I got "clickover.cn" and maybe more, please help!


4 replies to this topic

#1 Spring Fish

Spring Fish

  • Members
  • 3 posts

Posted 06 August 2009 - 01:50 PM

Hi

I’m new here and have the same clickover.cn Google redirect problem. There may be other problems as well.

I've run Malware Bytes a few times to the point where it shows no problems.

I then followed the RootRepeal procedure to scan my C: drive files and now have the “hidden/locked” file log.

I would really appreciate any help in diagnosing this log file for me.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 13:34
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfocealmnaltp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceinmpxdui.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocepkqhorjw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocetblsrmtn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfoceedmgdqmcbm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfoceorqrpcrxtx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfoceqfxwbvcexb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\vsfocejuuyftgr.sys
Status: Invisible to the Windows API!
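The log above is long, but a defender only needs four things from it: whether the MBR check fired, which sectors mismatched, which files are merely locked (an in-use hiberfil.sys is normally reported as locked, and locked is not the same as hidden), and which files are invisible to the Windows API. The following triage script is an added example, written for this thread rather than taken from the post or from RootRepeal's authors; it assumes the Path:/Status: pair format shown in the log and works on a shortened, constructed copy of the posted output. It groups the invisible files by their shared name prefix, which is what ties the system32, Temp and drivers entries together as one component, and singles out any invisible .sys driver, since that is the entry the helper in this thread asks the poster to act on.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' section (added example, not thread or RootRepeal code)."""
import ntpath
import os
import re

# Constructed sample: a shortened copy of the log posted in this thread.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 13:34
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: Volume C:\\, Sector 1
Status: Sector mismatch

Path: Volume C:\\, Sector 62
Status: Sector mismatch

Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\vsfocealmnaltp.dat
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\vsfocepkqhorjw.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\vsfoceedmgdqmcbm.tmp
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\vsfocejuuyftgr.sys
Status: Invisible to the Windows API!
"""

# A RootRepeal entry is a "Path:" line immediately followed by a "Status:" line.
ENTRY_RE = re.compile(r"^Path: (.+)\nStatus: (.+)$", re.MULTILINE)
# "Volume C:\, Sector 12" -> sector number 12
SECTOR_RE = re.compile(r"^Volume [A-Z]:\\, Sector (\d+)$")


def parse_entries(text):
    """Return (path, status) pairs from the Hidden/Locked Files section."""
    return [(p.strip(), s.strip()) for p, s in ENTRY_RE.findall(text)]


def triage(text, min_prefix=4):
    """Classify each entry and look for a shared name prefix among invisible files.

    min_prefix is the shortest prefix treated as meaningful (assumed threshold,
    chosen for this example).
    """
    report = {
        "mbr_rootkit": False,
        "mismatched_sectors": [],
        "locked": [],
        "invisible": [],
        "invisible_drivers": [],
        "shared_prefix": "",
    }
    for path, status in parse_entries(text):
        if status.startswith("MBR Rootkit Detected"):
            report["mbr_rootkit"] = True
        elif status.startswith("Sector mismatch"):
            m = SECTOR_RE.match(path)
            if m:
                report["mismatched_sectors"].append(int(m.group(1)))
        elif status.startswith("Locked to the Windows API"):
            # Locked files are in use, not hidden; hiberfil.sys is expected here.
            report["locked"].append(path)
        elif status.startswith("Invisible to the Windows API"):
            report["invisible"].append(path)
            if path.lower().endswith(".sys"):
                report["invisible_drivers"].append(path)

    # ntpath handles Windows separators regardless of the host OS.
    names = [ntpath.basename(p).lower() for p in report["invisible"]]
    prefix = os.path.commonprefix(names) if len(names) >= 2 else ""
    if len(prefix) >= min_prefix:
        report["shared_prefix"] = prefix
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("MBR rootkit flagged:", r["mbr_rootkit"])
    print("Mismatched sectors:", r["mismatched_sectors"])
    print("Locked (in use, not hidden):", r["locked"])
    print("Invisible files sharing prefix %r:" % r["shared_prefix"], len(r["invisible"]))
    print("Invisible drivers:", r["invisible_drivers"])
```

Run against the full log in the post, the same logic reports the MBR detection, sectors 1 to 33 and 47 to 62 as mismatched, hiberfil.sys as locked only, eight invisible files sharing the prefix "vsfoce", and the single hidden driver under system32\drivers.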


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 August 2009 - 01:57 PM

Highlight this line with RootRepeal file scan

Path: C:\WINDOWS\system32\drivers\vsfocejuuyftgr.sys
Status: Invisible to the Windows API!


Right-click and choose wipe file

Restart and immediately run a quick scan with MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#3 Spring Fish

Spring Fish
  • Topic Starter

  • Members
  • 3 posts

Posted 06 August 2009 - 02:04 PM

Thanks DaChew

I wiped the file and am running the MBAM scan now.

I guess I keep running the MBAM until it comes up clean...Right?

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 August 2009 - 02:06 PM

Twice with a reboot in between, post both logs and we will need to go from there

Here's the standard warning

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#5 Spring Fish

Spring Fish
  • Topic Starter

  • Members
  • 3 posts

Posted 07 August 2009 - 05:22 PM

I followed the instructions and the MBAM log came up clean twice. Thanks for your help.