aicr.exe trojan is the most infuriating thing ever - please help

Discussion in 'malware problems & news' started by rmoorley, Nov 14, 2006.

Thread Status:
Not open for further replies.
  1. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    My laptop has been infected by a Trojan which appears in the list of processes in Task Manager as aicr.exe. I have tried McAfee, Spybot S&D to name but two and still this damn thing prevents me from being able to do anything on my laptop without it taking hours and hours, let alone exposing me to phishers of passwords which prevent me from buying anything online etc.

    I have Googled this trojan and found previous threads from this site, one in particular advising to use CWShredder, but I can't get this to work. Can anyone tell me in layman's terms how I can get rid of this thing and save my sanity?

    thanks,

    Roops
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    CWShredder doesn't involve an installation if that's what you're wondering. Just run it, Scan and Fix .
    Have you tried A-Squared and AVG AntiSpyware?
     
  3. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    Nope, haven't tried them. Just ran CWShredder and it didn't even detect the trojan, which is a bit of a surprise. I'll try the other two solutions you've suggested and see if either of them can do the trick.

    Thanks for taking the time to reply by the way, much appreciated.
     
  4. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    A-Squared didn't detect it and the other anti-spyware software failed to install. Are there any other suggestions of how I can destroy this infernal trojan once and for all?!

    Roops
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Is it in C:\INSIGHT\TOOLS\AICR.EXE? Do you have "Macro Express"?
     
  6. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    I'm not able to check the location of the file until tomorrow night (GMT), so will have a look and get back to you. In answer to your other question I don't have Macro Express.

    I was really hoping to use the following info to solve this problem

    https://www.wilderssecurity.com/archive/index.php/t-24197.html

    but when I followed the instructions on it 'First , Download CWShredder (http://www.wilderssecurity.com/attachments/CWShredder1531.zip)' the link didn't work, and then when I tried to use CWShredder to detect the trojan via another site it didn't find it. This is a real surprise as what worked for someone else should have worked for me (or so I thought).

    Anyway, if you have any other suggestions I'll be really grateful for them, I'll get back to you tomorrow night when I get home again.

    thanks,
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  8. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    It doesn't surprise me that CWShredder doesn't detect anything. Trend seem to have abandoned updating CWShredder. The last time I checked, it only detected approx. 50 out of 480 variants of CoolWebSearch.
     
  9. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    Someone, I checked my Insight directory and sure enough the TOOLS directory in there contains an AICR text file and an AICR application file. Any ideas what I should do now I know that?

    Snowbound, I am a complete novice as far as knowing where to find log files, (to be honest I don't even know what an HJT log file is). Any chance you could enlighten me so I can follow your suggestion?

    thanks,

    Roops
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Sure, HJT is a little program u download and one of the options is to create a logfile of a certain part of the registry.

    All u have to do is follow the instructions at the link i posted above as everything is explained there(including where to download HJT).

    EDIT- make sure u post your log at the Gladiator forum as Wilders no longer processes them.



    snowbound
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I found that file as a file of Macro Express. I searched in http://www.colba.net/~hlebo49/Good_Processes.txt ("Good processes with complete path")

    from - http://www.macros.com/ :

    "Macro Express is the premier Windows macro utility. With Macro Express, you can record, edit and play back mouse and keyboard macros. Its powerful tools and robust features will make you more productive.
    What is a macro? A macro is a way to automate a task that you perform repeatedly or on a regular basis. It is a series of commands and actions that can be stored and run whenever you need to perform the task. You can record or build a macro, and then play the macro to automatically repeat the series of commands or actions."


    If you downloaded this then just uninstall it. If not and it's not in the Add/Remove list, then i don't know.

    HijackThis is just as snowbound explained. Note that he's a moderator and knows far far far (lol) more than I. Run it, scan with it ("do a system scan and save a log file"), and a text file should be opened. Just select the whole text, copy, and paste at the forum indicated. Read their rules on the forum before posting and explain your case.
     
  12. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    My laptop is so messed up by this trojan that I can't even access the Gladiator antivirus website; I've even left it trying to load the page overnight and it still can't cope with it. I guess the site requires more processing power than this one, the trojan is consistently using 80-95% of the laptop's processing capacity.

    Am really open to any other suggestions; for me it's looking more and more like a case of admitting defeat and going and buying another laptop, which is the worst conclusion really but possibly inevitable. Can anyone suggest anything before I backup my data and scrap it?
     
  13. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    No need for that. If worst came to worst and the malware cannot be cleaned for whatever reason, a format of your hard drive would do it.

    Is it possible for u to do any online malware scans? Here are a few to try,

    https://www.wilderssecurity.com/showthread.php?t=151540

    Download and try this one too if u can,

    http://www.freedrweb.com/cureit/



    snowbound
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    rmoorley,

    Have you gone down this path?

    Given the information provided, this seems to be the most reasonable approach. Please realize that the symptoms you describe could be due to a software incompatibility, a bad installation, or a trojan.

    If it is a valid application suffering a systemic problem, you could scan from now until next year and not locate a problem. However, at this point you have identified a process that is sucking up CPU cycles. The best initial course to focus on is direct removal/disabling of that application, then verify there are no secondary infections interacting with that process.

    Blue
     
  15. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    Hi Blue,

    A fair suggestion, I thought that would be the easiest way too, but was surprised to find that it didn't even appear in my list of programs. Sneaky trojan I guess.

    R
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Do you share your computer with anyone?:cautious:
     
  17. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    What name were you looking for? It should appear in Add/Remove programs as MacroExpress, something similar, or under the vendor name (Insight Software).

    Maybe, but let's work the problem, not the presumed solution.

    You should be able to disable launch of the offending processes by either a direct registry edit (not recommended) or via disabling the appropriate service and/or start entries using MSCONFIG (Start>Run type msconfig, enter; look for any entry connected to Insight Software/MacroExpress under the Services and Startup tabs, uncheck them, press OK, and reboot)

    You can also remove startup entries with Spybot, CCleaner and similar applications. Be cautious and cognizant of what you are removing with these tools.

    Blue
     
  18. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    I followed your instructions and got the following message when I typed 'msconfig' and hit Enter:

    'cannot find the file 'msconfig' (or one of its components). Make sure the path and filename are correct and that all required libraries are available'

    Re spybot, I ran its S&D program and that didn't fix the problem.

    Something has at least done some good as AICR.exe is only taking up about 50% of the processing capacity now. Obviously I need to get rid of the whole thing before I can celebrate, but it's an improvement!

    Someone, I've started working my way through the list of programs in the thread that you gave me a link to. I've just downloaded Rising AntiVirus; AICR.exe is still there, so I'm gonna work my way through and see if there's anything that can do the trick.

    Thanks to both of you for all your suggestions so far btw.

    R
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If you can't find it in the Add-remove, check the folder C:\INSIGHT\TOOLS\ for an uninstall. Again i'm assuming it is Macro Express.
     
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    With respect to msconfig, you could browse to the appropriate folder to get the full path (typically C:\Windows\PCHealth\HelpCtr\Binaries) and launch as that. The path information should be set in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE with the default value set to C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe.

    One other simple and easily reversible operation is to rename the main C:\INSIGHT folder (to, for example, C:\$$$_INSIGHT) so that needed path information is no longer current, therefore the tools won't launch. This is a brute force approach, but effective and readily undone. You will get a warning message when you attempt this.

    Blue
     
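The checks suggested in the two posts above (Add/Remove Programs, msconfig's Startup and Services tabs, the App Paths key that Start > Run uses to find msconfig) can be done from a shell instead of the GUI, which matters on a machine too slow to open web pages. The script below is an added example written for this thread, not code from any of its participants or from Insight Software. The process name aicr, the folder C:\INSIGHT\TOOLS and the MSCONFIG.EXE App Paths key are taken from the posts; the vendor pattern (Macro Express / Insight) is the thread's own guess and may simply match nothing; everything else is generic Windows. It reports where the running aicr.exe is loaded from and whether it is signed, every autostart location that references it, any registered uninstaller, and why msconfig might not resolve. It changes nothing on the system.

```powershell
# Added triage script (example, not from the thread). Assumptions: process name 'aicr' and
# folder C:\INSIGHT come from the posts above; the vendor regex is the thread's Macro Express
# guess, not a confirmed fact. Read-only: nothing is killed, renamed or deleted.
$ProcName = 'aicr'
$Folder   = 'C:\INSIGHT'
$VendorRx = 'Macro ?Express|Insight'

# 1. Where is the running aicr.exe loaded from, what does it hash to, and is it signed?
Get-Process -Name $ProcName -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Pid       = $_.Id
        Path      = $_.Path
        CpuSecs   = $_.CPU
        SHA256    = if ($_.Path) { (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash }
        Signature = if ($_.Path) { (Get-AuthenticodeSignature -FilePath $_.Path).Status }
    }
} | Format-List

# 2a. Run/RunOnce values (what msconfig's Startup tab shows) that reference the folder or exe
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop PowerShell's own PSPath/PSParentPath etc.
        Where-Object { "$($_.Value)" -match [regex]::Escape($Folder) -or "$($_.Value)" -match "$ProcName\.exe" } |
        ForEach-Object { '{0}\{1} = {2}' -f $key, $_.Name, $_.Value }
}

# 2b. Services whose binary lives under the folder (msconfig's Services tab)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$Folder*" } |
    Select-Object Name, State, StartMode, PathName

# 2c. Shortcuts in the per-user and all-users Startup folders that point into the folder
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        if ($target -like "$Folder*") { '{0} -> {1}' -f $_.FullName, $target }
    }
}

# 3. Is an uninstaller registered? This is the Add/Remove Programs list, read from the registry.
$uninstKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem -Path $uninstKeys -ErrorAction SilentlyContinue | Get-ItemProperty |
    Where-Object { $_.DisplayName -match $VendorRx -or
                   $_.InstallLocation -like "$Folder*" -or
                   $_.UninstallString -like "*$Folder*" } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString

# 4. Why does Start > Run > msconfig fail? Resolve it the way the shell does, via App Paths.
$appPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE'
$msconfig = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
if (-not $msconfig)                { 'App Paths entry for MSCONFIG.EXE is missing' }
elseif (-not (Test-Path $msconfig)) { "App Paths points at $msconfig but that file does not exist" }
else                               { "msconfig resolves to $msconfig" }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the process path are readable. Get-FileHash and Get-CimInstance need Windows PowerShell 4 or later; on an XP-era machine like the one in the thread, drop the hash and use Get-WmiObject Win32_Service instead. If step 1 shows the executable somewhere other than C:\INSIGHT\TOOLS, or unsigned where a commercial product would be signed, that is the first thing to report when posting the HijackThis log; if step 3 finds an uninstaller, run that before resorting to the folder rename.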
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Wow, I'm so inexperienced that I never thought of that:eek: . Of course, renaming it will crash it or make it malfunction.:D
    Brute force lol:D
     
  22. A1SteakSauce

    A1SteakSauce Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    88
    Try SmitFraudFix; I found that it fixed my trojan problems, I don't know why though.
     
  23. rmoorley

    rmoorley Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    10
    Hello,

    I have run virtually every anti virus program in the list that snowbound kindly supplied in the link. However, the aicr trojan is still there.

    I have followed Someone's instructions and found 3 files in Insight/tools. However, I can't see how to uninstall them, as within Explorer there is no option to do that. I have renamed them (as a result of one of the suggestions in this thread) and I am thinking that I should just delete them. Can anyone confirm whether or not deletion is a suitable course of action or should I do something else to better effect?

    thanks,

    R
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You can't kill the process with task manager? Try with Process Explorer from SysInternals, or What's Running. The latter being easier and more intuitive, but not so thorough.

    If you haven't posted the HijackThis log on the indicated forum, please do.

    Wait for Snowbound or Bluezannetti to reply, but consider downloading also CCleaner (CrapCleaner). It's possible that, if it was Macro Express and already uninstalled, a reg clean will do it. Not too sure though. That's why you need to post the HIJACKTHIS LOG on this forum.
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Forgot to say, if you're considering, be careful cleaning the registry! CCleaner is good because you can see what you're erasing. Don't just delete what it tells you to.

    Also, before scanning, see what it will scan by checking/unchecking what you want. That way you know what it will look for cleaning. Still check what it referenced to be erased. I cannot stress that enough.

    One basic rule that I follow in the registry is that I only clean what I know to be redundant, like references to previously uninstalled programs. The rest that I don't understand, I leave there. Maybe google them to see what they are, but I don't erase anything that I don't understand.
     