Solved

Linkoptimizer trojan

Posted on 2006-05-03
1,777 Views
Last Modified: 2013-12-04
I have this problem: in the programs directory I found a linkoptimizer.dll inside a linkoptimizer directory. The AV program (NOD32) saw it as a likely unknown trojan and deleted it. At the same time, in the windows\temp dir (which shouldn't exist, because I thought my temp dir was inside "documents and settings") I found a dual1.exe file, which again the AV deleted because it was a likely unknown virus. There was also a linkoptimizer entry in the uninstall application list, and I uninstalled it. I used HijackThis to clean entries in the registry, and I manually scanned the registry and removed other entries. I scanned everything with Ad-Aware and Spyware Doctor. So there should be no trace of these things on my PC, BUT every couple of days they pop up again; sometimes dual1.exe is dual2.exe, but whatever I try, they pop up again. Can somebody advise me?

Current log from hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 16.52.48, on 03/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmi\Executive Software\Diskeeper\DkService.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\Eset\nod32krn.exe
C:\Internet\BVRP Connection Manager\NomadSvr.exe
C:\Programmi\Norton Ghost\Agent\VProSvc.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programmi\Microsoft Hardware\Mouse\point32.exe
C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmi\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Programmi\ABIT\uGuru\uGuru.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\utility\wincmd\TOTALCMD.EXE
C:\Internet\eMule\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
c:\utility\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\Internet\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Internet\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Internet\GetRight\xx2gr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Internet\COPERN~1\COPERN~1.DLL
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Internet\ICQToolbar\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Music\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programmi\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Programmi\ABIT\uGuru\uGuru.exe
O4 - Startup: RemindMe.lnk = C:\Programmi\RemindMe\RemindMe.exE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Internet\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Internet\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Internet\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Internet\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Internet\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Internet\COPERN~1\COPERN~1.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Internet\COPERN~1\COPERN~1.EXE
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145715164734
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A1E3972-AB47-4164-8DA5-732CEE3C4E93}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E0A6FD-50BC-4373-ADA2-21E1720D638B}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Connection Manager (Nomad) - Unknown owner - C:\Internet\BVRP Connection Manager\NomadSvr.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmi\Norton Ghost\Agent\VProSvc.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
Question by: Daniele Brunengo

8 Comments

LVL 23

Expert Comment

by:bhanukir7
ID: 16597862
Hi there,
Do you see these entries? Out of these, identify which services you need and remove all the rest; this should eliminate the problem. Spyware, adware and all these programs are helpful, but they also at times remove certain links.

Run msconfig, set selective startup and deselect the startup items.
This would reduce a lot of headache. Then go ahead and manually delete
nvraidservice.exe if you're not running any RAID level on your hard disk.
Remove point32.exe, which I don't think is of any use; potential virus file.
Remove nod32.kui.exe.
If you're using Sygate Personal Firewall then don't remove smc.exe, but if you don't have Sygate then this may also be a virus file.
And also this: C:\Programmi\RemindMe\RemindMe.exE

I am referring to the following links posted by you.
Good luck.
Manually deleting is more advisable.
All these entries will be in

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\

TRY TO DELETE ENTRIES WHICH YOU DON'T WANT TO USE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Music\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programmi\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Programmi\ABIT\uGuru\uGuru.exe
O4 - Startup: RemindMe.lnk = C:\Programmi\RemindMe\RemindMe.exE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe


goodluck

bhanu
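Before deleting anything from the Run and RunOnce keys named above, it helps to see exactly what each value launches. The following PowerShell audit is an added example for this page, not code from either poster. It assumes a Windows version with PowerShell available (the machine in the thread ran XP SP2, where the registry editor was the tool of the day) and reports only; it deletes nothing. It goes a little beyond the comment by resolving each command line to the executable it starts, reporting values whose file no longer exists (stale entries left over from a removal), and flagging executables that live in a temp directory, which is where the dual1.exe and dual2.exe files in this question were found.

```powershell
# Added example (not from the thread): audit the Run / RunOnce autostart keys.
# Assumes a Windows version with PowerShell; only reports, never deletes.

function Resolve-CommandExecutable {
    # Extract the program from a Run-value command line such as
    #   "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE   or   nwiz.exe /install
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $c.Substring(1, $end - 1) } else { $c.Substring(1) }
    } else {
        # Unquoted paths may contain spaces, so cut at the first executable extension.
        $m = [regex]::Match($c, '^(.+?\.(exe|com|dll|cmd|bat))(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($c -split '\s+')[0] }
    }
    # Bare names (point32.exe, CTXFIHLP.EXE) are resolved the way the loader does: via PATH.
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { $exe = @($found)[0].Path }
    }
    return $exe
}

function Get-AutostartAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Temp locations a legitimate autostart has no business living in.
    $tempDirs = @((Join-Path $env:SystemRoot 'Temp'), $env:TEMP, $env:TMP) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
        Select-Object -Unique

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $exe = Resolve-CommandExecutable -Command $cmd
            $exeLower = $exe.ToLowerInvariant()
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exe     = $exe
                Exists  = [System.IO.File]::Exists($exe)
                InTemp  = [bool]($tempDirs | Where-Object { $exeLower.StartsWith($_ + '\') })
            }
        }
    }
}

# Report: temp-dir entries deserve a closer look, missing files are leftovers worth cleaning.
Get-AutostartAudit |
    Sort-Object -Property InTemp -Descending |
    Format-Table Key, Name, Exe, Exists, InTemp -AutoSize
```

An entry with Exists = False is harmless by itself (nothing runs), but it tells you a previous clean-up removed the file without the registry value, which is exactly the kind of leftover HijackThis shows as an O4 line. An entry with InTemp = True is the one to investigate before the next reboot.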
 
LVL 32

Accepted Solution

by: r-k (earned 2000 total points)
ID: 16599005
For future reference, you can post the HJT log directly to http://www.hijackthis.de/ and just post a link to the saved analysis page.

I did this for you, and it is at:

 http://www.hijackthis.de/logfiles/d880dd381ffdf443f9c09f5265107384.html

I would suggest using HJT to remove the following entries:

 O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Internet\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
 R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\Internet\COPERN~1\COPERN~1.DLL
 O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Internet\COPERN~1\COPERN~1.EXE
 
Then reboot, run HJT again and make sure these entries are really gone.

Can you tell us what folder the dual1.exe and dual2.exe files are in?

You can disable them as follows:

(0) If running XP Home, boot in safe mode; if XP Pro, start with step (1).

(1) Right click on the file (e.g. dual1.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for the other file (dual2.exe)

(6) Close all windows.

(7) Reboot.

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I suggest Ewido, but you can try others that you already have.


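The permission steps above, scripted. This is an added example for this page, not r-k's or anyone else's code from the thread. It assumes an elevated PowerShell prompt on a Windows version that has PowerShell (on the XP machine in the thread the Explorer steps above are the way to do it), and the two paths are placeholders standing in for the real files. It does the same thing as steps (1) to (4): stops the file inheriting permissions from its folder without copying them, removes any explicit entries of its own, and then checks that nothing can read the file any more, since a file that cannot be read cannot be executed either.

```powershell
# Added example (not from the thread): strip every NTFS access entry from a suspect file
# so nothing can read or execute it, the scripted form of
# Properties > Security > Advanced > uncheck "Inherit from parent" > Remove.
# Assumes an elevated PowerShell; the file paths below are placeholders.

function Lock-SuspectFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "$Path not found (the AV may already have removed it)"
        return $false
    }

    $acl = Get-Acl -Path $Path
    # Step 4, "Inherit from Parent" unchecked: isProtected=$true turns inheritance off,
    # preserveInheritance=$false discards the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Step 4, "Remove": drop whatever explicit entries the file carried of its own.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Verify. With an empty DACL only the owner keeps the implicit right to read the
    # security descriptor, so an access-denied here also means the lock took effect.
    try {
        $remaining = @((Get-Acl -Path $Path).Access).Count
        return ($remaining -eq 0)
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Test-FileUnreadable {
    # A file that cannot be opened for reading cannot be mapped and run.
    param([string]$Path)
    if (-not (Test-Path -Path $Path -PathType Leaf)) { return $false }
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

# Placeholder paths; substitute the files actually found on the machine.
$suspects = @('C:\WINDOWS\Temp\dual1.exe', 'C:\WINDOWS\Temp\dual2.exe')
foreach ($file in $suspects) {
    $stripped = Lock-SuspectFile -Path $file
    '{0}: ACL stripped={1}, unreadable={2}' -f $file, $stripped, (Test-FileUnreadable -Path $file)
}
```

The file stays on disk, and an administrator can still take ownership and restore access, so the change is reversible; that is also why it is a containment step rather than a clean-up, and why the post above follows it with an anti-spyware scan once the symptoms stop.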
 

Author Comment

by:Daniele Brunengo
ID: 16601278
nvraidservice.exe: I need it because I use RAID 0+1
point32.exe is needed for mouse centre button configuration
nod32.kui.exe is needed by the AV
smc.exe is needed because I use Sygate Personal Firewall
C:\Programmi\RemindMe\RemindMe.exE is scheduling software
Copernic is search software, very good

These are all programs I've been using for ages, so it's not their fault. Actually, I use a startup manager with which I have disabled the useless entries.

dual1.exe or dual2.exe are in the c:\windows\temp folder
 
LVL 32

Expert Comment

by:r-k
ID: 16601368
Did you try disabling the dual1.exe and dual2.exe files like I suggested above?

 

Author Comment

by:Daniele Brunengo
ID: 16601402
Yes, thanks. Now I'm waiting a few hours to see if they reappear.
 
LVL 32

Expert Comment

by:r-k
ID: 16601443
Sounds good. I don't think you'll have any more trouble from those files, but post back if anything of interest happens.

If you're sure that Copernic is something you want, then there is nothing else wrong with the HJT log. System seems clean.

 

Author Comment

by:Daniele Brunengo
ID: 16610436
The files have not resurfaced since following your suggestion. I guess I'll close the question and say THANKS!
 
LVL 32

Expert Comment

by:r-k
ID: 16610487
Thank you and good luck.