Author Topic: Hi =] Trojan gen =/  (Read 28689 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #30 on: August 24, 2008, 12:56:28 AM »
Hi jc81,

You do not need terminator.exe if you do not use TERMINATOR, see: http://www.clickomania.ch/progs/Terminator.htm

In case you do not need Terminator, delete it with DrWeb; if you use Terminator to shut down Windows, upload terminator.exe to VirusTotal to see if it is really malicious: http://www.virustotal.com/

Yep, and then post a new HJT log .txt file,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #31 on: August 24, 2008, 03:18:55 PM »
New HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:27 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\launch.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\_start.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\setup.exe
C:\Program Files\AIM6\aim6.exe
C:\hijackthis\JCHiJackThis.exe
C:\WINDOWS\system32\Ko3C11T6.exe


jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #32 on: August 24, 2008, 03:19:16 PM »

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://wheresheliesbrokeninside.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.76.downloads.estara.com./as/OneCCDM.php?template=35769&sessionid=429251185_69.25.47.76_50991&=&req=1149726245140OneCC.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://candymountain.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10578 bytes

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #33 on: August 24, 2008, 07:56:44 PM »
Hi jc81,

You can fix this with hjt:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Upload this file to virustotal and give the results:
Ko3C11T6.exe
The path is: C:\WINDOWS\system32\Ko3C11T6.exe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
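The two things polonus picks out of the log by hand above (a BHO registered with "(no file)" behind it, and an executable running from system32 that no start-up entry or service explains) can be written as review rules and run over the log from Replies #31 and #32. The code below is an added example written for this page, not a HijackThis feature and not something from the thread: the log excerpt is constructed from the lines jc81 posted, the Windows XP core-process allow list is an assumption, and the rules only raise items for a human to review; none of them decides that a file is malicious.

```python
"""Rule-based review of a HijackThis log (added example; not a HijackThis feature)."""
import re

# Constructed excerpt of the log posted above, trimmed to the lines the rules need.
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\launch.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\_start.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\setup.exe
C:\hijackthis\JCHiJackThis.exe
C:\WINDOWS\system32\Ko3C11T6.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

# Assumed allow list: Windows XP core processes that live in system32 without a start-up entry.
XP_CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
           "spoolsv.exe", "wscntfy.exe", "wuauclt.exe"}

EXE_NAME = re.compile(r"[\w~.-]+\.exe", re.IGNORECASE)
O_LINE = re.compile(r"[RO]\d+ - ")


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (up to the first blank or O-line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if not line.strip() or O_LINE.match(line):
                break
            procs.append(line.strip())
    return procs


def referenced_executables(log_text):
    """Lower-cased .exe basenames named by any O-line (Run keys, services, buttons, ...)."""
    names = set()
    for line in log_text.splitlines():
        if O_LINE.match(line):
            names.update(m.lower() for m in EXE_NAME.findall(line))
    return names


def triage(log_text):
    """Return (rule, item) pairs for a human to review; nothing here proves maliciousness."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O2 - BHO:") and "(no file)" in line:
            findings.append(("orphaned-bho", line))  # CLSID registered, DLL gone: fixable in HJT
    referenced = referenced_executables(log_text)
    for path in running_processes(log_text):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\temp\\" in low or "\\desktop\\" in low:
            # SFX stubs and droppers run from here, but so does a freshly downloaded installer
            findings.append(("user-writable-location", path))
        elif "\\system32\\" in low and name not in XP_CORE and name not in referenced:
            # a system32 executable that no visible Run key or service accounts for
            findings.append(("unreferenced-system32", path))
    return findings


if __name__ == "__main__":
    for rule, item in triage(HJT_LOG):
        print(f"{rule:24} {item}")
```

On the excerpt the rules return one orphaned BHO (the {7E853D72-...} entry polonus says to fix), three processes running from Temp or the Desktop (launch.exe and the RarSFX1 pair, which is consistent with a self-extracting installer having just been run), and one unreferenced system32 executable, Ko3C11T6.exe. The third rule is the interesting one: pctspk.exe also lives in system32 and is not a core process, but the O23 service line accounts for it, so it is not raised.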

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #34 on: August 24, 2008, 09:18:21 PM »
File ko3C11T6.exe received on 08.24.2008 21:09:08 (CET)
Current status: Finished
Result: 15/35 (42.86%)

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.21.0   2008.08.22   -
AntiVir   7.8.1.23   2008.08.24   TR/Crypt.ULPM.Gen
Authentium   5.1.0.4   2008.08.24   -
Avast   4.8.1195.0   2008.08.23   -
AVG   8.0.0.161   2008.08.24   Clicker.PLM
BitDefender   7.2   2008.08.24   Trojan.Adclicker.HB
CAT-QuickHeal   9.50   2008.08.22   -
ClamAV   0.93.1   2008.08.24   -
DrWeb   4.44.0.09170   2008.08.24   -
eSafe   7.0.17.0   2008.08.24   Suspicious File
eTrust-Vet   31.6.6044   2008.08.23   -
Ewido   4.0   2008.08.24   -
F-Prot   4.4.4.56   2008.08.24   -
Fortinet   3.14.0.0   2008.08.24   PossibleThreat
GData   2.0.7306.1023   2008.08.20   -
Ikarus   T3.1.1.34.0   2008.08.24   Trojan.Adclicker.HB
K7AntiVirus   7.10.427   2008.08.23   -
Kaspersky   7.0.0.125   2008.08.24   -
McAfee   5368   2008.08.22   New Malware.bl
Microsoft   1.3807   2008.08.24   -
NOD32v2   3382   2008.08.23   a variant of Win32/TrojanClicker.Agent.NEB
Norman   5.80.02   2008.08.22   -
Panda   9.0.0.4   2008.08.24   Suspicious file
PCTools   4.4.2.0   2008.08.24   -
Prevx1   V2   2008.08.24   Malicious Software
Rising   20.58.62.00   2008.08.24   Trojan.Win32.Undef.jrw
Sophos   4.32.0   2008.08.24   Mal/HckPk-A
Sunbelt   3.1.1575.1   2008.08.23   -
Symantec   10   2008.08.24   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.23   PAK_Generic.001
VBA32   3.12.8.4   2008.08.23   suspected of Win32.Trojan-Downloader
ViRobot   2008.8.22.1346   2008.08.22   -
VirusBuster   4.5.11.0   2008.08.24   -
Webwasher-Gateway   6.6.2   2008.08.24   Trojan.Crypt.ULPM.Gen
Additional information
File size: 82434 bytes
MD5...: 35c4d9423dbd514ac62b31c7e70e0c3f
SHA1..: f5163a43b85467dd9f5aaf6b660083091e24d7d6
SHA256: 8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede
SHA512: 52997c0bcde0bcb5da7143dd6a3bc48a95461236ed2da05f410ebf64ab1731ee46897a6ec4006608ac05e4f1d362bd338c45526f6345010aa60969e9616da786
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4217a9
timedatestamp.....: 0x48b093a3 (Sat Aug 23 22:48:03 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xe000 0x14000 0x13a00 7.99 ba37e5d176644c11bbac4f4e98157565
.rsrc 0x22000 0x1000 0x400 2.87 559bb30f4f6b1185c0379c266f036837

( 9 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> NETAPI32.dll: NetScheduleJobAdd
> ole32.dll: OleRun
> OLEAUT32.dll: -
> SHELL32.dll: StrChrA
> SHLWAPI.dll: StrDupA
> USER32.dll: wsprintfA
> WININET.dll: InternetOpenA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F564CFBB020E1463423A019D5FED4900B46269C6
« Last Edit: August 24, 2008, 09:23:16 PM by jc81 »
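Reading a report like the one above comes down to three questions: how many engines flag the file, how many of those verdicts are a named family rather than a generic or heuristic one, and whether the hashes match the file you actually have. The script below is an added example written for this page (it is not a VirusTotal tool and not from the thread): the detection table is constructed from the 35 rows jc81 pasted, the hash values are copied from the report, and the set of "heuristic" tokens is an assumption about common verdict naming. Note that the UPX0 section's MD5 in the report, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of empty input, which agrees with that section's raw size of 0x0.

```python
"""Triage helpers for a VirusTotal text report (added example, not from the thread)."""
import hashlib
import re

# Detection table constructed from the report above: engine, version, last update, result.
VT_TABLE = """\
AhnLab-V3   2008.8.21.0   2008.08.22   -
AntiVir   7.8.1.23   2008.08.24   TR/Crypt.ULPM.Gen
Authentium   5.1.0.4   2008.08.24   -
Avast   4.8.1195.0   2008.08.23   -
AVG   8.0.0.161   2008.08.24   Clicker.PLM
BitDefender   7.2   2008.08.24   Trojan.Adclicker.HB
CAT-QuickHeal   9.50   2008.08.22   -
ClamAV   0.93.1   2008.08.24   -
DrWeb   4.44.0.09170   2008.08.24   -
eSafe   7.0.17.0   2008.08.24   Suspicious File
eTrust-Vet   31.6.6044   2008.08.23   -
Ewido   4.0   2008.08.24   -
F-Prot   4.4.4.56   2008.08.24   -
Fortinet   3.14.0.0   2008.08.24   PossibleThreat
GData   2.0.7306.1023   2008.08.20   -
Ikarus   T3.1.1.34.0   2008.08.24   Trojan.Adclicker.HB
K7AntiVirus   7.10.427   2008.08.23   -
Kaspersky   7.0.0.125   2008.08.24   -
McAfee   5368   2008.08.22   New Malware.bl
Microsoft   1.3807   2008.08.24   -
NOD32v2   3382   2008.08.23   a variant of Win32/TrojanClicker.Agent.NEB
Norman   5.80.02   2008.08.22   -
Panda   9.0.0.4   2008.08.24   Suspicious file
PCTools   4.4.2.0   2008.08.24   -
Prevx1   V2   2008.08.24   Malicious Software
Rising   20.58.62.00   2008.08.24   Trojan.Win32.Undef.jrw
Sophos   4.32.0   2008.08.24   Mal/HckPk-A
Sunbelt   3.1.1575.1   2008.08.23   -
Symantec   10   2008.08.24   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.23   PAK_Generic.001
VBA32   3.12.8.4   2008.08.23   suspected of Win32.Trojan-Downloader
ViRobot   2008.8.22.1346   2008.08.22   -
VirusBuster   4.5.11.0   2008.08.24   -
Webwasher-Gateway   6.6.2   2008.08.24   Trojan.Crypt.ULPM.Gen
"""

# Hashes as printed in the report above (page values, not computed here).
REPORT_HASHES = {
    "md5": "35c4d9423dbd514ac62b31c7e70e0c3f",
    "sha1": "f5163a43b85467dd9f5aaf6b660083091e24d7d6",
    "sha256": "8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede",
}

# Assumed tokens that mark a generic/heuristic verdict rather than a named family.
HEURISTIC_TOKENS = {"gen", "generic", "suspicious", "suspected", "possible",
                    "possiblethreat", "malicious", "new", "heur"}


def parse_vt_table(text):
    """Split each row on runs of 2+ spaces; single spaces inside a verdict are kept."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 4:
            continue
        engine, version, updated, result = parts
        rows.append({"engine": engine, "version": version, "updated": updated, "result": result})
    return rows


def classify(result):
    """'clean' for '-', 'heuristic' for generic verdicts, otherwise 'named'."""
    if result == "-":
        return "clean"
    # Tokenise on non-alphanumerics so 'Gen' matches but 'Agent' does not.
    tokens = set(re.split(r"[^a-z0-9]+", result.lower()))
    return "heuristic" if tokens & HEURISTIC_TOKENS else "named"


def detection_ratio(rows):
    hits = sum(1 for r in rows if r["result"] != "-")
    return hits, len(rows)


def verdict_summary(rows):
    summary = {"clean": 0, "heuristic": 0, "named": 0}
    for r in rows:
        summary[classify(r["result"])] += 1
    return summary


def family_votes(rows, keyword):
    """Count named verdicts whose family string contains keyword (case-insensitive)."""
    return sum(1 for r in rows
               if classify(r["result"]) == "named" and keyword in r["result"].lower())


def hashes_of_bytes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(hashes, report=REPORT_HASHES):
    """True only when every hash in the report agrees; one mismatch means a different file."""
    return all(hashes[k] == v for k, v in report.items())


if __name__ == "__main__":
    rows = parse_vt_table(VT_TABLE)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines ({100 * hits / total:.2f}%)", verdict_summary(rows))
    print("verdicts naming a clicker family:", family_votes(rows, "click"))
```

Run on the pasted table this reproduces the report's 15/35 (42.86%), but splits the 15 into 6 named verdicts and 9 heuristic ones, and 4 of the 6 named verdicts agree on a clicker family, which is the basis for the "This is Adware" call later in the thread. To check a local copy against the report, read the file's bytes, pass them to hashes_of_bytes and compare with matches_report; a mismatch means you are looking at a different file than the one analysed.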

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89110
  • No support PMs thanks
Re: Hi =] Trojan gen =/
« Reply #35 on: August 24, 2008, 09:38:12 PM »
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there), where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Fix the entry for it in HJT and if you added a copy to the avast chest delete the original file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #36 on: August 24, 2008, 09:42:13 PM »
This is Adware
It looks as if NOD-32
http://www.eset.com/onlinescan/
and Bit-Defender
"on line" scans
would get it-- and not a bad idea in any case IMHO
(I think these have to be run from IE if ActiveX is required, although there may be Java versions)

I always recommend an online AV scan when finishing cleaning up malware
usually Kaspersky but here we are led in other directions
choice is good


also
virus encyclopedia says
Ad-Aware von Lavasoft
Spybot Search & Destroy von Spybot.info
work
have you tried Spybot 1.6?
I like Immunize
you can install SD-Helper but DO NOT INSTALL T-Timer at this time
update and run a scan

as with any tool watch for false positives

polonus may have other ways
DavidR says to fix with HJT-
Good Advice
that would get the active part but may leave fragments/ files / the installer
so best to keep checking- this has been around long enough that complete solutions should be available
If you do any of the above post a fresh HJT when you are done

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #37 on: August 24, 2008, 10:15:01 PM »
Hi jc81,

First and foremost undo system restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Adclicker removal instructions

You have to be the Administrator (full privileges). The way it works, it loads into RAM and then uses your O/S as its slave to replicate and try to do its damage. One of the first things we do is temporarily kill its slave off.
-------------

1) Quit all open apps. Kill off everything except avast, your firewall, and anti-spyware programs, drivers.
2) Open the Task Manager (CTRL-ALT-DEL)
3) Find "Explorer.exe" and RIGHT-CLICK on it. Choose "end-process tree" to kill Explorer entirely.
4) Start DrWebCureIT from a mem stick. Scan your entire disk to get rid of all those infecting DLLs (You can have over 15,000).
5) Now that the slave is killed, let's go identify the "master" still in RAM. Under the Task Manager, launch "sysinfo32".
6) Go to "Software Environment->Loaded Modules". Choose Advanced View. Once it's preflighted everything and displayed a list, sort it by date, so you can see what was most recently installed. Look at the Manufacturer column and look for "Melkosoft". You might see more than one evil entry.
7) Under SysInfo32, go to "Software Environment->Startup Programs". THIS is the one that causes it to launch when Explorer.exe runs. It could look like:

"c:\winnt\system32\????????????.exe"

Under the Task Manager, now that you know its name, go to File->Start Task and launch regedit. Search for the name. Mine was found in the registry here:

Computer->HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run->Control handler
Delete registry values:

Browse to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the values 'SVCHOST', 'TcpDetect' and 'win32app'

8) DELETE the specific entry for "???????????.exe" (whatever yours was named).
9) Back in the Task Manager, go to File->Start Task, and launch Explorer.exe to bring your O/S back up. avast should not holler because when Explorer.exe starts, it no longer launches the virus.
10) Go into where the replicating DLLs are:

c:\winnt\system32\

and add ".vir" to the end of the DLLs that anti-virus couldn't clean out because they were "in use" and couldn't be deleted (you identified these in Step #6).
11) Reboot
12) Go back into

c:\winnt\system32\

and delete all files you added the ".vir" suffix to.

13) Lastly, run your anti-spyware program and have it search your entire disk. This will remove malicious cookies that this thing also seems to plant.
14) Reboot.

polonus
« Last Edit: August 24, 2008, 11:40:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #38 on: August 24, 2008, 10:21:05 PM »
polonus may have other ways :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #39 on: August 24, 2008, 10:31:22 PM »
Hi jc81 and wyrmrider,

It might also be necessary to run an additional tool.
Please download SmitfraudFix (by S!Ri) from here:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Extract the content (a folder named SmitfraudFix) to your Desktop.
Start up your PC in SafeMode. Read how:  http://www.pchell.com/support/safemode.shtml

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #40 on: August 24, 2008, 11:06:18 PM »
Polonus sent me the following as a PM- it should be heeded by any following this thread

Hi wyrmrider,

HJT and/or AV programs cannot cure adclicker malware, because it is being put back (system32 is nicely restored by Windows System Restore), so disable System Restore, and then you have to kill it off first inside the registry, else the registry is putting it back. If the process is gone, it is no longer active, and then you have to cleanse all of the spawning DLLs it created.
It is morbidly nasty, persistent stuff,

pol
END PM


JC81

I meant to ask but did ANY of your previous scans/ logs show anything we have not looked at?
even if you think they are gone?
logs are indications of Symptoms- then we have to track down the real infections
Just removing the symptoms can leave the disease in a "drug resistant state" to steal a phrase

pol

JC
be sure and post the whole log

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #41 on: August 24, 2008, 11:18:13 PM »
Hi wyrmrider,

But let us not panic, because this malware will leave jc81's PC, small sweat.
And remember there are more ways to kill this beast. First we try to do it most elegantly, and if the silk gloves cannot strangle it, we take a boxing glove to knock it out.
All is well that ends well.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #42 on: August 27, 2008, 02:12:54 PM »
Wow. Overwhelming. I probably won't get to this until the weekend. But thank you.

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #43 on: August 27, 2008, 02:14:21 PM »
Polonus sent me the following as a PM- it should be heeded by any following this thread

Hi wyrmrider,

HJT and/or AV programs cannot cure adclicker malware, because it is being put back (system32 is nicely restored by Windows System Restore), so disable System Restore, and then you have to kill it off first inside the registry, else the registry is putting it back. If the process is gone, it is no longer active, and then you have to cleanse all of the spawning DLLs it created.
It is morbidly nasty, persistent stuff,

pol
END PM


JC81

I meant to ask but did ANY of your previous scans/ logs show anything we have not looked at?
even if you think they are gone?
logs are indications of Symptoms- then we have to track down the real infections
Just removing the symptoms can leave the disease in a "drug resistant state" to steal a phrase

pol

JC
be sure and post the whole log

I did post the whole log.
I posted the log of every scan I did.
I am so confused right now...

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #44 on: August 28, 2008, 03:04:31 AM »
I think I was thinking of the Dr Web log, if any- did that problem get fixed?
Polonus also had a post ?30?
terminator upload to VirusTotal- I missed the resolution on that one
I think you are doing great BTW
cheers