Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

problems with windowsclick


  • Please log in to reply
7 replies to this topic

#1 axel84

axel84

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 25 March 2009 - 06:27 AM

Hello,
a friend of mine has been having problems with windowsclick, getting redirected to all kinds of sites, i helped her out and managed to get it to stop by using combofix and MBAM but since the process was very long and complicated (at least for me :thumbsup: ) i wanted to ask you if i can be sure everything is gone and safely give back the laptop to its owner or should i post the logs of combofix and MBAM so you guys can have a look at it?

Thank you very much

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:49 PM

Posted 25 March 2009 - 10:09 AM

Hello axel84, As you will notice the blue text at the top of this forum,won't allow combo fix use in this section. so please post the MBAM log and then run these scana and post the log also.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 axel84

axel84
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 26 March 2009 - 03:10 PM

OK here are the logs:

Malwarebytes' Anti-Malware 1.34
Versione del database: 1894
Windows 5.1.2600 Service Pack 2

25/03/2009 11.48.10
mbam-log-2009-03-25 (11-48-10).txt

Tipo di scansione: Scansione completa (C:\|E:\|)
Elementi scansionati: 137450
Tempo trascorso: 38 minute(s), 49 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 10

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACafuoyojg.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACsrrntjix.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21E47DBC-4F0F-4B84-936D-0F9829EDAF03}\RP82\A0027654.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21E47DBC-4F0F-4B84-936D-0F9829EDAF03}\RP82\A0027655.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D96B8B29-68AA-4392-A29F-579FBB5DF60F}\RP280\A0082638.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D96B8B29-68AA-4392-A29F-579FBB5DF60F}\RP280\A0082639.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D96B8B29-68AA-4392-A29F-579FBB5DF60F}\RP280\A0082640.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D96B8B29-68AA-4392-A29F-579FBB5DF60F}\RP280\A0082641.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D96B8B29-68AA-4392-A29F-579FBB5DF60F}\RP280\A0082676.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACthjxekjp.sys (Trojan.Agent) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2009 at 08:56 PM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type : Complete Scan
Total Scan Time : 00:35:38

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 5597
Registry threats detected : 0
File items scanned : 67642
File threats detected : 0


Thanks for your help :thumbsup:

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:49 PM

Posted 26 March 2009 - 07:34 PM

Hello I must tell you this first about finding TDDs
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


SDFix will be the next step if you are inclined.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 axel84

axel84
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 27 March 2009 - 06:39 AM

I've looked at the link and i have a couple of questions :thumbsup:
If i decide to format can i still safely store documents from the laptop to external drives or can this operation cause a possible infection of the storage device which would make useless the formatting operation? The Computer is connected ho internet via a router and mainly used for recreational and scientific purposes, so no business going on besides sporadic purchases which where made long time before the windowsclick "situation" occurred. If i don't reinstall the os does it mean shopping online will no longer be secure on that pc? And finally, the Computer has 2 os, i guess there isn't any need to kill the other one too. What would you suggest? To format or not to format? :flowers:
Thank you

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:49 PM

Posted 27 March 2009 - 01:39 PM

Hello here's a bit of info on this.
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 axel84

axel84
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 30 March 2009 - 06:23 AM

I went on and did the SDFix scan this is the log:


SDFix: Version 1.240
Run by User on 30/03/2009 at 13.06

Microsoft Windows XP [Versione 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 13:12:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programmi\\Skype\\Phone\\Skype.exe"="C:\\Programmi\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Tue 18 Nov 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:49 PM

Posted 30 March 2009 - 09:57 AM

How is the PC running now? Any more signs of infection that you can see?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users