persistent Trojan.Adclicker

Discussion in 'Malware Help (A Specialist Will Reply)' started by essin, Jun 18, 2007.

  1. essin

    essin Private E-2

    Hi. I've had malware problems all weekend, most of which I think I've managed to clean out, thanks in large part to your Removal Guide. I've worked through all the steps, and everything seemed pretty clean. However, when I open IE, two of the earlier problems still crop up.

    1. The Windows Script Manager tries to find something called C:/ProgramFiles/func.js but claims it can't, returning an error code 80070002.

    2. Symantec claims it intercepts and deletes Trojan.Adclicker, in the file C:/ProgramFiles/func.exe.

    I presume this means that there's something buried deep (in IE) that reinstalls this stuff every time I open IE, but I'm far from an expert and don't really know where to go from here.

    I'm attaching the CounterSpy, BitDefender, and PandaActiveScan logs to this post and will attach the others to the next one.

    Thanks in advance for any help you can give.
     

    Attached Files:

    essin, Jun 18, 2007
    #1
  2. essin

    essin Private E-2

    Here are the GetRunKey, ShowNew, and HijackThis logs.

    Thanks again.
     

    Attached Files:

    essin, Jun 18, 2007
    #2
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First please uninstall the CounterSpy trial now before continuing. We are finished with it now and it could get in our way.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {F0A86A10-826C-4381-9227-DAE0CC32BC4C} - C:\Program Files\Common Files\menor58441.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    chaslang, Jun 18, 2007
    #3
  4. essin

    essin Private E-2

    Thanks for the fast turnaround and the clear directions; I don't understand how you can help so many people simultaneously, but it's much appreciated. I can't reproduce the error on starting IE anymore, and (for what it's worth) Symantec gives the system a clean bill of health.

    Incidentally, could whatever it was have caused me to GPF, or would I have to look elsewhere for that?

    You've been a big help. I'm attaching those log files.
     

    Attached Files:

    essin, Jun 18, 2007
    #4
  5. essin

    essin Private E-2

    Here's the HJT log. Thanks again.
     

    Attached Files:

    essin, Jun 18, 2007
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Potentially, yes! Are you still getting them?

    You need to locate a delete the below folder. Be careful since the below folder name shows a special character in it but this will not be what you see when using Windows Explorer to find the folder. It will look like AppPatch and you will see two of these folders. Refer to the date shown below for the folder so you know you are selecting the correct folder. There is a valid C:\Windows\AppPatch folder but it will have a different date.
    Code:
    "C:\WINDOWS\"
àPPPATCH      Jun 15 2007              "àppPatch"
    After deleting this folder attach a new log from ShowNew
     
    chaslang, Jun 19, 2007
    #6
  7. essin

    essin Private E-2

    Okay, I deleted the one with the date closest to the one you said. Explorer had that one as 6/16 and not in alphabetical order, which should be due to the invalid character. The other one had date 6/18. Here's hoping that was right.

    As for the GPFs, I had two a few days before I noticed any adware, which was my main tipoff, and two more while I was flailing about this weekend before I found your site. I assumed that they would be part of an independent problem, since they started earlier, but that could certainly be wrong. In any case, I haven't seen one for two days now.

    The newfiles log is attached. Thanks for your help.
     

    Attached Files:

    essin, Jun 19, 2007
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You go the correct folder!

    If you are not seeing anymore GPF's, it may well be that the malware was causing them.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    chaslang, Jun 19, 2007
    #8
  9. essin

    essin Private E-2

    Well, I can't generate any error messages or virus intercepts, so that's good. The time Windows takes to start up has been much longer the last couple of times (specifically the time between entering my password and anything actually happening visibly), but since that wasn't really a problem even during the worst of it I doubt it's related.

    If I see anything crop up in the next couple of days, should I start a new thread or continue this one?

    Thanks so much for all your help.
     
    essin, Jun 19, 2007
    #9
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Not malware. Could be Symantec.

    If it occurs this week, just post in this thread. After a week, if you have other (not the same malware problems. You would have to start over again in a new thread. A week on the internet is a long time in the malware world. ;)
     
    chaslang, Jun 19, 2007
    #10
  11. essin

    essin Private E-2

    Okay, when looking through your "Protect Yourself" guide I decided to have a look at my Firewall setup (Symantec). When I looked at the "Intrusion Prevention" log I got an error dialog with "Internet Explorer script error" in the title bar with the IE logo (IE was not open). The error was "invalid character", code 0, and the URL it was trying to open was about:blank. Since I'm now paranoid about invalid characters, and since I saw about:blank at the top of your list of tough things to kill, I just thought I'd ask if it's something to worry about.

    Thanks.
     
    essin, Jun 19, 2007
    #11
  12. essin

    essin Private E-2

    Never mind. I looked on Symantec's website and find that it's a known error that they've addressed in a newer release.

    Is there some way I can donate to you or your site in thanks for your service?

    Thanks again.
     
    essin, Jun 19, 2007
    #12
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can donate to me if you like (purely optional) via PayPal. You would have to PM me with an email address and I will send info but again this is purely optional.
     
    chaslang, Jun 19, 2007
    #13
  14. essin

    essin Private E-2

    Hi again. Did you get the private message I sent, or did I fail to set that up properly?
     
    essin, Jun 20, 2007
    #14
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I received it. Thanks!
     
    chaslang, Jun 20, 2007
    #15

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds