Gromozon and LinkOptimizer Removal Guide

Table of contents.
What do you need to know about Gromozon (LinkOptimizer)?
Are you infected?
Automatic removal of Gromozon (LinkOptimizer)
Manual removal of Gromozon (LinkOptimizer)
Alternate manual removal of Gromozon (LinkOptimizer)
Credits

Gromozon, also known as LinkOptimizer, is an extremely dangerous mixture of trojan and rootkit illegally installed to victim computers by malicious web sites through sophisticated exploits. This parasite is a hard to get rid of threat that integrates downloader trojans, rootkits, adware and other dangerous pests.

Once installed, Gromozon secretly downloads from the Internet and drops numerous malware parasites that serve unsolicited commercial advertisements, change essential system settings, severely degrade system performance, decrease Internet connection throughput, create malicious system services, etc. They can also crash the compromised computer and corrupt the entire system.

Gromozon uses advanced rootkit techniques to hide its files, registry keys and related objects. It also injects malicious code into running software and system processes in order to make its removal as much difficult as possible. The parasite is able to prevent some anti-rootkit tools from running. Gromozon runs on every Windows startup.

It should be noted that web sites distributing Gromozon are hosting exploits targeting all popular web browsers (Microsoft Internet Explorer, Mozilla Firefox, Opera).

Your system is infected with Gromozon (LinkOptimizer) if you are experiencing any of the following problems:

a) Unsolicited pop-up advertisements appear when you search the web with Google.

b) Browsing the Internet is slow. Your Internet connection throughput has been decreased severely.

c) New dial-up connection appears. Something is trying to use it to connect to the Internet without asking for your permission.

d) Your antivirus software notifies you of malicious executable (.exe), library (.dll) or temporary (.tmp) files infected with Win32/Agent or Win32/Agent.VP trojan. Your antivirus also detects Trojan.Win32.Agent.rl and Trojan.Win32.RKDice.a infections.

e) A lot of different parasites are being installed your system.

f) Your system crashes on startup. You can see error messages generated by the services.exe process.

g) Computer hard disks are working intensively, but no applications are running and the operating system does not seem to be overloaded.

h) Unknown randomly named processes are running in background.

i) Your HijackThis log contains any of the following entries:
R0 – HKCU/Software/Microsoft/Internet Explorer/Main,Local Page =
R0 – HKLM/Software/Microsoft/Internet Explorer/Main,Local Page =
R3 – Default URLSearchHook is missing
O2 – BHO: Class – { [CLSID, a combination of letters of digits] } – [filename] (file missing)
O2 – BHO: Java update console – { [CLSID, a combination of letters of digits] } – [filename] (file missing)

1. Download the Gromozon Rootkit Removal Tool by Prevx. Run the downloaded file. Gromozon Rootkit Removal Tool will scan your system and remove the main parts of Gromozon (LinkOptimizer) infection.
2. Some Gromozon (LinkOptimizer) components can still be in your system. Download PC Tools STOPzilla or Webroot Spy Sweeper to eliminate them.
3. Install the downloaded program. Read STOPzilla and Spy Sweeper tutorials to learn more.
4. Update the installed anti-spyware.
5. Run full system scan.
6. Remove all the threats the application will find.

Please note that eliminating the parasites automatically might be a paid function, which is not available in the limited free version. Purchasing STOPzilla or Spy Sweeper makes these products fully functional also enabling built-in real-time protection.

1. Use the System Restore to restore your system to last known good configuration. For more information please read official tutorial. Sometimes this completely disables the Gromozon (LinkOptimizer) rootkit and installed malware. All you have to do then is to scan your computer with antivirus and anti-spyware software and remove everything identified. However, usually the System Restore doesn’t help much, so you have to continue working through manual removal steps.

2. Open the Control Panel and launch the Add or Remove Programs tool. In the list of installed software find entries containing the word Java. Uninstall the corresponding programs.

3. Download the HijackThis program. Run a system scan, then fix the following entries (if present):
R0 – HKCU/Software/Microsoft/Internet Explorer/Main,Local Page =
R0 – HKLM/Software/Microsoft/Internet Explorer/Main,Local Page =
R3 – Default URLSearchHook is missing
O2 – BHO: Class – { [CLSID, a combination of letters of digits] } – [filename] (file missing)
O2 – BHO: Java update console – { [CLSID, a combination of letters of digits] } – [filename] (file missing)

4. Download GMER or Rootkit Revealer. These are advanced rootkit detection tools. Extract files from the downloaded archive. Launch the application and run a system scan. Do not use your computer while scan is running.

5. After the scan is over, you will be presented with a report containing malicious entries (files and registry keys hidden from the operating system). Search for a hidden library (DLL) file residing in the folder C:\Windows or C:\Winnt. Write down the full path of that file. Then search for a hidden file in the directory C:\Windows\System32 or C:\Winnt\System32. Take note of its full path also.

6. Now search the scan report for an executable file located in C:\Program Files\Common Files\System or C:\Program Files\Common Files\Microsoft\Shared. If you can find the file, write down its full path. If there is no such executable, skip this step.

7. Windows operating system stores user data in the specific folder C:\Documents and Settings. Gromozon (LinkOptimizer) creates a fake user account, which files can be found in the same directory. Open the C:\Document and Settings folder and look for a directory created at the day of the infection. Write down its full path.

8. Disable malicious service installed by Gromozon (LinkOptimizer). Pres Start > Run… Type in msconfig to the appeared Run box. This will open the System Configuration Utility. Select the Startup tab. You will be presented with the list of system services. Find a randomly named service and uncheck it. Then apply changes. There must be an executable file associated with it. You should have found that executable at Step 5 (“a hidden file in the directory C:\Windows\System32 or C:\Winnt\System32”) or Step 6 (“an executable file located in C:\Program Files\Common Files\System or C:\Program Files\Common Files\Microsoft\Shared”).

9. Download and install the CCleaner program. Use it to clean your system. CCleaner will empty temporary folders where some Gromozon (LinkOptimizer) components reside.

10. Delete the folder C:\Program Files\LinkOptimizer. You might need to use Pocket KillBox or KillBox utility.

11. Download The Avenger, a special tool designed to remove highly persistent files and registry keys protected by malware. Open the downloaded Zip archive and extract its files to your desktop. Start The Avenger by double-clicking on the avenger.exe file. Within the program’s main window select the Input script manually option. Then click on the Magnifying Glass icon. This will bring a new window. Copy the following lines:

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\filename.dllreplace this with name of the library (DLL) file you have found at Step 5
C:\WINDOWS\system32\com4.igp
C:\Program Files\xyz.exe
C:\Program Files\Common Files\System\filename.exereplace this with name of the executable file you have found at Step 6. Delete this line if you couldn’t find such file.
C:\Program Files\Common Files\Microsoft Shared\filename.exereplace this with name of the executable file you have found at Step 6. Delete this line if you couldn’t find such file.

Folders to Delete:
C:\Documents and Settings\folderreplace this with the folder name you have found at Step 7
C:\Windows\Temp

Windows 2000 users should replace WINDOWS with WINNT here.

Paste the lines above to the appeared window. Edit them and click on the Done button. This will close the new window. Within the program’s main window click on the Green Light icon. This will start the removal process. Answer Yes to all the questions prompted.

Your computer will be rebooted. If your system doesn’t restart, reboot it manually. Gromozon (LinkOptimizer) will be deactivated on next system startup.

12. If everything has gone right, Gromozon (LinkOptimizer) should now be removed. However, it is a very sophisticated infection, so there is no warranty that following all the steps will help you. If your system is still infected, please go to the 2-Spyware.com Forum and ask for help. The forum responders will try to help you with your particular case.

Sometimes automatic or manual removal of Gromozon (LinkOptimizer) is impossible due to constant system crashes and other problems caused by the parasite. In such cases all you can do is to backup all your personal information (documents, e-mail, programs, images, music, videos, etc.) and reformat the system. This will wipe out all the data from your hard disks along with the Gromozon (LinkOptimizer) trojan. Then you will have to reinstall the Windows operating system.

Please note that reformatting the system is a difficult process that requires a lot of knowledge and experience. If you never did this before, DO NOT reformat yourself! Ask an expert who can help you or visit the 2-Spyware.com Forum and ask for help there.

The 2-Spyware.com Research Team would like to thank Marco Giuliani, virus researcher, for his work “GROMOZON.COM. The strange case of Dr. Rootkit and Mr. Adware”. It is a document that describes the Gromozon (Link Optimizer) infection and provides some basic removal instructions.

We also want to thank holifay, site administrator at SuspectFile for putting LinkOptimizer / trojan Agent (rootkit variant) manual removal instructions alltogether. We have used these instructions for testing purposes. Some of the removal steps have also been used in this removal guide.


Files
Software
Compare
Like us on Facebook