Infected By 2 Trojan.clicker.cx

Hi,


A BitDefender system analysis reveals a Trojan.Clicker.CX virus.


Our disk is split into 2 partitions:


A first Trojan is located under C:\windows\smgr.exe


A second one is located under the other partition: E:\documents\local_settings...\temp\9029000.exe (the serial number is different at each 'clone' appearance)


In fact, once a trojan (from one of the two partitions) is neutralized by BitDefender, it is almost immediately replaced at the same location (with the same name for C:\windows\smgr.exe, and at the same location with another serial-number name for E:\documents...).


It is as if the remaining trojan clones the eliminated one each time, and BitDefender can't analyse and then neutralize 2 partitions at the same time.


We failed in the attempt to format the disk using Windows, because the trojan from partition C: tries (it looks as if) to connect to partition E: and vice-versa.


Please, does anybody have an idea?

Comments

  • You should first open your task manager (CTRL+ALT+DEL or CTRL+SHIFT+ESC) and kill any process related to the trojan. You could also go to the registry editor (START -> Run -> Regedit) and go to:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    and delete any key that points to the worm. If you can't do that in normal mode, reboot in safe mode and delete the key, then delete the files that the trojan dropped.


    Andrei

  • Hello


    Check also these locations: Start, All Programs, Startup, and remove any suspicious entry you find. After that go to Start, Run, type msconfig at the Run dialog box, press Enter, go to Startup and uncheck any suspicious entry. But I recommend that you check them first on this website before deleting them in the registry, as Andrei mentioned, or in the locations I mentioned: http://castlecops.com/StartupList.html If you see an N or X you may delete the ab-icon in the registry, or delete the name in Startup, or uncheck it in msconfig.


    Also download SUPERAntiSpyware: http://downloads2.superantispyware.com/dow...AntiSpyware.exe Update it, reboot your PC into safe mode by pressing the F8 button several times before the Windows loading screen, and choose Safe Mode. Perform a complete scan. Reboot your PC afterwards and perform a deep scan with BitDefender.


    Regards


    Niels

  • Also check whether C:\WINDOWS\avp.exe is present and delete it, because that process is responsible for "respawning" C:\windows\smgr.exe.


    If I am not mistaken, BitDefender should flag and delete that file as well. However, if avp.exe is present and BitDefender doesn't flag it, it's a good idea to attach the file here for analysis.


    Extra note: also check if the file C:\WINDOWS\system32\scchk32.exe is present, as they are all related, or at least come bundled with the same malware installer.

  • > a first Trojan is located under C:\windows\smgr.exe
    >
    > a second one is located under the other partition: E:\documents\local_settings...\temp\9029000.exe (the serial number is different at each 'clone' appearance)

    Do you have your system variable for %temp% pointing to your E:\ drive?


    You can easily find out if you go to start > run and type: %temp%


    In the address bar on top, you should see where it is pointing. By default, it should be on the same drive: C:\Documents and Settings\Your Username\Local Settings\Temp


    However, I've seen people tweaking this as I guess is the case here.
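As an added example (not posted by anyone in this thread), a read-only PowerShell triage that walks the locations the replies point at: the Run key Andrei quotes, the Startup folders Niels mentions, the file names from the avp.exe comment, and where %TEMP% actually resolves. The HKCU Run key and the per-drive check are my assumptions; the file names are the ones quoted above, and nothing here deletes anything.

```powershell
# Added example, not from the thread: read-only triage of the autostart
# locations and the %TEMP% redirection discussed above. It only reports.
# File names quoted in the thread; treat them as indicators, not proof.
$SuspectNames = 'smgr.exe', 'avp.exe', 'scchk32.exe'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # per-user key (assumed worth checking)

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            # Extract the executable path from a quoted or unquoted command line.
            $exe = if ("$($p.Value)" -match '^"([^"]+)"') { $Matches[1] } else { ("$($p.Value)" -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not $exe) { continue }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Exe = $exe
                Exists  = Test-Path -LiteralPath $exe
                # A Run entry launching from %TEMP%, or a name from the thread, deserves a look.
                Flagged = ($SuspectNames -contains (Split-Path -Leaf $exe)) -or ($exe -like "$env:TEMP*")
            }
        }
    }
}

function Get-StartupFolderItems {
    # Per-user and all-users Startup folders (Niels' "Start, All Programs, Startup").
    foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($f)) -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    }
}

function Get-TempLocation {
    # Default lives under the profile on the system drive; the thread suspects it was moved to E:.
    $raw = [Environment]::GetEnvironmentVariable('TEMP', 'User'); if (-not $raw) { $raw = $env:TEMP }
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)
    [pscustomobject]@{ Raw = $raw; Resolved = $resolved; OnSystemDrive = ($resolved -like "$env:SystemDrive*") }
}

# Known dropper names in %windir% and system32 (the avp.exe / scchk32.exe comment).
foreach ($n in $SuspectNames) {
    foreach ($d in $env:windir, "$env:windir\system32") {
        $path = Join-Path $d $n
        if (Test-Path -LiteralPath $path) { "Present: $path" }
    }
}
Get-RunEntries | Where-Object Flagged | Format-Table Key, Name, Exe, Exists -AutoSize
Get-StartupFolderItems
Get-TempLocation
```

Run it from an elevated prompt in safe mode so a respawning process cannot rewrite the keys between the report and the cleanup, and compare each flagged entry against a startup list before removing it.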