Cliccker.cn redirect



Hi

I recently got overwhelmed with a bunch of adware popups and fake anti-virus installs. Apparently a friend borrowed my laptop and tried to help improve my security... I installed malware and scanned my PC, and it found 3 infected files after I had uninstalled the bogus anti-virus software. Malaware would crash during a regular scan, so I used it in Safe Mode and cleaned any infections it found.

Now my explorer has become useless. It was redirecting every search I did in Google earlier to cliccker.cn all day, and by the end of the day explorer crashes within 2-3 clicks on a webpage. I had to install Chrome. I did a HijackThis log. Could you please look at it and advise?

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:20 AM, on 8/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Salling Software AB\Salling Media Sync\Salling Media Sync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\WerCon.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\WindowsMobile\WmdHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\TOSHIBA\Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [salling Media Sync] "C:\Program Files\Salling Software AB\Salling Media Sync\Salling Media Sync.exe" -atboottime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Users\TOSHIBA\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11045 bytes

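The log above is what the reply below asks to have reviewed. As an added example, not part of this thread and not a feature of HijackThis or ComboFix, here is a small Python triage script that parses HijackThis-style entry lines and flags the items a reviewer usually checks first: BHOs whose DLL is gone ("(no file)"), services whose binary is missing or whose owner is unknown, Run-key values given as a bare filename rather than a full path, and AppInit_DLLs entries (which are loaded into every process that loads user32.dll). The sample lines are copied from the posted log and re-joined onto single lines; the flag names and the heuristics themselves are my own assumptions, and a flag means "look at this", not "malicious" (every flagged line in this log is a benign leftover or a vendor component).

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# re-joined onto single lines (the forum had wrapped them).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0/R1/O2/O4/...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 bodies look like:  HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<value>.*)$")


def parse_hjt(text):
    """Return (kind, body) tuples for every entry line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Apply assumed review heuristics (not HijackThis' own) and return (flag, body) pairs."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O2" and body.endswith("(no file)"):
            # CLSID still registered as a BHO but its DLL is gone: usually a
            # leftover of an uninstall or a removal, harmless but worth cleaning.
            findings.append(("orphaned-bho", body))
        elif kind == "O4":
            m = RUN_RE.search(body)
            value = m.group("value").strip('"') if m else body
            if "\\" not in value:
                # Bare filename: Windows resolves it through the search path,
                # so confirm which file actually runs before trusting it.
                findings.append(("run-key-no-path", body))
        elif kind == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(("appinit-dll", body))
        elif kind == "O23":
            if body.endswith("(file missing)"):
                findings.append(("orphaned-service", body))
            elif "- Unknown owner -" in body:
                findings.append(("unknown-owner-service", body))
    return findings


def summarize(findings):
    """Count findings per flag, for a quick overview of a long log."""
    counts = {}
    for flag, _ in findings:
        counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for flag, body in results:
        print(f"{flag:22} {body}")
    print(summarize(results))
```

Pointing the script at a full log (the whole text, not just the sample) gives a short list to check by hand, which is roughly what the helpers on these forums do before deciding whether a ComboFix run is needed.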

  • Staff

Hi,

The current formatting of your log makes it difficult to read, so in Notepad:

On top, click Format > uncheck Word Wrap

Then, please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename ComboFix to Combo-Fix.
  3. It is important you rename ComboFix during the download, but not after.
  4. Please do not rename ComboFix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

If you still cannot get this to run, try booting into Safe Mode and run it there.

To boot into Safe Mode, tap F8 after BIOS, just before the Windows logo appears. A list of options will appear; select "Safe Mode."

If this doesn't work either, try the same method as above, but name Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

This topic is now closed to further replies.