Trojan horse Clicker.2.S


Pat Scott

Whenever I run the Microsoft AntiSpyware it always finds
this file: C:\Windows\System32\sysdebug32.exe. Now I
have quarantined it and deleted that file and it is always
there. Can anyone tell me how to get rid of this
Trojan? I am running Windows XP Home Edition. It says
the name of the trojan is Clicker.2.S, I just can't seem to
get rid of it. I use AdAware and Spybot Search & Destroy
and CCleaner and Zone Alarm, AVG Anti Virus Free
edition. I really need help as I send out things and
people get a warning even though I scan before I send and
nothing shows up on this end. Getting desperate. Any
help would be great.
 

AndyManchesta

Hi Pat,

You have a bit of a problem. The trojan has modified your
registry so that it allows another malware to open IE in
a pop-up window. It is not that difficult to fix, but if you
just delete the sysdebug32.exe file, any time you use the
internet you will get error messages like this:

Windows cannot find sysdebug32.exe. This program is
needed for opening files of type 'URL:dtdp Protocol'.
sysdebug.exe c:\" or similar

With you saying something is attaching itself to anything
you send out, I'm not sure if that's related to this trojan,
but the online scans will show if you have other problems.


Download Killbox & save to desktop

http://andymanchesta.com/Downloads/KillBox.zip


Download Ccleaner

http://download.ccleaner.com/download119bin.asp


Copy this to Notepad so you can still read it in safe
mode.


Disable System Restore:

Go to Start > right-click My Computer > choose Properties,
then go to System Restore and check the box 'Turn off
System Restore', then press Apply. You can set a new
restore point when you are clean by following the above
but unchecking 'Turn off System Restore'.


Reboot into safe mode (reboot & keep tapping F8 then
choose safe mode from the list)



Click Start > Run. Type

regedit

Then click OK.


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\New Windows


In the right pane, delete the value:

"Allow" = ""

Exit the Registry Editor. ---...eck for any other problems.

Regards Andy
 

Pat Scott

Thanks Andy, will try anything.
Pat
 

AndyManc

Cheers Pat,

Let me know if you have any problems; we can use HijackThis
to show any other bad files if it's needed.

Also, where I put "Allow" = "", the URL could be any
site name. The line should not exist, so if it does it's safe
to remove it.

That's the only sysdebug32 trojan I know of, but again let
me know if it's not found. I think it's also referred to as
adware helper because of the changes it makes.


Andy
 

Pat Scott

Hi,
Me again. When I run regedit and get to the New
Windows key and click the + on that, the Allow is under that,
and when I click that I get two things, (Default) and
Security.symatic.com. Is the Symantec one safe to remove? Not
real good at this, as you can tell. I do not have their
anti-virus program any more.
Thanks Pat
 

AndyManchesta

It is fine to remove the Symantec entry if you are sure
you have nothing connected to them anymore: right-click
it and then choose Delete.



Andy
 

AndyManc

Hi again, I just thought I'd post the values on my New
Windows folder so you have something to compare it with:


New Windows

default........ (value not set)
popupMgr....... no



Then in the subfolder 'Allow'

default........ (value not set)
bravenet.com... (zero-length binary value)


So if your default now says Allow = URL, right-click and
press Modify and remove the address so it says (value not
set). If it's entered as a new value, delete the value by
right-clicking and choosing Delete.


Andy
 

Pat Scott

Hi,
Well, did it all, and ran my AVG spyware and the HouseCall
online scan and nothing shows up. I think I might
have gotten rid of it. I sure hope so and thank you so
much for your help. Couldn't have done it without you.
Can you tell me where I find the \%Systemroot%\ file?
Said something about being in C:\Windows but don't see
anything in there. I did download and run HijackThis
and boy, had a whole list of stuff in there. Can
send it if you still want to look at it. When I went to
delete the files in the Prefetch folder there must have
been a hundred of them in there. I just went ahead and
deleted them all.
Thanks again for your help and I sure hope it doesn't
come back.
Pat
 

AndyManchesta

Hi Pat

You may need to enable hidden files & folders to find the
file as it's in the System32 folder. You could use Killbox
and paste the C:\Windows\System32\sysdebug32.exe line in,
then press Delete on reboot, or search for it manually.

To make it easier, enable hidden files and folders if you're
searching for the file.

Go to Start, then Search > go to Tools on the top bar > then
click Folder Options > then go to the View tab.

Make sure that 'Show hidden files and folders' is
enabled, 'Display the contents of system folders' is
checked & 'Hide extensions for known file types' is not
checked, then press Apply.

You can set this back later by opening the same page and
pressing 'Restore Defaults' then pressing Apply.

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane, then
click on 'More advanced options' at the bottom. Make
sure that Search system folders, Search hidden files and
folders, and Search subfolders are checked.


Once you have done this you can then go to Search, then All
files & folders, and search for:


sysdebug32.exe


Or follow the path to the file: click Start > then My
Computer > then WINDOWS > then System32 > and check for
sysdebug32 (they are all listed in order in the folder so
it should be easy to find if it still exists).


If found, delete it. Again, if you have problems deleting it,
go to Task Manager (Ctrl, Alt & Delete), then check the
Processes tab for the file (press Name to sort them into
order) and end the process if found, then try to delete again.

If you still have problems deleting it, right-click the
file and choose Properties, and check the Attributes part at
the bottom for any restrictions. Uncheck both 'Hidden'
& 'Read-only' if found, then Apply and try to delete again.

If it's still refusing to go you could rename it, but I
think using Killbox would be easier. It's a great tool for
files that don't want to quit :)


HijackThis is good to show what's on your PC; it makes it
a lot easier when you're trying to fix malware as you can
see what's really going on. There's a few sites where you
can copy & paste your HijackThis logs to which give you
some info on each entry (because some malware uses
genuine filenames I've seen the scanner give false results
in the past, but they are very useful as a starting point).
Get advice about anything you're unsure about though.

http://www.hijackthis.de/en

http://hjt.iamnotageek.com/

http://www.help2go.com/modules.php?name=HJTDetective



With the Prefetch folder it is surprising how fast it
builds up in there, but generally they are all harmless
and are there to help programs open faster. But if you get
malware, clearing the Prefetch folder always helps, and any
genuine programs will use the folder again when it's
needed. CCleaner is useful for that; I use it myself
every day before shutting the PC down and it's surprising
how much junk it removes.



If you feel the problems still exist or think there may
be other problems then you can send me the HijackThis log and
I'd check all the entries, either post it on here or email
it. But if all your scanners are now showing clean it may
not be needed; it's up to you though. Let me know if your
HijackThis logs contain any O15 or O1 entries as they are
added as a result of malware. If you are clean again
you can re-enable System Restore.



Here's two other free downloads that might help you keep
clean:

Spyware Blaster

http://downloads.net-integration.net/spywareblastersetup34.exe

Prevents the installation of ActiveX-based spyware,
adware, browser hijackers, dialers, and other potentially
unwanted pests.
Blocks spyware/tracking cookies in Internet Explorer and
Mozilla/Firefox.
Restricts the actions of potentially dangerous sites in
Internet Explorer. And unlike other programs,
SpywareBlaster does not have to remain running in the
background. SpywareBlaster is freeware for personal and
educational use.


Spyware Guard

http://www.javacoolsoftware.net/downloads/spywareguardsetup.exe

SpywareGuard provides a real-time protection solution
against spyware that is a great addition to
SpywareBlaster's protection method.

Download Protection - prevents spyware from being downloaded
in Internet Explorer
Browser Hijacking Protection - stops browser hijacking
activity in real-time




Regards


Andy Manc
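As an added example (not code from the thread or from either poster), here is a read-only PowerShell audit of the items Andy walks through by hand: the IE 'New Windows' pop-up key and its 'Allow' subkey compared against the clean reference values he posted, the dtdp URL protocol handler implied by the quoted "Windows cannot find sysdebug32.exe" error, and the dropped file's hidden/read-only attributes and running process from his deletion troubleshooting. It assumes a Windows version with PowerShell (XP did not ship with it), that $knownSites is your own list of sites you deliberately allowed, and that HKCR\dtdp\shell\open\command is where a URL protocol handler of that name would live; it reports and never deletes.

```powershell
# Added example, not from the thread: read-only audit of the registry
# and file artefacts the posts describe. Assumptions: $knownSites is the
# user's own allow list; HKCR\<scheme>\shell\open\command is the standard
# place a URL protocol handler registers its command line.
$base  = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows'
$allow = Join-Path $base 'Allow'
$knownSites = @('bravenet.com')   # assumed; edit to what you allowed yourself

function Show-RegValues($path, $label, $expected) {
    if (-not (Test-Path -LiteralPath $path)) { "${label}: key absent"; return }
    $key   = Get-Item -LiteralPath $path
    $names = $key.GetValueNames()
    if ($names.Count -eq 0) { "${label}: no values (clean)"; return }
    foreach ($name in $names) {
        $data = $key.GetValue($name)
        if ($data -is [byte[]]) { $data = "(binary, $($data.Length) bytes)" }
        # A clean key has (default) unset, so '' never shows up in the list;
        # a set (default) or an unfamiliar name is what the thread removes.
        $flag  = if ($name -eq '' -or -not ($expected -contains $name)) { 'REVIEW' } else { 'ok' }
        $shown = if ($name -eq '') { '(default)' } else { $name }
        "{0} {1,-6} {2} = {3}" -f $label, $flag, $shown, $data
    }
}

Show-RegValues $base  'NewWindows' @('PopupMgr')   # PopupMgr = no is the normal value
Show-RegValues $allow 'Allow'      $knownSites

# "URL:dtdp Protocol" in the error text means a handler named dtdp was
# registered; a clean machine has no such key at all.
$dtdp = 'Registry::HKEY_CLASSES_ROOT\dtdp\shell\open\command'
if (Test-Path -LiteralPath $dtdp) {
    "dtdp handler: " + (Get-Item -LiteralPath $dtdp).GetValue('')
} else { "dtdp handler: absent (expected)" }

# The dropped file: hidden/read-only attributes and a running process are
# the two things the thread says can block deletion.
$file = Join-Path $env:SystemRoot 'System32\sysdebug32.exe'
if (Test-Path -LiteralPath $file) {
    $item = Get-Item -LiteralPath $file -Force
    "sysdebug32.exe present, attributes: $($item.Attributes)"
    $running = [bool](Get-Process -Name sysdebug32 -ErrorAction SilentlyContinue)
    "sysdebug32.exe running: $running"
} else { "sysdebug32.exe: not found in System32" }
```

Any line flagged REVIEW, a present dtdp handler, or a present file is something to act on following the steps in the posts above; an empty Allow key and an absent handler match Andy's clean reference.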
 
 
