LINK OPTIMIZER HEEEELP

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57

Post by nero » 17/09/06 20:13

guys, I've caught the virus of the moment too....

Norton warns me that the Link Optimizer trojan is present under windows/eckbx1.dll....

I tried to delete it but it always comes back.... with the control userpasswords2 command I deleted the strange account that had been saved... I can't find any folders named linkoptimizer....

here is the log made with the gmer program

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-17 21:05:28
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwConnectPort
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwOpenProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F2D3DE90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F2D3DE90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [F2D37B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [F2D37B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [F2D37B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [F2D37510] vsdatant.sys

---- Processes - GMER 1.0.11 ----

Process svchost.exe (*** hidden *** ) [744] 81974BF8
Process alg.exe (*** hidden *** ) [1244] 81763630
Process lsass.exe (*** hidden *** ) [532] 8181B798
Process winlogon.exe (*** hidden *** ) [476] 81945168
Process svchost.exe (*** hidden *** ) [924] 81977920
Process svchost.exe (*** hidden *** ) [864] 81AE12B0
Process Navapsvc.exe (*** hidden *** ) [1332] 81758DA8
Process zlclient.exe (*** hidden *** ) [1664] 815DE7F8
Process services.exe (*** hidden *** ) [520] 81810508
Process svchost.exe (*** hidden *** ) [700] 81946020
Process vsmon.exe (*** hidden *** ) [1928] 81599B30
Process SAgent2.exe (*** hidden *** ) [1264] 8175F020
Process System (*** hidden *** ) [4] 81BCEA08
Process csrss.exe (*** hidden *** ) [452] 819929D8
Process spoolsv.exe (*** hidden *** ) [1152] 8176E320
Process MDM.EXE (*** hidden *** ) [1296] 8175CA38

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----


and this is the one made with hijackthis
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59


Post by andorra24 » 17/09/06 20:28

Hi, you need to run the GMER scan from the ''autostart'' tab as well.

PS: have you tried the LinkOptimizer removal tool?

If you haven't used it yet, do so. Download the tool:
http://www.prevx.com/gromozon.asp
temporarily disable the antivirus and, with all programs and applications closed, run the tool.
When the computer restarts, the program will finish scanning the remaining Windows folders. When the scan is complete, a report will be written to C:\Gromzon_Removal.log.
Post the report here on the forum.
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by nero » 17/09/06 20:39

here is the gmer scan run from autostart....

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-17 21:37:17
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = C:\Programmi\Norton AntiVirus\navapsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvFfe /*SrvFfe*/@ = "C:\Programmi\File comuni\System\dEa.exe" /*file not found*/
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@EPSON Stylus C44 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
@Zone Labs ClientC:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
@trustrastrustras.exe = trustras.exe
@CnxDslTaskBarC:\Programmi\Trust\CnxDslTb.exe = C:\Programmi\Trust\CnxDslTb.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@NAV AgentC:\PROGRA~1\NORTON~1\navapw32.exe = C:\PROGRA~1\NORTON~1\navapw32.exe
@Share-to-Web Namespace DaemonC:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe = C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@System =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} /*Componente estensione della shell di CorelDRAW*/C:\Programmi\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll = C:\Programmi\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B6122A50-EAB5-11D3-9E7F-EBF4F0595714} /*Tauscan Menu*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{3B8D9451-A521-9902-43B7-EF479988F67B}C:\WINDOWS\eckbx1.dll = C:\WINDOWS\eckbx1.dll
@{56E72898-2168-CB74-805D-9B966F5443CC}C:\WINDOWS\eckbx1.dll = C:\WINDOWS\eckbx1.dll
@(null) =
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\Msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

---- EOF - GMER 1.0.11 ----


I'm running the linkoptimizer tool now...

I'll let you know what's in the log


thanks
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by andorra24 » 17/09/06 20:47

download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Unzip the archive

Run the file avenger.exe
Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SrvFfe
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B8D9451-A521-9902-43B7-EF479988F67B}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E72898-2168-CB74-805D-9B966F5443CC}

Files to delete:
C:\Programmi\File comuni\System\dEa.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\eckbx1.dll


Click the Done button
Click the green traffic-light icon
Answer Yes
The PC should reboot by itself; if it doesn't, reboot it manually

Once the PC has rebooted, connect and post the contents of the file C:\Avenger.txt


Run this command:
Start > Run > cmd > OK
Once the command prompt is open, type:
cd C:\Programmi\File comuni\System ------- press Enter
dir > C:\files.txt -------- press Enter
Close the prompt; in C:\ you will find files.txt. Copy and paste its contents into a post.
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo
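The autostart log and the Avenger script written from it are one procedure: pick out the entries that do not belong, then tell Avenger what to remove at boot, before the malware's own code can run. The script below is an added example, not code from this thread, from GMER or from Avenger. It parses the three line shapes GMER's autostart output uses, applies the heuristics that single out the LinkOptimizer entries in this log (an autostart whose file GMER reports missing, a loader under Policies\Explorer\Run, a DLL dropped directly in C:\WINDOWS, the same DLL registered under two BHO CLSIDs), and drafts the Avenger script. The sample log is a constructed excerpt of the one posted above; the allowlist of files that legitimately sit in the Windows folder and the "Registry values to delete:" section name are assumptions, so check the latter against Avenger's readme before running it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt of the GMER "Autostart" log posted in this thread.
SAMPLE_LOG = r"""
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = C:\Programmi\Norton AntiVirus\navapsvc.exe
SrvFfe /*SrvFfe*/@ = "C:\Programmi\File comuni\System\dEa.exe" /*file not found*/
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@NAV AgentC:\PROGRA~1\NORTON~1\navapw32.exe = C:\PROGRA~1\NORTON~1\navapw32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{3B8D9451-A521-9902-43B7-EF479988F67B}C:\WINDOWS\eckbx1.dll = C:\WINDOWS\eckbx1.dll
@{56E72898-2168-CB74-805D-9B966F5443CC}C:\WINDOWS\eckbx1.dll = C:\WINDOWS\eckbx1.dll
@(null) =
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll
"""

MISSING = "/*file not found*/"
IMAGE_RE = re.compile(r'"?((?:[A-Za-z]:|%[^%\\]+%)\\[^"]*?\.(?:exe|dll|ocx|sys))"?', re.I)
SERVICE_RE = re.compile(r"^(?P<name>.+?)\s*(?:/\*.*?\*/)?@$")   # "name /*display*/@"
SUBKEY_SECTIONS = ("Browser Helper Objects",)  # "@name" children here are subkeys, not values
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\([^\\]+\.(?:dll|exe))$", re.I)
WINDIR_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe"}  # assumed allowlist


@dataclass
class Entry:
    key: str        # registry key the entry lives under
    name: str       # value name, or subkey name when kind == "subkey"
    kind: str       # "value" or "subkey"
    data: str       # data as GMER printed it, file-not-found marker removed
    image: str      # first .exe/.dll/.ocx/.sys path in data, or ""
    missing: bool   # GMER appended /*file not found*/


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_gmer_autostart(text: str) -> List[Entry]:
    """GMER prints "Key >>>" blocks of "@NameData = Data" or "svc /*display*/@ = image"
    lines, or a single "Key@Value = data" line; a blank line ends a block."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            section = None
            continue
        if line.endswith(" >>>"):
            section = line[:-4].rstrip("\\")
            continue
        if line.endswith(" ="):
            lhs, data = line[:-2], ""
        elif " = " in line:
            lhs, data = line.split(" = ", 1)
        else:
            continue
        missing = data.endswith(MISSING)
        if missing:
            data = data[: -len(MISSING)].rstrip()
        if section is None:                       # Key@Value = data
            key, _, name = lhs.rpartition("@")
            kind = "value"
        elif lhs.startswith("@"):                 # @NameData = Data (name and data fused)
            key, name = section, lhs[1:]
            if data and name.endswith(data):
                name = name[: -len(data)]
            kind = "subkey" if any(s in section for s in SUBKEY_SECTIONS) else "value"
        else:                                     # service line
            m = SERVICE_RE.match(lhs)
            if not m:
                continue
            key, name, kind = section, m.group("name").strip(), "subkey"
        m = IMAGE_RE.search(data)
        entries.append(Entry(key, name, kind, data, m.group(1) if m else "", missing))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Cheap heuristics that single out the LinkOptimizer entries in this log."""
    bho_dlls = Counter(e.image.lower() for e in entries
                       if "Browser Helper Objects" in e.key and e.image)
    findings = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("file no longer exists: loader gone, persistence left behind")
        if "Policies\\Explorer\\Run" in e.key:
            reasons.append("Policies\\Explorer\\Run autorun, unusual on a standalone home PC")
        m = WINDIR_ROOT_RE.match(e.image) if e.image else None
        if m and m.group(1).lower() not in WINDIR_ROOT_OK:
            reasons.append("binary dropped directly in the Windows folder")
        if "Browser Helper Objects" in e.key and e.image and bho_dlls[e.image.lower()] > 1:
            reasons.append("same DLL registered under more than one BHO CLSID")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def avenger_script(findings: List[Finding]) -> str:
    """Draft the Avenger script: subkeys under "Registry keys to delete:", values
    under "Registry values to delete:" as "key | value" (section name assumed)."""
    files, keys, values = [], [], []
    for f in findings:
        e = f.entry
        if e.image and e.image not in files:
            files.append(e.image)
        target = f"{e.key}\\{e.name}" if e.kind == "subkey" else f"{e.key} | {e.name}"
        bucket = keys if e.kind == "subkey" else values
        if target not in bucket:
            bucket.append(target)
    out = []
    for header, items in (("Files to delete:", files), ("Registry keys to delete:", keys),
                          ("Registry values to delete:", values)):
        if items:
            out += [header, *items, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(parse_gmer_autostart(SAMPLE_LOG))
    for f in found:
        print(f"{f.entry.key}\\{f.entry.name} -> {f.entry.image}: " + "; ".join(f.reasons))
    print(avenger_script(found))
```

One difference from the hand-written script is worth noticing: GMER prints the loader as `Policies\Explorer\Run@1`, and in GMER's notation `@` separates the key from the value name, so `1` is a value under `Run`, not a subkey. A line under "Registry keys to delete:" therefore cannot match it, which is why Avenger later reported that key as not found; the generator puts it under a values section instead. Norton's later hit on C:\avenger\backup.zip is expected too: Avenger keeps a copy of every file it deletes, so the backup has to go once the system is confirmed clean.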

Post by nero » 17/09/06 20:50

here is the tool's log

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by nero » 17/09/06 20:58

here is the avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kpeydpue

*******************

Script file located at: \??\C:\lkwqatac.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SrvFfe deleted successfully.


File C:\Programmi\File comuni\System\dEa.exe not found!
Deletion of file C:\Programmi\File comuni\System\dEa.exe failed!

Could not process line:
C:\Programmi\File comuni\System\dEa.exe
Status: 0xc0000034



File C:\WINDOWS\service32.exe not found!
Deletion of file C:\WINDOWS\service32.exe failed!

Could not process line:
C:\WINDOWS\service32.exe
Status: 0xc0000034

File C:\WINDOWS\eckbx1.dll deleted successfully.


Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

and this is file.txt

 Volume in drive C has no label.
 Volume Serial Number: B007-CD04

 Directory of C:\Programmi\File comuni\System

17/09/2006 19.40 <DIR> .
17/09/2006 19.40 <DIR> ..
02/11/2005 00.07 <DIR> ado
16/10/2001 17.37 76.288 directdb.dll
02/11/2005 00.07 <DIR> msadc
25/05/2004 22.27 <DIR> MSMAPI
02/11/2005 00.07 <DIR> Ole DB
09/09/2002 22.51 459.776 wab32.dll
09/09/2002 22.48 254.464 wab32res.dll
3 File(s) 790.528 bytes
6 Dir(s) 51.872.858.112 bytes free



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B8D9451-A521-9902-43B7-EF479988F67B} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E72898-2168-CB74-805D-9B966F5443CC} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59
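Reading an Avenger log means separating three outcomes: removed, not there at boot, and genuinely failed. The `Status:` codes are NTSTATUS values, and 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, so every failure in the log above is a "did not exist" (the file was already gone, or the path was written wrong), not a locked or protected object. The script below is an added example, not part of Avenger or of this thread. It recognises only the message forms visible in the posted log, the sample is a constructed excerpt of that log, and the NTSTATUS table lists only the codes a cleanup run commonly produces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the Avenger log posted above; the message forms are the
# ones Avenger printed there.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SrvFfe deleted successfully.

File C:\Programmi\File comuni\System\dEa.exe not found!
Deletion of file C:\Programmi\File comuni\System\dEa.exe failed!

Could not process line:
C:\Programmi\File comuni\System\dEa.exe
Status: 0xc0000034

File C:\WINDOWS\service32.exe not found!
Deletion of file C:\WINDOWS\service32.exe failed!

Could not process line:
C:\WINDOWS\service32.exe
Status: 0xc0000034

File C:\WINDOWS\eckbx1.dll deleted successfully.

Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B8D9451-A521-9902-43B7-EF479988F67B} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E72898-2168-CB74-805D-9B966F5443CC} deleted successfully.

Completed script processing.
"""

# NTSTATUS values from ntstatus.h; only the ones a cleanup run usually produces.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
NOT_FOUND = {0xC0000034, 0xC000003A}


@dataclass
class Result:
    kind: str                    # "file", "registry key", "registry value"
    target: str
    outcome: str = "pending"     # "deleted" or "failed"
    detail: str = ""             # Avenger's own wording for a failure
    status: Optional[int] = None # NTSTATUS from the following "Status:" line


# (regex, outcome, detail) for the message forms seen in the posted log.
PATTERNS = [
    (re.compile(r"^(Registry key|File|Folder) (.+) deleted successfully\.$"), "deleted", ""),
    (re.compile(r"^(Registry key|File|Folder) (.+) not found!$"), "failed", "not found"),
    (re.compile(r"^Deletion of (registry key|file|folder) (.+) failed!$"), "failed", ""),
    (re.compile(r"^Could not get size of (registry value) (.+)$"), "failed", "could not read value"),
    (re.compile(r"^Replacement with dummy of (registry value) (.+) failed!$"), "failed", ""),
]
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text: str) -> List[Result]:
    """One Result per target, in log order; a Status line attaches to the last target seen."""
    results, order, last = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            if last is not None:
                last.status = int(m.group(1), 16)
            continue
        for rx, outcome, detail in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            key = (m.group(1).lower(), m.group(2))
            if key not in results:
                results[key] = Result(*key)
                order.append(key)
            last = results[key]
            last.outcome = outcome
            if detail:
                last.detail = detail
            break
    return [results[k] for k in order]


def explain(r: Result) -> str:
    code = "" if r.status is None else NTSTATUS.get(r.status, f"0x{r.status:08X}")
    if r.outcome == "deleted":
        return f"{r.kind} {r.target}: removed at boot"
    if r.status in NOT_FOUND:
        return (f"{r.kind} {r.target}: did not exist when Avenger ran ({code}); "
                "either already gone, or the path is wrong (a value name written as a subkey, a typo)")
    return f"{r.kind} {r.target}: FAILED ({code or r.detail}); still present, look again"


def removed(results: List[Result]) -> List[str]:
    return [r.target for r in results if r.outcome == "deleted"]


def absent(results: List[Result]) -> List[str]:
    return [r.target for r in results if r.outcome == "failed" and r.status in NOT_FOUND]


def still_open(results: List[Result]) -> List[Result]:
    """Failures that were not a simple 'not found': these need a second pass."""
    return [r for r in results if r.outcome == "failed" and r.status not in NOT_FOUND]


if __name__ == "__main__":
    for r in parse_avenger_log(SAMPLE_AVENGER_LOG):
        print(explain(r))
```

For this log `still_open()` comes back empty: the two loaders were already gone, the AppInit_DLLs value was never set (good, nothing was being injected into every process), and the `Run\1` miss is a path problem rather than a protected key. A STATUS_ACCESS_DENIED or STATUS_SHARING_VIOLATION in that list would mean something was still holding the object at boot and the cleanup is not done.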


Post by andorra24 » 17/09/06 21:01

Let me know the removal tool's report as well.
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo


Post by andorra24 » 17/09/06 21:45

Do these checks. Go to the Control Panel and see whether there are LinkOptimizer and/or ConnectionServices entries; if you see them, don't touch anything, just let me know.

1) Start > Run > control userpasswords2 (type it in the white box) > OK

In the User Accounts window, check whether you have a suspicious account with a random name (besides the usual Administrators and User, Aspnet), something like XYZFG. Write down the account name and delete it (right-click and choose delete);

2) Make hidden files and folders visible:

Go to Start / My Computer / Tools / Folder Options / View, tick "show hidden files and folders" and untick ''hide protected operating system files (recommended)''.

Go to C:\Documents and Settings, see whether there is a folder with the same name as that account, and delete that too.

Let me know whether Norton still finds the infection or not.
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by nero » 17/09/06 21:57

there are no entries with those names in the control panel....

I had already deleted the alphanumeric account and its folder earlier

at the moment no Norton message appears... maybe I'll run a scan now....

thaaanks
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by nero » 17/09/06 22:20

after the scan Norton found the file eckbx1.dll again

The compressed file eckbx1.dll inside C:\avenger\backup.zip is infected with the virus Trojan.Linkoptimizer.

I've put it in quarantine... do I delete it from quarantine or do I have to do something else?
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by andorra24 » 17/09/06 22:24

nero wrote: after the scan Norton found the file eckbx1.dll again

The compressed file eckbx1.dll inside C:\avenger\backup.zip is infected with the virus Trojan.Linkoptimizer.

I've put it in quarantine... do I delete it from quarantine or do I have to do something else?

AH ok, don't worry, go ahead and delete the whole avenger folder along with that backup:

Download this file
http://downloads.andymanchesta.com/Tools/IceSword1.zip
unzip the archive, run the file icesword.exe, at the bottom click the "File" button, then click "Local disk"; you should see the Avenger folder, select it, right-click and choose "Delete"
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by nero » 17/09/06 22:36

done....

here is the gmer autostart log again

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-17 23:35:20
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = C:\Programmi\Norton AntiVirus\navapsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@EPSON Stylus C44 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
@Zone Labs ClientC:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
@trustrastrustras.exe = trustras.exe
@CnxDslTaskBarC:\Programmi\Trust\CnxDslTb.exe = C:\Programmi\Trust\CnxDslTb.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@NAV AgentC:\PROGRA~1\NORTON~1\navapw32.exe = C:\PROGRA~1\NORTON~1\navapw32.exe
@Share-to-Web Namespace DaemonC:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe = C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe


HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@System =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} /*Componente estensione della shell di CorelDRAW*/C:\Programmi\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll = C:\Programmi\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B6122A50-EAB5-11D3-9E7F-EBF4F0595714} /*Tauscan Menu*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@(null) =
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\Msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

---- EOF - GMER 1.0.11 ----


what do I do now? is my pc clean???
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by andorra24 » 17/09/06 22:57

Your pc is clean. Go in peace. :lol:
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by nero » 17/09/06 23:02

thaaaaaaaaaaaaaaaaaaaaaaaanks
nero
Junior Member

Posts: 45
Joined: 06/06/05 18:59

Post by andorra24 » 18/09/06 00:01

nero wrote: thaaaaaaaaaaaaaaaaaaaaaaaanks

You're welcome. :)
andorra24
Senior Member

Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

