Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Clicker.fr & Generic.xks .. Help Please !


  • This topic is locked This topic is locked
4 replies to this topic

#1 Silvi

Silvi

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 02 September 2006 - 05:45 AM

Hello Moderators,

I'm getting constant pop-ups from my AVG Free Edition.
It gives me message my computer is infected. Clicker.FR and Generic.XKS and some more pop-ups.
I searched on Google and found I need to get HijackThis file from www.hijackthis.de
I got the file and ran it.
Here is the log file. Any help from you guys will be appreciated.



Logfile of HijackThis v1.99.1
Scan saved at 3:36:34 PM, on 9/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Infection\Desktop\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{8E272192-1467-4D48-8FD7-93B0050F0563}.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{8E272192-1467-4D48-8FD7-93B0050F0563}.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [beyid.exe] C:\WINDOWS\System32\beyid.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.sbicard.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{302DECCE-7073-4C86-BB0E-EA52556BB7CC}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E85E3FD-726E-4FC0-AF52-A667F5B03CB3}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC4A783B-07E3-4C8D-9720-9F3D9A11A2FD}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED2FB1F6-397E-4AB5-B6CC-C8F8333A239B}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{302DECCE-7073-4C86-BB0E-EA52556BB7CC}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\..\{302DECCE-7073-4C86-BB0E-EA52556BB7CC}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


==============================

Please advice, what should I do.
Help me with this trouble and I will never let my brother use my computer :thumbsup:
And, I cant open system32 folder. That particular window gets stuck.

OH!! By the way, I ran the HijackThis file from my desktop. Is that the right thing to do or should I move file to C:\ and then run it and paste the log ?
Will that make a difference ?

Thanks & Regards,
Silvia.

Edited by Silvi, 02 September 2006 - 03:28 PM.


BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:56 PM

Posted 03 September 2006 - 03:42 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
It's ok to run Hijackthis from the desktop, just never from a temp folder.

You have a few separate issues that we will have to work through one at a time.


Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Silvi

Silvi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 06 September 2006 - 05:41 AM

Hi Here is what I did to remove that Clicker.FR thing. Its a bit of work around.

I ran HijackThis and pasted the log on www.hijackthis.de website

Told me there was a file in system32 folder which is nasty

name = beyid.exe

Wont allow me to access system32 folder.

So, I tried from command prompt and I could see that file ..

del beyid.exe

GONE!!

then fixed some other items using hijackthis

Then did msconfig and removed beyid.exe from startup items

Did Regedit and removed beyid.exe from Run or RunOnce
(Both HKey Current User and HKey Local Machine)

Then I regained access to system32 folder.

THis stupid spyware created about 200 files with names something like this {2BGHE34JK- ......}

Ran AVG for about 20 times and everytime I use to run it, it would find about 30 files.

Chose HEAL and once all those funny files were Healed,

Ran Hijack this again.

Pasted log on www.hijackthis.de

Fixed some toolbars.

ISSUE RESOLVED!!!

No More Stupid Clicker.FR
No More Stupid Generic.XKS

NO No more viruses and spywares.

What I wanted to say, you dont really require that warehouse fix file :thumbsup:)

Thanks & Regards,
Silvia. :flowers:

(P.S. The only problem that I have right now is .. When I right click up there on IE, it shows STANDARD BUTTONS, ADDRESS BAR AND LINKS .. They are greyed out and I cant select or deselect them. What should I do. I know, the answer is registry. 0 to 1 or 1 to 0. But where in registry?).

Edited by Silvi, 06 September 2006 - 05:48 AM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:56 PM

Posted 06 September 2006 - 03:18 PM

I have to tell you this Silvia, but chances are that the infection that created your problems is still present.

Please follow the steps in my previous post and we'll find out for sure.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:56 PM

Posted 21 September 2006 - 04:44 PM

As there has been no response, and this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users