trojan.adclicker indestructible :(

Discussion in 'malware problems & news' started by slobberingharry, May 6, 2004.

Thread Status:
Not open for further replies.
  1. slobberingharry

    slobberingharry Registered Member

    Joined:
    May 6, 2004
    Posts:
    1
    I've got an unusual sort of trojan problem, or that's what it looks like. It's called trojan.adclicker and isn't much of a threat according to Symantec, but after doing their removal instructions more than once, Norton finds it impossible to delete it. The last part of the instructions is to scan for viruses in safe mode, which I've done, where Norton detects that adclicker is there. But it can't finish off the removal process by quarantining or deleting it. It just says sorry can't do it :( It's been lurking on my computer for a while now and it's annoying me. Can anybody help? People have given me lots of spyblaster and hijackthis programs and that sort of thing but when I scan it it's always there again. It's really strangely being indestructible
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi slobberingharry :)

    Welcome to Wilders.

    Couple of questions,

    What O/S are u running?

    What is the name of the file your AV is finding it in?

    Have u posted a Hijackthis log here at Wilders in the past?

    The experts here are very good at solving these kinds of problems.



    snowbound
     
  3. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi slobberingharry!

    If you have an operating system (OS) WinME or newer, then you have System Restore. You have been unable to remove these trojans because they are being saved there. :rolleyes:

    To remove the trojans you need to turn off your System Restore and then run Norton in Safemode.

    Turn Off System Restore

    To turn off System Restore, follow these steps:

    Click Start, right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
    Click Yes when you receive the prompt to turn off System Restore.

    Safemode Instructions for All Windows Platforms

    After starting in Safemode, open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK," before proceeding.

    Run Norton and let it cleanup! :D

    Turn On System Restore

    To turn on System Restore, follow these steps:

    Click Start, right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

    Please let us know about your results.


    Best regards and welcome to Wilders! :)
     
  4. dev55

    dev55 Guest

    Hi there, I'm a McAfee technician and there is a solution to this if you follow the instructions below.

    Adclicker removal instructions

    This fix works for Windows 2000, but may work for others if you tweak it a little bit. You have to be the Administrator (full privileges). The way it works, it loads into RAM and then uses your O/S as its slave to replicate and try to do its damage. One of the first things we do is temporarily kill its slave off.
    -------------

    1) Quit all open apps. Kill off everything except Norton, your firewall, and anti-spyware programs, drivers.
    2) Open the Task Manager (CTRL-ALT-DEL)
    3) Find "Explorer.exe" and RIGHT-CLICK on it. Choose "end-process tree" to kill Explorer entirely.
    4) Run Norton from within the Task Manager (File->Start Task; then browse for Norton). Scan your entire disk to get rid of all those infecting DLLs (I had over 15,000).
    5) Now that the slave is killed, let's go identify the "master" still in RAM. Under the Task Manager, Launch "sysinfo32".
    6) Go to "Software Environment->Loaded Modules". Choose Advanced View. Once it's preflighted everything and displayed a list, sort it by date, so you can see what was most recently installed. Look at the Manufacturer column and look for "Melkosoft". You might see more than one evil entry.
    7) Under SysInfo32, go to "Software Environment->Startup Programs" THIS is the one that causes it to launch when Explorer.exe runs. In my case it was:

    "c:\winnt\system32\1ijx47ho080jwvthd.exe"

    Under the Task Manager, now that you know its name, go to File->Start Task and launch regedit. Search for the name. Mine was found in the registry here:

    My Computer->HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run->Control handler

    8) DELETE the specific entry for "1ijx47ho080jwvthd.exe" (whatever yours was named).
    9) Back in the Task Manager, go to File->Start Task, and launch Explorer.exe to bring your O/S back up. Norton should not holler because when Explorer.exe starts, it no longer launches the virus.
    10) Go into where the replicating DLLs are:

    c:\winnt\system32\

    and add ".vir" to the end of the DLLs that Norton couldn't clean out because they were "in use" and couldn't be deleted (you identified these in Step #6).
    11) Reboot
    12) Go back into

    c:\winnt\system32\

    and delete all files you added the ".vir" suffix to.

    13) Lastly, run your anti-spyware program and have it search your entire disk. This will remove malicious cookies that this thing also seems to plant.
    14) Reboot.
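
The Run-key check described in the post above (steps 7 and 8) can be scripted for triage. This is an added example, not part of the thread: it parses `reg query` output for the Run key and flags values whose executable has a random-looking name. The sample output is constructed (only the last file name comes from the post), and the `looks_random` heuristic and function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query` output for the Run key; the last value
# reuses the file name quoted in the post above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    NvCpl    REG_SZ    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    Control handler    REG_SZ    c:\winnt\system32\1ijx47ho080jwvthd.exe
"""

# Value name, type and data are separated by runs of two or more blanks.
LINE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_(?:EXPAND_)?SZ)\s{2,}(?P<data>\S.*)$")

def exe_from_command(data):
    """Return the executable part of a Run value's command line."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat))(?=\s|$)',
                 data.strip(), re.I)
    return (m.group(1) or m.group(2)) if m else data.split()[0]

def looks_random(stem):
    """Heuristic (an assumption of this example): a long file stem that
    switches between letters and digits several times."""
    if len(stem) < 12:
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:])
                   if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit())
    return switches >= 3

def suspicious_run_entries(reg_query_text):
    """Return (value name, executable path) pairs that deserve a manual look."""
    hits = []
    for line in reg_query_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # key header or blank line
        path = PureWindowsPath(exe_from_command(m.group("data")))
        if looks_random(path.stem):
            hits.append((m.group("name"), str(path)))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"review Run value {name!r}: {path}")
```

A flagged value is only a lead for manual review; legitimate software can also use odd file names.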
     