  1. #1

    LinkOptimizer: new version that blocks the removal tools

    Hi everyone,
    I'm new to the forum, but I've noticed there are a great many threads about the notorious LinkOptimizer... unfortunately I've been infected by this spyware too, and I can't get rid of it! I tried manually removing the suspicious keys that both Ad-Aware and HijackThis reported; I removed a service spawned by an encrypted file at the path c:\programmi|windowsNT\jtc.exe, which I deleted (or so it seems) with AGVPFIX... after that I tried to look for any hidden infected files with the Gmer utility, but unfortunately I can't get it to start! I tried renaming it, but it doesn't work! The Symantec and Prevx removal tools won't start either.
    At the moment the suspicious service is gone, as is the file that spawned it and the randomly named folder in My Documents, but the keys have regenerated and Ad-Aware still detects LinkOptimizer on the PC, and I have the same symptoms as before: trouble browsing, and pop-up windows that open by themselves whenever I do a Google search. What's more, since this is the PC I work on at the office, a colleague has the same problem, and on top of that a certain StrongestOptimizer shows up in her list of installed applications. In case it helps, I'm posting the HijackThis log; unfortunately I don't understand much of it.
    Thanks in advance for the help.

    Filippo.


    Logfile of HijackThis v1.99.1
    Scan saved at 11.29.33, on 27/10/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM32\lexmvservice.exe
    C:\WINDOWS\SYSTEM32\LexWebService.exe
    C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Skype\Phone\Skype.exe
    D:\sysintc\valentina\conf_D\bin\swmenu.exe
    D:\sysintc\valentina\conf_T\bin\swmenu.exe
    C:\Programmi\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Programmi\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Documents and Settings\utente5\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seac.it/Portale/SeacInfo/default.asp?P=0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-siemens.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 197.5.92.222 tl14
    O1 - Hosts: 197.5.92.120 pc2
    O1 - Hosts: 197.5.92.130 pc3
    O1 - Hosts: 197.5.92.110 pc1
    O1 - Hosts: 197.5.92.150 pc5
    O1 - Hosts: 197.5.92.160 pc6
    O1 - Hosts: 197.5.92.140 pc4
    O1 - Hosts: 197.5.92.170 pc7
    O1 - Hosts: 197.5.92.100 scosysv
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4} - C:\WINDOWS\eibpt1.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: conf_D.lnk = D:\sysintc\valentina\conf_D\bin\swmenu.exe
    O4 - Startup: conf_T.lnk = D:\sysintc\valentina\conf_T\bin\swmenu.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
    O15 - Trusted Zone: http://mut.cnce.it
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://pc6/officescan/console/Clien...l/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://pc6/officescan/console/Clien...l/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://pc6/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://pc6/officescan/console/html/AtxEnc.cab
    O16 - DPF: {469E2B4F-BEE2-4A0F-98FA-D07ACAFAFCEA} (XMLFileTRansfer.FileTransfer) - https://mutssl.cnce.it/FI00/denunce/...leTRansfer.CAB
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://pc6/officescan/console/Clien...RemoveCtrl.cab
    O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://pc6/officescan/console/html/AtxConsole.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://mutssl.cnce.it/FI00/denunce/dll/msxml4.CAB
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://pc6/officescan/console/html/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0ADE60A-C721-446C-BB1E-AC2730E18589}: NameServer = 151.99.125.1
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINDOWS\SYSTEM32\lexmvservice.exe
    O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINDOWS\SYSTEM32\LexWebService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
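    Added example (not from the thread, and not a feature of HijackThis or of any removal tool named in it): a small Python triage of the HijackThis line types that matter in this infection. The rules encode what the posts show: a BHO that is still registered although its DLL is "(file missing)" (the O2 line for eibpt1.dll above), the missing default URLSearchHook that holifay later tells the poster to fix, hosts-file overrides of public names, an AppInit_DLLs entry (the key the Symantec tool reports clearing in post #3), a Winlogon Notify DLL outside System32, and services with no publisher string. The lines in THREAD_LINES are copied from the first log; the lines in CONSTRUCTED_LINES are made up to exercise rules the posted log does not trigger. The severities and the regexes are this example's own assumptions.

```python
"""Triage of HijackThis 1.99 log lines for the persistence points that
Gromozon / LinkOptimizer used in this thread. Added example, not a tool
from the thread or from any vendor mentioned in it."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low" (this example's own scale)
    line: str       # the HijackThis line that triggered the finding
    reason: str


# Line shapes emitted by HijackThis 1.99.x for the sections we care about.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

# What HijackThis prints when a BHO registered no readable display name.
EMPTY_BHO_NAMES = {"class", "(no name)"}


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "R3 - Default URLSearchHook is missing":
            # The stock search hook was replaced; "Fix checked" restores it.
            findings.append(Finding("medium", line,
                "default URLSearchHook replaced or deleted; restore it and look for the hook that took its place"))
            continue
        m = BHO_RE.match(line)
        if m:
            if "(file missing)" in m["path"]:
                # Registration outlived the DLL (deleted, or hidden by the rootkit):
                # the CLSID and BHO keys still need removing or the DLL gets re-dropped.
                findings.append(Finding("high", line,
                    f"BHO {m['clsid']} registered but DLL not found on disk"))
            elif m["name"].strip().lower() in EMPTY_BHO_NAMES:
                findings.append(Finding("medium", line, "BHO with no display name"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            # Single-label names (pc1, scosysv) are LAN hosts; a dotted public
            # name pointed at an arbitrary IP is how hijackers blackhole vendor sites.
            if "." in m["host"]:
                findings.append(Finding("high", line,
                    f"hosts file overrides public name {m['host']} -> {m['ip']}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("high", line,
                f"AppInit_DLLs loads {m['dlls'].strip()} into every process that maps user32.dll"))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            if "\\system32\\" not in m["path"].lower():
                findings.append(Finding("high", line,
                    "Winlogon Notify DLL outside System32 runs inside winlogon.exe at every logon"))
            continue
        m = SERVICE_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding("low", line,
                f"service {m['name']} has no publisher string; verify the binary {m['path']}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Lines copied from the first HijackThis log in the thread.
THREAD_LINES = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 197.5.92.222 tl14
O1 - Hosts: 197.5.92.100 scosysv
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4} - C:\WINDOWS\eibpt1.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINDOWS\SYSTEM32\lexmvservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# Constructed lines (NOT from the thread) for two hijacks the posted log did not
# expose: an AppInit_DLLs entry and a hosts override of a public name.
CONSTRUCTED_LINES = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\example.dll
O1 - Hosts: 127.0.0.1 www.example.com
"""

if __name__ == "__main__":
    for f in triage(THREAD_LINES + CONSTRUCTED_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(THREAD_LINES + CONSTRUCTED_LINES)))
```

    Run against the posted log the script flags exactly the two entries the thread ends up acting on (the orphaned BHO registration and the missing URLSearchHook) plus the unsigned MarkVision service as a low-priority verify, and leaves the Intel Winlogon DLL and the LAN hosts entries alone. Note that a HijackThis log is only what the user-mode tool could see: the rootkit component that hid jtc.exe and blocked Gmer can just as well hide an AppInit_DLLs value, which is why the Symantec tool's own registry report in post #3 is the more trustworthy record.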

  2. #2
    holifay (HTML.it user, registered May 2005, 1,330 posts)
    Have you tried running the tools from Safe Mode? Also try the ones that have different names http://forum.html.it/forum/showthrea...readid=1046884
    Think you have an infected file? Send it to SuspectFile

  3. #3
    Hi, and thanks for the pointers!
    I managed to get the Prevx and Symantec tools to start in Safe Mode after renaming them. I also ran VirIT, which removed an infected registry key. Here are the logs from the three programs, plus the HijackThis one.

    Symantec Trojan.Linkoptimizer Removal Tool 1.0.8
    Restored SeDebugPrivilege to Administrators group

    reg: ...\CLSID\{4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4}\InprocServer32 (key deleted)
    reg: ...\CLSID\{4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4} (key deleted)
    reg: ...\Internet Explorer\URLSearchHooks\{4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4} (value deleted)
    reg: ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D6A9DDE-E05C-94C7-29EA-A01F89BE73A4} (key deleted)
    C:\WINDOWS\eibpt1.dll: (deleted)

    Trojan.Linkoptimizer has been successfully removed from your computer!

    Here is the report:

    The total number of the scanned files: 45319
    The number of deleted threat files: 1
    The number of threat processes terminated: 0
    The number of threat threads terminated: 0
    The number of registry entries fixed: 4

    The tool initiated a system reboot.

    registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)

    Removal tool loaded into memory
    ------------------------------------
    Executing rootkit removal engine....
    ------------------------------------
    Disabling rootkit file:
    Resetting file permissions...
    Clearing attributes...
    Could not find file - C:\_cleaned.tmp
    Removing file...
    Rootkit removed! Cleaning up...

    Removing temp files...
    Scanning: C:\WINDOWS
    Scanning: C:\Programmi\File comuni


    Trojan.Gromozon Removed!

    VirIT eXplorer Lite Log

    [MEMORY SCAN]
    OK
    [MEMORY SCAN]
    OK
    --------------------------------------------------------
    27/10/2006 - 15:50:10

    [REGISTRY SCAN]
    {f250d521-225d-4d6b-8829-e064f944e180} Infected with BHO.Agent.BM
    * * * REMOVED * * *

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK


    Infected registry keys: 1.
    Infected files: 0.
    Suspicious files: 0.
    Files scanned: 34966.
    Total files: 34966.
    Registry keys removed: 1.
    Viruses removed: 0.

    --------------------------------------------------------
    27/10/2006 - 16:00:33

    [REGISTRY SCAN]
    OK

    [D:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK


    Infected registry keys: 0.
    Infected files: 0.
    Suspicious files: 0.
    Files scanned: 9946.
    Total files: 9946.
    Registry keys removed: 0.
    Viruses removed: 0.

  4. #4
    Here is the new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 16.13.29, on 27/10/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM32\lexmvservice.exe
    C:\WINDOWS\SYSTEM32\LexWebService.exe
    C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Skype\Phone\Skype.exe
    D:\sysintc\valentina\conf_D\bin\swmenu.exe
    D:\sysintc\valentina\conf_T\bin\swmenu.exe
    C:\Programmi\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Programmi\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Programmi\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Documents and Settings\utente5\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seac.it/Portale/SeacInfo/default.asp?P=0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsu-siemens.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 197.5.92.222 tl14
    O1 - Hosts: 197.5.92.120 pc2
    O1 - Hosts: 197.5.92.130 pc3
    O1 - Hosts: 197.5.92.110 pc1
    O1 - Hosts: 197.5.92.150 pc5
    O1 - Hosts: 197.5.92.160 pc6
    O1 - Hosts: 197.5.92.140 pc4
    O1 - Hosts: 197.5.92.170 pc7
    O1 - Hosts: 197.5.92.100 scosysv
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: conf_D.lnk = D:\sysintc\valentina\conf_D\bin\swmenu.exe
    O4 - Startup: conf_T.lnk = D:\sysintc\valentina\conf_T\bin\swmenu.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
    O15 - Trusted Zone: http://mut.cnce.it
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://pc6/officescan/console/Clien...l/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://pc6/officescan/console/Clien...l/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://pc6/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://pc6/officescan/console/html/AtxEnc.cab
    O16 - DPF: {469E2B4F-BEE2-4A0F-98FA-D07ACAFAFCEA} (XMLFileTRansfer.FileTransfer) - https://mutssl.cnce.it/FI00/denunce/...leTRansfer.CAB
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://pc6/officescan/console/Clien...RemoveCtrl.cab
    O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://pc6/officescan/console/html/AtxConsole.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://mutssl.cnce.it/FI00/denunce/dll/msxml4.CAB
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://pc6/officescan/console/html/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0ADE60A-C721-446C-BB1E-AC2730E18589}: NameServer = 151.99.125.1
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINDOWS\SYSTEM32\lexmvservice.exe
    O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINDOWS\SYSTEM32\LexWebService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

  5. #5
    holifay (HTML.it user, registered May 2005, 1,330 posts)
    Put a check mark in the box next to this entry and then press Fix checked

    R3 - Default URLSearchHook is missing

    Cheers
    Think you have an infected file? Send it to SuspectFile
