943,840 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Click me! .. keeps coming back no matter what!
Ad:
Permalink
Apr 9th, 2005
0

Click me! .. keeps coming back no matter what!

Expand Post »
Hi there,

I am very very sick by having to fight this little bugger. I just cant get rid of this spam, spybot, trojan, hacktool, virus, whatever. I really need some professional help because if I can't fix this I will :cry: all day. I am going through some real life stuff right now and I seriously cant have this along with it. I need this system and just BLEAGH..

Go through this with me step by step and hopefully I can suddenly fix it.

Ok, out of the blue I have this green little icon on my desktop that says Click me. Of course I know I didnt put it there, so I won't click it - but that is not even the point. Popup banners appear everywhere and various other virusses and trojans and worms start to appear as if they're having a party.

After fighting this all day I am now about to give up and throw away this damn computer (at least the hard drive)

PLEASE help me try to fight this, people always come to me to help them and I have nobody to turn to but hopefully you.

Today I have run at least 3 different anti spyware, bot destroyers, adware removers, anti virus and trojan hunters .. I've done safe mode reboots a zillion times to check and check again. And when everything says 0 found again I reboot and the f0kkuhr is there again.

Seriously, it is no longer funny for me anymore.

I never have issues, and if I do these programs catch them in time and remove them properly. But this one.. this little f0ckah I just cant get rid of.

What do you need to know? What is my FIRST step?

Attached is the screenshot of that damn green icon that keeps re-appearing on my desktop after each reboot, prompts me to yes/no for some dailup and during the time the system is on pops up at random some crap advertisements.

Do you recognize it? which worm, spyware, etc is this? Where do I find removal instructions on it?
Attached Thumbnails
Click image for larger version Name: green_icon.gif Views: 48 Size: 2.6 KB ID: 1045  
Similar Threads
Reputation Points: 115
Solved Threads: 2
Junior Poster
floris is offline Offline
152 posts
since Jan 2004
Permalink
Apr 9th, 2005
0

Re: Click me! .. keeps coming back no matter what!

I see that you have a little HJT icon there too. Can you paste us your HJT log please? Thanks!
Administrator
Staff Writer
Reputation Points: 1422
Solved Threads: 162
The Queen of DaniWeb
cscgal is offline Offline
13,645 posts
since Feb 2002
Permalink
Apr 9th, 2005
0

Re: Click me! .. keeps coming back no matter what!

Logfile of HijackThis v1.99.1
Scan saved at 1:26:56, on 10-4-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Internet\DU Meter\DU Meter\DUMeter.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Adobe\acrobat\Distillr\Acrotray.exe
C:\Program Files\Pulse\Pulse.exe
E:\Internet\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\floris\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vBulletin.nl/community/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vbulletin.nl/community
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\floris\Application Data\Mozilla\Profiles\default\8bvnhz95.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\floris\Application Data\Mozilla\Profiles\default\8bvnhz95.slt\prefs.js)
O1 - Hosts: 217.155.49.105 www.example.com
O4 - HKLM\..\Run: [DU Meter] E:\Internet\DU Meter\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "e:\Adobe\acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [firlnin] H:\TMP\Tijdelijke Internet-bestanden\Content.IE5\YHGRYLA5\delf061225[1].exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecav32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\netherlands.exe -N
O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://e:\Adobe\acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1107951478468
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PestPatrol Remote - PestPatrol, Inc. - C:\Program Files\Common Files\PestPatrol\ppRemoteService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Reputation Points: 115
Solved Threads: 2
Junior Poster
floris is offline Offline
152 posts
since Jan 2004
Permalink
Apr 9th, 2005
0

Re: Click me! .. keeps coming back no matter what!

But when I check a checkbox and click to fix it, it doesnt do dick. It appears to be ready, but when I click scan again it is still there.
No matter which item I select.
Reputation Points: 115
Solved Threads: 2
Junior Poster
floris is offline Offline
152 posts
since Jan 2004
Permalink
Apr 9th, 2005
0

Re: Click me! .. keeps coming back no matter what!

the confirm box is netherlands.exe

and after reboot and clearing out all procs from run, runonce, etc.. I get this:

Process list saved on 1:53:35, on 10-4-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
500 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
584 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
628 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
640 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
792 C:\WINDOWS\System32\Ati2evxx.exe 6.14.10.4112 ATI Technologies Inc.
808 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
940 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1208 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1468 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe 103.0.4.3 Symantec Corporation
1512 C:\WINDOWS\System32\GEARSEC.EXE 1.0.0.3 GEAR Software
1552 C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe 1.0.1117.0 Network Associates, Inc.
1600 C:\Program Files\Norton AntiVirus\navapsvc.exe 11.0.9.16 Symantec Corporation
1632 C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe 11.0.9.16 Symantec Corporation
1672 C:\Program Files\Common Files\PestPatrol\ppRemoteService.exe 5.0.1.2 PestPatrol, Inc.
1804 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe 5.4.4.17 Symantec Corporation
1852 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe 1.0.1.47 Symantec Corporation
1880 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1908 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe 1.8.54.419 Symantec Corporation
180 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 103.0.4.3 Symantec Corporation
324 C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe 5.0.1.2 PestPatrol, Inc.
1044 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4112 ATI Technologies Inc.
1064 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
2244 C:\WINDOWS\system32\wuauclt.exe 5.4.3790.2182 Microsoft Corporation
2484 E:\Internet\DU Meter\DU Meter\DUMeter.exe 3.0.3.96 Hagel Technologies
2492 C:\Program Files\Motherboard Monitor 5\MBM5.EXE 5.3.7.0 Alex van Kaam
2564 C:\Program Files\Pulse\Pulse.exe 1.0.0.1
3372 C:\Documents and Settings\floris\Bureaublad\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.

DLLs loaded by process C:\WINDOWS\System32\smss.exe:
[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
Attached Thumbnails
Click image for larger version Name: green_icon2.gif Views: 41 Size: 11.2 KB ID: 1046  
Reputation Points: 115
Solved Threads: 2
Junior Poster
floris is offline Offline
152 posts
since Jan 2004
Permalink
Apr 9th, 2005
0

Re: Click me! .. keeps coming back no matter what!

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1elete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 217.155.49.105 www.example.com

O4 - HKLM\..\Run: [firlnin] H:\TMP\Tijdelijke Internet-bestanden\Content.IE5\YHGRYLA5\delf061225[1].exe


O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecav32.exe

O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\netherlands.exe -N

Fix this on unless you set it with spybot or something else .
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present.



Now reboot into safe mode and delete the following files and folders if found .

H:\TMP\Tijdelijke Internet-bestanden\Content.IE5\YHGRYLA5\delf061225[1].exe ,,,,,,,,delete file


C:\windows\system32\elitecav32.exe,,,,,,,delete file

C:\WINDOWS\system32\netherlands.exe,,,,,,,,,delete file



to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log
Team Colleague
Reputation Points: 1056
Solved Threads: 792
I hate 20 Questions
caperjack is offline Offline
12,723 posts
since Aug 2003

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Any help will be greatly appreciated...
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: explorer.exe crashes when right-click .mp3s- HJT log





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC