Virus/malware keeps redirecting Google searches to cliccker.cn
My brother went on my PC; he used Internet Explorer despite me telling him to use Firefox. Well, he saw one of those ads that say about speeding up your PC, and the stupid prick clicked it. Now I seem to have some form of malware/spyware on my PC, and it really annoys me. I can search fine in Google, but when I click a result (to open it) it auto-redirects to "www.cliccker.cn". Luckily, since I use Firefox, NoScript catches it before it loads.
Any help?
[url]http://www.malwarebytes.org/[/url]
Download, install, and scan your computer
If that doesn't fix the problem, try this
[url]http://free.avg.com/download?prd=afe[/url]
I've tried several anti-viruses so far (removing each and restarting between). None of them have stopped the problem. I've searched my start-up list and it's clean, same with services. My hosts file is completely clean.
All my past system restore points are gone, and any new ones are deleted within seconds of being created.
I've searched around, and there are several other people on the internet with this same problem. One thing I've noticed is each of the posts by other people are all within the past 2-3 days.
Hmm... Can you access any sites like Microsoft and such? I've had a virus before that did something similar; it even went far enough to block access to websites with anti-viruses and such. And if I tried to run McAfee it would restart my PC. I ended up pulling over AVG Free from my main computer via flash drive and it got rid of the problem in a few seconds. But hell, you said most anti-viruses don't work so that's completely out of the question. But I think that's the most people can offer you if you don't have any system restore points or anything like that. You could always take important files onto a flash drive and format your hard drive...
[QUOTE=cdlink14;16743080]I've tried several anti-viruses so far (removing each and restarting between). None of them have stopped the problem. I've searched my start-up list and it's clean, same with services. My hosts file is completely clean.
All my past system restore points are gone, and any new ones are deleted within seconds of being created.
I've searched around, and there are several other people on the internet with this same problem. One thing I've noticed is each of the posts by other people are all within the past 2-3 days.[/QUOTE]
Same exact issue I have after my sister visited some anime websites.
I have noscript too, can't make system restore points etc.
I've used Spybot, Ad-aware, Malwarebytes, AVG, CCleaner, Windows Defender, HijackThis (which came up with a totally clean log), etc and none have worked at all.
I mean it doesn't seem to do anything except redirect google links. It's annoying though, and it's caused several other issues which I have now fixed by running/doing all the above (including making it so I couldn't boot into windows until I used my xp recovery disk to do a chkdsk I created).
The only lead I have is a couple of files Malwarebytes tends to consistently pick up in the system32 folder after every scan. Problem is, the files never get removed by any program and they don't actually exist in the folder either when I navigate to it via Explorer (I have it so all hidden files are shown).
Definitely a very advanced rootkit of some kind.
I had this problem a month ago, nothing worked, I ended up having to reformat my shit. Good luck.
Try reinstalling Firefox and see if that helps.
[QUOTE=KorJax;16749455]The only lead I have is a couple of files Malwarebytes tends to consistently pick up in the system32 folder after every scan. Problem is, the files never get removed by any program and they don't actually exist in the folder either when I navigate to it via Explorer (I have it so all hidden files are shown).[/QUOTE]
You can try hard deleting the files through the command prompt if you haven't already.
[editline]02:40AM[/editline]
This thread is making me nervous about my computer's safety :frown:
I had the same exact issue. My flash drive caught a nasty STD from my friend's PC.
I just reformatted.
But do that as a last ditch effort. Try scanning in safe mode.
I had this happen too.
Your firefox is set to use a proxy. Just turn it off and bam, fixed.
[QUOTE=Razzie;16749731]I had this happen too.
Your firefox is set to use a proxy. Just turn it off and bam, fixed.[/QUOTE]
There's that problem out of the way, but there could be something else lurking in the system files.
Spybot S&D
Ok, I found the true culprit: "Global Skynet Virus" (seems to be completely new, unrelated to the 1994 virus), and the cure was to run Hitman Pro [url]http://www.surfright.nl/en/downloads/[/url]
The virus creates the following files (completely invisible to Explorer (rootkit)):
C:\WINDOWS\System32/SKYNETmkidotgw.dll
C:\WINDOWS\System32/SKYNETmqjbpfyk.dat
C:\WINDOWS\System32\drivers\SKYNETonhqhxlv.sys
C:\WINDOWS\System32/SKYNETdbosrqrs.dll
C:\WINDOWS\System32/SKYNETtympmyod.dat
Ran through with that, it found the Skynet virus inside my PC. It then asked me to register to remove it. Instead I just clicked the "get 30 day trial key"; it auto-acquired the key, and then removed the virus. Afterwards I uninstalled the Hitman Pro program, and everything is running smooth again.
[QUOTE=Razzie;16749731]I had this happen too.
Your firefox is set to use a proxy. Just turn it off and bam, fixed.[/QUOTE]
Nope, no proxy is being used.
I'll try the hitman pro idea.
SKYNET??
Fuck we're all doomed :cry:
Serious:
Boot into safe mode and remove the stubborn files there.
Never mind... Hitman Pro crashes every time I try to use it.
Oh well, looks like I'm screwed.
[editline]03:44PM[/editline]
[QUOTE=Van-man;16754671]SKYNET??
Fuck we're all doomed :cry:
Serious:
Boot into safe mode and remove the stubborn files there.[/QUOTE]
They don't exist though according to Windows. You can't delete them because Windows can't detect them being there, but they are there.
[QUOTE=KorJax;16754679]Never mind... Hitman Pro crashes every time I try to use it.
Oh well, looks like I'm screwed.
[editline]03:44PM[/editline]
They don't exist though according to Windows. You can't delete them because Windows can't detect them being there, but they are there.[/QUOTE]
Hm... very strange...
I'll have a look for alternate ways to remove the virus for you.
Well, it works, but as soon as I click "next" on the start screen, the program crashes with a "has to close" error.
[QUOTE=KorJax;16755721]Well, it works, but as soon as I click "next" on the start screen, the program crashes with a "has to close" error.[/QUOTE]
Are you running it in safe mode?
No
Should I?
Also what OS are you running and what version of Hitman Pro? 32/64 bit?
[editline]08:26PM[/editline]
@ Collin SSX :
I don't think it's possible to run in safe mode, since it scans the files using scan cloud, ( or some similar named online virus scanner ) ( Kinda like virustotal/jotti )
[QUOTE=cdlink14;16758330]Also what OS are you running and what version of Hitman Pro? 32/64 bit?
[editline]08:26PM[/editline]
@ Collin SSX :
I don't think it's possible to run in safe mode, since it scans the files using scan cloud, ( or some similar named online virus scanner ) ( Kinda like virustotal/jotti )[/QUOTE]
Safe mode with networking will allow that. Press F8 while booting up and select "safe mode with networking"
I'll try that. I just use winxp 32bit
How long does it take to scan on average?
[QUOTE=KorJax;16758515]I'll try that. I just use winxp 32bit
How long does it take to scan on average?[/QUOTE]
For me, about 5 mins. (It only scans the Windows dir, and all the other important parts of the drive.)
Still not working. I'm hearing the program is pretty bad for your PC though and that it's crash prone, so maybe it's best not to use it.
[editline]10:26PM[/editline]
Okay I need a way to find/delete hidden registry entries and files. Problem is all the programs I can find can only *FIND* them and they don't give me the option to remove it. Here's a log file from some rootkit revealer:
[code]Results:
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> imagepath
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> imagepath
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F72A9E7-E3E1-E9B5-39DC-2EAD1691569F} -> abececbbocajmephfmaibkgciabknlblhj
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F72A9E7-E3E1-E9B5-39DC-2EAD1691569F} -> bbececbbocajmephfmdiohkglpfkpihpaecc
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87651026-10F1-A428-DC37-925438D48480} -> iaaplbjggfmefddjea
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87651026-10F1-A428-DC37-925438D48480} -> haoobnllmppmkdjp
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\SecuROM\License information -> datasecu
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\SecuROM\License information -> rkeysecu
Hidden process : wuauclt.exe (PID: 2948)[/code]
The "gey" stuff is definitely the cause. Malwarebytes recognized similar hidden DLLs with that name but was unable to delete them. I just need a way to delete these hidden files.
NOTE: It's hidden, which means it's impossible to find it via Windows Explorer/command line! And it doesn't show up in regedit because it is hidden as well!
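An added example, not part of the original post: a small Python parser for the log format shown above that groups the hidden entries by service name and control set, so the hidden service/driver entry the poster points to stands out from the unrelated hidden items. The function names are illustrative, and the sample lines are a selection copied from the log in the post.

```python
import re
from collections import defaultdict

# Sample lines: a selection copied from the log in the post above.
SAMPLE_LOG = r"""Results:
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv\main
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> imagepath
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> start
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\SecuROM\License information -> datasecu
Hidden process : wuauclt.exe (PID: 2948)"""

ENTRY = re.compile(r"^Hidden (key|value|process)\s*:\s*(.+?)\s*$")
SERVICE = re.compile(r"\\System\\(ControlSet\d+)\\Services\\([^\\]+)", re.I)
PROCESS = re.compile(r"^(.+?) \(PID: (\d+)\)$")

def parse_log(text):
    """Split the log into hidden services, other registry items and processes."""
    services = defaultdict(lambda: {"control_sets": set(), "values": set(), "subkeys": set()})
    other, processes = [], []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header or blank line
        kind, body = m.groups()
        if kind == "process":
            p = PROCESS.match(body)
            processes.append((p.group(1), int(p.group(2))) if p else (body, None))
            continue
        path, _, value = body.partition(" -> ")
        s = SERVICE.search(path)
        if not s:
            other.append((kind, path, value or None))
            continue
        svc = services[s.group(2).lower()]
        svc["control_sets"].add(s.group(1))
        if kind == "value":
            svc["values"].add(value.lower())
        else:
            svc["subkeys"].add(path[s.end():].lstrip("\\").lower())
    return dict(services), other, processes

def triage(services):
    """Service names with a hidden imagepath or start value: the entries to check first."""
    return sorted(n for n, s in services.items() if s["values"] & {"imagepath", "start"})

if __name__ == "__main__":
    services, other, processes = parse_log(SAMPLE_LOG)
    for name in triage(services):
        print(name, sorted(services[name]["control_sets"]), sorted(services[name]["values"]))
    print(len(other), "other hidden registry items; hidden processes:", processes)
```

Run against the full log, it reports one hidden service name present in both ControlSet003 and ControlSet004, which gives a single name to hand to a removal tool or to look for when inspecting the disk offline.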
[QUOTE=KorJax;16760225]Still not working. I'm hearing the program is pretty bad for your PC though and that it's crash prone, so maybe it's best not to use it.
[editline]10:26PM[/editline]
Okay I need a way to find/delete hidden registry entries and files. Problem is all the programs I can find can only *FIND* them and they don't give me the option to remove it. Here's a log file from some rootkit revealer:
[code]Results:
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geyekrbwqwbrnv -> imagepath
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\geyekrbwqwbrnv -> imagepath
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F72A9E7-E3E1-E9B5-39DC-2EAD1691569F} -> abececbbocajmephfmaibkgciabknlblhj
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F72A9E7-E3E1-E9B5-39DC-2EAD1691569F} -> bbececbbocajmephfmdiohkglpfkpihpaecc
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87651026-10F1-A428-DC37-925438D48480} -> iaaplbjggfmefddjea
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87651026-10F1-A428-DC37-925438D48480} -> haoobnllmppmkdjp
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\SecuROM\License information -> datasecu
Hidden value : HKEY_USERS\S-1-5-21-2574369418-1331126156-492310143-1006\Software\SecuROM\License information -> rkeysecu
Hidden process : wuauclt.exe (PID: 2948)[/code]
The "gey" stuff is definitely the cause. Malwarebytes recognized similar hidden DLLs with that name but was unable to delete them. I just need a way to delete these hidden files.
NOTE: It's hidden, which means it's impossible to find it via Windows Explorer/command line! And it doesn't show up in regedit because it is hidden as well![/QUOTE]
You're better off asking somebody to create you a program to forcefully remove those keys from your registry.
I can try myself tomorrow, but it will only be a small program made in Autoplay Media Studio (Lua).
You mean something like that doesn't exist?
I tried doing reg.exe but when I did the delete parameter it said "Access is denied".
[QUOTE=iownuall;16742880][url]http://www.malwarebytes.org/[/url]
[/QUOTE]
This.
Free registry and malware checker; so far I've used it on 3 different PCs that were crashing with a virus app much like the one you are complaining about, and they all worked fine after using it.
I've used it, didn't work. It detected some of these similar things and tried to fix them, but failed at actually solving my problem.