Subject: How to remove Linkoptimizer / Gromozon (rootkit variant)
Posted: Wed 26 Jul 2006, 4:09 pm
Author: Site Admin
Update: 28 September 2006

Please note that this guide was written in July, when no antivirus was able to recognize and delete LinkOptimizer. Symantec and Prevx have since prepared two automatic removal tools. We suggest using them first (they can be found here) and continuing with this guide only if they fail, or to verify manually that everything is OK.


NOTE: the latest Gromozon variants block GMER, RootkitRevealer, HijackThis, Avenger and many other security tools and web sites. SuspectFile has prepared two tools (Systemscan and AvRunner) that can be useful to find and remove this variant as well. More information here

In several security forums there are many posts asking how to remove LinkOptimizer, or a generic Trojan Agent variant as Avast reports it. Some variants of this adware are hard to remove because they use (as we will soon see) rootkit techniques to hide themselves.

SuspectFile has prepared a manual removal procedure that solves this problem. This procedure has been successfully tested on several PCs. At the moment no antivirus is able to completely remove the rootkit variant, so this procedure uses some specific anti-rootkit tools such as GMER, DarkSpy and RootkitRevealer.

SYMPTOMS OF THE INFECTION
  • Avast notifies that one or more files with tmp, exe or dll extension are infected by the Win32/Agent trojan. If you delete them they come back at the next reboot
  • Internet surfing becomes slow; sometimes a new dial-up connection is created
  • Popups appear after a search in Google
These are symptoms of Linkoptimizer, an adware that installs itself by exploiting the WMF vulnerability. If you have an unpatched PC and browse a site that links to a specially crafted WMF image, the adware is downloaded automatically.

Sometimes you can see LinkOptimizer in Control Panel >> Add or Remove Programs. In this case don't try to uninstall it: it doesn't seem to work (you are redirected to a web site) and some users reported the installation of a rootkit.

The latest variants of Linkoptimizer cannot be seen from Control Panel because they use a rootkit to hide themselves from the Windows API. The tool is detected by Bitdefender as Backdoor.HackDef.Gen.

CHANGES TO THE SYSTEM (not necessarily all at the same time)
  • installation in C:/windows or C:/windows/system of one or more hidden DLLs with random names (they are copies of Linkoptimizer)
  • creation in C:/programs or C:/windows/temp (sometimes in other folders) of hidden and encrypted files with exe, dll or tmp extension. The name is random and changes at every reboot. We have analyzed some of them and they were variants of trojan Agent
  • creation of a fake user profile with a random name. You can see a new folder in C:/Documents and Settings created on the day of the infection. This user is the owner of the encrypted files
  • creation of a new service with a random name. The service is easy to recognize (when visible) because in the list of services (Start >> Run, type services.msc and press Enter) the logon column ("Log On As") shows a random name instead of LocalSystem.
  • download and execution of the rootkit tool that hides it from the Windows API. Its characteristics are:
    • a Windows reserved filename (com#, lpt#, nul#, prn#) to make its removal difficult.
    • it is saved in C:/windows/system32 on FAT32 systems and in an ADS (alternate data stream) on NTFS systems.
    • it is loaded into every GUI process because it is called from the AppInit_DLLs key
    NOTE: with this variant, the rootkit and the random DLLs are not visible from explorer.exe, and the AppInit_DLLs registry key also appears empty. You can see the name of the malware by using anti-rootkit tools like RootkitRevealer or GMER. With RootkitRevealer the log looks like this:
    Quote:
    HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/AppInit_DLLs 17/06/2006 10.29 66 bytes Windows API length not consistent with raw hive data.
    C:/WINDOWS/hyqtt1.del 10/07/2006 14.56 63.16 KB Hidden from Windows API.
    C:/WINDOWS/hyqtt1.dll 10/07/2006 14.56 63.16 KB Hidden from Windows API.
    C:/WINDOWS/system32/com4.igp 10/07/2006 16.39 115.04 KB Hidden from Windows API.

    In this case the infection started on the 10th of July. The first row says that the rootkit is loaded from the AppInit_DLLs key (it is the com4.igp file). This tool has hidden Linkoptimizer (the two hyqtt1 files).
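To show how the log above is read in practice, here is an added Python example (not part of the original guide and not a SuspectFile tool). It parses RootkitRevealer-style lines, using the entries quoted above as a constructed sample (written with the backslashes RootkitRevealer actually prints, plus one typical benign "embedded nulls" finding so the filter has something to discard), flags the AppInit_DLLs inconsistency, lists the files hidden from the Windows API, picks out those whose base name is a DOS reserved device name (com#, lpt#, nul, prn, aux, con) and derives the likely infection day from the hidden files' dates. The dates, times and sizes in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the RootkitRevealer log quoted above; the
# last line is a typical benign RKR finding, added so the filter has
# something to discard. Dates, times and sizes are made up.
SAMPLE_RKR_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 17/06/2006 10.29 66 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\hyqtt1.del 10/07/2006 14.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\hyqtt1.dll 10/07/2006 14.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\system32\com4.igp 10/07/2006 16.39 115.04 KB Hidden from Windows API.
HKLM\SECURITY\Policy\Secrets\SAC* 12/05/2006 11.44 0 bytes Key name contains embedded nulls (*)
"""

# path, dd/mm/yyyy, hh.mm, size with unit, free-text description
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}\.\d{2}) "
    r"(?P<size>[\d.,]+ (?:bytes|KB|MB)) (?P<desc>.+)$"
)

# DOS device names: a file called com4.igp cannot be deleted through the
# normal Win32 path, which is why the rootkit picks such a name (see above)
RESERVED_RE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def is_reserved_device_name(path):
    """True if the last path component, before its first dot, is a DOS device name."""
    base = path.rstrip("\\").rsplit("\\", 1)[-1]
    return bool(RESERVED_RE.match(base.split(".", 1)[0]))


def parse_rkr_log(text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["hidden"] = entry["desc"].startswith("Hidden from Windows API")
        entries.append(entry)
    return entries


def triage(entries):
    """Summarise what the removal procedure needs from the log."""
    hidden = [e for e in entries if e["hidden"]]
    by_date = Counter(e["date"] for e in hidden)
    return {
        # first quoted line: the raw hive data disagrees with what the API returns
        "appinit_tampered": any("appinit_dlls" in e["path"].lower() for e in entries),
        "hidden_files": [e["path"] for e in hidden],
        "reserved_name_files": [e["path"] for e in hidden if is_reserved_device_name(e["path"])],
        # most frequent date among hidden files first: the likely day of infection
        "infection_dates": [d for d, _ in by_date.most_common()],
    }


if __name__ == "__main__":
    for key, value in triage(parse_rkr_log(SAMPLE_RKR_LOG)).items():
        print(f"{key}: {value}")
```

The "embedded nulls" line is the kind of entry RootkitRevealer reports on clean machines too, so the triage keys off the "Hidden from Windows API" description rather than treating every line as a finding; the reserved-name check is the same rule used later in the guide when the com4.igp file has to be deleted with the \\.\ prefix.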

SYMPTOMS IN HIJACKTHIS (not always present)
  • R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page =
  • R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page =
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: Class - {1A06B321-9911-88C0-89F1-281F7413084A} - C:/WINDOWS/hyqtt1.dll (file missing)
    The BHO name can vary (Class or Java update console) and so can the CLSID value (the hex numbers). It is quite common to see "file missing" or "no file" when the rootkit is active
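The four HijackThis symptoms above can be matched mechanically. The following Python example is added here and is not part of the original guide or of HijackThis: it scans a constructed HijackThis-style excerpt (the first four lines reproduce the symptoms listed above; the two remaining lines are ordinary entries that must not be flagged, and the benign BHO's name, CLSID and path are placeholders) and reports each matching line with the reason.

```python
import re

# Constructed HijackThis-style excerpt: the first four lines reproduce the
# symptom patterns listed above, the last two are ordinary entries that must
# not be flagged (the second BHO's name, CLSID and path are placeholders)
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1A06B321-9911-88C0-89F1-281F7413084A} - C:\WINDOWS\hyqtt1.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
"""

# BHO display names the guide reports for this adware
SUSPECT_BHO_NAMES = {"class", "java update console", "javascript console"}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<file>.*)$"
)


def check_hjt_line(line):
    """Return a short reason if the line matches one of the symptoms, else None."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")) and "Local Page" in line and line.endswith("="):
        return "empty Local Page value"
    if line.startswith("R3 -") and "URLSearchHook is missing" in line:
        return "default URLSearchHook missing"
    m = BHO_RE.match(line)
    if m:
        file_part = m.group("file").lower()
        # with the rootkit active the dll is hidden, so HJT reports it as missing
        if "(file missing)" in file_part or "(no file)" in file_part:
            return "BHO whose dll is missing or hidden"
        if m.group("name").strip().lower() in SUSPECT_BHO_NAMES:
            return "BHO with a display name used by Linkoptimizer"
    return None


def find_hjt_symptoms(text):
    """Scan a whole log and return the flagged lines with their reasons."""
    hits = []
    for line in text.splitlines():
        reason = check_hjt_line(line)
        if reason:
            hits.append({"line": line.strip(), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_hjt_symptoms(SAMPLE_HJT_LOG):
        print(f"{hit['reason']}: {hit['line']}")
```

A BHO is flagged either because its dll is reported missing (the rootkit case) or because its display name is one the guide associates with this adware; a normal BHO with a present file and an unrelated name passes.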

HOW TO SOLVE
If you have XP or ME, the easiest thing is to do a System Restore and choose a restore point whose creation date is before the date of the infection. To restore the system please see this guide.
If the restore does not help, you can try a couple of scans: an online scan with Bitdefender and a scan with Virit (it is in Italian) from safe mode. Remember to update it before using it.

Both programs detect and delete Linkoptimizer, but they might fail to remove the rootkit variant. In this case you can remove it manually with our procedure:

MANUAL REMOVAL
(If you need help please read below under HELP FROM THE FORUM)
This procedure works only on Windows 2000 and Windows XP.
  1. Download RootkitRevealer and do a system scan. Don't use the PC while RKR is running. From the RKR log identify the infected files (the files hidden from the Windows API that were created on the day of the infection). You should find at least a DLL in C:/windows and a file with a reserved name (see above) in C:/windows/system32.
  2. Enable the display of hidden and system files (see here)
  3. Search for the folder of a fake user with a random name in C:/documents and settings/. The folder was created on the day of the infection
  4. Search for any hidden file with exe, dll or tmp extension and a random name in C:/programs or C:/windows/temp that was created in the last 2 days.
  5. Uninstall all Java versions from Control Panel. At the end of the cleaning you can reinstall the latest one from the SUN web site
  6. In HijackThis, fix (remove) all R0, R1 and R3 rows similar to those seen above, and the rows like O2 - BHO: (name)-{xxx}-(no file), where xxx are hex numbers like {DA39029C-D291-A968-3FF4-D0990D5CB5FC} and name is a name similar to Class or JavaScript console
  7. Disable, from the list of services, the new service with a random name created by the malware. Right-click on the service and choose Disabled as Startup type
  8. Empty all temp folders of all PC users, for instance C:/temp, C:/windows/temp, C:/documents and settings/user_name/temp and so on. Find them with Search to be sure not to miss any. You can use a tool like CCleaner, but check manually to be sure they are all empty
  9. Delete the linkoptimizer folder, if found
  10. Empty the Recycle Bin

Now download The Avenger and extract the exe file to your desktop.
- copy the content of the box below to the clipboard (press CTRL+C). NOTE: the right content must be written personally on the basis of what was actually found on the PC. If you are not sure please ask the forum. This tool deletes files at kernel level: pay attention to what you write, it will be deleted!!

Quote:
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs   (this row disables the loading of the rootkit)

Files to delete:
c:\windows\hyqtt1.dll   (the hidden DLLs found in your RKR log)
c:\windows\system32\com4.igp   (the rootkit with the reserved Windows name found in the RKR log)
C:\programmi\xyz.exe   (the other hidden files, if found)

Folders to Delete:
c:\documents and settings\dkc   (the fake user folder found on your PC)
c:\windows\temp   (system folder where the malware may be; Windows will recreate it)

NOTE: instead of C:\windows please write the correct path of your Windows installation folder. The text in parentheses is an explanation and must not be pasted into the script.
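Because Avenger deletes, at kernel level, exactly what the script names, it is safer to assemble the script from the RKR findings with something that refuses obviously wrong input. The following Python function is an added example, not a feature of Avenger or a SuspectFile tool: it builds the three sections in the layout shown above from the list of hidden files and the fake profile folder, and raises an error for relative paths, for the Windows or system32 folder itself listed as a "file", for a folder that is not directly under the profiles root, and for any built-in profile name (All Users, Default User, Administrator, LocalService, NetworkService; this list is an assumption) passed as the fake user. The example paths are the ones used on this page.

```python
import re

# Standard Windows 2000/XP profile folder names (assumption); the malware's
# fake profile has a random name, so none of these may ever be deleted
BUILTIN_PROFILES = {"all users", "default user", "administrator",
                    "localservice", "networkservice"}

# the registry value that loads the rootkit, written as the script above shows it
APPINIT_VALUE = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs"


def _require_absolute(path):
    """Avenger works at kernel level: accept only full drive-letter paths."""
    if not re.match(r"^[A-Za-z]:\\[^\\]", path):
        raise ValueError(f"not an absolute Windows path: {path!r}")
    return path


def _require_safe_file(path, windows_dir):
    """Reject the Windows or system32 folder itself being listed as a 'file'."""
    _require_absolute(path)
    protected = {windows_dir.lower(), windows_dir.lower() + r"\system32"}
    if path.lower().rstrip("\\") in protected:
        raise ValueError(f"refusing to delete a system location: {path!r}")
    return path


def _require_fake_profile(path, profiles_dir):
    """The fake user folder must sit directly under the profiles root and not be built in."""
    _require_absolute(path)
    parent, name = path.rstrip("\\").rsplit("\\", 1)
    if parent.lower() != profiles_dir.lower().rstrip("\\"):
        raise ValueError(f"not a profile folder under {profiles_dir}: {path!r}")
    if name.lower() in BUILTIN_PROFILES:
        raise ValueError(f"refusing to delete a built-in profile: {path!r}")
    return path


def build_avenger_script(hidden_files, fake_profile, windows_dir=r"C:\WINDOWS",
                         profiles_dir=r"C:\Documents and Settings",
                         delete_windows_temp=True):
    """Assemble the three sections in the layout quoted above from validated findings."""
    files = [_require_safe_file(p, windows_dir) for p in hidden_files]
    if not files:
        raise ValueError("no files listed: identify them in the RKR log first")
    folders = [_require_fake_profile(fake_profile, profiles_dir)]
    if delete_windows_temp:
        folders.append(windows_dir + r"\temp")   # Windows recreates it at boot
    lines = ["Registry values to replace with dummy:", APPINIT_VALUE, "",
             "Files to delete:", *files, "",
             "Folders to Delete:", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed findings matching the example on this page
    print(build_avenger_script(
        [r"C:\WINDOWS\hyqtt1.dll", r"C:\WINDOWS\system32\com4.igp", r"C:\Programmi\xyz.exe"],
        r"C:\Documents and Settings\dkc"))
```

The Windows folder and profiles root are parameters so the script matches a non-default installation, as the NOTE above requires; the checks are deliberately conservative, because a mistyped line in an Avenger script is executed without further confirmation.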

Now, start The Avenger program by clicking on its icon on your desktop.
    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

If it doesn't reboot your PC, please reboot it manually.

At reboot the trojan is deactivated. You can see the result in the Avenger log (C:/avenger.txt). In C:/Avenger you will find the backup of the deleted files. The whole folder can be deleted; see below if you cannot delete it.

To end your work:
  1. Download RegSrch.zip. Extract the RegSrch.vbs script to the desktop. Run it and type the name of the hidden DLL in the window (it was hyqtt1.dll in our example). Wait until a WordPad window opens. Note the registry key from which the DLL was loaded and delete it with regedit.exe.
  2. If your file system is NTFS: do an ADS scan with HijackThis. Open HijackThis, click Open the misc tools section, then Open ADS Spy... and unselect Quick Scan. Follow this guide. Search the log for the file with the reserved name (com4.igp in this example); if found, check the box near it and click Remove selected
  3. In HijackThis, click Open the misc tools section >> Open Uninstall Manager. Select linkoptimizer and press Delete this entry.

Now the PC is free from LinkOptimizer

We suggest installing the patch for the WMF exploit as soon as possible, otherwise you could get a new infection. Please also do a couple of online scans: Bitdefender and Kaspersky (extended database) are good. Before any online scan, temporarily disable the real-time scan of your AV


HELP FROM THE FORUM
If you need help please open a new topic with this information

  1. HijackThis log
  2. Rootkit scan with GMER: download GMER.EXE. Open it and select the Rootkit tab. Click Scan and save the log by clicking Copy. You can paste it in your post
  3. Autostart with GMER: in the same way, make a log from the Autostart tab
  4. any folder called linkoptimizer or link optimizer, with full path
  5. any hidden file with a random name and exe, tmp, dll (or other) extension in C:/programs or C:/windows/temp
  6. the name and the creation date of the folders in C:/Documents and Settings



Please wait for the forum's reply and don't reboot if you can avoid it.


----------------------------------------------------------

IMPORTANT: Remember to enable the view of system and hidden files. See here

-----------------------------------------------------------

HOW TO DELETE C:\Avenger FOLDER
Sometimes you may find it hard to delete the file with the Windows reserved name (com4.igp in our example). To delete it:

- FAT32: from a DOS window type this command: del c:\avenger\com4.igp
- NTFS: from a DOS window type this command: del \\.\c:\avenger\com4.igp

If you still cannot delete the file, you don't have the rights to do it.
In XP Professional Edition you can right-click on it and select Properties. From the Protection (Security) tab you can grant your user all the required rights on that file. If you can't see that tab, unselect "Use simple file sharing" in Folder Options. Please see here
[image]

In XP Home Edition you can see the "Protection" tab from safe mode. You can also use some Resource Kit tools such as ntrights.exe, cacls.exe and takeown.exe.

Another easy way is to use DarkSpy.



The SuspectFile Team

