TechSpot

Need help removing trojan-clicker.win32.wistler.a

Solved
By ramonsterns
Aug 24, 2010
  1. Kaspersky's TDSSKiller found it, and it's in my \Hardisk0\MBR.

    I posted this in my other thread in the Windows OS forum:

    "So I've been infected with a virus (trojan-clicker.win32.wistler.a) and it decided to stick itself in my Master Boot Record. So after doing some research, I found out I could easily get rid of it by using a Recovery Disk for Vista, so I downloaded it from "neosmart.net", mounted it on a virtual drive, and it didn't start up, it just opens up the inside and shows me a couple of folders. So I decided to try and burn it onto a CD-R, but the same thing happens.

    What am I doing wrong?

    Thanks

    EDIT: I have Windows Vista (32mb) SP2"

    I managed to boot up the Recovery disk, went to the command prompt and typed "bootrec.exe /mbrfix" (without the quotation marks) and it's still there, so I don't know what to do.

    Help!

    EDIT: I'm sorry if I don't make any sense or didn't provide some information, I'm rather distressed, so please let me know what information you may need from me.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,719   +268

  3. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    GMER Log is too big, what should I do?


    --------------------------------------------------

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943

    8/24/2010 4:14:36 PM
    mbam-log-2010-08-24 (16-14-36).txt

    Scan type: Quick scan
    Objects scanned: 122721
    Time elapsed: 5 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 47,719   +268

  5. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

  6. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    Here you go, hope I did it right.
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    I assume, you ran TDSSKiller?
    If so, please, post its log. It should be located in C:\ folder.

    ========================================================================

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 1 and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 3 for Windows Vista, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot, run MBRCheck again and post new log.
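    As an added illustration of what an MBR integrity check of the kind Broni is walking through with MBRCheck does (this is example code written for this page, not part of the thread and not MBRCheck's or TDSSKiller's own code): it takes the 512-byte first sector, verifies the 0x55AA boot signature, decodes the four partition entries, and compares a SHA-1 of the bootstrap-code region (the bytes a bootkit overwrites) against an allowlist of trusted hashes. The allowlist, the "clean" and "tampered" images, the disk signature and the placeholder boot code are all constructed here; in practice the allowlist would be populated from a known-clean disk of the same Windows version, and reading a physical disk needs an elevated prompt.

```python
"""Offline MBR sanity check: boot signature, partition table, and an allowlist
hash of the bootstrap-code region (the region a bootkit overwrites)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439 hold the bootstrap code
DISK_SIG_OFF = 440           # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE_OFF = 510          # 0x55AA boot signature
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device.
    Windows: r"\\.\PhysicalDrive0" (elevated prompt); Linux: "/dev/sda" (root)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the bootstrap-code region only, so re-partitioning or a new
    disk signature does not change the value."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    entries = []
    for index in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * index)
        if ptype == 0:
            continue
        entries.append({"index": index, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, trusted_sha1: set) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    digest = boot_code_sha1(mbr)
    if digest not in trusted_sha1:
        findings.append(f"bootstrap code SHA-1 {digest} is not in the allowlist")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} active partitions, expected exactly 1")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    return findings


# --- Constructed sample data (not real Windows boot code) -------------------
def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one active type-0x07 partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)   # constructed disk signature
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


CLEAN_CODE = b"\xfa\xfc" + b"\x90" * (BOOT_CODE_LEN - 2)   # placeholder "known-good" code
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
# Allowlist captured from the clean image; a bootkit replaces the bootstrap
# code, so its hash will not be here.
TRUSTED_SHA1 = {boot_code_sha1(CLEAN_MBR)}
# Same partition table, first 64 bytes of boot code overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58" * 32 + CLEAN_CODE[64:])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, TRUSTED_SHA1) or "no findings")
```

    The hash deliberately covers only bytes 0-439: the disk signature and partition table legitimately differ between machines, while the bootstrap code for a given Windows version should not, which is what makes an allowlist workable. A hash miss is a reason to compare the sector against a clean copy, not proof of infection on its own, since third-party boot managers also rewrite this region.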
     
  9. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    10characters
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    When you're done with MBRCheck, please re-run TDSSKiller and post fresh log.
     
  11. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    Also a quick question, is it possible for a virus to infect a router? If so, how do I fix that?
     

    Attached Files:

     
  12. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Yes, it's possible, but we'll check on it later, when we know, your computer is clean.

    BTW, don't edit your previous posts, because, if I didn't look, I wouldn't even know, you posted new MBRCheck logs.

    Now, TDSSKiller didn't cure the infection and MBRCheck didn't fix it either.

    What is drive E? Internal 2nd drive, or some external drive?

    Delete your Combofix file, download fresh one, run it and post fresh log.
     
  13. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    Sorry, the first one I posted I forgot to do the extra options. I replaced it with one where I did.


    drive E is a 2nd Internal Hard Drive
     
  14. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    OK, go ahead with Combofix.
     
  15. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    I went ahead with Combofix, but my Norton refuses to turn on auto protect.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    It looks better :)

    Please, re-run MBRCheck and TDSSKiller.
     
  17. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    TDSSKiller still detects it.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Have you ever had any Windows version installed on drive E?
    What do you have on that drive right now?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    
    
    Folder::
    c:\program files\AVG
    C:\SZKGFS.dat
    c:\programdata\SITEguard
    c:\programdata\STOPzilla!
    c:\program files\Common Files\iS3
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  19. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    I made the text file, disabled my network card, and uninstalled Norton, then ran combofix with the text file, but it still told me that Norton was active, so I went ahead anyways and when it was done it did not give me a log file, should I try it again?
     
  20. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    See, if you can locate combofix.txt file in C:\ folder.
    If it's not there, re-run it.
     
  21. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    Here.

    Say, is it normal for none of my programs (including all of the tools you've asked me to download) to work after Combofix is ready? They all give me a message about the program using a registry key that needs to be deleted and won't work until I restart my computer.

    I didn't think to mention this because I thought it might be normal.
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    This is what you have to do.
    You can restart now.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Combofix log looks good now :)

    Any current issues?


    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  24. ramonsterns

    ramonsterns TS Enthusiast Topic Starter Posts: 752   +12

    They're too big to post, so I'm attaching them here.
     

    Attached Files:

  25. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    You didn't say:
     
Topic Status:
Not open for further replies.

