de Ficheros Infectados: 2
    Nº de Ficheros Limpiados: 2

    Fri May 09 17:36:44 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Nº Total de Directorios: 124
    Nº Total de Ficheros: 1131
    Nº de Ficheros Analizados: 78
    Nº de Ficheros Infectados: 0
    Nº de Ficheros Limpiados: 0
    Exploración Detenida por el Usuario.

    Fri May 09 17:39:31 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):

    Fri May 09 17:39:32 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Nº Total de Directorios: 724
    Nº Total de Ficheros: 4169
    Nº de Ficheros Analizados: 82
    Nº de Ficheros Infectados: 0
    Nº de Ficheros Limpiados: 0
    Exploración Detenida por el Usuario.

    Fri May 09 17:48:33 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):

    Fri May 09 17:48:35 2008
    EliBagle v11.33 (c)2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\

    Nº Total de Directorios: 14728
    Nº Total de Ficheros: 211695
    Nº de Ficheros Analizados: 13432
    Nº de Ficheros Infectados: 0
    Nº de Ficheros Limpiados: 0

#8
Posted by sparwari
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
C:\_OTMoveIt\MovedFiles\05092008_174530.log


    < %SystemDrive%\WINDOWS\system32\drivers\hidr.exe >
    Folder C:\WINDOWS\system32\drivers\hidr.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\srosa.sys >
    Folder C:\WINDOWS\system32\drivers\srosa.sys not found.
    < %SystemDrive%\WINDOWS\system32\wintems.exe >
    Folder C:\WINDOWS\system32\wintems.exe not found.
    < %SystemDrive%\WINDOWS\system32\hldrrr.exe >
    Folder C:\WINDOWS\system32\hldrrr.exe not found.
    < %SystemDrive%\WINDOWS\system32\trusted.exe >
    Folder C:\WINDOWS\system32\trusted.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\pci32.sys >
    Folder C:\WINDOWS\system32\drivers\pci32.sys not found.
    < %UserProfile%\Dati applicazioni\hidires\hidr.exe >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\hidires\hidr.exe not found.
    < %UserProfile%\Dati applicazioni\hidires\rosa.sys >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\hidires\rosa.sys not found.
    < %UserProfile%\Dati applicazioni\m\list.oct >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\m\list.oct not found.
    < %UserProfile%\Dati applicazioni\m\data.oct >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\m\data.oct not found.
    < %UserProfile%\Dati applicazioni\m\flec006.exe >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\m\flec006.exe not found.
    < %SystemDrive%\system32\re_file.exe >
    Folder C:\system32\re_file.exe not found.
    < %SystemDrive%\elist.xpt >
    Folder C:\elist.xpt not found.
    < %UserProfile%\Dati applicazioni\hidires\m_hook.sys >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\hidires\m_hook.sys not found.
    < %SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe >
    Folder C:\WINDOWS\system32\drivers\hldrrr.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\hldrrr.ex_ >
    Folder C:\WINDOWS\system32\drivers\hldrrr.ex_ not found.
    < %SystemDrive%\WINDOWS\system32\mdelk.exe >
    Folder C:\WINDOWS\system32\mdelk.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\mdelk.exe >
    Folder C:\WINDOWS\system32\drivers\mdelk.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\pci32.sys >
    Folder C:\WINDOWS\system32\drivers\pci32.sys not found.
    < %SystemDrive%\WINDOWS\system32\edlm.exe >
    Folder C:\WINDOWS\system32\edlm.exe not found.
    < %SystemDrive%\WINDOWS\system32\edlm2.exe >
    Folder C:\WINDOWS\system32\edlm2.exe not found.
    < %SystemDrive%\Windows\system32\ldR64.dll >
    Folder C:\Windows\system32\ldR64.dll not found.
    < %SystemDrive%\WINDOWS\system32\german.exe >
    Folder C:\WINDOWS\system32\german.exe not found.
    < %SystemDrive%\WINDOWS\system32\drivers\srosa.sys. >
    Folder C:\WINDOWS\system32\drivers\srosa.sys. not found.
    < %SystemDrive%\WINDOWS\system32\mdelk.exe. >
    Folder C:\WINDOWS\system32\mdelk.exe. not found.
    < %SystemDrive%\WINDOWS\system32\wintems.exe. >
    Folder C:\WINDOWS\system32\wintems.exe. not found.
    < %SystemDrive%\WINDOWS\system32\1.exe >
    Folder C:\WINDOWS\system32\1.exe not found.
    < %SystemDrive%\WINDOWS\exefqd >
    Folder C:\WINDOWS\exefqd not found.
    < %SystemDrive%\WINDOWS\exefnd >
    Folder C:\WINDOWS\exefnd not found.
    < %SystemDrive%\WINDOWS\exefld >
    Folder C:\WINDOWS\exefld not found.
    < %UserProfile%\Dati applicazioni\hidires >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\hidires not found.
    < %UserProfile%\Dati applicazioni\hidn >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\hidn not found.
    < %UserProfile%\Dati applicazioni\m >
    Folder C:\Documents and Settings\utente1\Dati applicazioni\m not found.
    < %SystemDrive%\WINDOWS\System32\drivers\down >
    Folder C:\WINDOWS\System32\drivers\down not found.
    < %SystemDrive%\WINDOWS\system32\drivers\downld >
    C:\WINDOWS\system32\drivers\downld moved successfully.
    < %SystemDrive%\WINDOWS\temp\ >
    Folder C:\WINDOWS\temp\ not found.
    < %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5 >
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\ZTU3C1QV moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\XWC3D5O5 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\XKP9B9XJ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\XG11F1LN moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\X9W2OJPJ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\WXMJGP2N moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\VYT0DNRJ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\VKXRSOH1 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\UMR1HJ57 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\S1YV0P2B moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\QHO36DA5 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\OPIRS56Z moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\O1UNWHAR moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\L239LEGQ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\JF5TPLLQ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\G1QV0HAF moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\ET7JINKN moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\EQYDTHCA moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\CF3JQSDX moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\CDMJ8HAR moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\BIY7YQGG moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\A7OZ1YVY moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\8PM7CLIN moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\8HE7SHQ3 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\8DAN0PEJ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\6Q2DTLOA moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\4DEFOTAZ moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5\2F8JLQ7E moved successfully.
    Folder move failed. C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
    < %UserProfile%\Impostazioni locali\Temporary Internet Files >
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.Word moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.MSO moved successfully.
    Folder move failed. C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\4P6N25BL\PN8SRZMS\Offline moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\4P6N25BL\PN8SRZMS moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\4P6N25BL moved successfully.
    Folder move failed. C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files scheduled to be moved on reboot.
    < %UserProfile%\Impostazioni locali\Temp >
    Folder move failed. C:\Documents and Settings\utente1\Impostazioni locali\Temp scheduled to be moved on reboot.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05092008_174530

    Files moved on Reboot...
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files\Content.IE5 moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temporary Internet Files moved successfully.
    C:\Documents and Settings\utente1\Impostazioni locali\Temp moved successfully.

#9
Posted by sparwari
I'll add that, taking my cue from here
http://www.megalab.it/forum/viewtopic.php?t=42979

I downloaded Avenger
http://swandog46.geekstogo.com/avenger.zip
and ran it. I then pasted these lines into the white box that opened


    Files to delete:
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\wintems.exe
    C:\windows\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\1.exe
    C:\WINDOWS\system32\drivers\mdelk.exe
    C:\WINDOWS\system32\drivers\1.exe
    C:\Avenger\hldrrr.exe
    C:\Avenger\mdelk.exe
    C:\Avenger\srosa.sys
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Users\Chiara\Supercartella\Internet\getrgt.exe

    Folders to delete:
    C:\WINDOWS\system32\drivers\downld
    C:\WINDOWS\system32\drivers\down

    Registry keys to delete:
    HKLM\SYSTEM\CurrentControlSet\Services\srosa
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA

    I unchecked the Scan for Rootkits option and then pressed the Execute button.
    Having answered Yes to Avenger's two prompts, the PC should reboot; if it doesn't, reboot it manually yourself.
    [If Avenger tells you the script is not valid (Invalid script), manually retype the first command (Files to delete) without forgetting the trailing colon.]

    When the computer rebooted, a log file appeared at C:\avenger.txt; I'm copying its contents for you:


    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:


    Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\wintems.exe" not found!
    Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\windows\system32\drivers\hldrrr.exe" not found!
    Deletion of file "C:\windows\system32\drivers\hldrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
    Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\1.exe" not found!
    Deletion of file "C:\WINDOWS\system32\1.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\mdelk.exe" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\mdelk.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\drivers\1.exe" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\1.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\Avenger\hldrrr.exe" not found!
    Deletion of file "C:\Avenger\hldrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\Avenger\mdelk.exe" not found!
    Deletion of file "C:\Avenger\mdelk.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\Avenger\srosa.sys" not found!
    Deletion of file "C:\Avenger\srosa.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: could not open file "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
    Deletion of file "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" failed!
    Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
    --> bad path / the parent directory does not exist


    Error: could not open file "C:\Users\Chiara\Supercartella\Internet\getrgt.exe "
    Deletion of file "C:\Users\Chiara\Supercartella\Internet\getrgt.exe " failed!
    Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
    --> bad path / the parent directory does not exist


    Error: folder "C:\WINDOWS\system32\drivers\downld" not found!
    Deletion of folder "C:\WINDOWS\system32\drivers\downld" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "C:\WINDOWS\system32\drivers\down" not found!
    Deletion of folder "C:\WINDOWS\system32\drivers\down" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
    Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" not found!
    Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
    1... 2... 3... testing
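Reading an Avenger log by hand, as in the post above, makes it easy to miss the difference between "the object is already gone" (STATUS_OBJECT_NAME_NOT_FOUND, which is the expected result when Avast or OTMoveIt removed the file first) and "the path you pasted can never match" (STATUS_OBJECT_PATH_NOT_FOUND, as for the `C:\Users\...` line, a Vista-style profile path that does not exist on Windows XP, and the entry with a space inside the quotes). The following parser is an added example for this thread, not code from Avenger or from the forum post; the failure and Status line formats are taken from the log above, while the success-line format (`File "..." deleted successfully.`) and the `C:\EXAMPLE\dropper.exe` path in the sample are assumptions.

```python
"""Triage helper for an Avenger (Swandog46) log: classifies each deletion
attempt so a reader can tell "already gone" from "wrong path" at a glance.
Added example for this thread; it is not part of Avenger or the forum post.
The failure/Status line format is taken from the log posted above; the
success-line format ('File "..." deleted successfully.') is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: three failed entries copied from the thread's log plus
# one assumed success line (hypothetical path) so both branches are exercised.
SAMPLE_LOG = r"""Beginning to process script file:

Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "C:\Users\Chiara\Supercartella\Internet\getrgt.exe "
Deletion of file "C:\Users\Chiara\Supercartella\Internet\getrgt.exe " failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\EXAMPLE\dropper.exe" deleted successfully.

Completed script processing.
"""

_FAILED = re.compile(r'^Deletion of (file|folder|registry key) "(.*)" failed!$')
_STATUS = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')
_OK = re.compile(r'^(File|Folder|Registry key) "(.*)" deleted successfully\.$')

# NTSTATUS name -> what it means for a cleanup script.
_OUTCOME = {
    "STATUS_OBJECT_NAME_NOT_FOUND": "absent",    # already removed, or never there
    "STATUS_OBJECT_PATH_NOT_FOUND": "bad_path",  # a parent folder or key is missing
}


@dataclass
class Entry:
    kind: str                      # "file", "folder" or "registry key"
    target: str                    # path or key exactly as Avenger printed it
    outcome: str                   # "deleted", "absent", "bad_path" or "failed"
    status: str = ""               # NTSTATUS name, empty on success
    warnings: List[str] = field(default_factory=list)


def _check_target(target: str) -> List[str]:
    """Flag pasted targets that cannot match the intended object."""
    warnings: List[str] = []
    if target != target.strip():
        warnings.append("whitespace inside the quotes: the tool looked for a "
                        "differently named object than the one intended")
    return warnings


def parse_avenger_log(text: str) -> List[Entry]:
    """Walk the log once; a failed entry's Status line follows it directly."""
    entries: List[Entry] = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ok = _OK.match(lines[i])
        failed = _FAILED.match(lines[i])
        if ok:
            entries.append(Entry(ok.group(1).lower(), ok.group(2), "deleted",
                                 warnings=_check_target(ok.group(2))))
        elif failed:
            status = ""
            if i + 1 < len(lines):
                st = _STATUS.match(lines[i + 1])
                if st:
                    status = st.group(2)
                    i += 1  # consume the Status line
            entries.append(Entry(failed.group(1), failed.group(2),
                                 _OUTCOME.get(status, "failed"), status,
                                 _check_target(failed.group(2))))
        i += 1
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count outcomes; anything in 'failed' or 'bad_path' needs a second look."""
    counts = {"deleted": 0, "absent": 0, "bad_path": 0, "failed": 0}
    for e in entries:
        counts[e.outcome] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for e in parsed:
        flag = "  <-- check script line" if e.warnings else ""
        print(f"{e.outcome:8} {e.kind:12} {e.target!r}{flag}")
    print(summarize(parsed))
```

Run against the full C:\avenger.txt, every entry in the post above lands in `absent` or `bad_path`: nothing was actually deleted by this run, which is consistent with the earlier tools having removed the Beagle components, while the two `bad_path` entries show that lines copied from someone else's script (a different profile layout, a stray space) were never going to match anything on this machine.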

  10. #10
    Moderator of digital photo/video cameras and hi-tech electronics, sparwari's avatar
    Joined
    Jun 2004
    Posts
    7,667
    While waiting for some kind soul to come into this thread and give me a hand, I'm running an online scan of the whole C: drive with Kaspersky here
    http://www.kaspersky.com/kos/eng/par...avwebscan.html
    I have temporarily disabled my Avast Home Edition antivirus, which does NOT appear to have been "damaged" by Beagle; in fact Avast still shows as installed and working. But I'd like to understand:

    A - could you take a look at the various logs I posted, to see whether there's anything else I need to do to verify that everything is OK?

    B - how can I get the "show hidden files and folders" option back?

    C - how will I be able to use the "System Restore" function again without problems?
    1... 2... 3... testing
