Question

Trojan.Adclicker and Drive problem

Asked by: ryancys

I found my PC was infected by some trojan/virus, so I decided to re-format the whole system.

But after I re-formatted and re-installed the whole thing, it seems that the problem still remains there?!! How come..??


By the way, my real problem is that when I launch the IE browser (now resolved) or the Drive (this still happens :( ), it prompts me that my system is infected by Trojan.Adclicker.

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan.Adclicker
File:  I:\diskcheck.exe
Location:  Quarantine
Computer:  SERVER
User:  <username>
Action taken:  Quarantine succeeded : Access denied
Date found: Saturday, October 07, 2006  5:13:07 PM


How can I resolve the problems above? Please lead me to sort this crap out! Thanks.

This Question has been solved and asker verified.

Asked On
2006-10-07 at 02:53:11 (ID 22016351)
Tags

trojan

Topic

Anti-Virus Applications

Participating Experts
2
Points
500
Comments
12



Answers

 

by: ryancys, posted on 2006-10-07 at 03:05:53 (ID: 17682034)

I think the extra menu is the cause of my problem?!
Ref:
http://www.myjavaserver.com/~ryancys/tmp/snap1.jpg
http://www.myjavaserver.com/~ryancys/tmp/snap1b.jpg

Is this some sort of hacking URL prompt? I tried to remove it from the Registry, but I'm not sure where the executable is.
Ref:
http://www.myjavaserver.com/~ryancys/tmp/snap2.jpg

 

by: legalsrl, posted on 2006-10-07 at 03:07:32 (ID: 17682043)

Hiya,

Go to http://www.hijackthis.de and install it, post the results to the analyzer and then post the link to the results here.

Also, try downloading Spy Sweeper from http://www.dee-it.com/downloads.asp and install it, update it and scan

It's free for 14 days and fully functioning, so let's see what nasties are lurking on your machine.

Let me know the link to the results

Cheers
Si

 

by: ryancys, posted on 2006-10-07 at 03:09:50 (ID: 17682056)

Hi,

Yes... I had tried HijackThis before, and it resolved my IE problem, so now I still have a problem when I double-click on my Drive. Please refer to the URLs I posted above.

In the meantime, I will try installing Spy Sweeper to see if it can resolve my problem or not.

Many thanks

 

by: legalsrl, posted on 2006-10-07 at 03:14:17 (ID: 17682080)

Hiya,

I need to see the running processes and your registry entries.

Can you post the HijackThis results and I can help further?

Spy Sweeper should get it; if it picks it up in a scan and removes it, run a scan again to make sure it's removed.

It might be worth scanning it in Safe Mode

I've got to pop out for a bit, but I'll check back in later

Cheers
Si

 

by: ryancys, posted on 2006-10-07 at 03:18:37 (ID: 17682091)

Hi,

Here's the result generated from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:38 PM, on 07/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
K:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
K:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\{105F14E6-0450-1033-1123-010818040001}\Update.exe
K:\LeapFTP\LeapFTP.exe
M:\download\Programs\Hypersnap\hsdx.exe
K:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe
M:\download\Spywares\ssfsetup2119_1890353621.exe
C:\DOCUME~1\trowa\LOCALS~1\Temp\is-OVPT9.tmp\is-SFF7C.tmp

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - K:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - K:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - K:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [vptray] K:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - K:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - K:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - K:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - K:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winiwf32 - C:\WINDOWS\SYSTEM32\winiwf32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: DefWatch - Symantec Corporation - K:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - K:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

 

by: rpggamergirl, posted on 2006-10-07 at 04:24:46 (ID: 17682228)

Hi,

What you have there is a dialer trojan and a smitfraud infection!

May I suggest that you please follow the steps below:

1.  Please download SmitfraudFix.
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

We want to look at the Option 1 log because the log detects a rootkit driver if a rootkit is present.


2.  After you post the log from option 1, you then run the fix, which is Option 2. (THIS IS THE FIX)
Option 2 needs to be done in Safe Mode:
Reboot your computer in Safe Mode by rebooting the computer and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click "smitfraudfix.cmd"

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


3. Next, Run smitfraudfix again but this time run it in normal mode,
Select option 3 (to delete the trusted zone entries)


4. You have a dialer there also (not part of smitfraud, so SmitfraudFix won't get rid of it)
* Open HiJackThis
* Click on the "Config..." button on the bottom right
* Click on the tab "Misc Tools"
* Click on "Delete File on Reboot"

* Navigate to this file --> C:\WINDOWS\SYSTEM32\winiwf32.dll

* Double click on that file.
* HJT asks you if you want to reboot, now. Click "No"
* Do the same for this file also --> C:\Program Files\Common Files\{105F14E6-0450-1033-1123-010818040001}\Update.exe
* When you get to the second file, click "Yes" when HJT asks you to reboot.


After you've done all that, your HijackThis log should have just one harmless entry that you can fix:
O20 - Winlogon Notify: winiwf32 - C:\WINDOWS\SYSTEM32\winiwf32.dll - "file missing"
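
As an added illustration (not part of this thread, and not a tool either participant used), here is a small Python triage pass over a subset of the HijackThis log posted above. It encodes the cues the reply above acted on: a BHO with no name (ixt1.dll), a Winlogon Notify package outside the stock Windows XP set (winiwf32.dll; the allowlist below is an assumption made for the example, with Symantec's NavLogon added because the log shows it), any ShellServiceObjectDelayLoad entry (urroxtl.dll, registered under the word "incestuously"), and running processes launched from a GUID-named folder or a Temp directory. Two caveats the output makes visible: the Temp hit is almost certainly the Spy Sweeper installer (ssfsetup2119_…) that was running during the scan, so every flag is a lead for manual identification rather than a verdict; and the ishost/ismini/issearch/isnotify quartet in system32 is not caught by a path heuristic at all, which is what the later SmitfraudFix signature scan was for.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str
    reason: str


# Stock Windows XP Winlogon Notify packages plus Symantec's NavLogon, which the
# log above shows. This allowlist is an assumption made for the example.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "NavLogon",
}

GUID_DIR = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")   # ...\{8-4-4-4-12}\...
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")       # O<n> - <kind>: <rest>

# Subset of the HijackThis log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\{105F14E6-0450-1033-1123-010818040001}\Update.exe
C:\DOCUME~1\trowa\LOCALS~1\Temp\is-OVPT9.tmp\is-SFF7C.tmp

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - K:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll
O4 - HKLM\..\Run: [vptray] K:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winiwf32 - C:\WINDOWS\SYSTEM32\winiwf32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: DefWatch - Symantec Corporation - K:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and numbered O-entries.

    Returns (processes, entries); each entry is (section, kind, rest, raw_line).
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), line))
    return processes, entries


def triage(text):
    """Apply the heuristics to a log and return the lines worth a closer look."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if GUID_DIR.search(proc):
            findings.append(Finding(proc, "process running from a GUID-named directory"))
        elif TEMP_DIR.search(proc):
            findings.append(Finding(proc, "process running from a Temp directory"))
    for section, _kind, rest, line in entries:
        if section == "O2" and rest.startswith("(no name)"):
            findings.append(Finding(line, "BHO with no name"))
        elif section == "O20" and rest.split(" - ", 1)[0] not in KNOWN_WINLOGON_NOTIFY:
            findings.append(Finding(line, "Winlogon Notify package outside the allowlist"))
        elif section == "O21":
            findings.append(Finding(line, "ShellServiceObjectDelayLoad entry (loads into Explorer at logon)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

Each flagged line still needs a human to identify the file (vendor, signature, write time) before anything is deleted; the script only narrows the log from dozens of lines to the handful that carry persistence or run from places legitimate software rarely uses.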

 

by: ryancys, posted on 2006-10-07 at 05:12:32 (ID: 17682363)

Hi there,

Here is the reply you want:

SmitFraudFix v2.105

Scan done at 20:09:56.10, 07/10/2006
Run from C:\Documents and Settings\trowa\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\trowa


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\trowa\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\trowa\FAVORI~1

C:\DOCUME~1\trowa\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


thanks

 

by: rpggamergirl, posted on 2006-10-07 at 05:16:11 (ID: 17682374)

Rootkit driver is detected!
Don't worry we'll take care of it afterwards.

Please go into Safe Mode and run SmitfraudFix again, this time choosing option 2, and post the log also.

 

by: ryancys, posted on 2006-10-07 at 06:22:13 (ID: 17682574)

Hi there,

Now I have one piece of good news and one piece of bad news.

The good news is that it seems I don't have the Trojan.Adclicker infection anymore =)

The bad news is that I'm still facing a weird problem: when I double-click a Drive, it shows me an Open With dialog
http://www.myjavaserver.com/~ryancys/tmp/snap1c.jpg

instead of the Drive contents.

Below are screenshots of Drives, one that is working and one that has the problem above:

No problem:
http://www.myjavaserver.com/~ryancys/tmp/snap1b.jpg

Got problem:
http://www.myjavaserver.com/~ryancys/tmp/snap1.jpg


Can this problem be resolved without formatting the Drive that has the problem?

 

by: ryancys, posted on 2006-10-07 at 07:44:20 (ID: 17682761)

Hi there,

I sorted out the "weird" problem above by deleting the autorun.inf that exists on each drive that had the problem. It seems that the drives with the problem have this autorun.inf file, which calls an executable (I suspect it is the virus/trojan) that is missing (I suspect it was deleted by using the tools above), so that's why it kept prompting me with an "Open With" dialog when I double-clicked the Drive.

Everything is clear now!

Thanks again to you guys; today I learned something new here ;) cheers
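
As an added example (not part of this thread), here is a Python checker for the situation the post above describes: an autorun.inf on a non-system drive whose launch target has been removed, leaving Explorer with a dangling default action. It parses the [autorun] section, collects every key Explorer could act on (open=, shellexecute=, shell\<verb>\command=), and reports whether each target still exists relative to the drive root. The sample autorun.inf is constructed for the example; the page never shows the real file, and the name diskcheck.exe is borrowed from the Symantec alert in the question, not confirmed as the autorun target. A temporary directory stands in for the drive root so the code runs anywhere, including off Windows.

```python
import os
import re
import tempfile

# Keys whose value Explorer may execute for the drive: open=, shellexecute=,
# and shell\<verb>\command=. Keys are compared case-insensitively.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample in the shape common autorun worms use: every launch path
# points at the same dropper. The thread never shows the real file; the
# executable name is borrowed from the Symantec alert in the question.
SAMPLE_AUTORUN = """\
[autorun]
; every launch path points at the same dropper
open=diskcheck.exe
shellexecute=diskcheck.exe
shell\\Auto\\command=diskcheck.exe
shell=Auto
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Comments (;) and other sections are ignored; the first occurrence of a key
    is kept so a duplicated key cannot hide an earlier value from the report.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_commands(entries):
    """(key, command) pairs for every key that can cause code to run."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def target_of(command):
    """Executable part of a command line: the quoted token or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_drive(root):
    """Parse <root>/autorun.inf and return one record per launch target with an
    'exists' flag, or None when the drive carries no autorun.inf at all.
    Relative targets are resolved against the drive root, as Explorer does."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for key, cmd in launch_commands(entries):
        target = target_of(cmd)
        full = os.path.join(root, target.replace("\\", os.sep))
        report.append({"key": key, "command": cmd,
                       "target": target, "exists": os.path.isfile(full)})
    return report


def build_sample_drive(with_payload=False):
    """Create a throwaway directory standing in for an infected drive root."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    if with_payload:
        with open(os.path.join(root, "diskcheck.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real program
    return root


if __name__ == "__main__":
    for rec in audit_drive(build_sample_drive()):
        state = "present" if rec["exists"] else "MISSING (dangling)"
        print(f"{rec['key']:<22} -> {rec['target']:<16} {state}")
```

On a real machine, call audit_drive() with each drive root (for example "I:\\") instead of the temporary directory. A target reported missing is the dangling reference behind the "Open With" dialog described above; a target that still exists is the payload itself and should be quarantined before the autorun.inf is deleted. Deleting autorun.inf removes only the trigger, which is also why reformatting the system drive alone did not clear the problem: the triggers lived on the other drives.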

 

by: rpggamergirl, posted on 2006-10-07 at 08:56:54 (ID: 17682934)

I'm surprised that you closed your thread and no longer want our assistance.

A rootkit driver was detected and should be dealt with.

Oh well, good luck! ...cheers! :)

 

by: ryancys, posted on 2006-10-07 at 09:14:00 (ID: 17682963)

Yup, not too sure about "rootkit driver"; if you don't mind, can you explain more about that and how I can handle it? Thanks ;)
