# Trojan-Clicker.Win32.VB.wm problem!



## dirtman1 (Oct 28, 2005)

Could someone please check out these HJT logs, as I am being overrun with Kaspersky virus alarms and an ndt2.sys is trying to connect to the internet every few seconds, which I believe may be a rootkit!

KAV report:

11/12/2007 05:36:08	File C:\WINDOWS\system32\Indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'.
11/12/2007 05:36:08	Security threats have been detected. You are advised to neutralize them immediately.
11/12/2007 05:36:08	File C:\WINDOWS\system32\Indt2.sys: is still infected, postponed.
11/12/2007 05:36:22	File c:\windows\system32\indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'.
11/12/2007 05:47:35 Update completed successfully
11/12/2007 07:59:00	File C:\WINDOWS\system32\Indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'. User: NT AUTHORITY\NETWORK SERVICE, computer: localhost.
11/12/2007 08:06:27 Update completed successfully
11/12/2007 10:26:23 Update completed successfully
11/12/2007 11:02:39	File c:\windows\system32\indt2.sys: deleted.
11/12/2007 11:14:38	Running process C:\Documents and Settings\dave phillips\Desktop\dss.exe: detected modification of riskware 'RootShell'.
11/12/2007 11:20:47	Process C:\Documents and Settings\dave phillips\Desktop\dss.exe (PID 3468) successfully terminated.
11/12/2007 11:20:47	Process C:\DOCUME~1\DAVEPH~1\LOCALS~1\Temp\~sbjhhfu.tmp\regdump.bat (PID 1876) successfully terminated.
11/12/2007 11:21:02	Running process C:\Documents and Settings\dave phillips\Desktop\dss.exe: added to exclusion list.
11/12/2007 11:22:26	File C:\WINDOWS\system32\Indt2.sys: is still infected, skipped by user.
11/12/2007 11:29:14	Process (PID 2548) tried to access Kaspersky Internet Security process (PID 1936), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
11/12/2007 11:29:30	Protection of your computer is not running. You are advised to resume protection.
11/12/2007 11:31:17	Protection of your computer started.
11/12/2007 12:00:04	The application OUTLOOK.EXE has been changed
11/12/2007 12:32:26 Update completed successfully
11/12/2007 13:29:24	File C:\System Volume Information\_restore{B4A98403-90A2-47CA-B496-A2D54ACA0076}\RP32\A0011523.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'. User: WORKGROUP\DAVESPC$, computer: localhost.
11/12/2007 13:29:24	Security threats have been detected. You are advised to neutralize them immediately.
11/12/2007 13:29:54	File C:\System Volume Information\_restore{B4A98403-90A2-47CA-B496-A2D54ACA0076}\RP32\A0011523.sys: deleted.
11/12/2007 13:41:53	Process (PID 260) tried to access Kaspersky Internet Security process (PID 356), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
11/12/2007 13:42:11	Protection of your computer is not running. You are advised to resume protection.
11/12/2007 13:43:56	Protection of your computer started.
11/12/2007 13:44:21	File C:\WINDOWS\system32\Indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'. User: WORKGROUP\DAVESPC$, computer: localhost.
11/12/2007 13:44:21	Security threats have been detected. You are advised to neutralize them immediately.
11/12/2007 13:44:41	File C:\WINDOWS\system32\Indt2.sys: deleted.
11/12/2007 13:44:42	File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6GW1WJRR\discover[1].exe: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'. User: WORKGROUP\DAVESPC$, computer: localhost.
11/12/2007 13:44:42	Security threats have been detected. You are advised to neutralize them immediately.
11/12/2007 13:44:42	File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6GW1WJRR\discover[1].exe: deleted.
11/12/2007 13:49:01	Malicious HTTP object <http://74.54.89.66/jsp/2.0/discover.exe>: detected Trojan program 'Trojan-Clicker.Win32.VB.wm'.
11/12/2007 13:49:01	Malicious HTTP object <http://74.54.89.66/jsp/2.0/discover.exe>: access denied.
11/12/2007 13:50:41	Process (PID 336) tried to access Kaspersky Internet Security process (PID 324), but the action has been blocked by the Self-Defense component. No action on your part is necessary.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:46, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ndt2.sys
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Microgaming\Poker\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 6865 bytes

Thanks in advance
:up:

----------

## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

*Close all applications and browser windows before you click "fix checked".*

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

> C:\WINDOWS\system32\perfs.exe

Return to OTMoveIt, right-click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose *Yes*.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *This is NOT supported for use in 9x or ME and probably will not install in those systems.*

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 update 3*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java!
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

----------
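As an added triage example (my own code, not from either poster and not part of HijackThis or OTMoveIt): a small Python parser run over a constructed excerpt in the shape of the HJT log above. It flags the two entries the reply targets, the O23 service with "Unknown owner" and the .sys file that appears in the running-process list.

```python
import re

# Constructed excerpt in the shape of the HijackThis log posted above
# (a handful of lines only; the real log is longer).
SAMPLE_HJT_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\perfs.exe
C:\\WINDOWS\\system32\\ndt2.sys
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\\WINDOWS\\system32\\perfs.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\\Program Files\\TOSHIBA\\TME3\\Tmesrv31.exe
"""

# O23 lines read: "O23 - Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_hjt(log: str) -> list:
    """Return (reason, path) pairs for entries worth a closer look."""
    findings = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                 # a blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            # A .sys file is a kernel driver image; the kernel loads drivers,
            # it does not start them as processes. Seeing one here is a red flag.
            if not line.lower().endswith(".exe"):
                findings.append(("non-exe image in process list", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            # The vendor services in this log all carry a publisher string.
            findings.append(("service with unknown owner", m.group("path")))
    return findings


if __name__ == "__main__":
    for reason, path in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}: {path}")
```

"Unknown owner" is a prompt to look closer, not proof of malware: an unsigned but legitimate service gets the same flag, so confirm the file's origin before removing it.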