
clickover.cn search engine hijacker [Moved]



#1 jdkool09 (Members, 9 posts)

Posted 05 August 2009 - 04:48 PM

Hello,

I've read over these forums without posting, trying to figure out a way to rid myself of clickover.cn (not sure if this is the proper name; it is the name I call it per the redirection address), but the answers I have found on these forums have explicitly stated that the fix is machine specific and should not be used as an overarching guide to getting rid of it.

I've run AVG Free, Spybot S&D, Malwarebytes, and SpyNoMore Clickover.cn remover. None of these seemed to work; after SpyNoMore did not work, I went ahead and uninstalled it, as Malwarebytes claimed it to be a problem. Better safe than sorry. Both Malwarebytes and Spybot are fully updated (as of 12:00pm CT today), but neither of them seems to be able to detect this browser hijacker. I'm not exactly sure what I need to post here to help you out, so a little guidance would be appreciated. I can usually get rid of most of these things on my own, but this one has got me stumped. Help would be appreciated, and perhaps a guess at its origin. I have no idea where I've contracted this from. I visit pretty routine sites, so I'm not sure where I picked this up.

Thanks.


#2 Orange Blossom, OBleepin Investigator (Moderator, 36,944 posts, Bloomington, IN)

Posted 05 August 2009 - 09:46 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DaChew, Visiting Alien (Members, 10,317 posts)

Posted 05 August 2009 - 10:23 PM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab at the bottom of the window, then click the Scan button.
  • In the Select Drives dialog, under "Please select drives to scan:", select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
Chewy

No. Try not. Do... or do not. There is no try.

#4 jdkool09, Topic Starter (Members, 9 posts)

Posted 06 August 2009 - 12:13 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 12:07
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETbaqeouls.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdrefrrnp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnmnboovk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxoyeoxrd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETrsjmtuuf.sys
Status: Invisible to the Windows API!



Note: There was also one hidden driver with the name SKYNET. Do I need to post driver logs also?

#5 DaChew, Visiting Alien (Members, 10,317 posts)

Posted 06 August 2009 - 12:30 PM

With this infection we just need the hidden file log; the driver .sys file will be the same, and we can only attack the hidden file.

Highlight this line

Path: C:\WINDOWS\system32\drivers\SKYNETrsjmtuuf.sys
Status: Invisible to the Windows API!


Right-click and choose Wipe File.

This will disable the rootkit.

Reboot/restart your computer, then update MBAM and run a quick scan to finish killing the rootkit and its buddies.
Chewy

No. Try not. Do... or do not. There is no try.
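The triage DaChew does by eye in #5 on the report from #4, written out as an added example: this Python script is not from the thread and is not part of RootRepeal. It parses the Hidden/Locked Files section of the report (embedded inline below exactly as posted), separates files the Windows API merely cannot open from files it cannot see at all, recovers the random prefix the hidden files share, and lists the hidden kernel driver that #5 says to wipe. The whitelist of normally-locked files (hiberfil.sys, pagefile.sys) and the rule that a driver lives under a `drivers` directory are assumptions, not facts from the page.

```python
"""Triage a RootRepeal "Hidden/Locked Files" report.

Added example for this thread; it is not part of RootRepeal and not code from
any poster. SAMPLE_REPORT is the report posted in #4, embedded here inline.
"""
import ntpath
import os
import re
from typing import Dict, List

# Files Windows keeps open exclusively from boot, so "Locked to the Windows API"
# is expected for them and is not a rootkit indicator. (Assumed whitelist.)
KNOWN_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

# The report text from post #4, embedded here so the script runs offline.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 12:07
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETbaqeouls.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdrefrrnp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnmnboovk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxoyeoxrd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETrsjmtuuf.sys
Status: Invisible to the Windows API!
"""

# Each entry is a "Path:" line immediately followed by a "Status:" line.
ENTRY_RE = re.compile(r"^Path: (.+?)\r?\nStatus: (.+?)\r?$", re.MULTILINE)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return every Path/Status pair in the report as a dict."""
    return [{"path": m.group(1).strip(), "status": m.group(2).strip()}
            for m in ENTRY_RE.finditer(text)]


def classify(entry: Dict[str, str]) -> str:
    """'hidden'   = on disk, but filtered out of the Windows API's view,
                  which only a kernel-level hook produces;
       'expected' = a normal exclusive lock on a known system file;
       'review'   = anything else (a lock on an unknown file, etc.)."""
    status = entry["status"].lower()
    path = entry["path"].lower()
    if "invisible" in status:
        return "hidden"
    if "locked" in status and path in KNOWN_LOCKED:
        return "expected"
    return "review"


def triage(text: str) -> Dict[str, object]:
    """Group entries, derive the prefix shared by the hidden files, and list
    hidden kernel drivers (the entry post #5 tells the user to wipe)."""
    entries = parse_report(text)
    groups: Dict[str, List[str]] = {"hidden": [], "expected": [], "review": []}
    for e in entries:
        groups[classify(e)].append(e["path"])
    hidden = groups["hidden"]
    # The dropped files share one random-looking prefix (SKYNET here); the
    # longest common prefix of the hidden basenames recovers it.
    names = [ntpath.basename(p) for p in hidden]
    prefix = os.path.commonprefix(names) if len(names) > 1 else ""
    # Assumed rule: a kernel driver is a .sys file under a "drivers" directory.
    drivers = [p for p in hidden
               if p.lower().endswith(".sys") and "\\drivers\\" in p.lower()]
    return {**groups, "family_prefix": prefix, "driver_candidates": drivers}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("family prefix:", result["family_prefix"] or "(none)")
    for key in ("hidden", "expected", "review"):
        for path in result[key]:
            print(f"{key:9s} {path}")
    print("hidden drivers:", result["driver_candidates"])
```

The distinction the script encodes is the one the thread turns on: hiberfil.sys reporting as Locked is normal, while Invisible means something running in the kernel is filtering the file out of what user-mode programs can see, which is why the scanners run in #1 could not find the SKYNET files. The common-prefix step only suggests a grouping; confirm each entry against the report before wiping anything, since a wiped driver will not load again.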

#6 jdkool09, Topic Starter (Members, 9 posts)

Posted 06 August 2009 - 04:56 PM

Thank you for your help.

Clickover.cn is now removed from my computer. I ran MBAM one more time and it picked up 2 residual files from SKYNET, but I deleted those successfully.

Thanks again for all your help.
