Clicker.fr Trojan! Help!



#1 AlanBeling


Posted 05 July 2006 - 07:38 PM

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:20:16, on 5/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\DateManager\DateManager.exe
C:\Arquivos de programas\Workspace Macro Pro 6.0\WMPHotkeys.exe
C:\Arquivos de programas\ARM Software\MacroMaker\MacroMaker.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Dofus\Dofus.exe
C:\Arquivos de programas\Dofus\dofus.dll
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.157\KillBox.exe
C:\WINDOWS\System32\devldr32.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.813\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.festasbadaladas.com.br
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R3 - URLSearchHook: (no name) - {21692FBB-5933-817C-AD54-344B003B8AFA} - prcmon.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7C922767-5A71-444F-95AA-DE95305E78EC}.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7C922767-5A71-444F-95AA-DE95305E78EC}.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20091\socks.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [sound64] vxdman.exe
O4 - HKLM\..\Run: [xwiz] Shaitan1678.exe
O4 - HKLM\..\Run: [luotb.exe] C:\WINDOWS\System32\luotb.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Arquivos de programas\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DateManager] c:\DateManager\DateManager.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Arquivos de programas\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Arquivos de programas\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [keybdll] msag.exe
O4 - HKCU\..\Run: [xxtoolbar] ms-its.exe
O4 - HKCU\..\Run: [WinInitDll] NopeZ.exe
O4 - Startup: MacroMaker.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Arquivos de programas\Workspace Macro Pro 6.0\WMPHotkeys.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F01485-7437-4DAA-852F-5526DF9A88CB}: NameServer = 85.255.116.58,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{53DB7AC0-F136-4ECB-8151-EC6F6A2D99FE}: NameServer = 85.255.116.58,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2A68ADE-7198-41D5-B023-615CA78C5D2C}: NameServer = 85.255.116.58,85.255.112.173
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Logon Information (WLI) - Unknown owner - C:\WINDOWS\System32\fonts.{0003000d-0000-0000-c000-000000000046}\lsass.exe (file missing)


Same problem as always: a pop-up every 5 minutes and 55 seconds about a virus with weird naming. I heal all, but it's giving me the bleeping nerves having to click it.

#2 Guest_Cretemonster_*


Posted 06 July 2006 - 12:44 PM

Hi AlanBeling and Welcome to the Bleeping Computer!


First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer. Reboot into SAFE MODE (tap F8 when restarting).
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads-> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

    R3 - URLSearchHook: (no name) - {21692FBB-5933-817C-AD54-344B003B8AFA} - prcmon.dll (file missing)

    O1 - Hosts: localhost 127.0.0.1

    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7C922767-5A71-444F-95AA-DE95305E78EC}.dll

    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7C922767-5A71-444F-95AA-DE95305E78EC}.dll

    O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe

    O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20091\socks.exe

    O4 - HKLM\..\Run: [sound64] vxdman.exe

    O4 - HKLM\..\Run: [xwiz] Shaitan1678.exe

    O4 - HKLM\..\Run: [luotb.exe] C:\WINDOWS\System32\luotb.exe

    O4 - HKCU\..\Run: [DateManager] c:\DateManager\DateManager.exe

    O4 - HKCU\..\Run: [UnSpyPC] "C:\Arquivos de programas\UnSpyPC\UnSpyPC.exe"

    O4 - HKCU\..\Run: [KillAndClean] "C:\Arquivos de programas\KillAndClean\KillAndClean.exe"

    O4 - HKCU\..\Run: [keybdll] msag.exe

    O4 - HKCU\..\Run: [xxtoolbar] ms-its.exe

    O4 - HKCU\..\Run: [WinInitDll] NopeZ.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O17 - HKLM\System\CCS\Services\Tcpip\..\{14F01485-7437-4DAA-852F-5526DF9A88CB}: NameServer = 85.255.116.58,85.255.112.173

    O17 - HKLM\System\CCS\Services\Tcpip\..\{53DB7AC0-F136-4ECB-8151-EC6F6A2D99FE}: NameServer = 85.255.116.58,85.255.112.173

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2A68ADE-7198-41D5-B023-615CA78C5D2C}: NameServer = 85.255.116.58,85.255.112.173

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.173

    O23 - Service: Windows Logon Information (WLI) - Unknown owner - C:\WINDOWS\System32\fonts.{0003000d-0000-0000-c000-000000000046}\lsass.exe (file missing)

    Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close out Ewido Anti-Spyware.
IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.


Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 85.255.116.58
IpDns2Address = 85.255.112.173
IpNameAssign = 2



Still in Safe Mode, check Add\Remove Programs for any of these entries and remove any found:

KillandClean

UnSpyPC

DateManager

Web Related/Related



Be sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Search for and delete if found:

c:\DateManager<-- Folder

C:\Arquivos de programas\UnSpyPC<-- Folder

C:\Arquivos de programas\KillAndClean<-- Folder

C:\WINDOWS\System32\luotb.exe<-- File

While in the System32 folder you may see other files like the one listed below; these are random-numbered CLSIDs with either a .dll or .exe extension. Delete any of these found.


C:\WINDOWS\System32\{7C922767-5A71-444F-95AA-DE95305E78EC}.dll


Still in the System32 folder, locate and delete this folder:

C:\WINDOWS\System32\fonts.{0003000d-0000-0000-c000-000000000046}


Click Start-> Run-> copy and paste the text below into the Open box and click OK:

sc delete WLI


Restart the computer back into Normal Mode.


Now open the Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Next go Start-> Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(That space between g and / is needed.)


Please have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the scan to work.

Save the report it generates.

Post back with a fresh HijackThis log and the reports from Ewido and Panda, along with report.txt.
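A small triage script, added here as an example and not part of this thread, of HijackThis or of FixWareout, that flags the indicator classes the reply above walks through (Run entries that name an executable with no path, items marked "(file missing)", and O17 NameServer entries pointing at public resolvers) and pulls the IpDnsAddress/IpDns2Address keys out of rasphone.pbk text. The log lines and the .pbk fragment are constructed samples in the shape of the posted log, with a placeholder in place of the interface GUID.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the log posted above; the
# 85.255.x.x resolvers are the DNS-hijack marker the reply fixes.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\ARQUIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Arquivos de programas\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [sound64] vxdman.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.58 85.255.112.173
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID-PLACEHOLDER}: NameServer = 192.168.1.1
O23 - Service: Windows Logon Information (WLI) - Unknown owner - C:\\WINDOWS\\System32\\fonts.{PLACEHOLDER}\\lsass.exe (file missing)
"""
# Constructed rasphone.pbk fragment carrying the keys the reply says to delete.
SAMPLE_PBK = "[Connection]\nIpDnsAddress=85.255.116.58\nIpDns2Address=85.255.112.173\nIpNameAssign=2\n"

O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')

def run_target(cmd):
    """Executable part of a Run-key command: the quoted path, or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage(log_text):
    """Return (line, reason) pairs for the indicator classes the reply walks through."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith('(file missing)'):
            findings.append((line, 'entry points at a file that is not on disk'))
        m = O4_RE.match(line)
        if m and '\\' not in run_target(m.group('cmd')):
            # Bare names resolve via the search path; legitimate vendor entries
            # do this too, so this is a "verify on disk" prompt, not a verdict.
            findings.append((line, 'Run entry has no path; verify the executable'))
        m = O17_RE.match(line)
        if m:
            for server in re.split(r'[,\s]+', m.group('servers').strip()):
                if not ipaddress.ip_address(server).is_private:
                    findings.append((line, f'NameServer {server} is a public resolver'))
    return findings

def rasphone_dns(pbk_text):
    """IpDnsAddress/IpDns2Address overrides found in rasphone.pbk text."""
    return re.findall(r'^IpDns2?Address\s*=\s*(\S+)', pbk_text, re.M)

if __name__ == '__main__':
    for line, reason in triage(SAMPLE_LOG):
        print(f'{reason}: {line}')
    print('rasphone.pbk DNS overrides:', rasphone_dns(SAMPLE_PBK))
```

Run against a real log, the script only narrows what to look at; the O4 finding in particular also fires on legitimate vendor entries such as the AGRSMMSG and nwiz lines in the posted log.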



