installation impossible due to malware


leluc

Hi,

 

On my computer, it is impossible to download, install, or copy the CCleaner.exe file.

 

When downloading, IE7 or Firefox stops immediately without any message.

When copying (with Windows Explorer), Explorer stops and restarts.

When installing, the dialog box asking for the language appears, and Windows Explorer stops and restarts.

 

 

I have tested the computer with

Avast, AntiVir, Trend Micro online, BitDefender online, Kaspersky online

Ad-Aware SE, Spybot Search & Destroy

Nothing found.

 

The same problem occurs when starting the computer in safe mode, without any firewall or antivirus.

 

Can you help me?

 

PS: I have the same problem with Hijackthis

 

luc


Hi Leluc, Welcome to the forum

 

This does sound like it may be trojan related. Can you download the attached zip file (LinkOptCheck), extract the folder, then double click RunThis.bat? It will export some registry keys and check a couple of folders for non-default exe files, then write the information to a text file named Report.txt, which will be saved inside the LinkOptCheck folder and also opened with Notepad once it's finished. Please post the full contents of that report back on here and we can then take it from there.

 

Let us know if you have any problems running the file

 

Cheers

 

Andy

LinkOptCheck.zip


Hi Leluc

 

You do have the LinkOptimizer trojan showing, which likely means you also have a variant of the Gromozon rootkit. This is its entry in the log:

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe

Debugger REG_SZ "c:\windows\system32\fugmqrfe.bak"

 

There is a newer variant of this trojan that also adds a debugger for iexplore.exe, but the one you have appears to be the older version, which has just added a Debugger value for explorer.exe. This trojan is very difficult to remove manually, as it changes permissions on its file and registry entry to deny anyone access, and can restore its registry entry instantly if it's removed. If the file is removed and the registry entry remains, then it's not possible to start explorer.exe (no desktop icons or taskbar). It also targets a lot of the tools we use, which is why you're not able to open HijackThis at the moment.

 

 

Download LinkOptfix from Here and save it to your desktop

 

Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the Start menu later.

 

To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it creates a backups folder, moves the trojan file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions, then removes the trojan registry entry and restarts explorer.exe. You should then be able to run HJT and post a log. If you can, then ignore the rest of this post and reply, so we can then check for remaining problems in a HJT log and have some files scanned, as there are a few suspicious files showing in that report you uploaded.

 

 

If explorer.exe doesn't restart after running the tool, then you will have to remove its registry entry, which will be possible as the file would have been moved so it cannot load again. If Explorer doesn't restart you will not be able to access the Start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task. You can then click Browse to find the text file you saved with these instructions and click OK to open it. Then type Regedit into Task Manager > Applications > New Task and click OK to open the Registry Editor.

 

Click the [+] next to HKEY_LOCAL_MACHINE

Click the [+] next to SOFTWARE

Click the [+] next to Microsoft

Click the [+] next to Windows NT

Click the [+] next to CurrentVersion

Click the [+] next to Image File Execution Options

 

Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone area, place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK, and it will restart.

 

You should not need the manual instructions as the fix tool should remove it fine, but it's best to provide an alternative method just in case it's needed.

 

Let me know if you have any problems or questions

 

Cheers

 

Andy


Hi Luc,

 

Thanks for the logs, there are still a few problems showing, so this will take a few steps to help you get the machine clean again.

 

Run Hijack This and choose Do A System Scan then place a check next to these entries

O2 - BHO: Class - {0A5F82EA-0DD1-4033-7C1A-F9F2F5775550} - C:\WINDOWS\uvwog1.dll (file missing)

O23 - Service: UpdHab - Unknown owner - C:\Program Files\Fichiers communs\System\swA.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

 

 

Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

 

Run SFP.exe.

 

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\apisv.exe

C:\WINDOWS\msgh.exe

C:\WINDOWS\PATCH.EXE

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

C:\Program Files\Fichiers communs\System\swA.exe

then click "Continue".

 

This will create a .cab file on your desktop named requested-files[Date/Time].cab

 

Please then visit the below link

 

http://www.bleepingcomputer.com/submit-mal....php?channel=27

 

In the "Link to topic where this file was requested:" area type Ccleaners, click Browse and then locate the requested-files.cab archive on your desktop, then click Send File.

 

Once it shows

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

You can then close that site and continue with the below steps

 

Download the Gromozon remover from here

 

http://www.prevx.com/gromozon.asp

 

Run the tool and follow the prompts. Click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished, please post the gromozon_removal.log into your next reply.

 

 

Go to Start > Run > copy and paste

 

cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt

 

Press OK and post the contents of the C:\user.txt file back on here

 

Go to Start > Run > copy and paste

 

cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt

 

Press OK and post the contents of C:\regresult.txt back here.

 

Please then upload the requested-files.cab archive, and post back the Gromozon_removal log, C:\user.txt and C:\regresult.txt, then we can take it from there.

 

Thanks

 

Andy

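A check for the two registry persistence tricks discussed in this thread, added here as an example and not part of the original posts or of any of the tools mentioned: the Image File Execution Options "Debugger" value that redirected explorer.exe to the trojan file in the earlier post, and a Winlogon\SpecialAccounts\UserList value of 0, which hides an account from the logon screen (the key Andy exports to regresult.txt above). It reads a regedit /a /e export (REGEDIT4 format), flags both, and prints the "name"=- lines that would delete the offending values. The embedded export is constructed (the explorer.exe entry mirrors the one quoted in the thread; the account names are made up), and the allowlist of legitimate debugger names is an assumption.

```python
import re

# Registry keys named in the thread (the registry is case-insensitive, so
# comparisons below are done on lower-cased paths).
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Assumed allowlist: debuggers that are plausibly registered under IFEO on
# purpose. Any other Debugger target is reported as a hijack.
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "vsjitdebugger"}

# Constructed sample of a "regedit /a /e" export. The explorer.exe entry
# mirrors the one quoted in the thread; everything else is made up.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="c:\\windows\\system32\\fugmqrfe.bak"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="ntsd -d"
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Administrateur"=dword:00000001
"UYpqSqP"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text.

    Covers the string and DWORD lines regedit writes; multi-line hex values
    are not reassembled (their continuation lines are skipped).
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Unescape a REG_SZ value as written in a .reg file ("..." with \\ and \")."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def find_ifeo_hijacks(keys):
    """Return [(image_name, debugger_command)] for Debugger values whose
    executable is not in the allowlist. Windows launches that command with
    the image as its argument, so an unknown target runs instead of the
    program the user double-clicked."""
    hits = []
    prefix = IFEO_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        image = path[len(prefix):]
        for name, raw in values.items():
            if name.lower() != "debugger":
                continue
            command = reg_string(raw)
            # First whitespace-separated token is the debugger executable
            # (a quoted path with spaces would need proper tokenising).
            tokens = command.split()
            exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
            if exe.endswith(".exe"):
                exe = exe[:-4]
            if exe not in KNOWN_DEBUGGERS:
                hits.append((image, command))
    return hits


def find_hidden_accounts(keys):
    """Return account names whose UserList value is DWORD 0 (hidden from the
    Welcome screen and User Accounts panel but still usable for logon)."""
    hidden = []
    for path, values in keys.items():
        if path.lower() != USERLIST_KEY.lower():
            continue
        for name, raw in values.items():
            raw = raw.strip().lower()
            if raw.startswith("dword:") and int(raw[6:], 16) == 0:
                hidden.append(name)
    return hidden


def remediation_reg(ifeo_hits, hidden):
    """Build REGEDIT4 text that deletes the flagged values ("name"=-)."""
    lines = ["REGEDIT4", ""]
    for image, _ in ifeo_hits:
        lines += ["[%s\\%s]" % (IFEO_KEY, image), '"Debugger"=-', ""]
    if hidden:
        lines.append("[%s]" % USERLIST_KEY)
        lines += ['"%s"=-' % name for name in hidden]
        lines.append("")
    return "\n".join(lines)


def scan(text):
    keys = parse_reg_export(text)
    ifeo = find_ifeo_hijacks(keys)
    hidden = find_hidden_accounts(keys)
    return {"ifeo": ifeo, "hidden": hidden, "fix": remediation_reg(ifeo, hidden)}


if __name__ == "__main__":
    result = scan(SAMPLE_EXPORT)
    for image, command in result["ifeo"]:
        print("IFEO hijack: %s -> %s" % (image, command))
    for name in result["hidden"]:
        print("Hidden account: %s" % name)
    print(result["fix"])
```

Run it against the real regresult.txt by passing the file contents to scan(). Note that merging the generated .reg only succeeds once the deny permissions the trojan set on the IFEO key have been reset, which is why the fix tool above resets permissions before removing the entry; and a hidden account should be confirmed against the net user output before its UserList value is deleted, because removing the value only makes the account visible again, it does not remove the account.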

I hope I don't break any rule by entering this thread. As I read the rules, it seemed best to write this in this existing thread.

 

Thanks in advance!

 

Mic

 

Hi Mic, welcome to the forum,

 

I've asked one of the Moderators for this area of the site to split your post into a new topic to prevent confusing this thread. Once that's done I'll be happy to assist you in removing anything that remains.

 

Thanks


Hi Luc

 

The gromozon remover has done a great job there :)

 

None of the files were packed correctly by the Suspicious File Packer, though, except PATCH.EXE, which is a legitimate file from Trend Micro, so could you try uploading them at VirusTotal.

 

Visit VirusTotal

 

Open the scan site and copy and paste this into the Upload a File area (next to Browse)

 

C:\WINDOWS\apisv.exe

 

Then click Send File, wait until all the results are shown and it shows Finished in the current status area, then copy and paste the full results to Notepad (Start > Run > type Notepad and press OK). Then click Another file, which will appear below the scan window after it's finished scanning the file, and repeat the steps to scan these files one at a time:

 

C:\WINDOWS\msgh.exe

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

 

Again, copy and paste the scan results into a Notepad file when the scan is complete, then copy and paste the results from each file back on here. If the scanner shows they are 0 bytes when you attempt to upload them, let us know.

 

Go to Start > Run > and copy and paste

 

sc delete UpdHab

 

Press OK and you will just notice the cmd screen flash on then off again and the service will be removed.

 

Open Notepad (Start Menu > Run > type notepad and press OK), then copy and paste the contents of the code box into Notepad, making REGEDIT4 the top line.

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"UYpqSqP"=-

 

 

Go to File on the top bar of Notepad and choose Save As. In the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double click fix.reg (or right click and choose Merge) and allow it to be merged into the registry, which will remove the entry.

 

Please then run a scan with Kaspersky's scanner to make sure there are no remaining malware problems.

 

Run Kaspersky WebScanner

  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

 

Cheers


Just delete these files then:

 

C:\WINDOWS\apisv.exe

C:\WINDOWS\msgh.exe

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

 

If you have problems finding them set Windows to show hidden and system files

 

Click Start. Go to My Computer, then the C:\ drive.

Select the Tools menu from the top bar and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

UnCheck the "Hide protected operating system files (recommended)" option.

 

Click Yes to confirm then OK

 

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

 

 

Regarding Kaspersky, it will take a long time to scan, but please allow it to finish as it will help us to see if there are any remaining problems on your system. You have had a nasty rootkit infection, so it's important to make sure there are no additional trojans now that it has been removed.

 

Thanks


:blink:

 

Hopefully this will be the last scanner we need to use though as its detection rate is excellent

 

I'll get an email notification when you reply so we can continue either later tonight or tomorrow :)

 

Andy


Hi Luc,

 

That looks good, just a few leftover files to remove, but I'd like you to run the Gromozon remover again to make sure it's now showing clear.

 

1. Please download The Avenger by Swandog46 to your Desktop

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

 

 

Files to Delete:
C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR1.tmp
C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR2.tmp
C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR3.tmp
C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR4.tmp
C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR5.tmp

 

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

 

 

Open Notepad (Start Menu > Run > Type notepad and press OK)

 

Copy and Paste the contents of the code box into Notepad

 

 

dir /b/s/a-d "%commonprogramfiles%\*.exe">>Check.txt
Notepad Check.txt
del /q Check.txt

 

 

Go to File on the top bar and choose Save As, change the Save As Type to All Files, name it Check.bat, then save it to your desktop.



Double click Check.bat and it will check for .exe files, then open the results in Notepad. If there is any information in the Notepad file, please post the contents of that (Check.txt) back on the forum.

 

Finally generate a report of the Add/Remove screen entries:

Open Hijackthis, and click the Misc Tools button.

Then click the Open Uninstall Manager... button.

The Add/Remove Programs Manager panel should appear.

In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

 

Post back the logs and let us know if you're still having any problems.

 

Thanks

 

Andy


Hi Luc,

 

That looks fine :)

 

You can now delete all the tools and files we used

 

LinkOptCheck <-- Folder

LinkOptFix <-- Folder

C:\Avenger <--Folder

requested-files[Date/Time].cab <-- Folder

 

Avenger.exe <--File

LinkOptFix.exe <-- File

SFP.exe (Suspicious File Packer) <-- File

fix.reg <-- File

Gromozon Remover <-- File

Check.bat <-- File

Check.txt <-- File

uninstall_list.txt <-- File

C:\avenger.txt <-- File

C:\user.txt <-- File

C:\regresult.txt <-- File

C:\Gromozon_removal log <-- File

 

You have multiple versions of Java installed, so all the older versions can be removed. It's common for them to leave older versions on the system when it upgrades, which can take up a lot of space and are not needed. To remove them, go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove:

 

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

Java SE Runtime Environment 6 Update 1

 

Just leave Java 6 Update 2 on the machine as that is the latest version.

 

 

I'll add afew basic steps below to help avoid further infections,

 

Consider installing Spywareblaster

SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the restricted zone of IE and blocking the common spyware ActiveX controls which prevents the installation of any of them via webpages.

A tutorial on using SpywareBlaster may be found here.

  • Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present.
  • Don't click on any links inside popups, Spam email messages or Instant Messenger programs.
  • Download free software only from sites you know and trust

Make sure to run your antivirus software regularly and keep it up-to-date, and also make sure Windows has the latest updates: http://windowsupdate.microsoft.com/

 

Please also read Tony Klein's excellent article:

 

So how did I get Infected in the First Place?

 

Hopefully these steps will lower the chances of getting more malware issues but just let us know if you have questions or problems again anytime.

 

Regards

 

Andy


Hello Andy

 

Thanks for your help and advice, you are the best!!

 

I'm installing SpywareBlaster

 

I hope it is never necessary to call for your help again.

 

thanks and thanks again

 

Regards

 

Luc

