windowsclick also


  • This topic is locked
16 replies to this topic

#1 cocodemer

  • Members
  • 15 posts

Posted 13 April 2009 - 04:15 PM

I am having problems similar to other posters, with windowsclick having infected my IE. Whenever I try to access a page that is outwith Google, I am redirected to windowsclick. I have just had problems with WinPC Defender, which I managed to get rid of by running the Microsoft malware removal tool, but it has missed the windowsclick. I am running AVG at the moment, but any other malware removal tool I have tried to install is not starting up. Any suggestions?


#2 jwilmoo

  • Members
  • 18 posts

Posted 13 April 2009 - 05:29 PM

About your problems installing MBAM, refer to my thread:

Try renaming the setup file to install.com.

Try installing in Safe Mode.

Here's a random renamer for the program, if you can get it installed:

http://kixhelp.com/wr/files/mb/randmbam.exe

Otherwise, I really think you shouldn't take any more action until one of the advisors on here gives you some direction.

#3 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 13 April 2009 - 06:50 PM

Please let us know how installing MBAM comes along
Chewy

No. Try not. Do... or do not. There is no try.

#4 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 16 April 2009 - 11:20 AM

Hi

Installing MBAM isn't coming along at all! I have tried to copy it to my desktop, the icon is there, but I am unable to open it. I have tried in safe mode, and renaming it, but no joy.
Any further suggestions?

#5 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 16 April 2009 - 12:12 PM

Managed to get it installed in safe mode, but it doesn't start automatically, or when I run it from the Start menu Run function.

#6 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 16 April 2009 - 12:50 PM

Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 3

16/04/2009 18:43:53
mbam-log-2009-04-16 (18-43-53).txt

Scan type: Quick Scan
Objects scanned: 80349
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 42
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACxfllxmfi.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{b360243e-09e8-402f-8721-00b6798089ad} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06ec6572-7280-485a-a712-c380526bc048} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06ec6572-7280-485a-a712-c380526bc048} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieocxapp.ieocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieocxapp.ieocx.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2ab289ae-4b90-4281-b2ae-1f4bb034b647} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACxfllxmfi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\ieocx.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#7 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 16 April 2009 - 01:20 PM

Seems to have stopped the windowsclick forwards. Anything else to do?

#8 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 16 April 2009 - 05:10 PM

We are looking for a file named UAC???????????.sys, which is the core rootkit.

This is a very nasty infection.

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab, scan, and paste the report into a reply here, please.
Chewy

No. Try not. Do... or do not. There is no try.
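
The MBAM log in post #6 and the UAC*.sys remark above are the kind of report a helper reads by hand. The script below is an added example, not part of the original thread and not Malwarebytes' or BleepingComputer's code: it parses the "<Section> Infected:" blocks of an MBAM 1.x log and pulls out what matters for the next step: objects still waiting for "Delete on reboot", indicators pointing at the kernel-level part of the infection (Trojan.TDSS and Rootkit.* families, components named UAC<random>.dll or .sys, and \\?\globalroot paths, which MBAM shows when it reached a file through the NT object namespace rather than a drive letter), the Browser Helper Object CLSIDs behind the redirect, and the Security Center tampering that hid the infection from the user. The sample log is a constructed excerpt of the one posted above; the UAC file-name pattern and the classification rules are the example's own assumptions, not fields MBAM reports.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread, not Malwarebytes' or BleepingComputer's code.
The classification rules below are the example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a shortened excerpt of the log posted earlier in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACxfllxmfi.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06ec6572-7280-485a-a712-c380526bc048} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879fa4-4790-461c-a1cc-4ec4de4ca483} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACxfllxmfi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\ieocx.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.-]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Assumed naming pattern for this TDSS variant's user-mode components
# (UACxfllxmfi.dll, uacinit.dll); the UAC???????????.sys asked for above is the driver.
UAC_NAME_RE = re.compile(r"^uac\w*\.(?:dll|sys)$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # e.g. "Files", "Registry Keys"
    path: str      # file path or registry path as MBAM printed it
    family: str    # MBAM detection name, e.g. Trojan.TDSS
    action: str    # what MBAM did, e.g. "Delete on reboot."

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def pending_reboot(self) -> bool:
        # The object was in use, so it is still on disk until the restart.
        return self.action.startswith("Delete on reboot")


def parse_mbam_log(text: str) -> list[Finding]:
    """Return one Finding per detection line, tagged with its section."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif section and (m := ENTRY_RE.match(line)):
            findings.append(Finding(section, m["path"], m["family"], m["action"]))
    return findings


def is_rootkit_indicator(f: Finding) -> bool:
    return (
        f.path.lower().startswith("\\\\?\\globalroot\\")  # NT object namespace, not C:\
        or "TDSS" in f.family
        or f.family.startswith("Rootkit")
        or bool(UAC_NAME_RE.match(f.basename))
    )


def triage(findings: list[Finding]) -> dict:
    """Summarise what still needs attention after the scan."""
    bho_clsids = set()
    for f in findings:
        if "\\Browser Helper Objects\\" in f.path and (m := GUID_RE.search(f.path)):
            bho_clsids.add(m.group(0).lower())
    return {
        "findings": len(findings),
        "pending_reboot": {f.basename for f in findings if f.pending_reboot},
        "rootkit_indicators": {f.basename for f in findings if is_rootkit_indicator(f)},
        "bho_clsids": bho_clsids,
        # Hides the Security Center applets and silences the AV/firewall/update warnings.
        "security_center_tampering": sorted(
            f.path for f in findings if "\\Security Center\\" in f.path or "\\don't load\\" in f.path),
        # The kernel driver is not in this log at all; a clean post-reboot scan is the minimum.
        "needs_rescan": any(f.pending_reboot or is_rootkit_indicator(f) for f in findings),
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the posted log, the point is the "Delete on reboot" set and the UAC-named components: the scan that stopped the redirects still left three objects on disk, and none of them is the driver itself, which is why the next step in the thread is a rootkit scanner rather than declaring the machine clean.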

#9 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2009 - 07:33 AM

It's giving me a RootRepeal error: "Could not load our Kernel!, please contact the author!"

Any ideas? It started the scan and then exited itself while scanning the C drive (Windows).

#10 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2009 - 07:38 AM

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e61a
Attempt to read from address: 0x0120ef19

#11 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2009 - 07:41 AM

Have tried it a couple of times; it went a little further in the scan, but closed itself with a separate crash report each time.

#12 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 17 April 2009 - 08:34 AM

Run a new quick scan with MBAM.

Also:

Please download and run Process Explorer.

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File > Save As, create a log and post it here.
Chewy

No. Try not. Do... or do not. There is no try.

#13 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2009 - 03:25 PM

MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 1995
Windows 5.1.2600 Service Pack 3

17/04/2009 21:15:58
mbam-log-2009-04-17 (21-15-58).txt

Scan type: Quick Scan
Objects scanned: 53462
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





*************************************************************************************


and Process explorer:

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 696 Windows NT Session Manager Microsoft Corporation
csrss.exe 744 Client Server Runtime Process Microsoft Corporation
winlogon.exe 768 Windows NT Logon Application Microsoft Corporation
services.exe 820 Services and Controller app Microsoft Corporation
svchost.exe 988 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1060 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1100 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1164 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1244 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1560 Spooler SubSystem App Microsoft Corporation
svchost.exe 1636 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 1672 Apple Mobile Device Service Apple Inc.
avgwdsvc.exe 1684 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 412 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 420 AVG Network scanner Service AVG Technologies CZ, s.r.o.
mDNSResponder.exe 1704 Bonjour Service Apple Inc.
CLCapSvc.exe 1716 CLCapSvc Module
CLSched.exe 1728 CLSched Module
CLMLServer.exe 1764 NT CLMLServer Cyberlink
CLMLService.exe 1800 Cyberlink MediaLibrary NT Service Cyberlink
svchost.exe 1900 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1996 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 692 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2580 iPodService Module Apple Inc.
svchost.exe 2932 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 832 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 2004 Windows Explorer Microsoft Corporation
AGRSMMSG.exe 632 SoftModem Messaging Applet Agere Systems
VTTimer.exe 1408 S3 Graphics, Inc.
VTTrayp.exe 1356 s3contrl (32-bit) S3 Graphics Co., Ltd.
SOUNDMAN.EXE 1368 Realtek Sound Manager Realtek Semiconductor Corp.
SynTPLpr.exe 1376 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 824 Synaptics TouchPad Enhancements Synaptics, Inc.
PDVDServ.exe 736 PowerDVD RC Service Cyberlink Corp.
PCMService.exe 1132 CyberLink PowerCinema Resident Program CyberLink Corp.
jusched.exe 1204 Java™ 2 Platform Standard Edition binary Sun Microsystems, Inc.
realsched.exe 1224 RealNetworks Scheduler RealNetworks, Inc.
realplay.exe 2324 100.00 RealPlayer RealNetworks, Inc.
QTTask.exe 1148 QuickTime Task Apple Inc.
iTunesHelper.exe 1420 iTunesHelper Module Apple Inc.
avgtray.exe 1512 AVG Tray Monitor AVG Technologies CZ, s.r.o.
msnmsgr.exe 2068 MSN Messenger Microsoft Corporation
msmsgs.exe 2080 Windows Messenger Microsoft Corporation
GoogleToolbarNotifier.exe 2100 GoogleToolbarNotifier Google Inc.
ctfmon.exe 2116 CTF Loader Microsoft Corporation
procexp.exe 3528 Sysinternals Process Explorer Sysinternals - www.sysinternals.com



Is that what you need from Process Explorer?

#14 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 17 April 2009 - 05:17 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#15 cocodemer

  • Topic Starter
  • Members
  • 15 posts

Posted 18 April 2009 - 03:55 PM

Hi - more problems.

I downloaded and ran DrWeb and got through the quick scan with no worries; there were no problems. I then unchecked the Heuristic analysis box and ran the complete scan. The first time it ran for a while and came up with a few problems; I clicked Yes to All when it asked (this was before the end of the scan), and then I left it, and when I came back it had crashed and rebooted. I ran the quick scan again and have just tried to run the complete scan, but it got about 1/4 of the way through and crashed again. It was in safe mode, and I had followed instructions as directed. Any ideas?



