Trojan ineliminabile

[Dejan82]

Salve ho un maledetto trojan che non riesco ad eliminare sul PC con l'antivirus ANTIVR (che puntalmente me lo individua ma non lo rimuove). Con cosa potrei rimuoverlo?

il trojan si chiama TR/Dlrd.small.asd; è dannoso?

[SkunkWorks 68]

...Provato da provvisoria??...Disabilitato il ripristino???...Puoi provare con lo scanner gratuito di Bitdefender...Posta poi il log di Hijackthis ...Ciao

[Dejan82]

ora provo...in ogni caso sapreste consigliarmi un buon antitrojan?

[bluepix]

Sicuramente si. Non è lì per fare un picnic

Metti il log di Hijackthis che vediamo di risolvere.

ciao

[Dejan82]

scusate che intedete per log di Hijackthis

[SkunkWorks 68]

Quote:

Originariamente inviato da bluepix

Sicuramente si. Non è lì per fare un picnic ...

...Comunque qui...http://www.hwupgrade.it/forum/showthread.php?t=937676
..Ciao

[Dejan82]

ecco il log:

Logfile of HijackThis v1.99.1
Scan saved at 10.52.22, on 13/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\Pocket USB ADSL Modem\CnxDslTb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\WINDOWS\System32\mshta.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Program Files\OrCAD_Demo\PSpice\AppMgr.exe
C:\Program Files\OrCAD_Demo\PSpice\PDesign.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\Crystal\Documenti\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 70.84.92.114 ultimaro.com
O1 - Hosts: 70.84.92.114 noobwars.gr
O1 - Hosts: 70.84.92.114 l2.noobwars.gr
O1 - Hosts: 70.84.92.114 forsakenl2.game-host.org
O1 - Hosts: 70.84.92.114 game-host.org
O1 - Hosts: 70.84.92.114 l2.gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com
O1 - Hosts: 70.84.92.114 l2.icn.lt
O1 - Hosts: 70.84.92.114 icn.lt
O1 - Hosts: 70.84.92.114 katsu.no-ip.org
O1 - Hosts: 70.84.92.114 no-ip.org
O1 - Hosts: 70.84.92.114 la2.arax.md
O1 - Hosts: 70.84.92.114 arax.md
O1 - Hosts: 70.84.92.114 rofal2.lostomega.net
O1 - Hosts: 70.84.92.114 lostomega.net
O1 - Hosts: 70.84.92.114 lineage2.lt
O1 - Hosts: 70.84.92.114 q-ro.net
O1 - Hosts: 70.84.92.114 runnybunny.net
O1 - Hosts: 70.84.92.114 fuckingyu.com
O1 - Hosts: 70.84.92.114 myfriendsro.com
O1 - Hosts: 70.84.92.114 meukro.com
O1 - Hosts: 70.84.92.114 arcticsilverfox.com
O1 - Hosts: 70.84.92.114 brightro.com
O1 - Hosts: 70.84.92.114 undercovergames.net
O1 - Hosts: 70.84.92.114 projectro.com
O1 - Hosts: 70.84.92.114 rusro.ru
O1 - Hosts: 70.84.92.114 viral.no-ip.com
O1 - Hosts: 70.84.92.114 no-ip.com
O1 - Hosts: 70.84.92.114 sero2k.myftp.biz
O1 - Hosts: 70.84.92.114 myftp.biz
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Pocket USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = ?
O4 - Global Startup: Windows Update.hta
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112383838546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://atlantide.virgilio.it/c6/down...derActiveX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0A756FB-5C90-40F7-8CB1-E1C01DA7484C}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

[SkunkWorks 68]

"O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll"
"O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll"
"O4 - Global Startup: Windows Update.hta"
...Questi sono molto sospetti,per cominciare...Aspettiamo Bluepix,o qualcuno d'altro...,per eventuali aggiunte o correzioni... ...ciao

[Dejan82]

il trojan dovrebbe stare in

C:\WINDOWS\System32\RUNDLL32.EXE


ma come si elimina poi una volta che lo avete individuato con il log?...intanto sto scansionando con BitDefender...

[bluepix]

Disabilita il system restore
Reboot in modalità provvisoria
Mostra i file nascosi

Lancia Hijackthis

metti il segno di spunta su le voce sotto elencate (leggi le istruzioni nel 3ad precedente)

O1 - Hosts: 70.84.92.114 ultimaro.com
O1 - Hosts: 70.84.92.114 noobwars.gr
O1 - Hosts: 70.84.92.114 l2.noobwars.gr
O1 - Hosts: 70.84.92.114 forsakenl2.game-host.org
O1 - Hosts: 70.84.92.114 game-host.org
O1 - Hosts: 70.84.92.114 l2.gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com
O1 - Hosts: 70.84.92.114 l2.icn.lt
O1 - Hosts: 70.84.92.114 icn.lt
O1 - Hosts: 70.84.92.114 katsu.no-ip.org
O1 - Hosts: 70.84.92.114 no-ip.org
O1 - Hosts: 70.84.92.114 la2.arax.md
O1 - Hosts: 70.84.92.114 arax.md
O1 - Hosts: 70.84.92.114 rofal2.lostomega.net
O1 - Hosts: 70.84.92.114 lostomega.net
O1 - Hosts: 70.84.92.114 lineage2.lt
O1 - Hosts: 70.84.92.114 q-ro.net
O1 - Hosts: 70.84.92.114 runnybunny.net
O1 - Hosts: 70.84.92.114 fuckingyu.com
O1 - Hosts: 70.84.92.114 myfriendsro.com
O1 - Hosts: 70.84.92.114 meukro.com
O1 - Hosts: 70.84.92.114 arcticsilverfox.com
O1 - Hosts: 70.84.92.114 brightro.com
O1 - Hosts: 70.84.92.114 undercovergames.net
O1 - Hosts: 70.84.92.114 projectro.com
O1 - Hosts: 70.84.92.114 rusro.ru
O1 - Hosts: 70.84.92.114 viral.no-ip.com
O1 - Hosts: 70.84.92.114 no-ip.com
O1 - Hosts: 70.84.92.114 sero2k.myftp.biz
O1 - Hosts: 70.84.92.114 myftp.biz
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O4 - Global Startup: Windows Update.hta

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

clikka Fix

scarica e lancia Ccleaner prelevabile dal sito http://www.ccleaner.com/

riabilita il syastem restore

riparti in modalità normale


fai uno scan on line con Panda

http://www.pandasoftware.com/product..._principal.htm

posta eventualmente il report di Panda e di Hijackthis

ciao

[Dejan82]

per system restore intendi il Ripristino di sistema?

[bluepix]

Si. Scusa la forma inglese.

[BravoGT83]

Quote:

Originariamente inviato da bluepix

Disabilita il system restore
Reboot in modalità provvisoria
Mostra i file nascosi

Lancia Hijackthis

metti il segno di spunta su le voce sotto elencate (leggi le istruzioni nel 3ad precedente)

O1 - Hosts: 70.84.92.114 ultimaro.com
O1 - Hosts: 70.84.92.114 noobwars.gr
O1 - Hosts: 70.84.92.114 l2.noobwars.gr
O1 - Hosts: 70.84.92.114 forsakenl2.game-host.org
O1 - Hosts: 70.84.92.114 game-host.org
O1 - Hosts: 70.84.92.114 l2.gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com.ar
O1 - Hosts: 70.84.92.114 gamersx.com
O1 - Hosts: 70.84.92.114 l2.icn.lt
O1 - Hosts: 70.84.92.114 icn.lt
O1 - Hosts: 70.84.92.114 katsu.no-ip.org
O1 - Hosts: 70.84.92.114 no-ip.org
O1 - Hosts: 70.84.92.114 la2.arax.md
O1 - Hosts: 70.84.92.114 arax.md
O1 - Hosts: 70.84.92.114 rofal2.lostomega.net
O1 - Hosts: 70.84.92.114 lostomega.net
O1 - Hosts: 70.84.92.114 lineage2.lt
O1 - Hosts: 70.84.92.114 q-ro.net
O1 - Hosts: 70.84.92.114 runnybunny.net
O1 - Hosts: 70.84.92.114 fuckingyu.com
O1 - Hosts: 70.84.92.114 myfriendsro.com
O1 - Hosts: 70.84.92.114 meukro.com
O1 - Hosts: 70.84.92.114 arcticsilverfox.com
O1 - Hosts: 70.84.92.114 brightro.com
O1 - Hosts: 70.84.92.114 undercovergames.net
O1 - Hosts: 70.84.92.114 projectro.com
O1 - Hosts: 70.84.92.114 rusro.ru
O1 - Hosts: 70.84.92.114 viral.no-ip.com
O1 - Hosts: 70.84.92.114 no-ip.com
O1 - Hosts: 70.84.92.114 sero2k.myftp.biz
O1 - Hosts: 70.84.92.114 myftp.biz
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O4 - Global Startup: Windows Update.hta

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

clikka Fix

scarica e lancia Ccleaner prelevabile dal sito http://www.ccleaner.com/

riabilita il syastem restore

riparti in modalità normale


fai uno scan on line con Panda

http://www.pandasoftware.com/product..._principal.htm

posta eventualmente il report di Panda e di Hijackthis

ciao

direi che hai tutto quello che ce da dire