Thread: LinkOptimizer still in Control Panel -> Add and Remove Software

  1. #1
    Join Date
    Sep 2006
    Location
    Oulu, Finland
    Posts
    13
    Hi...thanks for your effort so far. And yes, I am in Finland at the moment and I am working/studying at the Institute of Technology.

    So, now I try to answer your questions again. Yesterday when I wanted to upload a zip-file my browser crashed and with it the whole reply.

    1. Virus and Scanner: I found these:
    HKLM\SOFTWARE\KMiNT21 -> Adware.DesktopSpyAgent : Keine Aktion durchgeführt.
    C:\WINDOWS\system32\drivers\etc\pnc.exe -> Backdoor.Ncx.a : Keine Aktion durchgeführt.
    C:\WINDOWS\system32\drivers\etc\tftp8675 -> Backdoor.SdBot.ry : Keine Aktion durchgeführt.
    And deleted them manually. There were also some reg entries found by Pandas and Trendmicros Onlinescan-Solutions which I removed as well.

    Then I ran all applications mentioned in SAFE-mode and let them do their work.

    2. SpySweeper: I did run two spysweeper scans. One in SAFE-Mode and one in Normal-mode. In my next post I upload all the log-files.

    3. FamilyKeyLogger: First I used the control panel - remove/add programs. Thereafter I checked the registry and file system for malicious files manually according to removal instructions of McAfee Antivirus online.

    4. LastFileOpened: Referring to post 8. The file was TaskMgrRunDll and the text in that file was that you can see in the post. starting with
    +---[ System Stats ]----------------------------------+
    and ending with
    -[ MICROSOFT LOSES! ]-
    And I did it again and deleted all of those files
    and yesterday in the morning before I read your post I changed permissions in the registry and deleted all of those BHO entries.
    I think I was shooting over the goal again.

    4. LinkOptimizer: In June my PC was infected by that nasty Prog. Here you can find what happened so far: http://www.thespykiller.co.uk/forum/...d&topic=1838.0

    As I said I will upload the log-files in an extra post.

  2. #2
    Join Date
    Sep 2006
    Location
    Oulu, Finland
    Posts
    13
    logs enclosed

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ulle_G, Thanks for the logs. I am going to say at the outset here, I am really at a disadvantage reading several of these logs because I only read and speak English. Some items of course are recognizable in any language. But honestly I can't tell for certain what has been removed and what hasn't...plus with the unrequested reg-edits done...I just don't know for sure. Much of this may seem redundant to you, running tools you have already run, but I just want to be certain we have done all we can to get this machine up and running and I want to be certain, for myself, and more importantly, for YOU, that we have completed all the steps in the order I would recommend before we feel we must try something else. Hopefully this will be it..and we can say hooray when all these are completed.

    Since your first "go round" with Link Optimizer in June there were several tools developed and released in July to help remove this automatically so I would like you to try one that I have used myself to remove this from a machine I worked on personally, hands on, and it did work;

    This is the Gromozon Rootkit Removal Tool from Prevx

    To use the program simply download it to your computer and double-click on the downloaded file. Now click on the Scan button and follow the prompts.

    Update your AVG program, but do not run it yet.

    Next I would like you to do the following. Download, if you have not already, the Ewido Security Suite.
    DoubleClick the Ewido Icon on your desktop and allow it to update to the latest malware definitions (Click Update > Start Update). Just install and update DO NOT RUN the PROGRAM yet.
    Now I would also like you to update both your AdAwareSE programs and Spybot S & D. Make certain you have the current versions of both programs. Just update, don't run them yet.
    Also update Spysweeper; don't run it yet.
    Update CCleaner. Don't run it yet.

    Please be certain that you have Enabled the Viewing of Hidden Files and Folders.

    Shut down the computer. Disconnect the internet cable from the back of the computer. Reboot the computer in SAFE MODE and do the following IN THE ORDER GIVEN.

    Run a FULL SYSTEM SCAN with your AVG and remove everything found.

    Open and RUN CCleaner with the default options to clean out temporary files. Only use the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.

    Open SpyBotSD and Click “Check for Problems.” Allow SpyBot to fix what it finds.

    Open Ad-Aware SE Personal and Click START > Check the Perform full system scan box > Click NEXT. Allow Ad-Aware to scan and to fix what it finds.

    OPEN EWIDO and click Scanner > Complete System Scan.
    Allow it to fix what it finds and click on Save Report. Save the log to where it can be easily found and please attach it along with your HijackThis log when you post back.

    Open Spysweeper.

    * Click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
        o Sweep Memory
        o Sweep Registry
        o Sweep Cookies
        o Sweep All User Accounts
        o Enable Direct Disk Sweeping
        o Sweep Contents of Compressed Files
        o Sweep for Rootkits
        o Please UNCHECK Do not Sweep System Restore Folder.
    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.

    Reboot to Normal Mode. Run a NEW HiJackThis scan, save the log. Post back here with that NEW log, the Ewido log and the Spysweeper log.
    Judy

  4. #4
    Join Date
    Sep 2006
    Location
    Oulu, Finland
    Posts
    13
    Hi Judy.

    Yeah, but it's ok to do all these scans cause I want to be sure that my computer is clean. So I have done all the steps starting with the Gromozon Removal Tool and all the other scan procedures.

    The Tool didn't find anything and also the other scans showed no extraordinary content.

    The log files are enclosed and I translated some of the most important entries in the log files.

    Thank you very much! By the way, what's your profession? Just asking...

    BR Ulle

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi BR Ulle,
    Glad that no linkoptimizer was found by the Gromozon Removal Tool. That is good. "Probably" means it is gone. At first glance the HJT log looks clean but will do a more thorough scan through to be certain.

    I hate to ask you to do this but could you translate the Spysweeper entries which say "Warning: Failed to open file". These would be the ones timed from 13:22 to 13:28. Believe there are 24 such entries beginning with that top one which says "<-- Process cannot be entered cause its used by a different process." I really need to know what these are and maybe I can understand why the file failed to open. It may mean nothing but I don't know for sure. At least the Ewido scan was also clean.

    My profession? Ha...at the present time...most of my time is spent being a Grandma! Before that I ran a school cafeteria until they closed the school! My husband thought I would love computers so..he started all this by buying me a computer and as "they say", "the rest is history". I am self taught with the help of various Gateway and Dell techs over the last 10 years or so and then the guys at this forum really have helped me learn what little I do know. I love it, can you tell?
    Judy

  6. #6
    Join Date
    Sep 2006
    Location
    Oulu, Finland
    Posts
    13
    Joo, no Problem. It trains my English even though I should learn more Finnish here.
    Nice story and nice hobby you have there. I would like to spend more time with computers but it's not possible at the moment. So it happened that my computer was infected but I learn more every day.

    Here is the translation. I hope that I hit the right terms:

    13:26: Warning: Failed to open file "c:\avenger\lpt2.exe". System cannot find file.

    13:23: Warning: Failed to open file "c:\documents and settings\ulleg\local settings\application data\microsoft\windows\usrclass.dat.log". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\ulleg\local settings\application data\microsoft\windows\usrclass.dat". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\ulleg\local settings\temp\perflib_perfdata_630.dat". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\ulleg\ntuser.dat.log". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\ulleg\ntuser.dat". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\networkservice\anwendungsdaten\webroot\spy sweeper\data\settings.dat". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". Process cannot be entered cause it's used by a different process.

    13:23: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\drivers\sptd.sys". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\drivers\sptd8045.sys". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\drivers\dtscsi.sys". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\default". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\software". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\system". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\security.log". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\sam.log". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\sam". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\security". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\default.log". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\software.log". Process cannot be entered cause it's used by a different process.

    13:22: Warning: Failed to open file "c:\windows\system32\config\system.log". Process cannot be entered cause it's used by a different process.

    Ulle...the BR was for Best regards
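
An added example, not part of either poster's reply: one way to triage "Failed to open file" warnings like those listed above. Windows keeps its registry hive files and their `.log` companions open exclusively while it is running, so a scanner's failure to open them is expected; loaded drivers and files that are listed but missing are the ones worth a second look. The category names and the sample (five of the translated lines above) are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample: five of the translated warnings from the post above.
SAMPLE = r'''
13:26: Warning: Failed to open file "c:\avenger\lpt2.exe". System cannot find file.
13:23: Warning: Failed to open file "c:\documents and settings\ulleg\local settings\temp\perflib_perfdata_630.dat". Process cannot be entered cause it's used by a different process.
13:23: Warning: Failed to open file "c:\documents and settings\ulleg\ntuser.dat.log". Process cannot be entered cause it's used by a different process.
13:22: Warning: Failed to open file "c:\windows\system32\drivers\sptd.sys". Process cannot be entered cause it's used by a different process.
13:22: Warning: Failed to open file "c:\windows\system32\config\sam". Process cannot be entered cause it's used by a different process.
'''

LINE = re.compile(r'^\s*(\d\d:\d\d): Warning: Failed to open file "([^"]+)"\. (.+)$')
# Registry hives (system-wide and per-user) plus their .log files.
HIVE = re.compile(r'\\(system32\\config\\(default|sam|security|software|system)'
                  r'|(ntuser|usrclass)\.dat)(\.log)?$', re.I)
DRIVER = re.compile(r'\\system32\\drivers\\[^\\]+\.sys$', re.I)

def classify(path, reason):
    if "cannot find" in reason.lower():
        return "missing"          # listed by the scanner but not on disk
    if HIVE.search(path):
        return "locked-hive"      # expected on a running system
    if DRIVER.search(path):
        return "locked-driver"    # loaded driver: confirm which product owns it
    return "locked-other"         # in use by some process: check which one

def triage(log_text):
    """Return (time, path, category) for every 'Failed to open file' line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            when, path, reason = m.groups()
            rows.append((when, path, classify(path, reason)))
    return rows

def summary(rows):
    return Counter(category for _, _, category in rows)

if __name__ == "__main__":
    for when, path, category in triage(SAMPLE):
        print(f"{when}  {category:14} {path}")
```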

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi!
    Thanks for the translation. I don't really see anything here that is a problem. Hopefully all is cleaned now. Does that linkoptimizer still show in the add/remove?

    I would run HJT again and place a checkmark next to the following entry;
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
    Then click the FIX button and exit HJT.

    If YOU feel all is well then I would set a new Restore Point on the computer by Right Clicking My Computer, choose Properties, System Restore. Place a checkmark next to Turn Off System Restore. You will be asked if you are sure, click yes or ok. System Restore will shut down. Close that out, wait a minute and then do the same thing only this time remove the checkmark and System Restore will start back up giving you new, clean restore points.
    You do already have your AVG program and your Firewall but I would also recommend that you ADD SpywareBlaster to your "weapons of defense" if you don't have it already. It is a super, little FREE program which really will help protect the computer because it blocks malicious ActiveX installs by implementing a “kill bit” to prevent those ActiveX programs with known CLSIDs from being executed. Highly recommended! From Javacool Software.
    Last edited by jholland1964; 09-23-2006 at 12:03 PM.
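
An added example, not part of the post above and not SpywareBlaster's own code: the Internet Explorer "kill bit" is the 0x400 bit of the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`. This sketch reads a `.reg` export of that key and reports which CLSIDs are blocked; the CLSIDs and flag values in the sample are constructed placeholders.

```python
import re

KILL_BIT = 0x400  # set in "Compatibility Flags": IE will not instantiate the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000c00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
'''

KEY = re.compile(r'^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$')
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def kill_bit_status(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to True (blocked) or False."""
    status, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key section: track it only if it is a CLSID under BASE.
            k = KEY.match(line)
            in_base = bool(k) and k.group(1).upper() == BASE.upper()
            clsid = k.group(2).upper() if in_base else None
            if clsid:
                status[clsid] = False   # key exists, no flags seen yet
            continue
        f = FLAGS.match(line)
        if f and clsid:
            # Test the bit, not equality: other flag bits may be set too.
            status[clsid] = bool(int(f.group(1), 16) & KILL_BIT)
    return status

if __name__ == "__main__":
    for clsid, blocked in kill_bit_status(SAMPLE_REG).items():
        print(clsid, "kill bit set" if blocked else "NOT blocked")
```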
