
Google Redirect Virus 090820 cliccker.cn klikstats.cn


  • This topic is locked
1 reply to this topic

#1 David08052


Posted 20 August 2009 - 02:33 PM

Hi,
I noticed on Mon that after a Google search, when I clicked on a Google link (either direct click or right click and open in a new window), I would often be sent to a site other than the one with the specified URL. This is in Internet Explorer 8: I do not have a problem in Firefox. My OS is Vista Home.

I have been struggling with many posts but what seemed to help was spynomore. It returned these names:
Agent Rootkit C:\Windows\system32\net.net
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\UAC\connections
C:\Windows\system32\Drivers\UACrbxmstypye.sys
C:\Windows\system32\UACscwebjrcne.dll

I renamed all of these after which no further problem with right click and open in a new window. However, the problem persists with direct click. All now have a suffix of orig, so in the registry for example I have UAC.orig

The UAC registry shows a "sval" entry for klikstats.cn which worries me because it seems to open my computer for a connection from this site, and since the suffix is for China, it suggests to me that someone in China might both be setting up to connect to my computer, and might be issuing the redirects. The redirects are all shell sites: when I try to contact them, I cannot. None have a phone number or physical location. When I email them, there is no reply.

I just ran RootRepeal "Only Display Hooked Functions" and found this:
C:\Windows\System32\kbiwkmcbrffgvd.dll
C:\Windows\System32\kbiwkmkturrjqs.dat
C:\Windows\System32\kbiwkmvbteufjw.dat
six files with the kbiwkm prefix.
RootRepeal just found a hidden service:
C:\windows\system32\drivers\kbiwkmcvvjiiwk.sys

However, when I go to that directory, there are no kbiwk files found. And I don't see anything like that in startup using msconfig.

One email said that this virus had disabled system restore and when I went to System "backup and restore", the message said "there are no backups available on this computer." However, when I click on computer, properties, system protection, I can see 5 checkpoints.

I have read in the news that China has been invading U.S. computers and wonder if this could be related to those news reports. But, mostly I would like to stop this problem and move on. Any help will be appreciated. I can receive mail from other users as well as the moderator.
Thanks
David



#2 Orange Blossom


Posted 20 August 2009 - 11:23 PM

You have posted a hijackthis log here and you are already receiving assistance.

Please refrain from asking for help from others while you are being instructed by someone helping you with a hijackthis log elsewhere. Any modifications you make can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the Helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. If you had posted your log here, similar rules would apply. We would ask that you refrain from asking for help elsewhere.

If you followed any other advice already, please ensure you inform the HJT Helper when they respond to assist you with your log. This will help them know what has been done and they probably will ask for an updated log.

To avoid confusion, I am closing this topic. If you still need assistance after your log has been reviewed and you have been cleared, please start a new topic. If you have any questions, please PM me or another moderator.

Thanks for your cooperation.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 20 August 2009 - 11:24 PM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



