Jump to content

Cliccker Cn


Recommended Posts

It seems that I have Cliccker on computer. How did I get it? Can anyone help me get rid of it?

Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:23:52 PM, on 8/22/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Sonic Shared\CineTray.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\RIA\Speedlink\RIA-Speedlink.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6071203

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6071203

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\LNTPA9\tmietb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\LNTPA9\tmietb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: SpeedlinkV4.1.lnk = ?

O4 - Global Startup: Service Manager.norun

O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\Software\..\Telephony: DomainName = rbdomain.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 10282 bytes

Link to post
Share on other sites

  • Staff

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Thank you for your help! I have attached the latest malwarebytes scan. Below is the last Highjack scan.

What's next?

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\LNTPA9\tmietb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\LNTPA9\tmietb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: SpeedlinkV4.1.lnk = ?

O4 - Global Startup: Service Manager.norun

O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\Software\..\Telephony: DomainName = rbdomain.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rbdomain.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{2802183E-E245-451A-BC95-256CB2665153}: NameServer = 192.192.100.20

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

mbam_log_2009_08_25__10_44_12_.txt

Link to post
Share on other sites

Problems: When I perform a google search and click on one of the links, then click the back arrow, I am redirected to an new website and Cliccker Cn. appears in the address bar. Additionally outlook will no longer open properly. When I open it it hangs up and I have kill it. Then when I reopen it works fine, but get an error message stating it was not closed properly. The defragmetner will not work. Finally it takes forever for my computer to start now. Whatever I have, I do not think Malware is killing it?

Again thanks so much for your help.

Hi,

Your problem is confusing. Please tell me what exact problem you are having. Please let me know what about this cclicker, what scanner is flagging it and where it flags it.

Link to post
Share on other sites

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Link to post
Share on other sites

The only two antivirus software programs on my machine that I am aware of are symantec and malwarebytes. I disabled symantec. I think i disabled malwarebytes, but i am not sure. I tried running combo fix several times. I also tried renaming the file but it still did not work. I get a message that says preparing to scan but then it flashes off???

What am I doing wrong?

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Link to post
Share on other sites

  • Staff

Hi,

Please try this method,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

Combo fix will not run. I tried rebooting in safe mode but my password would not work. I also tried saving combofix as comb-fix.exe; iexplore.exe and winlogon.exe. No luck!

Hi,

Please try this method,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

  • Staff

Hi,

Sorry, it looks like I missed your reply earlier.

Download and run Win32kDiag:

Since it's already past midnight here, my reply may be later, so please be patient. :D

Link to post
Share on other sites

When I try to run Win32kDiag I get the following error message: Warning could not get backup privileges!

Cannot access: C:WINDOWS\bthservsdp.dat.

Any other thougts?

Hi,

Sorry, it looks like I missed your reply earlier.

Download and run Win32kDiag:

Since it's already past midnight here, my reply may be later, so please be patient. :D

Link to post
Share on other sites

Found it!

Log file is located at: C:\Documents and Settings\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\bthservsdp.dat

[1] 2009-08-25 17:43:01 12 C:\WINDOWS\bthservsdp.dat ()

Isn't there a log created anyway?
Link to post
Share on other sites

  • Staff

Hi,

That's all that was in the logfile?

Strange...

Anyway, Open notepad and copy and paste next present in the quotebox in it:

DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\sceclt.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll >Look.txt

Start notepad Look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.

It should look like this: bat.gif

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

Link to post
Share on other sites

Volume in drive C has no label.

Volume Serial Number is 8C78-FE5C

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 407,040 netlogon.dll

2 File(s) 587,264 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Thanks for your continued help! Here is the information you requested.

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

2 File(s) 588,288 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

2 File(s) 588,288 bytes

Total Files Listed:

6 File(s) 1,763,840 bytes

0 Dir(s) 141,762,011,136 bytes free

Hi,

That's all that was in the logfile?

Strange...

Anyway, Open notepad and copy and paste next present in the quotebox in it:

Save this as look.bat , choose to save as *all files and place it on your desktop.

It should look like this: bat.gif

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

Link to post
Share on other sites

  • Staff

Hi,

Hmmm, strange here. Let's check some other files...

Open notepad and copy and paste next present in the quotebox in it:

DIR /a/s C:\WINDOWS\eventlog.dll C:\WINDOWS\logevent.dll C:\WINDOWS\cngaudit.dll >Look2.txt

Start notepad Look2.txt

Save this as look2.bat , choose to save as *all files and place it on your desktop.

It should look like this: bat.gif

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

Link to post
Share on other sites

Thanks for your continued help!

Volume in drive C has no label.

Volume Serial Number is 8C78-FE5C

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 55,808 eventlog.dll

1 File(s) 55,808 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll

1 File(s) 56,320 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll

1 File(s) 56,320 bytes

Total Files Listed:

3 File(s) 168,448 bytes

0 Dir(s) 141,754,503,168 bytes free

Hi,

Hmmm, strange here. Let's check some other files...

Open notepad and copy and paste next present in the quotebox in it:

Save this as look2.bat , choose to save as *all files and place it on your desktop.

It should look like this: bat.gif

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

Link to post
Share on other sites

  • Staff

That looks OK as well.

This doesn't make sense and it's really strange that Combofix won't run in your case with the renaming method I posted earlier. NOTE, Combofix should be renamed before you actually download it, exactly as how it is explained in the screenshot.

So please delete all Combofix references you already have now and RETRY again, so this means, redownload again and rename before the actual download/save.

Also, I don't really understand about the safe mode part, because you tell you don't have a password for that. Please log in on your account in Windows safe mode then. :D

Link to post
Share on other sites

What is the best way to unintall all the versions of combofix on my computer before I reinstall? Also, the password I use to log in normal startup will no longer work in safe mode. I only have one password and it will not work in safe mode.

That looks OK as well.

This doesn't make sense and it's really strange that Combofix won't run in your case with the renaming method I posted earlier. NOTE, Combofix should be renamed before you actually download it, exactly as how it is explained in the screenshot.

So please delete all Combofix references you already have now and RETRY again, so this means, redownload again and rename before the actual download/save.

Also, I don't really understand about the safe mode part, because you tell you don't have a password for that. Please log in on your account in Windows safe mode then. :D

Link to post
Share on other sites

  • Staff

Just delete the Combofixes from your desktop, that's all you have to do.

Also, the password I use to log in normal startup will no longer work in safe mode. I only have one password and it will not work in safe mode.
That doesn't make any sense though. Can you remove the password temporary? So no password is required in normal mode either?
Link to post
Share on other sites

Uninstalled all previous versions of Combofix.

I reinstalled and saved as iexplore.

I reran combo fix.

I reached the point where it said scanning files...should not take more than 10 min... and it flashed to an all blue screen that said

"A problem has been detected and windows has been shut down to prevent damage to your computer! An attempt was made to write to read only memory. ...Tech info. ****Stop: oxoooBE .... A serious error has occured.

When I restarted an error report was sent to Microsoft and a Microsoft page opened with instructions to delete any recenlty added hardware.

I also tried to log on in safemode. It will not allow me to log on in safe mode.

What should I try next?

Link to post
Share on other sites

  • Staff

So, Combofix actually runs after all?

Not sure about the safe mode. Please explain the safe mode issue, because it doesn't make sense. Why can't you log on in Windows safe mode? What error do you get?

I assume you already disabled your Antivirus and other scanners? because they interfere with Combofix in normal mode.

Did Combofix install the Recovery Console?

Also, do next..

We Need to remove Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Link to post
Share on other sites

I trouble running RootRepeal. The scan is attached.

Thanks

So, Combofix actually runs after all?

Not sure about the safe mode. Please explain the safe mode issue, because it doesn't make sense. Why can't you log on in Windows safe mode? What error do you get?

I assume you already disabled your Antivirus and other scanners? because they interfere with Combofix in normal mode.

Did Combofix install the Recovery Console?

Also, do next..

We Need to remove Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

RootsRepeal_Scan1.txt

Link to post
Share on other sites

  • Staff

Hi,

This log is incomplete.

Please reread my instructions, because it looks like you only selected the drivers part and that part doesn't even look complete yet.

Can you also please disable your Norton while running scans?

The scan may take a while, so please wait until the scan has finished.

I trouble running RootRepeal.
Please explain.

Please also answer the other questions about the safe mode etc, because it's difficult to help if I have only a littlebit of info.

Also, Did Combofix install the Recovery Console as I asked previously?

You can still try to run Combofix, because I know it will run, but please disable all other programs in the background. But before you run the scan, please reboot, this to make sure no other references of previous scans are still running.

Then don't open any other program except for Combofix and please make sure your Norton is disabled. If you're unsure how to properly disable it, then please temporary uninstall Norton and reboot. This to really make sure you're doing this properly.

Link to post
Share on other sites

I attempt to answer your questions in turn:

1. Safe mode--each time I try to log in in safe mode when I get the user name and password screen...each time i enter my password the it says password incorrect try again. The ony password I have is the same one I use to log in under normal cicumstances. Thus I share your frustration regarding not being able to log on in safe mode.

2. Rootrepeal--- when i follow your instruction it freezes up my commputer...it never moves beyond the...initializing please wait phase...how long does it take 30min or several hours??

3. I will try to run rootrepeal again.

Thanks for your help and patiance!

Hi,

This log is incomplete.

Please reread my instructions, because it looks like you only selected the drivers part and that part doesn't even look complete yet.

Can you also please disable your Norton while running scans?

The scan may take a while, so please wait until the scan has finished.

Please explain.

Please also answer the other questions about the safe mode etc, because it's difficult to help if I have only a littlebit of info.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.