

Need Help On Trojan Clicker.fr



#1 Choky


Posted 12 July 2006 - 10:34 PM

Hey all, I'm new here.
I can't seem to get rid of Trojan Clicker.fr.
AVG detects it but can't heal it or anything; other symptoms are a weird toolbar on both my browser and windows (the windows that open up in Windows), and also a small pop-up bubble in the bottom right corner about spyware.

I did the Fixwareout and also the HJT, and here are both logs/txts:

Fixwareout produced this:
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
"dmkez.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSNFE.EXE
* csr.exe C:\WINDOWS\System32\CSCWW.EXE
* csr.exe C:\WINDOWS\System32\CSKGN.EXE
* csr.exe C:\WINDOWS\System32\CSZZB.EXE
* csr.exe C:\WINDOWS\System32\CSJGC.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNFE.EXE 51.271 2006-07-12
C:\WINDOWS\SYSTEM32\CSCWW.EXE 51.271 2006-07-12
C:\WINDOWS\SYSTEM32\CSKGN.EXE 51.271 2006-07-12
C:\WINDOWS\SYSTEM32\CSZZB.EXE 51.271 2006-07-13
C:\WINDOWS\SYSTEM32\CSJGC.EXE 51.271 2006-07-13
C:\WINDOWS\SYSTEM32\DMVWN.EXE 62.047 2002-09-24
C:\WINDOWS\SYSTEM32\DMPGI.EXE 62.047 2002-09-24
C:\WINDOWS\SYSTEM32\DMQUC.EXE 62.047 2002-09-24
C:\WINDOWS\SYSTEM32\DMFBL.EXE 62.047 2002-09-24
C:\WINDOWS\SYSTEM32\DMKEZ.EXE 62.047 2002-09-24
Other suspects
Directory of C:\WINDOWS\system32

And HJT produced this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:23:35, on 13/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Java\jre1.5.0_07\bin\jusched.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {A4E97468-750D-8878-F7C1-C9A14761969D} - systemdll.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{CF346DBE-41B0-4C2B-90CC-548172623BFB}.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{CF346DBE-41B0-4C2B-90CC-548172623BFB}.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PasswdMon] SysSupport.exe
O4 - HKLM\..\Run: [ssweeper] PasswdMon.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [joyef.exe] C:\WINDOWS\System32\joyef.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SAPSTR] EXE32EXE.exe
O4 - HKCU\..\Run: [slamm] backorif.exe
O4 - HKCU\..\Run: [prgsys0984] bnui.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Archivos de programa\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0C7F3F20-8BAB-11D2-9432-00C04F8EF48F} (Downloadable Speech API) - http://activex.microsoft.com/activex/contr...api/spchapi.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D87F5B2-05F1-11D2-AD7C-0000F8799342} (Microsoft IE Object Wrapper Sample Control) - http://activex.microsoft.com/activex/contr...t2/lhttseng.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145820937264
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F5EAD9-55F8-4E51-BEB5-934593A1283E}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BBC3641-0FDA-4AD4-934A-52A5EC503458}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0FFBF52-58F6-4BDA-9DC7-5FF50111B586}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF2F83D7-97A4-49CF-B69A-435B39294A9C}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{12F5EAD9-55F8-4E51-BEB5-934593A1283E}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.153
O17 - HKLM\System\CS2\Services\Tcpip\..\{12F5EAD9-55F8-4E51-BEB5-934593A1283E}: NameServer = 85.255.114.109,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.153
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe

Any help, please? :thumbsup:
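A small triage pass over lines in the shape of the HijackThis log above, added here as an example (it is not the poster's code and not part of HijackThis). The sample lines are constructed from the log's format, and the three checks (Run entries that name a bare file with no path, O17 NameServer overrides, browser extensions loaded from a GUID-named DLL) are the editor's own review heuristics, not a verdict on any entry.

```python
import re

# Constructed sample in the shape of the HijackThis log above (not the full log).
SAMPLE_LINES = [
    r"O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{CF346DBE-41B0-4C2B-90CC-548172623BFB}.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [PasswdMon] SysSupport.exe",
    r"O4 - HKCU\..\Run: [slamm] backorif.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.153",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

# A DLL whose file name is nothing but a {GUID}, as in the O2/O3 lines of the log.
GUID_DLL = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.dll$", re.IGNORECASE)
# O4 - HKLM\..\Run: [name] command
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O17 - <key>: NameServer = a.b.c.d[, ]e.f.g.h
NAMESERVER = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def _executable(cmd):
    """First token of a Run command: the quoted path, or the text up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return (section, reason, line) for log entries that deserve a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = RUN_ENTRY.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            if "\\" not in exe:  # no directory: Windows resolves it via the search path
                findings.append(("O4", f"Run entry [{m.group('name')}] names a bare file '{exe}' with no path; locate it and check it", line))
            continue
        m = NAMESERVER.match(line)
        if m:
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            findings.append(("O17", f"DNS resolvers forced to {', '.join(servers)}; compare with what the ISP/DHCP actually hands out", line))
            continue
        if line.startswith(("O2 ", "O3 ")) and GUID_DLL.search(line):
            findings.append(("O2/O3", "browser extension loaded from a GUID-named DLL in System32", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LINES):
        print(f"{section}: {reason}\n    {line}")
```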

#2 Choky


Posted 13 July 2006 - 12:31 AM

Never mind, I seem to have fixed it all. Thanks nonetheless.
