linkoptimizer

[babery]

Ciao a tutti,
sono stato infettato da linkoptimizer, ho cercato nel forum informazioni su come debellarlo, l'ho disinstallato, ma quando si parla del registro di configurazione non ho capito bene quello che devo fare... vi posto un log di Hijackthis e il report di Ewido: se c'è qualcuno che puo aiutarmi...
grazie
ciao

Logfile of HijackThis v1.99.1
Scan saved at 0.08.39, on 23/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Libero
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5B4D79E1-AF10-130C-90FE-F62EB199D85E} - C:\WINDOWS\vcbwc1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ykoq7.exe] C:\WINDOWS\Temp\ykoq7.exe
O4 - HKLM\..\Run: [ykoq9.exe] C:\WINDOWS\Temp\ykoq9.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1059845.exe
O16 - DPF: {F57D27AE-CE57-4BC8-B232-EA57747BE5B7} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//lnkfwfa//sqpfcdg//roplsvi//irkqpg//IT//arct.chm::/painter.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe






-----------------------------------
Ewido report:

C:\WINDOWS\Downloaded Program Files\504066.exe -> Heuristic.Win32.Dialer : Ignored.
C:\Documents and Settings\Puma\Impostazioni locali\Temporary Internet Files\Content.IE5\PWSBDHGX\send[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Ignored.
C:\Documents and Settings\Babery\Cookies\babery@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Puma\Cookies\puma@ads20.bpath[2].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\Babery\Impostazioni locali\Temp\Cookies\babery@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Babery\Impostazioni locali\Temp\Cookies\babery@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Babery\Cookies\babery@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\Downloaded Program Files\1059845.exe -> Trojan.Diamin.t : Cleaned with backup (quarantined).
C:\WINDOWS\Passe-partout.exe -> Trojan.Diamin.t : Cleaned with backup (quarantined).


::Report end

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

[andorra24]

Con hijackthis elimina queste voci premendo fix checked:

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1059845.exe
O16 - DPF: {F57D27AE-CE57-4BC8-B232-EA57747BE5B7} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//lnkfwfa//sqpfcdg//roplsvi//irkqpg//IT//arct.chm::/painter.dll


Scarica questo tool:
http://www.prevx.com/gromozon.asp
eseguilo. Al riavvio del computer, il programma terminerà la scansione delle altre cartelle di windows.
Puoi rispondere NO alla richiesta di installare prevx al termine.
Sarà creato un report in C:\Gromozon_removal.log.
Copia e incolla il report in un post.