
Thread: spoolsv.exe

  1. #1

    spoolsv.exe

    I think I've caught the very annoying spoolsv; how do I remove it?
    I'm attaching a HijackThis log.
    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 23.14.23, on 31/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Nicola\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: AmsServer
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Alice - {6D4ECF0C-C1D7-4799-983C-FF2AEFF3CD84} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Spooler di stampa (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    Il Marp is Il Marp

  2. #2
    OYS (HTML.it user, registered Apr 2006, 3,142 posts)
    Clean log.

    Spoolsv.exe is not a virus.

    Try installing the Windows Resource Kit (2000, XP, Server 2003) and use the Cleanspl.exe utility to clear any damaged drivers out of the print spooler.
    Be careful not to let it delete the default printer ones (Standard TCP/IP Port and BJ Language Monitor).
    Do a reboot; everything should go back to its "proper place".

  3. #3
    But then why does AVG flag it as a Trojan at every reboot, and after a while a dialer opens?

  4. #4
    To be precise, the Trojan that AVG reports is called clicker.fnv.
    Thanks

  5. #5
    OYS
    But in which folder does it find it?
    C:\windows, C:\temp ... ?

  6. #6
    It finds it in
    C:\DOCUME~1\Nicola\IMPOST~1\Temp\spoolsv32.exe
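The reasoning in posts #2, #5 and #6 comes down to where a process lives: a genuine spoolsv.exe runs from C:\WINDOWS\system32, while the file AVG keeps flagging is a look-alike, spoolsv32.exe, sitting in the user's Temp folder. The following Python script is an added example, not code from the thread or from HijackThis. It parses a constructed HijackThis-style excerpt (assumed format, modelled on the log in post #1 plus the path from post #6) and flags running processes whose name mimics a Windows system binary but whose directory is not a system directory, plus O23 services that HijackThis reports with "Unknown owner" or "(file missing)" for manual review. The system-binary list and the directory heuristics are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style excerpt (assumed format, modelled on the log in
# post #1 plus the Temp-folder path reported in post #6).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe
C:\\DOCUME~1\\Nicola\\IMPOST~1\\Temp\\spoolsv32.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Spooler di stampa (Spooler) - Unknown owner - C:\\WINDOWS\\system32\\spoolsv.exe (file missing)
"""

# Core Windows XP binaries that malware commonly imitates (assumption: a short
# hand-picked list, not an exhaustive one).
SYSTEM_BINARIES = ("smss", "csrss", "winlogon", "services", "lsass",
                   "svchost", "spoolsv", "explorer", "ctfmon")
# Directories (relative to the drive root, upper-cased) where those binaries
# legitimately live on XP.
SYSTEM_DIRS = {("WINDOWS",), ("WINDOWS", "SYSTEM32")}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and O23 services."""
    processes, services = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O23_RE.match(line)
        if m:
            svc = m.groupdict()
            svc["file_missing"] = svc["path"].endswith("(file missing)")
            svc["path"] = svc["path"].replace("(file missing)", "").strip()
            services.append(svc)
    return {"processes": processes, "services": services}


def suspicious_processes(processes):
    """Flag look-alike system binaries outside system dirs, and anything run from Temp."""
    flagged = []
    for p in processes:
        wp = PureWindowsPath(p)
        stem = wp.stem.lower()
        dirs = tuple(part.upper() for part in wp.parts[1:-1])  # drop drive and file name
        lookalike = any(stem.startswith(b) for b in SYSTEM_BINARIES)
        in_temp = any(d.startswith("TEMP") for d in dirs)
        if (lookalike and dirs not in SYSTEM_DIRS) or in_temp:
            flagged.append(p)
    return flagged


def services_to_review(services):
    """O23 entries worth a second look; this is not a malware verdict by itself.

    "Unknown owner" and "(file missing)" can be benign for a localized spooler
    entry, as post #2 concluded here, but they are the first thing to confirm.
    """
    return [s for s in services if s["owner"] == "Unknown owner" or s["file_missing"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for p in suspicious_processes(parsed["processes"]):
        print("suspicious process:", p)
    for s in services_to_review(parsed["services"]):
        print("review service:", s["name"], "->", s["path"],
              "(file missing)" if s["file_missing"] else "")
```

Run as-is it reports the Temp-folder spoolsv32.exe as suspicious and the Spooler service as an entry to review; the real spoolsv.exe in system32 and the AVG process are left alone, which matches the conclusion the thread reached.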

  7. #7
    OYS
    OK, it's the "RootKit DialCall".

    Download VirIT

    Install it, update it and run a full system scan.

    Run an online scan with Kaspersky.

    Post the results of the two logs.

  8. #8
    Attaching the two logs

    VirIT:
    VirIT eXplorer Lite Log

    [SCANSIONE DELLA MEMORIA]
    OK
    [SCANSIONE DELLA MEMORIA]
    [Hidden Services]
    xpdx - xpdx system driver - \??\C:\WINDOWS\system32\xpdx.sys

    OK
    --------------------------------------------------------
    02/06/2007 - 13:39:36

    [SCANSIONE DEL REGISTRO]
    OK

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\csrs.dll Infetto da Trojan.Win32.Small.QW
    C:\WINDOWS\system32\monwuyan.exe Infetto da Trojan.Win32.Agent.ATQ
    C:\WINDOWS\system32\svcjkski.exe Infetto da Trojan.Win32.Agent.AUF

    Chiavi Registro infette: 0.
    Files Infetti: 3.
    Files Sospetti: 0.
    Files Analizzati: 36323.
    Files Totali: 36323.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    Kaspersky:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, June 02, 2007 2:59:10 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 2/06/2007
    Kaspersky Anti-Virus database records: 315505
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 36635
    Number of viruses found: 2
    Number of infected objects: 2 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:44:01

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Dati applicazioni\Avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Dati applicazioni\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Dati applicazioni\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Nicola\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Nicola\Dati applicazioni\DLL_SYS_2recovery32.exe Infected: Trojan.Win32.Agent.qc skipped
    C:\Documents and Settings\Nicola\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Nicola\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Nicola\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Nicola\Impostazioni locali\Temporary Internet Files\Content.IE5\21GTGPEN\index[2].htm Infected: Trojan-Downloader.JS.Psyme.gy skipped
    C:\Documents and Settings\Nicola\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Nicola\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Nicola\ntuser.dat.LOG Object is locked skipped
    C:\Programmi\File comuni\deL.exe Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\IdeChnDr.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\xpdx.sys Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Thanks

  9. #9
    OYS
    Download http://swandog46.geekstogo.com/avenger.zip

    Run the file avenger.exe
    Select the "Input Script Manually" option
    Click the magnifying glass

    The "View/edit script" window opens
    Inside the white box, copy and paste the following script in green:


    files to delete:
    C:\WINDOWS\csrs.dll
    C:\WINDOWS\system32\monwuyan.exe
    C:\WINDOWS\system32\svcjkski.exe
    C:\Documents and Settings\Nicola\Dati applicazioni\DLL_SYS_2recovery32.exe
    C:\Documents and Settings\Nicola\Impostazioni locali\Temporary Internet Files\Content.IE5\21GTGPEN\index[2].htm


    Click the Done button
    Click the green traffic-light icon
    Answer Yes
    The PC should reboot on its own; otherwise reboot it manually. Go to C:\ and copy and paste the log generated by The Avenger



    Finally, check on www.virustotal.com whether this file is infected:

    C:\WINDOWS\system32\xpdx.sys
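Post #9 builds The Avenger's "files to delete:" block by hand from the two reports in post #8, and deliberately keeps the hidden xpdx.sys driver out of it, sending it to VirusTotal instead. The Python script below is an added example (not the thread's own code, and not part of VirIT, Kaspersky or The Avenger). It parses constructed excerpts in the same line formats as the two reports, merges what each scanner actually convicted, produces the deletion block from confirmed detections only, and lists hidden drivers that no scanner convicted as items to verify first, noting when the other scanner could only report them as "Object is locked". The regular expressions are assumptions based on the log lines quoted above.

```python
import re

# Constructed excerpts in the line formats of the two reports posted in this
# thread (VirIT eXplorer Lite and Kaspersky Online Scanner); assumed formats.
VIRIT_LOG = """\
[Hidden Services]
xpdx - xpdx system driver - \\??\\C:\\WINDOWS\\system32\\xpdx.sys

C:\\WINDOWS\\csrs.dll Infetto da Trojan.Win32.Small.QW
C:\\WINDOWS\\system32\\monwuyan.exe Infetto da Trojan.Win32.Agent.ATQ
C:\\WINDOWS\\system32\\svcjkski.exe Infetto da Trojan.Win32.Agent.AUF
"""

KASPERSKY_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\Nicola\\Dati applicazioni\\DLL_SYS_2recovery32.exe Infected: Trojan.Win32.Agent.qc skipped
C:\\Documents and Settings\\Nicola\\Impostazioni locali\\Temporary Internet Files\\Content.IE5\\21GTGPEN\\index[2].htm Infected: Trojan-Downloader.JS.Psyme.gy skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\xpdx.sys Object is locked skipped
"""

# "Infetto da" is VirIT's Italian for "Infected by"; the Kaspersky report is in English.
VIRIT_INFECTED = re.compile(r"^(?P<path>[A-Z]:\\.+?) Infetto da (?P<name>\S+)$")
VIRIT_HIDDEN = re.compile(r"^\S+ - .+? - \\\?\?\\(?P<path>[A-Z]:\\.+)$")
KAV_INFECTED = re.compile(r"^(?P<path>[A-Z]:\\.+?) Infected: (?P<name>\S+) \S+$")
KAV_LOCKED = re.compile(r"^(?P<path>[A-Z]:\\.+?) Object is locked skipped$")


def collect_findings(virit_text, kav_text):
    """Merge both reports into infected objects, hidden drivers and locked objects."""
    infected, hidden, locked = {}, [], []
    for line in virit_text.splitlines():
        line = line.strip()
        if (m := VIRIT_INFECTED.match(line)):
            infected[m["path"]] = m["name"]
        elif (m := VIRIT_HIDDEN.match(line)):
            hidden.append(m["path"])
    for line in kav_text.splitlines():
        line = line.strip()
        if (m := KAV_INFECTED.match(line)):
            infected[m["path"]] = m["name"]
        elif (m := KAV_LOCKED.match(line)):
            locked.append(m["path"])
    return {"infected": infected, "hidden_drivers": hidden, "locked": locked}


def unverified_hidden(findings):
    """Hidden drivers no scanner convicted; post #9 checks these on VirusTotal instead."""
    return [p for p in findings["hidden_drivers"] if p not in findings["infected"]]


def avenger_script(findings):
    """Text for The Avenger's 'files to delete:' block, confirmed detections only."""
    return "files to delete:\n" + "\n".join(findings["infected"])


if __name__ == "__main__":
    f = collect_findings(VIRIT_LOG, KASPERSKY_REPORT)
    print(avenger_script(f))
    for p in unverified_hidden(f):
        note = " (also locked during the Kaspersky scan)" if p in f["locked"] else ""
        print("verify before acting:", p + note)
```

The generated block is identical in content to the one OYS pasted in post #9; xpdx.sys is reported separately because a hidden service plus a "locked" object is a strong hint of a rootkit component, but neither scanner actually named it, so it belongs in a verification step rather than in a boot-time deletion list.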

  10. #10
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\fwwbklyd

    *******************

    Script file located at: \??\C:\qfjcvhwy.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\csrs.dll deleted successfully.
    File C:\WINDOWS\system32\monwuyan.exe deleted successfully.
    File C:\WINDOWS\system32\svcjkski.exe deleted successfully.
    File C:\Documents and Settings\Nicola\Dati applicazioni\DLL_SYS_2recovery32.exe deleted successfully.
    File C:\Documents and Settings\Nicola\Impostazioni locali\Temporary Internet Files\Content.IE5\21GTGPEN\index[2].htm deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
