Hijack This: Trojan Clicker.FMZ

Btech

New Member
I've been lurking here for a few days trying to resolve my virus issue. Prior to reading this forum I had been using the Spy-bot and Adware programs. I then tried the free version of AVG and after it scans it keeps showing a virus called 'ibbaibb.dll' and its backup file. Looked at the info and it says it's a BHO file...this makes sense as my internet has been very very slow.

I have, however, since tried CWShredder...didn't seem to work and also Hijack This. Please see my HJT log below. HJT describes it as 'Trojan horse Clicker.FMZ'. I've run HJT scans and then run them again in Safe Mode with networking...then ran Kaspersky but that did not seem to help with this virus. Also tried a Trend Micro virus scanner and it showed a virus in: C:\ProgramFiles\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (I'm thinking the reason I cannot manually delete the ibbaibb.dll file is that it might be reverting back to the .jar file)

What can I do to manually delete this? Nothing seems to work at this moment. Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 11:03:19 PM, on 5/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Brian\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://scripts.affiliatefuture.com/...469&programmeID=1675&mediaID=0&tracking=&url=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
O2 - BHO: (no name) - {1BB26A5E-C72F-4423-B9B5-E8A3EF6212FE} - c:\windows\system32\ibbaibb.dll
O2 - BHO: MS Explorer - {9A5C9584-DE98-310B-21A1-899F87184987} - C:\WINDOWS\system\wmdcst32.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [*pcnut] C:\WINDOWS\security\Database\pcnut.exe
O4 - HKLM\..\Run: [*tasklog] C:\WINDOWS\Driver Cache\tasklog.exe
O4 - HKLM\..\Run: [*mfcdb] C:\WINDOWS\Fonts\mfcdb.exe
O4 - HKLM\..\Run: [*taskvga] C:\WINDOWS\java\Packages\taskvga.exe
O4 - HKLM\..\Run: [*inetsvr] C:\WINDOWS\Cursors\inetsvr.exe
O4 - HKLM\..\Run: [*wavedisk] C:\WINDOWS\Fonts\wavedisk.exe
O4 - HKLM\..\Run: [*coms] C:\WINDOWS\Web\PRINTERS\coms.exe
O4 - HKLM\..\Run: [*infoplay] C:\WINDOWS\Config\infoplay.exe
O4 - HKLM\..\Run: [*comcmd] C:\WINDOWS\system32\1054\comcmd.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O20 - Winlogon Notify: ecemjftf - C:\WINDOWS\SYSTEM32\ibbaibb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
Btech,

Can I be brutal?

The best thing you can do for this machine is format it and install a legitimate licensed version of Windows XP on it. A completely unpatched Operating System (with no Service packs) yet showing Service pack 1 installed for Internet Explorer is a strong indication of an unlicensed copy of Windows.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:19 PM, on 5/10/2007
Platform: Windows XP SP1 should show up here (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

MGADiag.exe will give you a definitive answer to the OS's legitimacy.
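The two observations the thread turns on, the suspicious O2/O4/O20 entries in Btech's log and the Service Pack mismatch John points out in the header, can both be checked mechanically. The following is an added example (not HijackThis's own "Analyze This" logic and not code from anyone in this thread) that parses a constructed subset of the log lines posted above and flags entries a reviewer would want to look at first: BHOs with no name, Run entries launching from Windows subfolders that normally contain no programs, and a Winlogon Notify DLL that is the same file as a BHO. The list of "odd" subfolders is a hypothetical heuristic chosen for this example, and a flag means "review this", not "this is malware".

```python
import re
from typing import Dict, List, Optional

# Constructed subset of the HijackThis log posted in this thread:
# the header plus a few O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:03:19 PM, on 5/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
O2 - BHO: (no name) - {1BB26A5E-C72F-4423-B9B5-E8A3EF6212FE} - c:\windows\system32\ibbaibb.dll
O2 - BHO: MS Explorer - {9A5C9584-DE98-310B-21A1-899F87184987} - C:\WINDOWS\system\wmdcst32.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [*pcnut] C:\WINDOWS\security\Database\pcnut.exe
O4 - HKLM\..\Run: [*tasklog] C:\WINDOWS\Driver Cache\tasklog.exe
O4 - HKLM\..\Run: [*mfcdb] C:\WINDOWS\Fonts\mfcdb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: ecemjftf - C:\WINDOWS\SYSTEM32\ibbaibb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# First (optionally quoted) .exe path in a Run command line; arguments follow it.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)

# Hypothetical heuristic for this example: Windows subfolders that hold fonts,
# cursors, driver caches etc. and normally never hold auto-started programs.
ODD_WINDOWS_SUBDIRS = {"fonts", "cursors", "driver cache", "config", "web", "java", "security"}


def parse_header(text: str) -> Dict[str, str]:
    """Pull the Platform and MSIE lines out of the log header."""
    header: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Platform:"):
            header["platform"] = line.partition(":")[2].strip()
        elif line.startswith("MSIE:"):
            header["msie"] = line.partition(":")[2].strip()
    return header


def service_pack_mismatch(header: Dict[str, str]) -> bool:
    """True when IE reports a Service Pack but the OS line reports none (John's observation)."""
    os_sp = re.search(r"\bSP\d", header.get("platform", ""))
    ie_sp = re.search(r"\bSP\d", header.get("msie", ""))
    return ie_sp is not None and os_sp is None


def norm(path: str) -> str:
    """Lower-case and unify separators so paths from different lines compare equal."""
    return path.strip().lower().replace("/", "\\")


def odd_windows_dir(path: str) -> Optional[str]:
    """Return the odd Windows subfolder a program runs from, or None."""
    m = re.match(r"^[a-z]:\\windows\\(?P<sub>[^\\]+)\\", norm(path))
    if m and m.group("sub") in ODD_WINDOWS_SUBDIRS:
        return m.group("sub")
    return None


def analyze(text: str) -> List[str]:
    """Return human-readable findings for entries worth a reviewer's attention."""
    findings: List[str] = []
    bho_paths: Dict[str, str] = {}
    # Pass 1: collect BHO DLL paths so later entries can be cross-referenced.
    for line in text.splitlines():
        m = O2_RE.match(line)
        if not m:
            continue
        path = norm(m.group("path"))
        bho_paths[path] = m.group("clsid")
        # An unnamed BHO backed by a real file is the classic adware pattern;
        # "(no file)" is only an orphaned registry entry and is not flagged.
        if m.group("name") == "(no name)" and path != "(no file)":
            findings.append(f"O2: unnamed BHO {m.group('clsid')} loads {path}")
    # Pass 2: Run entries and Winlogon Notify handlers.
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            sub = odd_windows_dir(exe.group("path")) if exe else None
            if sub:
                findings.append(f"O4: [{m.group('name')}] runs from Windows\\{sub}: {norm(exe.group('path'))}")
            continue
        m = O20_RE.match(line)
        if m and norm(m.group("path")) in bho_paths:
            findings.append(f"O20: Winlogon Notify '{m.group('name')}' reuses BHO DLL {norm(m.group('path'))}")
    return findings


if __name__ == "__main__":
    if service_pack_mismatch(parse_header(SAMPLE_LOG)):
        print("Header: IE reports a Service Pack but the OS line does not")
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample the script reports the header mismatch, the unnamed ibbaibb.dll BHO, the three Run entries launched from security\, Driver Cache\ and Fonts\, and the Winlogon Notify handler that loads the same ibbaibb.dll. The cross-reference in the last finding is the useful part: a DLL registered both as a BHO and as a Winlogon Notify package reloads at every logon, which is why deleting the file from a running session kept failing for Btech.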
 
Does it really show that my windows is unlicensed? I find that odd b/c I bought the computer and Windows XP (brand new) through CITES (Campus Information Technologies and Educational Services) when I started college at UofI. It was some sort of a program deal for students with Microsoft, Dell (or other manufacturers), and the school...got a cheaper price on the computer and a much cheaper price on MS Office products, etc. I would highly doubt the school would sell unlicensed or pirated versions of windows. If my memory serves me correctly, I do believe that Windows XP was preinstalled on the comp.

I am aware that SP2 has not been installed on my machine yet. That's my fault.

I understand if you are unwilling to help b/c you feel that I have pirated my software but I assure you that I have not. I could scan my original receipts and agreements if needed.

Not trying to make a big stink here, I'm just looking for some friendly advice. Thank you.
 
Does it really show that my windows is unlicensed? I find that odd b/c I bought the computer and Windows XP (brand new) through CITES (Campus Information Technologies and Educational Services) when I started college at UofI. It was some sort of a program deal for students with Microsoft, Dell (or other manufacturers), and the school...got a cheaper price on the computer and a much cheaper price on MS Office products, etc. I would highly doubt the school would sell unlicensed or pirated versions of windows. If my memory serves me correctly, I do believe that Windows XP was preinstalled on the comp.

No, it does not say that. I believe he was just guessing that because SP2 isn't installed it might be pirated. :)

I am aware that SP2 has not been installed on my machine yet. That's my fault.

I would really recommend installing SP2; it's a lot more secure. :)


I understand if you are unwilling to help b/c you feel that I have pirated my software but I assure you that I have not. I could scan my original receipts and agreements if needed.

I'm sure that's not necessary.

Not trying to make a big stink here, I'm just looking for some friendly advice. Thank you.

You're not making a big stink, you've done nothing wrong here. You're willing to be more cooperative than I think I would be. :)

Now I'm sorry but I can't read HJT logs (yet) so hopefully Buzz1927 will be along to help you soon. :)
 
No, it does not say that. I believe he was just guessing that because SP2 isn't installed it might be pirated. :)

Not guessing, posting from experience. The OS is unpatched but IE has SP1. If Btech runs MGADiag.exe he'll know one way or another. Alternatively, clicking HERE to download and install Service Pack 1a and choosing the 'Network Installation' link and posting a fresh log should enable us to help from a position of strength.

I would really recommend installing SP2; it's a lot more secure.
Indeed it would, but installing SP2 on such an infected machine would more than likely make it even more unstable.

You're not making a big stink, you've done nothing wrong here. You're willing to be more cooperative than I think I would be. :)
Agreed. I'm more than willing to help but if we're fighting a losing battle from the start there's not much point in proceeding further from a "security" point of view. If it transpires the OS is unlicensed, my previous suggestion stands like an oak as the safest form of action for both Btech and every other internet user.


Btech, can you run the various diagnostics and let us know how you get on?
 
Okay, I've run the MGADiag.exe and it says: 'Validation Status: Genuine' (the text Genuine is in green). I'd post a screenshot but I'm not exactly sure what's relevant to 'hackers' or 'thieves' (I'm paranoid at times..haha)....the product key is protected but like I said, not sure what else could be used for malicious purposes.

John, why do you recommend installing the SP1a Network Installation instead of the Express? It's about 134 MB compared to 30 MB....I have plenty of space so that's really not my concern. Is there an advantage like more custom options, assuming it's a little more in depth/complicated.....keep in mind I'm not computer illiterate (although it may seem so since I came to this forum) but I'm not as "up to speed" as most of you on here.

BTW, I have looked and looked for the past 2 nights and have tried to download the SP1a service pack (Express). I've found the links through Microsoft, but I just cannot seem to find the correct link to download it. I'm thinking I'm blind. Even tried the Update history for my comp. on the Microsoft website and the SP1a download link just doesn't seem to work....takes me to a dialog box that reads more like an information box. It's really aggravating me. I'm going to keep at it tomorrow....

Thanks in advance!
 
John, why do you recommend installing the SP1a Network Installation instead of the Express? It's about 134 MB compared to 30 MB....I have plenty of space so that's really not my concern. Is there an advantage like more custom options, assuming it's a little more in depth/complicated....

You've answered your own question with your next comments. Unpatched Operating Systems always seem to have problems with the express installation which usually points to an Active X issue or yet again a validation issue.
The Network installation is a full standalone download which you then have to execute manually.
 
It's not looking good at this moment. I've downloaded the SP1a Network Install. I rebooted with and w/o the internet cable connected.....while trying to run the install, the SP1a aborted the installation. What next? Take it to a 'pro'? Any suggestions?

On a side note, since going through some of these steps/actions my internet speed has been faster....very close to what it was before my problem and my overall comp. speed hasn't been slowed down one bit. A little confused.
 
If SP1a aborted the installation it yet again points towards an unlicensed copy of Windows. Without this basic Service Pack, your machine is a sitting duck and cleaning it would be a pointless exercise. I'm afraid my opening suggestion stands. The best thing you can do is purchase a new copy of Windows XP. :(
 
I was afraid you were going to say that. I'm going to keep investigating because I know this is a licensed version of XP. Until I find the time to take my comp. somewhere, I guess for now all I can do is chalk it up to stubbornness and plain stupidity on my part for not keeping my comp. up to date.

Thank you for your patience and the advice....I'm sure I'll be back browsing the pages for some good info....and hopefully have some good news from my end. Thanks!
 
One thing: if you want to analyze your HijackThis log, the new version of HijackThis has a feature after the scan called "Analyze This" which shows whether anything it has detected is a threat, or you can simply copy and paste the log to this address.
 