Trojan-Clicker.HTML.Agent.a problem

Discussion in 'malware problems & news' started by horn, Sep 19, 2006.

Thread Status:
Not open for further replies.
  1. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    My KAV 6.0 is reporting after each re-boot that the start-up check detected (2)
    Trojan-Clicker.HTML.Agent.a
    At the end KAV is reporting that all threats have been successfully NEUTRALIZED -
    but not removed.
    As I mentioned, those two trojans are detected after each boot or re-boot.
    Searched on the net for a removal tool - nothing found.
    Seems this is a rootkit version, but KAV is unable to remove it from the System yet.
    Besides being one of the LOW RISK malware, it's very nasty to have it on your machine - even "Neutralized" for a while.
     
    Last edited: Sep 20, 2006
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    After all threats have been successfully NEUTRALIZED, does it still give warnings after each re-boot?
     
  3. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    Yes, it still gives warnings after each re-boot.
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,280
    Location:
    England
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi horn,

    Although you'd probably be better off posting a HijackThis log on one of the many boards that offer help with those, can you do the following:
    • Surf to: Sophos free tools: Anti-Rootkit
    • Click the "Download" button
    • Read the conditions and fill out your Details.
    • Click the Download Sophos Anti-Rootkit link.
    • Save the sarsfx.exe to a location on your hard drive where you can find it later on.
    Installing
    • Close as many applications as possible and execute sarsfx.exe by double-clicking it.
    • Accept the EULA and install the software to the location of your choice. (Default is C:\SOPHTEMP)
    Running for analysis
    • In that folder find and double-click sargui.exe
    • Select the areas that you want to scan for hidden objects (Running processes, Windows registry, Local hard drives)
    • Click Start > Run and copy this command into the window %TEMP%\sarscan.log and click OK to execute.
    • A text file will open. Post the content of that file.

    I'll gladly have a look at the log.

    Regards,

    Pieter
     
  6. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    @stapp,
    No removal tool or instructions found

    @Pieter,
    According your request:

    Sophos Anti-Rootkit Version 1.0 (c) 2006 Sophos Plc
    Started logging on 9/20/2006 at 20:21:48 PM
    Hidden: registry item \HKEY_USERS\S-1-5-18\Environment\TEMP
    Hidden: registry item \HKEY_USERS\S-1-5-18\Environment\TMP
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Microsoft GS Wavetable SW Synth
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound: VIA Audio (WAVE)
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\VIA Audio (WAVE)
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Setup\CreatedLinks\Shortcut2
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\PrintHood
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012003072320030724
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Suffixes\video/x-ivf
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\video/x-ivf
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Symantec
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\conversion.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\s_code.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\menus.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\d2005.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\util.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\browser.js
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\m2005.css
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\go.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\search.05.en.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\newsletter.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\i_arrow3.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\basket.new.home.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\0.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\basket.new.ent.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\russian.ru.black.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\korean.kr.black.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\chinese.zh.black.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\earth12.gif
    Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\Acronis Partiton Expert\Acronis Partition Expert 2003 perform create, format, copy, move, resize partition in XP, NT and Windows 2000-2003 Server and can give its competitors like Partition Magic a run for its money_fil\logo.05.gif
    Hidden: file D:\Datoteka\podaci\Sat 1\SAT FILES\4[1].1Amon_conax_skycrypt\4.1Amon_conax_skycrypt\4.1 conax_skycrypt\41-conax.BIN
    Hidden: file D:\Datoteka\podaci\CRAKS\4.0keygen\Acid Pro 4.0 keygenerator.exe
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\js
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\css(1).css
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\css.css
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\templatecss.css
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\trans_pixel.gif
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\arrow_px_up.gif
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\gradient(1).jpg
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\ms_masthead_ltr.gif
    Hidden: file D:\Datoteka\podaci\PC files\We’re sorry, we were unable to service your request_files\gradient.jpg
    Stopped logging on 9/20/2006 at 20:26:50 PM

    >>>>>>>>>>>>
    thanks for assistance,
    horn
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Looks easy enough.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Reboot, run a scan and let me know if it's gone.

    Regards,

    Pieter
     
  8. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    Hi Pieter,
    Done all according to your instructions, but on a new re-boot KAV is reporting that it has found two Trojan programs, Trojan-Clicker.HTML.Agent.a, and neutralized them.
    As Object for the two files KAV nominated:
    -C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\C11Z0U6L\popup[1].htm and
    -C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\UDQRMNC1\popup[1].htm
    Regards,
    horn
     
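The Sophos Anti-Rootkit log in post #6 and the two KAV object paths in post #8 are the kind of material a helper has to triage by hand: which "Hidden:" entries sit in the LocalSystem hive (S-1-5-18 is the well-known SID of the LocalSystem account), which are files in a user's Temporary Internet Files cache, and which user profile actually holds the cached detections. The script below is an added example written for this thread; it is not code from the forum, from Sophos or from Kaspersky. The log lines and KAV paths embedded in it are constructed from the ones quoted above (the full log is shortened), and the category labels and the path patterns they key on are my own assumptions, not a vendor classification.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Sophos Anti-Rootkit log from post #6
# (shortened to a few representative lines, one saved-web-page path abbreviated).
SAMPLE_LOG = r"""
Sophos Anti-Rootkit Version 1.0 (c) 2006 Sophos Plc
Started logging on 9/20/2006 at 20:21:48 PM
Hidden: registry item \HKEY_USERS\S-1-5-18\Environment\TEMP
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Symantec
Hidden: file C:\Documents and Settings\momo\Desktop\Problemi sa PC\Acronis tech\page_fil\conversion.js
Hidden: file D:\Datoteka\podaci\CRAKS\4.0keygen\Acid Pro 4.0 keygenerator.exe
Stopped logging on 9/20/2006 at 20:26:50 PM
"""

# The two object paths KAV reported in post #8 (constructed copy of the quoted lines).
KAV_OBJECTS = [
    r"C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\C11Z0U6L\popup[1].htm",
    r"C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\UDQRMNC1\popup[1].htm",
]

HIDDEN_RE = re.compile(r"^Hidden: (registry item|file) (.+)$")
# Windows 2000/XP profile root: C:\Documents and Settings\<account>\...
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
CRACK_RE = re.compile(r"keygen|crack|craks", re.IGNORECASE)


def parse_sophos_log(text):
    """Return a list of (kind, path) tuples for every 'Hidden:' line; header lines are skipped."""
    items = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def profile_owner(path):
    """Account name whose profile directory contains the path, or None if it is not under a profile."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else None


def classify(kind, path):
    """Assign a triage label (assumed labels, not a vendor taxonomy) to one hidden item."""
    low = path.lower()
    if kind == "registry item" and low.startswith("\\hkey_users\\s-1-5-18\\"):
        return "localsystem_hive"          # S-1-5-18 = LocalSystem account hive
    if "\\temporary internet files\\" in low or "\\content.ie5\\" in low:
        return "ie_cache"                  # per-user Internet Explorer cache
    if CRACK_RE.search(path):
        return "crack_keygen"              # unlicensed-software tooling, worth a closer look
    segments = path.split("\\")[:-1]
    if any(seg.lower().endswith(("_files", "_fil")) for seg in segments):
        return "saved_webpage_resource"    # resource folder of a saved web page
    return "other"


def triage(log_text, kav_objects):
    """Summarise hidden items by category and list the accounts whose IE cache holds KAV detections."""
    hidden = parse_sophos_log(log_text)
    by_category = Counter(classify(kind, path) for kind, path in hidden)
    accounts = sorted({profile_owner(p) for p in kav_objects
                       if classify("file", p) == "ie_cache" and profile_owner(p)})
    return {
        "hidden_count": len(hidden),
        "hidden_by_category": dict(by_category),
        "cache_detection_accounts": accounts,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, KAV_OBJECTS)
    for label, count in sorted(summary["hidden_by_category"].items()):
        print(f"{label:24s} {count}")
    print("IE-cache detections belong to account(s):", ", ".join(summary["cache_detection_accounts"]))
```

The `cache_detection_accounts` result is the check Pieter asks for later in the thread: cleaning the cache with a tool like ATF Cleaner only helps if it runs under the account whose profile holds the flagged files, so the script reads that account straight out of the KAV object paths.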
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Looks like a suspicious version of Acid Pro music software in there due to this entry.

    Hidden: file D:\Datoteka\podaci\CRAKS\4.0keygen\Acid Pro 4.0 keygenerator.exe

    I wouldn't be surprised if that is the source of at least one of your problems.

    Also delete your IE cache/temp files.


    StevieO
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi horn,

    Is the "momo" account the one you are working under?
    The infected files are in the Temporary Internet Files of "momo".
    So that's the one that is infected.
    If it is another one than the one you are using, you need to use ATF while logged in under that account.

    Regards,

    Pieter
     
  11. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    Hi Pieter,
    Yes, "momo" is the name of the account I am working under.
    This Trojan is reactivating itself on each PC restart or reboot.
    In the start-up cleaning sequence KAV neutralizes the Trojan program, but it seems it cannot clean, remove or delete the part which reactivates the trojan at the next restart of the PC.
    Tried with Ewido 4, SpyBot, Spy Sweeper, Ad-Aware, CCleaner and the Trend Micro HouseCall online scan to remove it - without success.
    Regards,
    horn
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    If you post a HijackThis log at Geekstogo and shoot me a PM with the link to your topic, I'd be happy to have a look at it over there.

    Regards,

    Pieter
     
  13. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    Hello Pieter,
    Impossible to register on Geekstogo.
    If you agree I can post you what you ask me on PM.
    If you are interested I think I can send you RootkitRevealer Scan results.
    Regards,
    Horn
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I'll ask permission to handle your HijackThis log here.

    Regards,

    Pieter
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You can post the HijackThis log here.

    The admins were kind enough to make an exception. :thumb:

    Regards,

    Pieter
     
  16. horn

    horn Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    97
    Hi Pieter,
    Finally succeeded to register.
    Actually doing an Online Scan with F-Secure Online Scan.
    You can find my HijackThis log file under the name of "morog"
    Thanks for support m'8
    Regards,
    horn
     
  17. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    As horn is being helped by Pieter on another forum, and to prevent multiple assistance on different forums for the same computer, we'll close this thread now.

    Thank you Pieter for your help here. :)

    Regards,

    snap
     