
Thread: log to check

  1. #1

    log to check

    Hello, I'm montesipc,

    I found the forum in a moment of uncertainty and I hope you can help me... please!!!
    My notebook has picked up a linkoptimizer trojan, which is causing me some problems!!!

    Symptoms:
    - it has deleted the Control Panel from the Start menu;
    - it has deleted the Task Manager;
    - it blocks the Internet connection;
    (detected and corrected by Spybot - Search & Destroy, but they come back at every reboot)
    - I think it has created another user (Administrator???);
    - it keeps telling me "your pc is infected" and continually tries to connect to a site www.go.antivirus....
    - it asks me every 3 minutes!!! to install (a file I already fixed once with HijackThis) C:\WINDOWS\System32\printer.exe


    I followed some of your advice to remove it, but I would like some help.

    I'm posting the log of the Hijack 2.02 scan for a check by the "experts"

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11.22.09, on 22/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programmi\HijackThis\HiJackThis2.02.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Policies\Explorer\Run: [asushlp] "c:\windows\asushlp.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [ibmjet] "c:\windows\ibmjet.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [lanmon] "c:\windows\lanmon.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5ADE1E9F-F596-4CD7-A2AE-76BFF021B4A7}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85C48D1A-CB2E-4665-911A-5F589EEEC100}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB8157E-8EE1-4E92-8BF9-3A15B3C9B118}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD4DAA1C-31C3-4E0A-965B-32D1459B4461}: NameServer = 85.255.114.109,85.255.112.153
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    --
    End of file - 3931 bytes


    Thanks for the help



  2. #2
    Start HijackThis, tick these entries on the left:


    O4 - HKLM\..\Policies\Explorer\Run: [asushlp] "c:\windows\asushlp.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [ibmjet] "c:\windows\ibmjet.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [lanmon] "c:\windows\lanmon.exe"
    O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)

    and click Fix checked below.

  3. #3
    Thanks for the help.

    I fixed the files you recommended, but unfortunately the computer's functions have not been restored.

    On a second scan with HijackThis v2.02 the result is this:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14.58.11, on 22/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashSimpl.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\HijackThis\HiJackThis2.02.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5ADE1E9F-F596-4CD7-A2AE-76BFF021B4A7}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85C48D1A-CB2E-4665-911A-5F589EEEC100}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB8157E-8EE1-4E92-8BF9-3A15B3C9B118}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD4DAA1C-31C3-4E0A-965B-32D1459B4461}: NameServer = 85.255.114.109,85.255.112.153
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    --
    End of file - 4033 bytes


    Why does "O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)" keep replicating???
    And how do I delete the user that is blocking some functions for me?
    How do I remove the redirection to www.google.com?
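
The comparison the poster is doing by eye between the scan in post #1 and the scan in post #3, as an added example that is not part of any post in this thread: it parses HijackThis result lines, then reports which of the lines ticked in post #2 stayed gone and which came back. The function names are my own, and the sample data is a short excerpt of lines copied from the logs above.

```python
import re

# HijackThis result lines look like "O4 - HKLM\..\Run: [name] path".
# Section codes are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
O17_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}: NameServer = (\S+)")


def parse_entries(log):
    """Return the set of (section, text) result lines in a HijackThis log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Collapse whitespace so re-wrapped forum pastes still compare equal.
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries


def diff_scans(before, after, fixed):
    """Compare two scans and report what happened to the lines that were fixed."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fixed)
    return {
        "fix_held": sorted(f - a),          # ticked and gone in the next scan
        "came_back": sorted(f & a),         # ticked but present again
        "new": sorted(a - b),               # appeared between the two scans
        "unchanged": sorted((a & b) - f),   # never ticked, still present
    }


def nameservers(log):
    """Map each interface GUID in O17 lines to its configured DNS servers."""
    out = {}
    for section, text in parse_entries(log):
        m = O17_RE.search(text)
        if section == "O17" and m:
            out[m.group(1).upper()] = m.group(2).split(",")
    return out


# Excerpts copied from the logs in posts #1 and #3 and the list in post #2.
BEFORE = r"""
O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Policies\Explorer\Run: [asushlp] "c:\windows\asushlp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ibmjet] "c:\windows\ibmjet.exe"
O4 - HKLM\..\Policies\Explorer\Run: [lanmon] "c:\windows\lanmon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ADE1E9F-F596-4CD7-A2AE-76BFF021B4A7}: NameServer = 85.255.114.109,85.255.112.153
"""
AFTER = r"""
O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ADE1E9F-F596-4CD7-A2AE-76BFF021B4A7}: NameServer = 85.255.114.109,85.255.112.153
"""
FIXED = r"""
O4 - HKLM\..\Policies\Explorer\Run: [asushlp] "c:\windows\asushlp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ibmjet] "c:\windows\ibmjet.exe"
O4 - HKLM\..\Policies\Explorer\Run: [lanmon] "c:\windows\lanmon.exe"
O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
"""

if __name__ == "__main__":
    for status, lines in diff_scans(BEFORE, AFTER, FIXED).items():
        for section, text in lines:
            print(f"{status:10} {section:4} {text}")
    print(nameservers(AFTER))
```

An entry under `came_back` means something recreated the registry value between scans, so ticking the same line again will not hold until whatever writes it is found.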


  4. #4

  5. #5

  6. #6
    No luck...

    Gromozon does not detect any rootkit component... in C:\Windows and in C:\Programmi\File comuni
    Trojan.Gromozon does not exist...

    FixLinkopt does not detect any rootkit, because it closes without results...



    I'm posting the Ad-Aware 2007 LOG
    Log File Created on: 2007-08-23 09:31:56
    Using Definitions File: C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware 2007\core.aawdef

    System information
    ===========================
    Number of processors: 1
    Processor type: Intel(R) Celeron(R) M processor 1300MHz
    Memory Available: 19%
    Total Physical Memory: 251117568 Bytes
    Available Physical Memory: 46534656 Bytes
    Total Page File Size: 615845888 Bytes
    Available On Page File: 281874432 Bytes
    Total Virtual Memory: 2147352576 Bytes
    Available Virtual Memory: 2006786048 Bytes
    OS: Microsoft Windows XP Service Pack 1 (Build 2600)

    Ad-Aware 2007 Settings
    ===========================
    Skipping files larger than 1048576 kB
    Ignoring infections with lower TAI than: 3


    Extended Ad-Aware 2007 Settings
    ===========================
    Unloading known modules during scan
    Ignoring spanned files when scanning cab archives
    Reanalyzing results after scanning before displaying results
    Trying to unload modules prior to removal
    Unloading Explorer if necessary during removal
    Let Windows remove files currently in use at next reboot
    Removing quarantined objects after restore
    Deactivating Ad-Watch during scans
    Writeprotecting system files after repairs
    Include info about ignored objects in log file
    Including basic settings in log file
    Including advanced settings in log file
    Including user and computer name in log file
    Create and save WebUpdate log file

    Scan Statistics
    ===========================
    Method: Smart
    Scan tracking cookies.............................: On
    Scan ADS filestreams..............................: On

    Item Scanned: 106003
    Infections Detected: 3
    Infections Ignored: 0

    Scan detailed statistics
    ===========================
    Type Critical Total
    Process Scan....: 0 0
    Registry Scan...: 1 1
    Registry PE Scan: 0 0
    Hosts File Scan.: 0 0
    File Scan.......: 0 0
    Folder Scan.....: 0 0
    LSP Scan........: 0 0
    ADS Scan........: 0 0
    Cookie Scan.....: 0 0
    File Hash Scan..: 0 0

    Infections Found
    ===========================
    Family Id: 109 Name: Adware.LinkOptimizer Category: Malware TAI:4
    Item Id: 300002614 Value: Root: HKLM Path: software\microsoft\windows\currentversion\explorer\browser helper objects\{da39029c-d291-a968-3ff4-d0990d5cb5fc}
    Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
    Item Id: 1 Value: MRU Path: C:\Documents and Settings\Paolo\Recent Count: 1
    Item Id: 2 Value: MRU Registry Key: S-1-5-21-1907411925-71594873-1131426265-1005\Software\Microsoft\Search Assistant\ACMru\5603 Count: 1



    and the HijackThis 2.02 LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10.21.41, on 23/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\WINDOWS\regedit.exe
    C:\Programmi\HijackThis\HiJackThis2.02.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fgr-fc.it/Home.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5ADE1E9F-F596-4CD7-A2AE-76BFF021B4A7}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB8157E-8EE1-4E92-8BF9-3A15B3C9B118}: NameServer = 85.255.114.109,85.255.112.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD4DAA1C-31C3-4E0A-965B-32D1459B4461}: NameServer = 85.255.114.109,85.255.112.153
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 3424 bytes

    I fixed O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file) every time, but it keeps coming back...

    What should I do now???

  7. #7

  8. #8
    Sorry for my ignorance...
    but are the first links you pointed out not selectable?

    I tried Virit Explorer Lite 6.2.9 with the Lite Monitor

    Now it removes Linkoptimizer.BHO.B, but it does not remove Linkoptimizer.BHO.D...

    Now I'm trying with RootkitRevealer

  9. #9
    Maybe there is some spelling error. Keep trying with the others, because, as I think, the first two will not change the situation.

  10. #10
    I'm probably incompetent, but I can't manage to win this one!!! :berto:

    I ran the VirIT Explorer Lite 6.2.10 scan several times (also repeated in safe mode). Once it even "removed" BHO.LinkOptimizer.B (leaving BHO.LinkOptimizer.D intact) and for the first time found and disinfected 4 Trojan.gen

    Then I redid the scan with HijackThis and I keep getting this damn: O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)

    I also noticed that in C:\Document & settings Administrator was created on the day of the virus infection...
    Is this probably where the viruses are, and where the "Restrictions" come from when I try to open the "properties" of many menus?

    Can I use Avenger to delete this user created by the virus?
    Maybe "O2 - BHO: (no name) - {DA39029C-D291-A968-3FF4-D0990D5CB5FC} - (no file)" won't come back anymore
