Trojan Clicker.AEIO

[richardd]

About 2 days ago AVG started to pop-up (about every 5 minutes) a message threat detected:

filename C:\\Windows\temp\ouvv.temp\svchost.exe
Trojan Horse Clicker.AEIO
Procesname: C:\Windows\System32\svchost.exe
Proces-ID: 664

The proces-ID always refers to the processes:
Power
PlugPlay
DCOMLaunch

I looked up the corresponding dll's from these processes but their creationdate hasn't changed. I also put them through an online scanner (http://virusscan.jotti.org/nl) and they were all clean.

A complete scan with AVG doesn't detect anything.

I have attached the logfiles. Except for RootRepeal which gave the following error:
FOPS - DeviceIOControl Error! Error Code = 0xc0000024
Extended info (0x000000e8)

I would really appreciate if someone could look into them.

[chaslang]

Welcome to Major Geeks!


You must put ComboFix on your Desktop as the instructions requested. You have it in the below folder.
c:\users\Richard\Downloads\ComboFix.exe

Uninstall the below software:
Ask Toolbar

Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

Folder::
C:\Windows\temp\ccfy.tmp
C:\Windows\temp\eofb.tmp
C:\Windows\temp\obsr.tmp
C:\Windows\temp\rtix.tmp
C:\Windows\temp\tohq.tmp
C:\Windows\temp\vrvi.tmp
c:\program files\Ask.com


File::
C:\USERS\RICHARD\LOCALS~1\TEMP\89965.OD
C:\USERS\RICHARD\LOCALS~1\TEMP\ADOBEARM.LOG
C:\USERS\RICHARD\LOCALS~1\TEMP\CVR5F6~1.CVR
C:\USERS\RICHARD\LOCALS~1\TEMP\~2A9CC.TMP
C:\USERS\RICHARD\LOCALS~1\TEMP\~ROMFN~1
C:\$RECYCLE.BIN\S-1-5-21-1081231135-4166540561-2544132051-1001\$RKEXT5Z.TMP\SVCHOST.EXE

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[richardd]

Thanks Chaslang for looking into this!

As an additional problem the power switch from my external harddisk is broken so at this moment I don't have a complete backup of my data. I'll probably have the harddisk back from repair within 2 or 3 days so I want to wait before I go further with the cleaningproces.

Furthermore things have gone worse since I made the log-files. I now have an additional pop-up from AVG. Sometimes it says Clicker.AEIO is the treath and other times Generic 16.ADCC is the treath. They both refer to the same proces-ID.

I also get bleu-screen errors now and a slow machine. I don't know wether this comes from the trojan doing more harm, or because of the wrong use of ComboFix. ( I also run Windows 7 and I'm not sure ComboFix can work with that)
ComboFix came up with a warning that SuperAntiSpyware was still resident so I killed it's process. Then ComboFix went on saying that there still was something active so I tried to abort ComboFix. This didn´t work and ComboFix went on and deleted c:\windows\system32\twain_32.dll

So first I want to wait until I have my harddisk back and leave the infected PC off.

Chaslang, can you advice me what to do next? Must I (after the backup) go on with your cleaning process or is there a possible way to undo the harm ComboFix maybe has done? (I can't do a systemrestore because that was turned off making the log-files)

And thanks again for your time and effort.

[chaslang]

Quote:

Originally Posted by richardd

( I also run Windows 7 and I'm not sure ComboFix can work with that)

Yes it does. You already ran it and attached a log in your first message.

Quote:

Originally Posted by richardd

Chaslang, can you advice me what to do next? Must I (after the backup) go on with your cleaning process

Yes if you wish to remove the malware.

Quote:

Originally Posted by richardd

or is there a possible way to undo the harm ComboFix maybe has done?

What harm?

Quote:

Originally Posted by richardd

(I can't do a systemrestore because that was turned off making the log-files)

System Restore was not turned off by making log files.

[richardd]

The bluescreen errors stopped by itself (maybe after permitting Windows to look for a solution after the restarts) and also the AVG pop-up stopped by itself. I had a few times a window pop-up that svchost.exe wasn't able to communicate but that also stopped by itself.
The thing that went on was that there kept C:\Windows\temp\ccfy.tmp folders appearing.
But that seems to have stopped now after your steps.
Looks very good!

[richardd]

After about a day of using my PC again I still don't have any problems or weird folders appearing. I want to thank you very much!!

[chaslang]

You're welcome. Your logs are clean. Now you need to get this PC properly protected since it has none. The below will cover this.



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

[richardd]

Thank you for the final touch

[chaslang]

You're welcome. Surf safely!