Possibili virus...Ecco il log file

[eletto]

Salve ,
mi potete analizzare bene questo log file ?Credo di avere qualche virus...
grazie

LOGIFILE

Logfile of HijackThis v1.99.1
Scan saved at 18.18.58, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Programmi\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\W32BRG55.EXE
C:\WINDOWS\System32\svchost.exe
c:\programmi\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\maurizio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programmi\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Programmi\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.whataboutarabit.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{07379956-C621-4DC0-97EE-84BF78AE85F9}: NameServer = 62.211.69.150,212.48.4.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FC28948-6755-483F-B0E4-25A7ECEFD46A}: NameServer = 85.37.17.46 85.38.28.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{07379956-C621-4DC0-97EE-84BF78AE85F9}: NameServer = 62.211.69.150,212.48.4.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{07379956-C621-4DC0-97EE-84BF78AE85F9}: NameServer = 62.211.69.150,212.48.4.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Programmi\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

[Luke57]

Ciao, scarica Findawf da qui:
http://noahdfear.geekstogo.com/FindAWF.exe

Esegui il file, si aprirà una finestra dos (schermata nera) , premi invio per continuare, finita la scansione, si aprirà il block notes, salva il file, copia il suo contenuto in un post nel forum

[eletto]

ecco qui:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 1.616.429.056 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\PROGRA~1\SPYWAR~1\BAK

03/11/2006 18.15 1.654.272 SpywareTerminatorShield.exe
1 File 1.654.272 byte
2 Directory 1.616.429.056 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\WINDOWS\SYSTEM32\BAK

09/07/2001 11.50 155.648 NeroCheck.exe
1 File 155.648 byte
2 Directory 1.616.424.960 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/12/2005 23.57 30.208 PDVDServ.exe
1 File 30.208 byte
2 Directory 1.616.424.960 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\PROGRA~1\CYBERL~1\POWERDVD\LANGUAGE\BAK

18/05/2006 12.29 49.152 Language.exe
1 File 49.152 byte
2 Directory 1.616.424.960 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\PROGRA~1\FILECO~1\REAL\UPDATE~1\BAK

12/01/2007 12.43 185.896 realsched.exe
1 File 185.896 byte
2 Directory 1.616.424.960 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C82C-BD0F

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

10/12/2006 22.25 512.000 fppdis3a.exe
1 File 512.000 byte
2 Directory 1.616.424.960 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

9028720 13 Jun 2007 "C:\Programmi\Spyware Terminator\SpywareTerminator.Exe"
1654272 3 Nov 2006 "C:\Programmi\Spyware Terminator\bak\SpywareTerminatorShield.exe"
10334320 12 Jun 2007 "C:\Documents and Settings\maurizio\Desktop\Cose di maurizio\SpywareTerminatorSetup.exe"
2509488 25 Nov 2006 "C:\Documents and Settings\maurizio\Desktop\Cose di maurizio\Ripristino\SpywareTerminator.exe"
23568 23 May 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
23568 23 May 2007 "C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe"
30208 7 Dec 2005 "C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe"
23568 23 May 2007 "C:\Programmi\CyberLink\PowerDVD\Language\Language.exe"
49152 18 May 2006 "C:\Programmi\CyberLink\PowerDVD\Language\bak\Language.exe"
23568 23 May 2007 "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"
185896 12 Jan 2007 "C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe"
23568 23 May 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis3a.exe"
512000 10 Dec 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis3a.exe"


end of report

[Luke57]

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla (ctl+v)le scritte in neretto:

files to move:
C:\Programmi\Spyware Terminator\bak\SpywareTerminatorShield.exe | C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\bak\NeroCheck.exe | C:\WINDOWS\system32\NeroCheck.exe
C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe | C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\CyberLink\PowerDVD\Language\bak\Language.exe | C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe | C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis3a.exe | C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis3a.exe



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

Inoltre, apri hijackthis, premi " do a system scan only", cerca e spunta la voce seguente:
O15 - Trusted Zone: *.whataboutarabit.com

premi fix checked.

Poi apri il pannello di controllo>impostazioni di rete>elimina la connessione aggiunta dal malware.

[eletto]

ecco il log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qkftoqbl

*******************

Script file located at: \??\C:\nsquejbx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File move operation C:\Programmi\Spyware Terminator\bak\SpywareTerminatorShield.exe|C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe completed successfully.
File move operation C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe|C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe completed successfully.
File move operation C:\Programmi\CyberLink\PowerDVD\Language\bak\Language.exe|C:\Programmi\CyberLink\PowerDVD\Language\Language.exe completed successfully.
File move operation C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe|C:\Programmi\File comuni\Real\Update_OB\realsched.exe completed successfully.
File move operation C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\fppdis3a.exe|C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis3a.exe completed successfully.

Completed script processing.

*******************

Finished! Terminate.


....questo punto però nn l'ho fatto,perchè credo che non c'è nessun'altra connessione:

"Poi apri il pannello di controllo>impostazioni di rete>elimina la connessione aggiunta dal malware."