installation impossible due to malware

CCleaner for Windows
1

Hi,

On my computer , it is impossible to download , or install , or copiing the CCleaner.exe file

when downloading , IE7 or Firefox stoppe immediatly withou any message

when copiing (with windows explorer) the explorer stop and restart

when installing , the dialog box asking for the langage appair , and windows explorer stop and restart.

I have tested the computer with

avast , antivir , trend micro online , bitdefender online , kaspersky online

adawareSE , SpyBot search&destroy

nothing found

the same probleme occurs when firing the computer in safe mode , without any firewall or antivirus.

can you help me ?

PS: I have the same problem with Hijackthis

luc

2

This post realy belongs:

In this section of the forum: http://forum.piriform.com/index.php?showforum=12

Or this one: http://forum.piriform.com/index.php?showforum=2

I'll message AndyManchesta and he or anotherAntispyware Mod will help you out.

3

Hi Leluc, Welcome to the forum

This does sound like it maybe trojan related, can you download the attached zip file (LinkOptCheck), extract the folder then double click RunThis.bat, it will then export some registry keys and check a couple of folders for non-default exe files then write the information to a text file named Report.txt which will save inside the LinkOptCheck folder and also open with Notepad once its finished, Please post the full contents of that report back on here and we can then take it from there

Let us know if you have any problems running the file

Cheers

Andy

LinkOptCheck.zip

LinkOptCheck.zip

4

report file

Result.txt

Result.txt

5

Hi Leluc

You do have the LinkOptimizer trojan showing which likely means you also have a variant of the Gromozon Rootkit, this is its entry in the log

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe

Debugger REG_SZ "c:\windows\system32\fugmqrfe.bak"

There is a newer variant of this trojan that also adds a debugger for iexplore.exe but the one you have appears to be the older version which has just added a debugger value for explorer.exe, this trojan is very difficult to manually remove as it changes permissions on its file and registry entry to deny anyone access and can restore its reg entry instantly if its removed, if the file is removed and the reg entry remains then its not possible to start explorer.exe (no desktop icons or taskbar). it also targets alot of the tools we use which is why your not able to open HijackThis at the moment.

Download LinkOptfix from Here and save it to your desktop

Copy and paste these instructions to notepad and save it to your C:\drive incase you need to access it without using the start menu later

To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix, open the newly created LinkOptfix folder and double click fix.bat, it will only take afew seconds to run, first it creates a backups folder, moves the trojan file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar) , resets the permissions then removes the trojan reg entry and restarts explorer.exe, you should then be able to run HJT and post a log, if you can then ignore the rest of this post and reply so we can then check for remaining problems in a HJT log and have some files scanned as there is afew suspicious files showing in that report you uploaded.

If explorer.exe doesnt restart after running the tool then you will have to remove its reg entry which will be possible as the file would of been moved so it cannot load again, if explorer doesnt restart you will not be able to access the start menu so press Control , Alt & Delete to open Task Manager, then click Applications and New Task, you can then click Browse to find the text file you saved with these instructions and click ok to open it, then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor,

Click the [+] next to HKEY_LOCAL_MACHINE

Click the [+] next to SOFTWARE

Click the [+] next to Microsoft

Click the [+] next to Windows NT

Click the [+] next to Current Version

Click the [+] next to Image File Execution Options

Scroll down the list and find explorer.exe then right click it and choose Permissions, On the permissions for Everyone area place a check next to Full Control then click Apply and OK, right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task and type explorer.exe and click ok and then it will restart

You should not need the manual instructions as the fixtool should remove it fine but its best to provide an alternative method just incase its needed,

Let me know if you have any problems or questions

Cheers

Andy

6

Hello Andy

your fix work !! many thanks

I upload the Hijackthis log file for councils

luc

hijackthis.txt

hijackthis.txt

7
I hope I don't break any rule by entering this thread. As I read the rules, it seemed best to write this in this existing threat.

Would have been better creating a new thread in the HijackThis Section of the forum. Though as Andy has posted here he should still see it.

8

Hi Luc,

Thanks for the logs, there's still afew problems showing so this will take afew steps to help you get the machine clean again.

Run Hijack This and choose Do A System Scan then place a check next to these entries

O2 - BHO: Class - {0A5F82EA-0DD1-4033-7C1A-F9F2F5775550} - C:\WINDOWS\uvwog1.dll (file missing)

O23 - Service: UpdHab - Unknown owner - C:\Program Files\Fichiers communs\System\swA.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\apisv.exe

C:\WINDOWS\msgh.exe

C:\WINDOWS\PATCH.EXE

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

C:\Program Files\Fichiers communs\System\swA.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please then visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the Link to topic where this file was requested: area type Ccleaners, Click Browse and then locate the requested-files.cab archive on your desktop then click Send File

Once it shows

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

You can then close that site and continue with the below steps

Download the Gromozon remover from here

http://www.prevx.com/gromozon.asp

Run the tool and follow the prompts, click No if it prompts you to install prevx as its a trial version and isnt required here, when its finished please post the gromozon_removal.log into your next reply,

Goto Start > Run > copy and paste

cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt

Press OK and post the contents of the C:\user.txt file back on here

Goto Start > Run > copy and paste

cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt

Press OK and post the contents of the C:\regresult.txt back

Please then upload the Requested-files.cab archive, post back the Gromozon_removal log, C:\user.txt and C:\regresult.txt then we can take it from there

Thanks

Andy

9
I hope I don't break any rule by entering this thread. As I read the rules, it seemed best to write this in this existing threat.

Thanks in advance!

Mic

Hi Mic, welcome to the forum,

Ive asked one of the Moderators for this area of the site to split your post into a new topic to prevent confusing this thread, once thats done I'll be happy to assist you in removing anything that remains,

Thanks

10

hello Andy

thanks

Luc

user.txt

gromozon_removal.txt

regresult.txt

user.txt

gromozon_removal.txt

regresult.txt

11

Hi Luc

The gromozon remover has done a great job there :)

None of the files were packed correctly by the suspicious file packer though except PATCH.EXE which is a legit file from Trend Micro so could you try uploading them at VirusTotal

Visit VirusTotal

Open the scan site and copy and paste this into the Upload a File area (next to Browse)

C:\WINDOWS\apisv.exe

Then click Send File, wait until all the results are shown and it shows Finished in the current status area then copy and paste the full results to notepad (Start > Run > type Notepad and press OK) then click Another file which will appear below the scan windows after its finished scanning the file and repeat the steps to scan these files one at a time

C:\WINDOWS\msgh.exe

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

Again copy and paste the scan results into a notepad file when the scan is complete then copy and paste the results from each file back on here, if the scanner shows they are 0 bytes when you attempt to upload them let us know.

Go to Start > Run > and copy and paste

sc delete UpdHab

Press OK and you will just notice the cmd screen flash on then off again and the service will be removed.

Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.

REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]"UYpqSqP"=-

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg(or right click and choose Merge) and allow it to be merged into the registry which will remove the entry.

Please then run a scan with Kaspersky's scanner to make sure there is no remaining malware problems

Run Kaspersky WebScanner

  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows [dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Cheers

12

virus total answer : 0 bytes size received / Se ha recibido un archivo vacio

for each file

kaspersky is in progress but can take many time

13

Just delete these files then:

C:\WINDOWS\apisv.exe

C:\WINDOWS\msgh.exe

C:\WINDOWS\system32\atlws32.exe

C:\WINDOWS\system32\ntlg.exe

If you have problems finding them set Windows to show hidden and system files

Click Start. Goto MyComputer then C:\drive

Select the Tools menu from the top bar and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

Regarding Kaspersky, it will take a long time to scan but please allow it to finish as it will help us to see if there's any remaining problems on your system, you have had a nasty rootkit infection so its important to make sure there is no additional trojans now that has been removed.

Thanks

14

i'have deleted the files

waiting for Kaspersky .

doiing 23% in 30 minutes , so next part of the story tomorrow

thanks Andy

Luc

15

:blink:

Hopefully this will be the last scanner we need to use though as its detection rate is excellent

I'll get an email notification when you reply so we can continue either later tonight or tomorrow :)

Andy

16

see you tomorrow

luc

kaspersky.txt

kaspersky.txt

17

Hi Luc,

That looks good, just afew leftover files to remove but Id like you run the Gromozon remover again to make sure its now showing clear,

1. Please download The Avenger by Swandog46 to your Desktop

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to Delete:C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR1.tmp C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR2.tmpC:\Documents and Settings\Administrateur\Local Settings\Temp\PXR3.tmp C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR4.tmpC:\Documents and Settings\Administrateur\Local Settings\Temp\PXR5.tmp

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad 

dir /b/s/a-d "%commonprogramfiles%\*.exe">>Check.txtNotepad Check.txtdel /q Check.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will check for .exe files then open the results in notepad, if there is any information in the notepad file please post the contents of that (Check.txt) back on the forum.

Finally generate a report of the Add/Remove screen entries:

Open Hijackthis, and click the Misc Tools button.

Then click the Open Uninstall Manager... button.

The Add/Remove Programs Manager panel should appear.

In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Post back the logs and let us know if your still having any problems

Thanks

Andy

18

Hello Andy

Gromozon remover say there is no rootkit componeny on the system

no other problem found

thanks

luc

avenger.txt

Check.txt

uninstall_list.txt

avenger.txt

Check.txt

uninstall_list.txt

19

Hi Luc,

That looks fine :)

You can now delete all the tools and files we used

LinkOptCheck <-- Folder

LinkOptFix <-- Folder

C:\Avenger <--Folder

requested-files[Date/Time].cab <-- Folder

Avenger.exe <--File

LinkOptFix.exe <-- File

SFP.exe (Suspicious File Packer) <-- File

fix.reg <-- File

Gromozon Remover <-- File

Check.bat <-- File

Check.txt <-- File

uninstall_list.txt <-- File

C:\avenger.txt <-- File

C:\user.txt <-- File

C:\regresult.txt <-- File

C:\Gromozon_removal log <-- File

You have multiple versions of Java installed so all the older versions can be removed, its common for them to leave older versions on the system when it upgrades which can take up alot of space and are not needed, to remove them goto to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove:

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

Java SE Runtime Environment 6 Update 1

Just leave Java 6 Update 2 on the machine as that is the latest version.

I'll add afew basic steps below to help avoid further infections,

Consider installing Spywareblaster

SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the restricted zone of IE and blocking the common spyware ActiveX controls which prevents the installation of any of them via webpages.

A tutorial on using SpywareBlaster may be found here.

  • Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present.
  • Don't click on any links inside popups, Spam email messages or Instant Messenger programs.
  • Download free software only from sites you know and trust

Make sure to run your Antivirus software regularly, and to keep it up-to-date and also make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

Please also read Tony Klein's excellent article:

So how did I get Infected in the First Place?

Hopefully these steps will lower the chances of getting more malware issues but just let us know if you have questions or problems again anytime.

Regards

Andy

20

Hello Andy

thanks for your help and councils , you are the best !!

I'm installing SpywareBlaster

I hope it is never necessary to call for your help again.

thanks and thanks again

Regards

Luc