TROJ_CLICKER.UP Google Searches Manipulated [RESOLVED]


#16
newvibe

I combed through my Outlook and deleted lots of emails.

Here are the results of the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 09, 2008 15:38:05
Records in database: 932467
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 89770
Threat name: 14
Infected objects: 31
Suspicious objects: 0
Duration of the scan: 01:29:34


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\msiexec[1].exe.bac_a02928 Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32.exe.bac_a02928 Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32.exe.bac_a02928 Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32.exe.bac_a03420 Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32.exe.bac_a03420 Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32[1].exe.bac_a02928 Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32[1].exe.bac_a02928 Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32[1].exe.bac_a03420 Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32[1].exe.bac_a03420 Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.55542 Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\_OTMoveIt\MovedFiles\07072008_084522\Documents and Settings\All Users\Application Data\yfsvcxul\MBQPEFSZ.0XE Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07072008_084522\WINDOWS\PORTSV.0XE Infected: Trojan.Win32.Agent.sdd 1
C:\_OTMoveIt\MovedFiles\07082008_081543\Program Files\rhcp2vj0e9bc\rhcp2vj0e9bc.exe Infected: not-a-virus:FraudTool.Win32.AntivirusXP2008.a 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\outlook express\Deleted Items.dbx Infected: Email-Worm.Win32.Zhelatin.a 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\outlook express\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Tibs.kj 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\outlook express\Deleted Items.dbx Infected: Email-Worm.Win32.Zhelatin.ab 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\StreamViewer\Setup-SopCast-2.0.4-2007-11-26.exe Infected: Trojan-Downloader.Win32.Agent.uwu 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\StreamViewer.zip Infected: Trojan-Downloader.Win32.Agent.uwu 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\444.470 Infected: Trojan.Win32.DNSChanger.eys 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\444.471 Infected: Trojan.Win32.DNSChanger.eys 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\system32\1030\ICMSETUP.0XE Infected: Trojan.Win32.DNSChanger.eyr 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\system32\olixds06\OLIXDS061083.0XE Infected: Trojan-Downloader.Win32.VB.eyc 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\system32\pphct2vj0e9bc.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1

The selected area was scanned.

I'll check out the GeekU link - thanks!
Chad
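
An added example, not part of the original thread: every row in the Kaspersky report above points into a folder where HouseCall, Malwarebytes or OTMoveIt had already parked the file, and this Python sketch parses rows in that format and separates such quarantined hits from any on a live path. The marker list, the function names and the final constructed row are assumptions made for illustration; the five sample rows are copied from the report.

```python
import re
from collections import Counter

# Folders where the tools used in this thread park neutralised files
# (assumption: derived from the paths in the report, compared in lower case).
QUARANTINE_MARKERS = (
    "\\.housecall6.6\\quarantine\\",
    "\\malwarebytes' anti-malware\\quarantine\\",
    "\\_otmoveit\\movedfiles\\",
)

# One result row: "<path> Infected: <threat name> <threats count>"
ROW = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Five rows copied from the report in the post above.
SAMPLE = r"""
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\msiexec[1].exe.bac_a02928 Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\syswcc32.exe.bac_a02928 Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.55542 Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\_OTMoveIt\MovedFiles\07082008_081543\WINDOWS\444.470 Infected: Trojan.Win32.DNSChanger.eys 1
C:\_OTMoveIt\MovedFiles\07082008_081543\temp\outlook express\Deleted Items.dbx Infected: Email-Worm.Win32.Zhelatin.a 1
"""

# Constructed row (not from the report) showing a detection on a live path.
CONSTRUCTED_LIVE_ROW = r"C:\WINDOWS\system32\constructed-example.dll Infected: Constructed.Example.Threat 1"


def parse_report(text):
    """Yield (path, threat, count) for each detection row; other lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m["path"], m["threat"], int(m["count"])


def triage(text):
    """Return (quarantined, live) Counters of threat name -> threats count."""
    quarantined, live = Counter(), Counter()
    for path, threat, count in parse_report(text):
        parked = any(marker in path.lower() for marker in QUARANTINE_MARKERS)
        (quarantined if parked else live)[threat] += count
    return quarantined, live


if __name__ == "__main__":
    for label, text in (("report sample", SAMPLE), ("constructed row", CONSTRUCTED_LIVE_ROW)):
        quarantined, live = triage(text)
        print(label, "| quarantined:", dict(quarantined), "| live:", dict(live))
```

A non-empty `live` counter is the part that needs attention; quarantined copies disappear when the removal tools are cleaned up.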

#17
RatHat

Hey Chad,

OK! Well done, your log is clean again! :)

The first thing we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Please double-click OTMoveIt2.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 7). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java™ 6 Update 7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat

#18
newvibe

RatHat

Thanks so much again for all of your help! I was really upset and frustrated about my computer being so messed up, and now I'm so happy to have it back!

Best regards,
Chad

#19
RatHat

You are more than welcome Chad :)

#20
RatHat

Chad,

After looking over your log again, there is one remaining folder that needs to be deleted.

Please navigate to: C:\Documents and Settings\Administrator\Application Data\shcr2vj0e9bc

And delete the folder shcr2vj0e9bc and all its contents. You will then be completely clean.

My apologies for missing this folder before.

Regards,
RatHat

#21
newvibe

LOL - I was about to reply. I ran Ad-Aware and it found a remnant of "Cool Web Search". When I removed it and opened IE, my home page had been changed to "http:///", which I had seen before. Anyway, I deleted those files like you said, ran Ad-Aware again and I am squeaky clean. IE is behaving too. Thanks for finding that!
Cheers and Beers,
Chad

#22
RatHat

Chad,

Let's make trebly sure: download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Regards,
RatHat

#23
newvibe

Hi RatHat,
It found some items and removed them no problem. I'm pasting the report below. This computer is on a home network, which I never mentioned but probably should have just in case.

Here are the results:

Malwarebytes' Anti-Malware 1.20
Database version: 937
Windows 5.1.2600 Service Pack 2

10:47:28 AM 7/10/2008
mbam-log-7-10-2008 (10-47-28).txt

Scan type: Quick Scan
Objects scanned: 62663
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\phct2vj0e9bc.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#24
RatHat

Great! Four orphaned registry keys and the background wallpaper that told you that you were infected! Keep MBAM, it is free and will update manually with the latest definitions. Run it once every couple of weeks just to check your system.

I would say that you are now in very good shape, and good to go. I will keep this log open for the next couple of days though, so if you have any problems at all, post a reply here.

All the best,
RatHat

#25
newvibe

Very cool! Thanks again!
Chad

#26
RatHat

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.