win32:trojano-1384

I have 2 of these trojans locked in the Avast chest, but I have no idea how to get rid of them from there… help please?? Also my browsers, both Firefox and IE, keep getting redirected to “clicksmartclick.com”. I have done about everything I can to correct this, except I have no idea what to look for in the registry to delete it. Help there too?? Thank you!

In the chest, right click on them (one at a time) and select “delete”.

Better use Ad-aware and/or spybot and/or ewido for that (links for them can be found at my website). Also, use “hijackthis” and post a logfile in this thread.

They can do no harm in the chest.
However, I would recommend you don’t delete them for a week or two to ensure that their movement to the chest doesn’t have any adverse effect on your system (if identified incorrectly, it could be a required file and its early deletion could impact your system).

OK, here is a log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 8:50:12 AM, on 5/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\Services{32091851-1402-42CC-B039-EE3980F0B4E4}\SVCHOST.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [WCOLOREAL] “C:\Program Files\COMPAQ\Coloreal\coloreal.exe”
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Service Host] C:\WINDOWS\System32\Services{32091851-1402-42CC-B039-EE3980F0B4E4}\SVCHOST.EXE
O4 - HKLM..\Run: [Disk Keeper] C:\WINDOWS\System32\Services{32091851-1402-42CC-B039-EE3980F0B4E4}\SECURITY.EXE
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU..\Run: [Aaou] C:\Documents and Settings\Beverly\Application Data\othb.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {759ED4EB-F60A-4355-8098-8673C8B7DA52} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://*.nvidia.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O17 - HKLM\System\CCS\Services\Tcpip..{60BDD2FD-ADFB-428D-875E-F51AE0B507B4}: NameServer = 207.69.188.187 207.69.188.186
O21 - SSODL: System - {B8322946-256C-46E0-A846-88D1D256D90D} - vr_sys.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXlm License Manager - Unknown owner - C:\Program Files\Common Files\AliasWavefront Shared\licensing\etc\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Thanks for your help, I have been working on this for DAYS!!

Your online log file analysis: http://hijackthis.de/logfiles/42517631ad98ae77f299a3f3a4694b09.html
(ignore anything that is referring to avast, those are false positives)

This is what Eddy’s HJT analyzer says:

CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

Old version of Internet Explorer detected, please update.
IMMEDIATLY visit http://windowsupdate.microsoft.com and install ALL security patches/updates.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hklm\software\microsoft\internet explorer\main
o4 - global startup: microsoft works calendar reminders.lnk = ?
o15 - trusted zone: *.windupdates.com
o21 - ssodl: system - {b8322946-256c-46e0-a846-88d1d256d90d} - vr_sys.dll (file missing)
o23 - service: flexlm license manager - unknown owner - c:\program files\common files\aliaswavefront shared\licensing\etc\lmgrd.exe (file missing)

Also, see if you can find those two files:
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\Services{32091851-1402-42CC-B039-EE3980F0B4E4}\SVCHOST.EXE and submit them to Jotti (http://virusscan.jotti.org/), they might be viruses that are not identified by avast.
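As an added example, not from this thread and not HijackThis's or any analyzer's own code: a small Python triage script that parses lines in the HijackThis 1.99 log format and flags the kinds of entries the replies above single out (a start page set to the hijacker domain, O4 autoruns launched from a GUID-named folder under System32 or from a user's Application Data, per-user Run entries for bare System32 binaries, added O15 Trusted Zone/IP entries, and an O21 SSODL entry whose DLL is missing). The sample log is a constructed excerpt modelled on the posted log, and the rules are my own heuristics for a defender reading such a log.

```python
import re
# Constructed sample in HijackThis 1.99 log format, modelled on the log posted
# above (a short excerpt, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Service Host] C:\WINDOWS\System32\Services{32091851-1402-42CC-B039-EE3980F0B4E4}\SVCHOST.EXE
O4 - HKCU..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU..\Run: [Aaou] C:\Documents and Settings\Beverly\Application Data\othb.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: System - {B8322946-256C-46E0-A846-88D1D256D90D} - vr_sys.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def triage_line(line):
    """Return (section, reason) for a suspicious entry, else None (my own heuristics)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "clicksearchclick.com" in body.lower():
        return sec, "start/search page set to the hijacker domain from the thread"
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd").lower()
            if "\\system32\\services{" in cmd:
                return sec, "autorun from a GUID-named folder under System32 (mimics svchost.exe)"
            if r.group("hive") == "HKCU" and "\\system32\\" in cmd:
                return sec, "per-user autorun of a bare System32 binary; rare for legitimate software"
            if "\\application data\\" in cmd:
                return sec, "autorun from a user profile Application Data folder"
    if sec == "O15":
        return sec, "added Trusted Zone/IP entry; IE relaxes security for these hosts"
    if sec == "O21" and "(file missing)" in body:
        return sec, "SSODL shell-load entry whose DLL is gone; dangling entry to remove"
    return None

def triage_log(text):
    """Scan a whole log; returns a list of (section, line, reason) tuples."""
    hits = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], line.strip(), verdict[1]))
    return hits
```

Run `triage_log(SAMPLE_LOG)` to list the flagged entries; legitimate HKLM Run items such as the avast tray icon and the O23 NVIDIA service are left alone.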

Adding to Spyros’ advice, the .exe will also need some attention:

vxh8jkdq2.exe – Google is your best friend.

I am sorry that it took so long to get back to you… had to work. I found and zipped up the Win32.exe file. While I was in the System32 file I also found these, which were all created the same day that I started having problems, and they were all created within a few minutes of each other. May I delete these??
vx.tll
vxgame3
vxgamet2
vxh8jkdq1
vxh8jkdq2
vxh8jkdq6
vxh8jkdq7
vxh8jkdq8
Maybe this will solve some of my problems, like that blasted clicksearchclick thing that keeps coming back no matter what I do. Thanks again!!

If they are in the system32 folder I would say yes, because it seems a strange location for them (but what are the extensions? .dll?). A quick Google search shows them to be a part of the Win32/SillyDl.IQ!Trojan, Trojan-Downloader.Win32.Agent.km trojan.

Also see http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42421 for more info.

Also useful as a diagnostic tool, and to help get rid of the registry entries of the Run command for kernels32.exe mentioned in the above link: Download HiJackThis.zip - HJT Information - HiJackThis Tutorial
For an on-line analysis: HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

Hi, it is me again :-
David, I went to the CS site and did a scan and it found 8, yes, 8!! I got them all cleaned up except for one, and that is the win32.Daoser.D. It is a security .dll file; it is in the sys32\services file and I cannot clean it, nor will it allow me to delete it. I tried to drop it into the chest and also to drop it into the user option in the virus chest; neither one worked. I am now going to search for the way to remove it from my system… sheesh!

Hi, take a look here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_STARTPGE.EH it might help you, especially the “solution” & “technical details”.

Hi Spyros, thanks for taking time to help me also! I went to Trend Micro, found your page and went to scan with their Housecall, but every time I hover over a link it will take me right to Clicksearchclick.com. I went to your site and looked at some of the options you have listed, but I cannot get any of them either for the same reason.
It is almost like this bug thinks! It will not allow me to go anywhere that I would be able to remove it. What to do now?? Is my only recourse to take my computer back down to factory condition?? I am so frustrated by this one.

Your browser home page/search has been hijacked, post another hijackthis log.

Regain control: install Firefox and use it as your primary browser.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster

Hi again David, first I just want to say how very much I appreciate all the help I have received here! I have Spybot and Ad-Aware and neither of them caught this; however, I was able to stop them from auto-starting by deleting some values (per the Trend Micro website), so now I am not being redirected. I ran the “Housecall” and it found yet another 2 trojans… that it cannot repair. I have already backed up the files that mean the most to me and I am so very very sick of trying to get rid of all of this. I am just going to take the computer back to factory condition.
Let me end by saying that I have learned my lesson about surfing where I should not, and that so called “free programs” sometimes have a hefty price. Thank you all so much for the help. Shiollie

Trojans (even if they were detected by avast) generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

I would say starting from square one is probably a little severe in this case (but if that is what you wish, it is your system), as it will take some time to do.

I would also recommend that you use Firefox as your default browser and only use IE for sites that won’t display or work without IE (such as Windows Update, etc.). Firefox is less susceptible to the Adware/Spyware that has plagued you, as it doesn’t use ActiveX or BHOs and is not an integral part of the OS, whereas any defeat of IE security could have a direct effect on the OS security.

Shiollie,

You could do a double check with these programs: they both have working free trials and catch Trojans that anti-virus programs miss.

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

Ewido Free is also worth a try;

http://www.ewido.net/en/

Good news this morning!! ;D Last night I thought I would try just one more thing before I took drastic measures… believe me, I was NOT looking forward to reinstalling everything… anyway, I downloaded and ran the Ewido program and it caught yet 17 more trojans, maybe because I had a trojan installer placed in my system, I deleted all of those and then ran the scan again this morning and it found only 2 more that are now gone from my system. My computer is running the way it should again. I could not have done any of this without all of your help. Thank you all sooo very much!!! I have made my firefox my default browser!