Solved Need help removing trojan-clicker.win32.wistler.a


ramonsterns
Kaspersky's TDSSKiller found it, and it's in my \Harddisk0\MBR.

I posted this in my other thread in the Windows OS forum:

"So I've been infected with a virus (trojan-clicker.win32.wistler.a) and it decided to stick itself in my Master Boot Record. So after doing some research, I found out I could easily get rid of it by using a Recovery Disk for Vista, so I downloaded it from "neosmart.net", mounted it on a virtual drive, and it didn't start up, it just opens up the inside and shows me a couple of folders. So I decided to try and burn it onto a CD-R, but the same thing happens.

What am I doing wrong?

Thanks

EDIT: I have Windows Vista (32mb) SP2"

I managed to boot up the Recovery disk, went to the command prompt and typed "bootrec.exe /mbrfix" (without the quotation marks), and it's still there, so I don't know what to do.

Help!

EDIT: I'm sorry if I don't make any sense or didn't provide some information, I'm rather distressed; please let me know what information you may need from me.
 
GMER Log is too big, what should I do?


--------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

8/24/2010 4:14:36 PM
mbam-log-2010-08-24 (16-14-36).txt

Scan type: Quick scan
Objects scanned: 122721
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

  • DDS.txt (37.9 KB)
  • Attach.txt (11 KB)
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here you go, hope I did it right.
 

Attachments

  • combofix.txt (29.3 KB)
  • MBRCheck_08.24.10_22.40.49.txt (13.9 KB)
I assume you ran TDSSKiller?
If so, please post its log. It should be located in the C:\ folder.

========================================================================

Run MBRCheck again.

When it's done you'll see the following line:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Press the Y key and then press Enter

When the program asks you to Enter your choice, enter 2 and press the Enter key.

Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
Enter 1 and press the Enter key.

Next the program will show Available MBR codes:, followed by a list of operating systems.
Please enter 3 for Windows Vista, and then press Enter.

Next the program will prompt for confirmation.
Type YES and hit Enter.

When it's done there should be a text file with the results on your desktop.
Please copy and paste it back here.

Then reboot, run MBRCheck again and post new log.
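The MBRCheck steps above work by reading the first sector of each physical disk, hashing the boot-code portion and comparing it against known-good loader code, with the option to rewrite that code for a chosen Windows version. To make the layout concrete, here is an added example (written for this thread, not code from MBRCheck's author or from any tool named above) that parses a 512-byte MBR, validates the 0x55AA signature, decodes the partition table and compares the SHA-256 of the boot code against a baseline dictionary. The sample sector, disk signature and baseline entry are all constructed inside the script; real-world use would read sector 0 of a disk with administrator rights and a baseline captured from a trusted install.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) MBR, 512 bytes:
#   0..439   boot code (the part a bootkit overwrites)
#   440..443 disk signature
#   444..445 reserved
#   446..509 four 16-byte partition entries
#   510..511 boot signature 0x55 0xAA
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic 512-byte MBR for the demo (not a real Windows boot sector).

    One bootable NTFS (type 0x07) partition starting at LBA 2048, 100 MiB long.
    The disk signature and CHS fields are made-up values.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678)  # constructed disk signature
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return code + disk_sig + b"\x00\x00" + entry + empty * 3 + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table and boot-code hash."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_boot_code(sector: bytes, known_good: dict) -> str:
    """Return the baseline label for this boot code, or an UNKNOWN verdict.

    known_good maps sha256(boot code) -> description; in practice it is built
    from a disk imaged right after a trusted OS install, never from the
    suspect machine itself.
    """
    digest = parse_mbr(sector)["boot_code_sha256"]
    return known_good.get(digest, "UNKNOWN boot code (not in baseline): inspect or rewrite the MBR")


if __name__ == "__main__":
    clean = build_sample_mbr(b"CONSTRUCTED CLEAN LOADER")
    baseline = {parse_mbr(clean)["boot_code_sha256"]: "sample clean loader"}
    tampered = build_sample_mbr(b"CONSTRUCTED MODIFIED LOADER")
    for name, sector in (("clean", clean), ("tampered", tampered)):
        info = parse_mbr(sector)
        print(name, "->", check_boot_code(sector, baseline), info["partitions"])
```

The point the two samples make is the one behind the thread: the tampered sector keeps a perfectly valid signature and an unchanged partition table, so Windows still boots and a partition listing looks normal; only hashing the first 440 bytes against a baseline exposes the replaced loader. That is also why the fix consists of rewriting the boot code for the installed Windows version rather than touching the partition table.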
 
10characters
 

Attachments

  • TDSSKiller.2.4.1.2_25.08.2010_09.56.24_log.txt (58.7 KB)
  • MBRCheck_08.25.10_10.06.55.txt (13.7 KB)
  • MBRCheck_08.25.10_10.13.08.txt (13.4 KB)
When you're done with MBRCheck, please re-run TDSSKiller and post fresh log.

Also a quick question, is it possible for a virus to infect a router? If so, how do I fix that?
 

Attachments

  • TDSSKiller.2.4.1.2_25.08.2010_10.14.43_log.txt (58.7 KB)
Yes, it's possible, but we'll check on it later, when we know your computer is clean.

BTW, don't edit your previous posts, because if I didn't look, I wouldn't even know you posted new MBRCheck logs.

Now, TDSSKiller didn't cure the infection and MBRCheck didn't fix it either.

What is drive E? Internal 2nd drive, or some external drive?

Delete your Combofix file, download a fresh one, run it and post a fresh log.
 
Sorry, the first one I posted I forgot to do the extra options. I replaced it with one where I did.


drive E is a 2nd Internal Hard Drive
 
TDSSKiller still detects it.
 

Attachments

  • TDSSKiller.2.4.1.2_25.08.2010_13.21.22_log.txt (58 KB)
  • MBRCheck_08.25.10_13.10.53.txt (13.4 KB)
Have you ever had any Windows version installed on drive E?
What do you have on that drive right now?


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\kgpcpy.cfg


Folder::
c:\program files\AVG
C:\SZKGFS.dat
c:\programdata\SITEguard
c:\programdata\STOPzilla!
c:\program files\Common Files\iS3


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I made the text file, disabled my network card, and uninstalled Norton, then ran combofix with the text file, but it still told me that Norton was active, so I went ahead anyways and when it was done it did not give me a log file, should I try it again?
 
See, if you can locate combofix.txt file in C:\ folder.
If it's not there, re-run it.
 
Here.

Say, is it normal for none of my programs (including all of the tools you've asked me to download) to work after Combofix is ready? They all give me a message about the program using a registry key that needs to be deleted and won't work until I restart my computer.

I didn't think to mention this because I thought it might be normal.
 

Attachments

  • combofix.txt (29.7 KB)
They all give me a message about the program using a registry key that needs to be deleted and won't work until I restart my computer.
This is what you have to do.
You can restart now.
 
Combofix log looks good now :)

Any current issues?


Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 