trojan.linkoptimizer.b

[bllmtt]

Intanto mi scuso per aver lasciato aperta la discussione per tutto questo tempo, ma il problema era passato in secondo piano. Adesso i computer con questo problema sono due. Intanto sono riuscito a pulirne uno grazie alle precise indicazioni di Giancarlo (GRAZIE!!!).
Ho lanciato hijackthis e pulito alcune cose che mi saltavano subito all'occhio.
Logfile of HijackThis v1.99.1
Scan saved at 12.13.34, on 27/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\LEXPPS.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Programmi\Belkin\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\alg.exe
C:\Programmi\QuickTime\qttask.exe
C:\Windows\system32\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe
C:\Windows\system32\LXSUPMON.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128 .5462\GoogleToolbarNotifier.exe
C:\Programmi\Spyware Doctor\swdoctor.exe
C:\Programmi\Belkin\Software Bluetooth\BTTray.exe
C:\Programmi\DIGITAL GRAPH\Mind5\Alarm.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\regedit.exe
C:\Windows\explorer.exe
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\I-Storm USB ADSL Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\Windows\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [oeuai] C:\Documents and Settings\vischi\Dati applicazioni\tofareraci\systvmrs.exe
O4 - HKLM\..\Run: [tskxgljk] "c:\windows\system32\tskxgljk.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "F:\CD8487T.exe" -scan <- già rimosso
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128 .5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Scadenze Mind 5.0.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Belkin\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Belkin\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Belkin\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O15 - Trusted Zone: *.cercoporno.com <- già rimosso
O15 - Trusted Zone: *.eros-porno.com <- già rimosso
O15 - Trusted Zone: www.hastalavista.it <- già rimosso

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: NavLogon - C:\Windows\system32\NavLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Belkin\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\ORANT\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe

Ho forti dubbi sulla riga con tskxgljk anche perchè non trovo nessuna corrispondenza con google con questo nome di file.
Se qualcuno vede altre cose da eliminare è il benvenuto
Appena riesco pulisco anche l'altro pc e posto il log di hijackthis
ciao e grazie
Matteo

[crazy.cat]

Da far sparire questi due file
O4 - HKLM\..\Run: [oeuai] C:\Documents and Settings\vischi\Dati applicazioni\tofareraci\systvmrs.exe
O4 - HKLM\..\Run: [tskxgljk] "c:\windows\system32\tskxgljk.exe"

dai una passata con Virit
http://www.tgsoft.it/italy/index_ita.html

[Giorgius]

Pc staccato da Internet prima di ogni scansione-rimozione.

SuperAntiSpyware 3.9.1008
Download: http://downloads2.superantispyware.c...ntiSpyware.exe
Dovrebbe rilevarlo e toglierlo dal ripristino di sistema.

Come prova definitiva fai partire il tool russo DrWeb CureIt! 4.33
Download: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe