MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 01-16-10, 14:24
richardd richardd is offline
Private E-2
 
Join Date: Jan 2010
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Default Trojan Clicker.AEIO

About 2 days ago AVG started to pop-up (about every 5 minutes) a message threat detected:

filename C:\\Windows\temp\ouvv.temp\svchost.exe
Trojan Horse Clicker.AEIO
Procesname: C:\Windows\System32\svchost.exe
Proces-ID: 664

The proces-ID always refers to the processes:
Power
PlugPlay
DCOMLaunch

I looked up the corresponding dll's from these processes but their creationdate hasn't changed. I also put them through an online scanner (http://virusscan.jotti.org/nl) and they were all clean.

A complete scan with AVG doesn't detect anything.

I have attached the logfiles. Except for RootRepeal which gave the following error:
FOPS - DeviceIOControl Error! Error Code = 0xc0000024
Extended info (0x000000e8)

I would really appreciate if someone could look into them.
Attached Files
File Type: txt ComboFix 16012010.txt (20.1 KB, 7 views)
File Type: txt mbam-log-2010-01-16 (20-02-06).txt (967 Bytes, 2 views)
File Type: zip MGlogs.zip (182.5 KB, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 01-16-2010 - 19-28-39.log (593 Bytes, 2 views)
Reply With Quote
Sponsored links
  #2  
Old 01-17-10, 20:31
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,172
Thanks: 61
Thanked 7,585 Times in 4,082 Posts
Default Re: Trojan Clicker.AEIO

Welcome to Major Geeks!


You must put ComboFix on your Desktop as the instructions requested. You have it in the below folder.
c:\users\Richard\Downloads\ComboFix.exe

Uninstall the below software:
Ask Toolbar

Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
  • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
  • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
"%userprofile%\Desktop\TDSSKiller.exe" -v
  • Follow the instructions to type in "delete" when it asks you what to do when if finds something.
  • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
KILLALL::

Folder::
C:\Windows\temp\ccfy.tmp
C:\Windows\temp\eofb.tmp
C:\Windows\temp\obsr.tmp
C:\Windows\temp\rtix.tmp
C:\Windows\temp\tohq.tmp
C:\Windows\temp\vrvi.tmp
c:\program files\Ask.com


File::
C:\USERS\RICHARD\LOCALS~1\TEMP\89965.OD
C:\USERS\RICHARD\LOCALS~1\TEMP\ADOBEARM.LOG
C:\USERS\RICHARD\LOCALS~1\TEMP\CVR5F6~1.CVR
C:\USERS\RICHARD\LOCALS~1\TEMP\~2A9CC.TMP
C:\USERS\RICHARD\LOCALS~1\TEMP\~ROMFN~1
C:\$RECYCLE.BIN\S-1-5-21-1081231135-4166540561-2544132051-1001\$RKEXT5Z.TMP\SVCHOST.EXE

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
richardd (01-21-10)
  #3  
Old 01-18-10, 04:45
richardd richardd is offline
Private E-2
 
Join Date: Jan 2010
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Trojan Clicker.AEIO

Thanks Chaslang for looking into this!

As an additional problem the power switch from my external harddisk is broken so at this moment I don't have a complete backup of my data. I'll probably have the harddisk back from repair within 2 or 3 days so I want to wait before I go further with the cleaningproces.

Furthermore things have gone worse since I made the log-files. I now have an additional pop-up from AVG. Sometimes it says Clicker.AEIO is the treath and other times Generic 16.ADCC is the treath. They both refer to the same proces-ID.

I also get bleu-screen errors now and a slow machine. I don't know wether this comes from the trojan doing more harm, or because of the wrong use of ComboFix. ( I also run Windows 7 and I'm not sure ComboFix can work with that)
ComboFix came up with a warning that SuperAntiSpyware was still resident so I killed it's process. Then ComboFix went on saying that there still was something active so I tried to abort ComboFix. This didnīt work and ComboFix went on and deleted c:\windows\system32\twain_32.dll

So first I want to wait until I have my harddisk back and leave the infected PC off.

Chaslang, can you advice me what to do next? Must I (after the backup) go on with your cleaning process or is there a possible way to undo the harm ComboFix maybe has done? (I can't do a systemrestore because that was turned off making the log-files)

And thanks again for your time and effort.
Reply With Quote
  #4  
Old 01-20-10, 04:26
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,172
Thanks: 61
Thanked 7,585 Times in 4,082 Posts
Default Re: Trojan Clicker.AEIO

Quote:
Originally Posted by richardd View Post
( I also run Windows 7 and I'm not sure ComboFix can work with that)
Yes it does. You already ran it and attached a log in your first message.

Quote:
Originally Posted by richardd View Post
Chaslang, can you advice me what to do next? Must I (after the backup) go on with your cleaning process
Yes if you wish to remove the malware.

Quote:
Originally Posted by richardd View Post
or is there a possible way to undo the harm ComboFix maybe has done?
What harm?

Quote:
Originally Posted by richardd View Post
(I can't do a systemrestore because that was turned off making the log-files)
System Restore was not turned off by making log files.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
richardd (01-21-10)
  #5  
Old 01-20-10, 05:51
richardd richardd is offline
Private E-2
 
Join Date: Jan 2010
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Trojan Clicker.AEIO

The bluescreen errors stopped by itself (maybe after permitting Windows to look for a solution after the restarts) and also the AVG pop-up stopped by itself. I had a few times a window pop-up that svchost.exe wasn't able to communicate but that also stopped by itself.
The thing that went on was that there kept C:\Windows\temp\ccfy.tmp folders appearing.
But that seems to have stopped now after your steps.
Looks very good!
Attached Files
File Type: txt ComboFix 20012010.txt (18.3 KB, 3 views)
File Type: zip MGlogs.zip (185.7 KB, 1 views)
File Type: txt TDSSKiller.2.2.2_20.01.2010_11.41.10_log.txt (36.2 KB, 3 views)
Reply With Quote
Sponsored links
  #6  
Old 01-21-10, 04:11
richardd richardd is offline
Private E-2
 
Join Date: Jan 2010
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Trojan Clicker.AEIO

After about a day of using my PC again I still don't have any problems or weird folders appearing. I want to thank you very much!!
Reply With Quote
  #7  
Old 01-22-10, 21:16
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,172
Thanks: 61
Thanked 7,585 Times in 4,082 Posts
Default Re: Trojan Clicker.AEIO

You're welcome. Your logs are clean. Now you need to get this PC properly protected since it has none. The below will cover this.



If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  6. Go to add/remove programs and uninstall HijackThis.
  7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  9. After doing the above, you should work thru the below link:
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #8  
Old 01-24-10, 04:57
richardd richardd is offline
Private E-2
 
Join Date: Jan 2010
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Trojan Clicker.AEIO

Thank you for the final touch
Reply With Quote
  #9  
Old 01-25-10, 15:06
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,172
Thanks: 61
Thanked 7,585 Times in 4,082 Posts
Default Re: Trojan Clicker.AEIO

You're welcome. Surf safely!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
Reply

Tags
clicker.aeio, trojan

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Trojan-Clicker.WMA.Agent.d Jenny 2 Malware Removal 1 01-10-10 02:01
Trojan-Clicker.Win32.Delf.qg Costapaul Malware Removal 1 04-24-08 12:04
Clicker virus? Tom_NY Malware Removal 3 12-30-07 11:25
trojan add clicker cannot remove laserh20 Malware Removal 3 12-19-07 12:47
trojan clicker.c flessa Software 4 01-21-04 16:16


All times are GMT -5. The time now is 17:29.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger