
Trojan Link Optimizer

{* Edits: REM, Ron Metzger, Sept. 26 2006 11:00 am ET} (This article comes from a forum thread: http://www.ztw3.com/forum/forum.cgi?read=82048.)

Description

  • It creates a file called: C:\WINDOWS\COM4.XFW
{*REM} (The extension changes from system to system, and the filename is usually a reserved DOS name.) {/REM}

Cure

Ron Metzger proposed this solution that works:

Well, if you have been hit with LinkOptimizer you must do a few things manually to remove the malware. First of all, do all the corrective actions in Safe Mode AND disconnected from the Internet (yes, disconnect the wire(s)). Download any needed tools and then take the corrective actions.

{*REM} Since files in the System Restore area may cause re-infection, the safe thing to do is to remove all restore points. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to turn off or turn on Windows XP System Restore. Please re-enable System Restore after the cleanup is complete. {/REM}

COM4.xfw is an Alternate Data Stream stored on the C:\Windows directory. {*REM} Again, the extension is different on each system, as well as the reserved name used. {/REM} Download Streams from http://www.sysinternals.com/Utilities/Streams.html and run the command (from a DOS prompt):

> Streams -d C:\WINDOWS

Download Registrar Lite from http://www.resplendence.com/download/reglite.exe and install it. RegLite is able to see rootkit-hidden AppInit_DLLs values, which regedit and regedt32 have blocked. Go to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "[TROJAN.DLL FILE]"

Note: The value may be hidden in the upper part of the screen, but down below, when AppInit_DLLs is highlighted (above), the offending .dll file should be visible. Write this file name down, as it is the likely re-infector every time Explorer is loaded. Reboot the PC in Recovery Console mode and delete this file. While in Recovery Console mode, look for these files and delete them (rename them if you want, just in case):

C:\Windows\System32\[RANDOM NAME]aa.dll

Repeat this for:

C:\Windows\[RANDOM NAME]1.dll

Reboot the PC again, in Safe Mode. Since LinkOptimizer adds a new administrator account on the compromised computer using a random user name, you may need to look for this User ID and delete it. {*REM} Unfortunately, this will block access to any files LinkOptimizer has created or changed using EFS. However, this problem cannot be easily avoided, as these files are already encrypted and only LinkOptimizer can access them, using its random password associated with this user ID. And, this user ID cannot be used to log in directly, as LinkOptimizer has blocked interactive logon capabilities. See McAfee Spy-Agent.bf for additional information. {/REM} Also, LinkOptimizer may lower the privileges of the currently logged-on user in order to disable the functioning of some security-related software. You may need to re-enable these privileges, using ntrights (from a cmd.exe prompt):

ntrights +r SeDebugPrivilege -u Administrators
ntrights +r SeBackupPrivilege -u Administrators
ntrights +r SeLoadDriverPrivilege -u Administrators

You can get NTRights.exe from Microsoft rktools.exe. Extract the entire toolkit; ntrights.exe is included. Look for and delete the entire directory for LinkOptimizer:

%ProgramFiles%\LinkOptimizer\

Run the command (from a DOS prompt):

> Streams -d C:\WINDOWS

Reboot normally, and do several online AV scans of your choice. Follow this up with a full Ad-Aware SE Personal scan and cleaning. Remember to get any updates prior to running the full scan. Run an Alternate Data Stream scan as well. {*REM} Use RegLite again. Locate AppInit_DLLs and remove the offending (random) .dll entry if still present. {/REM} Registrar Lite changes the way .reg files are imported, so you may want to uninstall this program to get back to the defaults. You may want to run RootKitRevealer as well. {*REM} Once everything is clean, re-enable System Restore. {/REM} I have some alternate methods for removing this nasty, but start with this first. If needed, we may need to use Process Explorer to help things along. I hope not.

{*REM}
-------- Additional Information --------

As of September 23, 2006 05:25:01 PM GDT Symantec has created a tool for 'fixing' this problem. (See: Symantec Trojan-LinkOptimizer, Symantec FixLinkOpt, and the Symantec FixLinkopt.exe download.) FixLinkOpt.exe is a tool for cleaning up LinkOptimizer. However, I (Ron Metzger) have not used the tool as of this edit date, so I cannot evaluate its effectiveness or safety. Use at your own risk. The following excerpts are direct quotes from Symantec FixLinkOpt:

{QUOTE}
Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft knowledge base article: XADM: Do Not Back Up or Scan Exchange 2000 Drive M (Article 298924). ex.

> "C:\Documents and Settings\user1\Desktop\FixLinkopt.exe" /EXCLUDE=M:\ /LOG=c:\FixLinkopt.txt

Close all the running programs. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to disable or enable Windows Me System Restore; How to turn off or turn on Windows XP System Restore. Locate the file that you just downloaded. Double-click the FixLinkopt.exe file to start the removal tool. Click Start to begin the process, and then allow the tool to run. NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again. Restart the computer. Run the removal tool again to ensure that the system is clean. If you are running Windows Me/XP, then re-enable System Restore. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
{/QUOTE}

-------- End Additional Information ---------
{/REM}
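As an added, read-only triage script (not part of Ron Metzger's post or of the Symantec tool), the following PowerShell checks the places the write-up names: ADS on the C:\Windows directory, the AppInit_DLLs value, local Administrators membership, the random DLL name patterns, and the three privileges ntrights restores. The paths and patterns come from the post; the reserved-name regex and the output format are assumptions, and the script deletes nothing.

```powershell
# Added example: read-only triage of the indicators named in the write-up above.
# Run from an elevated PowerShell (3.0+ for -Stream; Get-LocalGroupMember needs 5.1+).
$findings = @()

# 1. Alternate Data Streams on the C:\Windows directory object itself (the post's
#    COM4.xfw). Flag any stream whose name is a reserved DOS device name.
$reserved = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'   # assumed pattern
Get-Item -LiteralPath 'C:\Windows' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $tag = if ($_.Stream -match $reserved) { 'RESERVED DOS NAME' } else { 'unexpected' }
        $findings += "ADS on C:\Windows: $($_.Stream) ($($_.Length) bytes) - $tag"
    }
# (If -Stream reports nothing on older PowerShell, 'cmd /c dir /r C:\' lists the same streams.)

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll.
#    A rootkit-hidden value can be invisible to this API call; the post used Registrar Lite.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    $findings += "AppInit_DLLs is set: '$appInit'"
    foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $path)) { $path = Join-Path "$env:SystemRoot\System32" $dll }
        $findings += "  -> $dll resolves to $path (exists: $(Test-Path -LiteralPath $path))"
    }
} else { $findings += 'AppInit_DLLs is empty or unreadable' }

# 3. Local Administrators: the post says the trojan adds a random-named admin account.
try   { $admins = (Get-LocalGroupMember -Group 'Administrators').Name }
catch { $admins = net localgroup Administrators }   # fallback on older systems
$findings += "Local Administrators: $($admins -join ', ')"

# 4. Randomly named DLLs matching the patterns quoted in the post.
Get-ChildItem 'C:\Windows\System32\*aa.dll', 'C:\Windows\*1.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Candidate DLL: $($_.FullName) (modified $($_.LastWriteTime))" }

# 5. The three privileges the post restores with ntrights, as held by the current token.
whoami /priv | Select-String 'SeDebugPrivilege|SeBackupPrivilege|SeLoadDriverPrivilege' |
    ForEach-Object { $findings += "Privilege: $($_.Line.Trim())" }

$findings
```

Review the output against the post's cleanup steps: a reserved-name ADS, a populated AppInit_DLLs, an unknown Administrators member or a missing privilege each maps to one of the manual actions above.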

Contributors to this page: admin.
Page last modified on Sunday 08 of November, 2009 14:49:03 EST by admin.