
[Resolved]Need Help Removing Klone Virus


6 replies to this topic

#1 tacky2883
Authentic Member, 27 posts

Posted 20 July 2007 - 10:16 AM

Hi, I just came home from work to see my AVG going crazy with IE popping up too. My AVG won't do a thing, but it says I have the Klone virus. I searched around the web reading up on it, but I don't know what to do. I read other threads here where you helped some people already, so I was wondering if you can help me too. Thanks in advance. Oh yeah, apparently I lost the internet connection on that computer too, so I'll be on another computer.



#2 SNOWHITE
Retired GTG Staff, 165 posts

Posted 20 July 2007 - 05:05 PM

Hello tacky2883 :)

My name is SNOWHITE and I will be helping you with your Malware problem.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
If you are unable to connect to the internet, download the tools on another computer and transfer them to the infected one using a USB stick or CD.

Regards,
SNOWHITE

#3 tacky2883
Authentic Member, 27 posts

Posted 20 July 2007 - 07:08 PM

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:59 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IME\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\D9A8EA92.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\RprCaoc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\IME\csrss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OCINS\idnsvr.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ad_2236.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ant.sina.unio...om/indaxsx.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ant.sina.unio...om/indaxsx.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\IME\csrss.exe"
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\wbdics.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:\PROGRA~1\OCINS\ieaux.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Internt] C:\WINDOWS\system32\internt.exe
O4 - HKLM\..\Run: [Program file] C:\WINDOWS\system32\progmon.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [猥orrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [dbrj] C:\WINDOWS\system32\drivers\iExplorer.exe
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINDOWS\system32\mcdsrv16_070720.dll start
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra 'Tools' menuitem: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...9.11/ttinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O23 - Service: 177708A - Unknown owner - C:\WINDOWS\system32\1B75311A.EXE (file missing)
O23 - Service: Alerter COM+ - Unknown owner - C:\WINDOWS\system32\IME\svchost.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Net Login Helper (netlog) - Unknown owner - C:\WINDOWS\system32\SCardSver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call System(RPCS) (RpcPr) - Unknown owner - C:\WINDOWS\system32\RpcPr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows SystemDown (Windowze) - Unknown owner - C:\WINDOWS\system32\servetes.exe

--
End of file - 8904 bytes
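As an added illustration (not part of the original thread or of HijackThis itself), the following Python script parses HijackThis-style log lines like those posted above and flags the entry types a helper looks at first: a system.ini Shell value that launches more than Explorer.exe, an autostart under Policies\Explorer\Run, O23 services with an unknown owner or a missing file, and one process path repeated many times. The sample lines are copied from the log above; the flagging rules are heuristics assumed here, not HijackThis logic.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\ad_2236.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\IME\csrss.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINDOWS\system32\mcdsrv16_070720.dll start
O23 - Service: 177708A - Unknown owner - C:\WINDOWS\system32\1B75311A.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(tag, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first tagged entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entries(processes, entries, dup_threshold=3):
    """Return (reason, detail) pairs; the rules are assumed heuristics, not HijackThis's."""
    findings = []
    # Many copies of one executable (the posted log shows dozens of ad_2236.exe).
    for path, n in Counter(p.lower() for p in processes).items():
        if n >= dup_threshold:
            findings.append(("repeated process", f"{path} x{n}"))
    for tag, body in entries:
        if (tag == "F2" and body.startswith("REG:system.ini: Shell=")
                and body != "REG:system.ini: Shell=Explorer.exe"):
            findings.append(("shell hijack", body))      # extra program chained to the shell
        elif tag == "O4" and "Policies\\Explorer\\Run" in body:
            findings.append(("policy run key", body))    # autostart via Explorer policy
        elif tag == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(("unverified service", body))
    return findings
```

Running `flag_entries(*parse_hjt(SAMPLE_LOG))` on the sample returns four findings; the AVG Run entry and the Zone Labs service are left alone.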

#4 SNOWHITE
Retired GTG Staff, 165 posts

Posted 20 July 2007 - 07:18 PM

Hello tacky2883,

There is a backdoor trojan detected on your system. This gives hackers full access to everything stored on the computer!

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

More info can be found here:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalk...nstall-faq.html

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.


Best regards,
SNOWHITE

#5 tacky2883
Authentic Member, 27 posts

Posted 20 July 2007 - 08:13 PM

Thanks for helping me this far. I decided to let my friend take care of it, since he usually fixes my computer.

#6 SNOWHITE
Retired GTG Staff, 165 posts

Posted 21 July 2007 - 06:44 AM

Hello tacky2883 :)

Thanks for helping me this far. I decided to let my friend take care of it, since he usually fixes my computer.


You are welcome. Thanks for letting us know of your decision :)

I will keep your thread open for a couple of days. Should you have any questions, please feel free to ask.
  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
    o Click once on the Internet icon so it becomes highlighted.
    o Select Custom Level .
    • Change 'Download signed ActiveX controls' to Prompt
    • Change 'Download unsigned ActiveX controls' to Disable
    • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    • Change 'Installation of desktop items' to Prompt
    • Change 'Launching programs and files in an IFRAME' to Prompt
    • Change 'Navigate sub-frames across different domains' to Prompt
    • When all these changes have been made, click on the OK button.
    o If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates, without giving it the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html


SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure or best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - A free Google toolbar that lets you use the powerful Google search engine from the bar and also blocks pop-up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted, where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :wavey:
SNOWHITE

#7 SNOWHITE
Retired GTG Staff, 165 posts

Posted 30 July 2007 - 12:59 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
SNOWHITE