Hi everyone.
I have been fighting a trojan called small.kl for days.
It seems to reside in the file lotus-checker.exe, an executable that I am nevertheless unable to remove.
This, pardon the term, scumbag is regularly and constantly detected by the AV (AntiVir Guard), but none of the systems I have used so far (I can't even remember them all) seems able to eradicate it. The AV can't even put it in quarantine.
- Let me say up front that I am not a "wild downloader" and that the PC is almost always used only by me
- that every time I try to remove, or even just modify, the said nasty (by removing, for example, the read-only attribute) every alarm imaginable goes off
- that I have already tried scans in safe mode and the tools I read about for other situations on the forum
- that I cannot find the files listed at the following link: http://www.avira.com/it/threats/sect...all.ki.2.html, which should be the ones relating to this trojan
- that nothing in particular is detected by Spybot and Ad-Aware, while it is found by Ewido
- Finally, I am attaching the HijackThis log and, further below, the log of the scan with the AV
Can you give me another tip? How can I eradicate it manually?
I have been fighting it for five days, I really can't take it any more.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 8.27.03, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\ESTsoft\ALZip\ALZip.exe
C:\Programmi\ESTsoft\ALZip\ALZip.exe
C:\Documents and Settings\SEMPRON\Impostazioni locali\Temp\_AZTMP2_\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://picasa.google.com/help/welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PicBlock] C:\Programmi\PickBlock\picblock.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ScanPanel.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
AntiVir PersonalEdition Classic
Report file date: sabato 18 novembre 2006 10:41
Scanning for 556459 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SEMPRON
Computer name: SEMPRON-636FAA0
Version information:
AVSCAN.EXE : 7.0.0.47 200744 16/09/2006 06:26:04
AVSCAN.DLL : 7.0.0.45 41000 16/09/2006 06:26:04
LUKE.DLL : 7.0.0.47 118824 16/09/2006 06:26:04
LUKERES.DLL : 7.0.0.47 9256 16/09/2006 06:26:04
ANTIVIR0.VDF : 6.35.0.1 7371264 31/05/2006 17:42:18
ANTIVIR1.VDF : 6.36.1.24 2212864 14/11/2006 18:19:45
ANTIVIR2.VDF : 6.36.1.25 2048 14/11/2006 18:19:45
ANTIVIR3.VDF : 6.36.1.51 40448 17/11/2006 05:56:31
AVEWIN32.DLL : 7.2.0.39 1909248 08/11/2006 19:29:18
AVPREF.DLL : 7.0.0.2 23592 16/09/2006 06:26:04
AVREP.DLL : 6.36.1.1 925736 08/11/2006 19:29:17
AVRPBASE.DLL : 7.0.0.0 2162728 05/05/2006 15:24:50
AVPACK32.DLL : 7.2.0.5 368680 25/10/2006 18:10:51
AVREG.DLL : 6.31.0.90 27688 28/07/2005 10:06:36
NETNT.DLL : 6.32.0.0 6696 27/09/2005 07:56:50
NETNW.DLL : 7.0.0.0 9768 16/09/2006 06:26:04
RCIMAGE.DLL : 7.0.0.74 1642536 16/09/2006 06:26:01
RCTEXT.DLL : 7.0.1.4 77864 28/09/2006 15:46:44
Configuration settings for the scan:
Jobname.......................: ShlExt
Configuration file............: C:\DOCUME~1\SEMPRON\IMPOST~1\Temp\b2bc2664.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 0
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0
Start of the scan: sabato 18 novembre 2006 10:41
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting the file scan:
C:\WINDOWS\lotus-checker.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\atapi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd9181.sys
[WARNING] The file could not be opened!
End of the scan: sabato 18 novembre 2006 10:47
Used time: 06:26 min
The scan has been done completely.
1251 Scanning directories
41523 Files were scanned
0 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
295 Archives were scanned
14 Warnings
0 Notes
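Added example, not part of the original post: a small parser for AntiVir report lines of the kind shown above. The report counts zero detections but fourteen "could not be opened" warnings, and the useful check for anyone reading such a log is to separate files that are always locked while Windows is running (the registry hives under system32\config and their .LOG files) from files the scanner could not read for some other reason, which is where lotus-checker.exe lands. The sample text is a constructed excerpt in the shape of the report in the post, and the hive-directory allowlist is the only assumption the triage makes; everything outside it is simply marked for manual review, not declared malicious.

```python
import re

# Constructed excerpt in the shape of the AntiVir report quoted in the post.
SAMPLE_REPORT = """\
Starting the file scan:
C:\\WINDOWS\\lotus-checker.exe
[WARNING] The file could not be opened!
C:\\WINDOWS\\system32\\config\\SAM
[WARNING] The file could not be opened!
C:\\WINDOWS\\system32\\config\\software.LOG
[WARNING] The file could not be opened!
C:\\WINDOWS\\system32\\drivers\\sptd.sys
[WARNING] The file could not be opened!
End of the scan: sabato 18 novembre 2006 10:47
41523 Files were scanned
0 viruses and/or unwanted programs were found
14 Warnings
"""

# Registry hives are held open exclusively by the running OS, so a scanner
# failing to open them is expected and says nothing about malware.
HIVE_DIR = r"c:\windows\system32\config"


def parse_report(text):
    """Return (warnings, summary).

    warnings: list of (path, message) for every scanned object that was
              followed by a [WARNING] line.
    summary:  numeric totals from the report trailer, keyed by their label.
    """
    warnings = []
    summary = {}
    pending = None  # last path seen, waiting for a possible [WARNING]
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[WARNING]"):
            if pending is not None:
                warnings.append((pending, line[len("[WARNING]"):].strip()))
                pending = None
            continue
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if m:  # trailer lines such as "14 Warnings"
            summary[m.group(2)] = int(m.group(1))
            pending = None
            continue
        # An absolute Windows path is a scanned object; anything else resets.
        pending = line if re.match(r"^[A-Za-z]:\\", line) else None
    return warnings, summary


def triage(warnings):
    """Split unopenable files into expected (registry hives) and those
    that deserve a manual look."""
    expected, review = [], []
    for path, _msg in warnings:
        folder = path.rsplit("\\", 1)[0].lower()
        (expected if folder == HIVE_DIR else review).append(path)
    return expected, review


if __name__ == "__main__":
    found, totals = parse_report(SAMPLE_REPORT)
    expected, review = triage(found)
    print("scanned:", totals.get("Files were scanned"), "warnings:", totals.get("Warnings"))
    print("expected locked (hives):", expected)
    print("review manually:", review)
```

Running it on the full report from the post would leave the ten hive files in the expected bucket and put lotus-checker.exe, atapi.sys, sptd.sys and sptd9181.sys in the review list, which is the short list worth looking at with a file's properties, its signer and an offline scan.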
