The infamous z00clicker.dll


This topic is locked.
8 replies to this topic

#1 goolax18

  • Members
  • 4 posts

Posted 21 June 2010 - 02:21 PM

Hello! I'm one of those people that keep clicking on things or deleting files until it works with no formal education on how to really fix things. ~insert your cringing face here~ lol

I have a Dell Inspiron 531, Windows XP Home edition.
About 2 months ago, my cd burner drive became disabled. I jumped through a few hoops and somehow got it working again. Not too long after, I got that fake anti-virus thing that disabled everything I attempted to fix it with. (I'm not sure if that's related) I dug my way through my computer files and figured out how to stop that. (I really couldn't tell you what I did if I tried) Then shortly after, my Avast picked up z00clicker.dll in my files. I was getting re-directed on websites all the time then, as well. I dug myself through a few of those files and somehow got that to stop. I ran Avast again and it was gone.

Since then, I've uninstalled my Avast and reinstalled the new version. I downloaded Malwarebytes of which found some things, but it didn't remove or find the z00clicker. Well, z00clicker came back through an Avast full system scan (not a bootscan) and I can't find anything on my own. I haven't been re-directed to anything but I want to catch it before it gets any worse. I start an online schooling next week and I can't afford to be down. So I googled & found this website. I have done the DDS & GMER per the instructions request and attached the logs.

Attached Files

  • DDS1.txt (12.8KB)
  • DDS2.txt (7.91KB)
  • ARK.TXT (9.72KB)



#2 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 June 2010 - 05:11 PM

Hi goolax18,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 goolax18
  • Topic Starter

  • Members
  • 4 posts

Posted 27 June 2010 - 05:45 PM

I haven't done anything since I posted the original request. Please help

#4 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 June 2010 - 05:54 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

There is a rootkit infection we are going to take care of, and we will do some cleaning and fill the security holes.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry in Add/Remove that contains Java, JRE or Java Run Time); they are:

    J2SE Runtime Environment 5.0 Update 6
    Java™ 6 Update 16


  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Rename the installer to moon.exe while choosing C: drive to save in.
    • Double Click moon.exe to install the application to its default location.
    • Make sure no checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • Using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.exe then double-click to run it.
    • Wait until it opens up.
    • Update it. When you get the message that it is updated successfully check under Update tab the Database version should read 2256 or above.
    • Select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log after running it and removing what it finds, or removing files after reboot.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  5. Tell me also how your computer is running.
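Step 2 above asks the user to look through Add/Remove Programs for leftover Java Runtime entries, because each stale JRE is a browser plug-in that malicious sites can exploit. The following is an added example, not part of Farbar's instructions or of JavaRa: it reads the same per-machine Uninstall registry keys that Add/Remove Programs displays and lists every entry whose name matches Java, JRE, J2SE or Java Run Time, so multiple coexisting versions stand out. It assumes a Windows host with PowerShell available (not installed by default on Windows XP) and that the two registry paths below exist; the Wow6432Node path only exists on 64-bit systems.

```powershell
# Added example (not from the thread): enumerate Java Runtime entries as
# Add/Remove Programs sees them, by reading the per-machine Uninstall keys.
# Assumes PowerShell is available; the Wow6432Node key exists only on x64.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Same wording the thread tells the user to look for in Add/Remove.
            if ($p.DisplayName -match 'Java|JRE|J2SE|Java Run Time') {
                [pscustomobject]@{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

if (-not $javaEntries) {
    Write-Output 'No Java Runtime entries found in Add/Remove Programs.'
} else {
    # More than one entry usually means an older release was left behind
    # when a newer one was installed; every old one remains exploitable
    # until it is removed, which is why the thread asks for them all.
    $javaEntries | Sort-Object Version | Format-Table -AutoSize
}
```

The UninstallString column is the command Add/Remove Programs would run for that entry, which is useful when the GUI uninstaller refuses to start; per-user installs recorded under HKCU are not covered by this listing.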



#5 goolax18
  • Topic Starter

  • Members
  • 4 posts

Posted 27 June 2010 - 06:13 PM

Thank you so much for your help! Thank you for the peer to peer file sharing warning. I'll have a talk with the other users in my household about that.

I've attached the log you have requested. I did have to reboot. When I was brought back up, the AVAST shield was turned off. So, I turned that back on immediately. I've also updated my Java. I'm currently re-running Avast to see if z00clicker is still there, but the full scan takes a while. I'll reply again when it is complete.

My computer has been running fine. There are no hiccups or crashes at all. I don't even get re-directed to websites. It's just when I'm trying to get the z00clicker.dll eradicated, Avast gets an error.

OH I didn't run malwarebytes just now. But I have and it didn't pick up on anything including the lingering z00clicker. Do you want me to run that again?



Edited by goolax18, 27 June 2010 - 06:14 PM.


#6 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 June 2010 - 06:31 PM

The rootkit is taken care of.

If you made sure you updated Malwarebytes before scanning and it came back clean, there is no need to run it again.

I'll wait for your report on Avast scan before rounding off. If it found anything I need the full path to the file found.

#7 goolax18
  • Topic Starter

  • Members
  • 4 posts

Posted 27 June 2010 - 08:13 PM

THANK YOU THANK YOU THANK YOU THANK YOU!!!!!!!!!!!! Avast didn't find anything either. You ROCK!!!!!

#8 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 June 2010 - 08:18 PM

You are most welcome goolax18.
  1. You may delete any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing goolax18.

#9 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 July 2010 - 06:44 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.