Infected with Win32 Trojan.Clicker


  • This topic is locked
10 replies to this topic

#1 BillyPhD

BillyPhD

  • Members
  • 9 posts

Posted 28 August 2010 - 09:47 AM

For starters, I am on a Vostro 400 computer and use Windows XP (No fancy versions). About 2 days ago, I was informed by Ad-aware (free version) that it has blocked a process attempting to create a file called Win32 Trojan.Clicker. I performed a virus scan afterwards with Ad-aware to find that the virus had gotten into my computer anyways; I think it was from a file titled something like setup.exe that created the Trojan. Anyways, I selected the option remove when it found the Trojan in the scan results and it required I restart my computer. I did so, and performed another scan afterwards. Ad-aware did not detect the virus anymore, but weird occurrences were happening such as random blank tabs opening without my permission on Mozilla Firefox, taking me to sites with odd URLs. Also, while playing my game, Team Fortress 2, I noticed heavy lag after the first round. I ended up closing the game and it was taking a long time. It loaded me out to a black screen for a while, and I had thought the computer crashed until a big white window popped up on my screen. This was my "Windows Virus Scanner", or something along the lines of that, that had detected a virus and started scanning without my permission. It claimed it found about 25 different Trojans within the first few seconds of scanning, and I was immediately suspicious. Having dealt with fake Anti-Virus software before, I shut down my computer manually without tampering with anything. I've also had a few other odd things happen. One time, after leaving my computer for a while, with Mozilla Firefox up, I came back to find that my mouse couldn't interact with anything. I clicked restart so I could start up my computer again and even that didn't work so I had to restart manually. To counter this virus, I even tried scanning with Malwarebytes (again, free version) and it didn't come up with anything on the first scan of my registry, but came up with a Trojan the second time.
Again, it said it was quarantined and removed, and that I needed to restart to ensure it was gone. When I restarted it was fine for a couple minutes but started acting up again in odd weird ways shortly after. My computer or any of its programs have never acted this way, so I know it's the Trojan's doing. I have no idea how to successfully eliminate it from my machine. Sorry for typing so much but I wanted to write down as much as I knew about what it was doing. Thanks.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jackson Oliva at 16:49:52.54 on Fri 08/27/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\DOCUME~1\JACKSO~1\LOCALS~1\Temp\user.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\JACKSO~1\LOCALS~1\Temp\bldx71vl4x.exe
C:\DOCUME~1\JACKSO~1\LOCALS~1\Temp\user.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\WINDOWS\System32\svchost.exe"
C:\Documents and Settings\Jackson Oliva\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: c:\windows\system32\jxx1gqccr.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\system32\jxx1gqccr.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [hse897ifdsjf98u3heuidhfdd] c:\docume~1\jackso~1\locals~1\temp\bldx71vl4x.exe
uRun: [trawgd327uhf838jdfdsfdfds] c:\docume~1\jackso~1\locals~1\temp\user.exe
uRun: [Mwisi] rundll32.exe "c:\windows\nvfsnasn.dll",Startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\pro


Edited by BillyPhD, 28 August 2010 - 10:27 AM.
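The DDS log above is where the helper's questions come from: two autorun entries launch from the user's Temp folder and a third loads a DLL dropped into c:\windows. As an added illustration (not a tool from this thread or from BleepingComputer), the Python below parses Run lines in the Pseudo-HJT format DDS prints and applies three triage heuristics to the entries posted above; the sample lines are copied from the log, while the heuristics and function names are my own.

```python
import re

# Constructed sample: "Run" lines in the Pseudo-HJT format that DDS prints,
# taken from the log posted in the thread above (uRun = HKCU, mRun = HKLM).
SAMPLE_RUN_LINES = r"""
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [hse897ifdsjf98u3heuidhfdd] c:\docume~1\jackso~1\locals~1\temp\bldx71vl4x.exe
uRun: [trawgd327uhf838jdfdsfdfds] c:\docume~1\jackso~1\locals~1\temp\user.exe
uRun: [Mwisi] rundll32.exe "c:\windows\nvfsnasn.dll",Startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
"""

RUN_LINE = re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(cmd):
    """Split a Run value into tokens, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def triage_run_entries(text):
    """Return {hive:value_name -> [reasons]} for Run entries worth a second look.

    Heuristics (hypothetical, not a verdict): a launch path under a Temp
    folder, a long value name mixing letters and digits, or rundll32 loading
    a DLL sitting directly in the Windows root rather than a vendor folder.
    """
    findings = {}
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group(1), m.group(2), m.group(3)
        toks = _tokens(cmd)
        paths = [t.lower() for t in toks if "\\" in t]
        reasons = []
        if any("\\temp\\" in p for p in paths):
            reasons.append("launches from a Temp directory")
        if len(name) >= 16 and re.search(r"\d", name) and re.search(r"[a-z]", name, re.I):
            reasons.append("random-looking value name")
        if toks and toks[0].lower().endswith("rundll32.exe") and any(
            re.fullmatch(r"c:\\windows\\[^\\]+\.dll", p) for p in paths
        ):
            reasons.append("rundll32 loads a DLL from the Windows root")
        if reasons:
            findings[f"{hive}Run:{name}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_run_entries(SAMPLE_RUN_LINES).items():
        print(entry, "->", "; ".join(why))
```

Run against the sample, only the three entries a responder would query are reported; the AIM, ctfmon, Realtek and Java launchers pass.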



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 August 2010 - 03:13 PM

Good evening.

Your DDS log shows no active real-time anti-virus protection as far as I can tell - how long has this been the case?

So long, and thanks for all the fish.


#3 BillyPhD

BillyPhD
  • Topic Starter

  • Members
  • 9 posts

Posted 28 August 2010 - 09:13 PM

This is odd. The virus has only acted out a couple of days back. It's possible that it might be gone, because I didn't have too many problems today. I'll reply back and produce new DDS and Gmer texts if anything acts out strangely again. By the way, thanks for taking the time to read over my problem.

Update: Shortly after my post, another tab on Mozilla Firefox popped up while on YouTube. This was not an occurrence a couple of days back. Might it be a cookie or something else causing my problem?

Another Update: A little while after that, I heard multiple clicking noises in the background, as if something was being selected. A minute later, an audio ad starts playing and continues when I close Mozilla Firefox. Shortly after closing the browser, the clicking dies down. But I notice a pop-up warning has come up saying that scripts are being received from htp://coolmom.com (I removed a "t" to prevent it from becoming a URL, I don't trust this site). I've never heard of or visited this site and these actions on my computer are far from normal. Tomorrow I'll create a new DDS test file, and even a Gmer text file if I need to because weird things keep on happening.

Edited by BillyPhD, 28 August 2010 - 09:54 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 29 August 2010 - 04:40 PM

Good evening.

QUOTE
Your DDS log shows no active real-time anti-virus protection as far as I can tell - how long has this been the case?

How long has your PC been without an anti-virus program?

So long, and thanks for all the fish.


#5 BillyPhD

BillyPhD
  • Topic Starter

  • Members
  • 9 posts

Posted 30 August 2010 - 09:48 AM

I don't know. Maybe about 3 or 4 days ago was when my Ad-aware found that the virus was on my system. Keep in mind I wasn't doing a scan and I didn't even have the window open, but a notification came up about it. There must have been some sort of protection to alert me of that. Since then I haven't disabled the protection, so it's odd that it's not showing up.

Also, keep in mind I have used MalwareBytes and Ad-aware as my Anti-Malware programs. I've had them for about a year now.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 30 August 2010 - 02:31 PM

Good evening.

What version of Ad-Aware are you running?

So long, and thanks for all the fish.


#7 BillyPhD

BillyPhD
  • Topic Starter

  • Members
  • 9 posts

Posted 31 August 2010 - 02:45 PM

8.0.9

It says I can update, but I haven't done so recently because there's been no virus trouble in over a year. I rarely ever run it unless something suspicious happens.

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 31 August 2010 - 05:22 PM

Unfortunately I don't think that your version of Ad-Aware comes with a specific real-time anti-virus module that is sufficient to protect your PC.
Given the lack of basic security programs onboard and the amount of time that this has probably been the case, the best suggestion I can offer is to back up any important files and then reformat and reinstall Windows.
It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a non-starter in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc. changed - obviously not using this PC!
Should you want them, I can provide links to free software that will help keep your PC malware-free in the future, but you shouldn't count on them to clean your machine as it is now.

So long, and thanks for all the fish.


#9 BillyPhD

BillyPhD
  • Topic Starter

  • Members
  • 9 posts

Posted 31 August 2010 - 06:43 PM

I do have a few accounts, but I haven't entered passwords for any of them. Also, none of them contain important information. I'd guess you probably want me to do a system restore, or removal of all files?
I did that last time when I had a bad virus about 1.5 years ago and it worked fine afterwards. As for backed up files everything on my computer can be replaced, as every program can be reinstalled and my games are owned in an online account, so I don't think I'll need to back anything up. Thanks for the advice and helping me with my problem! It's useful getting information from someone who knows what they are doing.

One more question before this can be closed, what programs would be best to keep my computer safe?

Edited by BillyPhD, 31 August 2010 - 06:44 PM.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 01 September 2010 - 02:48 PM

Good evening.

Anti-Virus. There are a few free ones available, three of which are below:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here

I use AVG on a lappy at the minute and am happy with it, but I've used the other two previously with no issues. Remember that you should only have one AV installed at a time due to the potential for conflicts.

Firewall. There are a few free firewalls available, of which the following are some examples:

Comodo Firewall Pro: Available here.
PC Tools Firewall Plus: Available here.
Online Armor Free: Available here.

Again, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

There are other examples of both free AVs and firewalls available, but I've used all of these at one time or another without tears at bedtime.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet, even if it is a little old.

So long, and thanks for all the fish.


#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 September 2010 - 01:38 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
