# Friends Pc too infected to post log



## Gibzy (Jun 13, 2005)

After receiving such good help to get rid of the spyware in my computer, I referred the site to a friend. However, his computer is so infected with the spyware that includes the hijacker 'clicksearchclick' that he cannot post his log onto the forum to hopefully gain assistance. Every time he tries to post, clicksearchclick takes him back to its page. He has therefore sent me what he wanted to post originally so that I can do it for him. Many thanks again, Ben:

---------------------------
Hello, I'm a new user, and although this is my last resort I feel it's my best port of call to clean my PC without having to reformat my hard drive. My browser has been hijacked by the clicksearchclick virus, disallowing me from clicking on virtually all online links. Please help. Here is my log, but note that my actual log won't post because it is too long: of the entries that look like this, "O4 - HKLM\..\Run: [Ksg] C:\WINDOWS\System32\Rit.exe", there are actually thousands, all three-letter files, for example mem.exe or rgp.exe. I've cut most of my log out just so you can view it. Please help me, as I've tried everything I know.

Logfile of HijackThis v1.99.1
Scan saved at 12:46:31, on 16/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\bflbnf.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\svcsysreg.exe
C:\WINDOWS\Gri.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\d3as.exe
C:\WINDOWS\netfu32.exe
C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\Vtr.exe
C:\WINDOWS\System32\Mce.exe
C:\WINDOWS\System32\Mpi.exe
C:\WINDOWS\System32\Isb.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90A1CA51-6A23-5DA2-64A6-7E96611FAA5E} - C:\WINDOWS\system32\ieru.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hfr] C:\WINDOWS\System32\Ibn.exe
O4 - HKLM\..\Run: [Rof] C:\WINDOWS\System32\Foo.exe
O4 - HKLM\..\Run: [Rfa] C:\WINDOWS\System32\Eto.exe
O4 - HKLM\..\Run: [Foq] C:\WINDOWS\System32\Qqr.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Fpk.exe
O4 - HKLM\..\Run: [Osm] C:\WINDOWS\System32\Kbr.exe
O4 - HKLM\..\Run: [Jev] C:\WINDOWS\System32\Skl.exe
O4 - HKLM\..\Run: [Jmn] C:\WINDOWS\System32\Qtr.exe
O4 - HKLM\..\Run: [Tek] C:\WINDOWS\System32\Mph.exe
O4 - HKLM\..\Run: [Qis] C:\WINDOWS\System32\Ptu.exe
O4 - HKLM\..\Run: [Mnh] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Qsn] C:\WINDOWS\System32\Ikq.exe
O4 - HKLM\..\Run: [Vut] C:\WINDOWS\System32\Qjb.exe
O4 - HKLM\..\Run: [Qin] C:\WINDOWS\System32\Kna.exe
O4 - HKLM\..\Run: [Huh] C:\WINDOWS\System32\Kqq.exe
O4 - HKLM\..\Run: [Tak] C:\WINDOWS\System32\Ero.exe
O4 - HKLM\..\Run: [Odk] C:\WINDOWS\Idn.exe
O4 - HKLM\..\Run: [Fbh] C:\WINDOWS\System32\Fbf.exe
O4 - HKLM\..\Run: [Kfh] C:\WINDOWS\System32\Uvl.exe
O4 - HKLM\..\Run: [Pno] C:\WINDOWS\System32\Lro.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
O4 - HKLM\..\Run: [Lan] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\System32\Huo.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [iyrjkbp] c:\windows\system32\bflbnf.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Nbg] C:\WINDOWS\Dmr.exe
O4 - HKCU\..\Run: [Fcg] C:\WINDOWS\System32\Ahr.exe
O4 - HKCU\..\Run: [Emb] C:\WINDOWS\System32\Sqa.exe
O4 - HKCU\..\Run: [Rdc] C:\WINDOWS\System32\Evc.exe
O4 - HKCU\..\Run: [Lap] C:\WINDOWS\System32\Faj.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - 
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/128adbb864e83b...ip/RdxIE601.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF5F31D-3817-41AF-9754-EBB8A02923D9}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F015248-BD84-4FB2-9FCA-28337D7F9E6F}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEBA3C3E-0DA2-485C-B226-DEE0E146A216}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6C19CAB-D16E-4FD5-98A0-91AFA9942443}: NameServer = 199.166.31.3,199.5.157.128
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3as.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


----------
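The log above shows the pattern the poster describes: Run entries whose value name and executable are both random three-letter strings, IE search settings pointing at res://C:\WINDOWS\yoxbd.dll, a copy of SVCHOST.EXE under a GUID-named folder, and a service whose display name is unprintable. What follows is an added example, not part of the original posts and not HijackThis, CWShredder or any other tool mentioned in this thread: a small Python script that parses a HijackThis v1.99 log and pulls those patterns out for review. The sample log embedded in it is constructed from a few lines of the log above. The alg.exe allowlist is my assumption: alg.exe is the Windows Application Layer Gateway service, appears in the log above, and legitimately has a three-letter name, so a naive three-letter rule would flag it.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not HijackThis
or any tool from this thread). Parses the running-process list and the R0/R1,
O4, O17 and O23 lines and flags patterns for review; it removes nothing."""
import re

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[0-3] - (?P<key>.*?) = ?(?P<value>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
ENTRY_RE = re.compile(r"^[RFON]\d+ - ")           # every HijackThis finding line starts like this
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
THREE_LETTERS = re.compile(r"^[A-Za-z]{3}$")
SYSTEM32 = r"c:\windows\system32"
# Assumption: genuine Windows binaries with three-letter names (alg.exe = Application Layer Gateway).
KNOWN_GOOD_STEMS = {"alg"}

# Constructed sample in HijackThis v1.99 format, modelled on a few lines of the
# log quoted above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
C:\WINDOWS\System32\Vtr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hfr] C:\WINDOWS\System32\Ibn.exe
O4 - HKLM\..\Run: [Odk] C:\WINDOWS\Idn.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
O4 - HKCU\..\Run: [Nbg] C:\WINDOWS\Dmr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF5F31D-3817-41AF-9754-EBB8A02923D9}: NameServer = 199.166.31.3,199.5.157.128
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3as.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def exe_path(cmd: str) -> str:
    m = DRIVE_PATH_RE.search(cmd)            # first X:\...\name.exe in the command, quoted or not
    return m.group(0) if m else (cmd.split() or [cmd])[0]

def is_random_three_letter(path: str) -> bool:
    s = basename(path).split(".")[0]
    return bool(THREE_LETTERS.match(s)) and s.lower() not in KNOWN_GOOD_STEMS

def is_rogue_svchost(path: str) -> bool:
    # The real svchost.exe lives only in System32; a copy anywhere else is a red flag.
    return basename(path).lower() == "svchost.exe" and dirname(path).lower() != SYSTEM32

def triage(log: str) -> dict:
    findings = {
        "three_letter_processes": [],   # running images such as Vtr.exe
        "three_letter_run": [],         # (hive, value name, exe path), e.g. [Hfr] Ibn.exe
        "svchost_outside_system32": [],
        "res_hijacks": [],              # R0/R1 lines pointing IE at a res:// page
        "nameservers": [],              # O17 DNS servers, to compare with the ISP's
        "unknown_owner_services": [],   # (display name, path); review, don't auto-delete
    }
    rogue_svchost = set()
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not ENTRY_RE.match(line):    # process list ends at the first entry line
            if is_random_three_letter(line):
                findings["three_letter_processes"].append(line)
            if is_rogue_svchost(line):
                rogue_svchost.add(line)
            continue
        in_processes = False
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            if THREE_LETTERS.match(m["name"]) and is_random_three_letter(path):
                findings["three_letter_run"].append((m["hive"], m["name"], path))
            if is_rogue_svchost(path):
                rogue_svchost.add(path)
        elif m := R_RE.match(line):
            if m["value"].lower().startswith("res://"):
                findings["res_hijacks"].append(line)
        elif m := O17_RE.match(line):
            for server in (s.strip() for s in m["servers"].split(",")):
                if server and server not in findings["nameservers"]:
                    findings["nameservers"].append(server)
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings["unknown_owner_services"].append((m["display"], m["path"]))
    findings["svchost_outside_system32"] = sorted(rogue_svchost)
    return findings

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

Everything this script reports is a candidate for the advisor to check, not a verdict: "Unknown owner" is also what HijackThis prints for plenty of legitimate third-party services, and the O17 name servers are only suspicious if they are not the ones the ISP hands out. Running it over the full log above (saved as a text file and read into `triage`) gives the three-letter Run entries as one list rather than buried among hundreds of O4 lines.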



## tj416 (Nov 18, 2004)

Hi Gibzy,

_You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet._

*Prepare CWShredder for use:*
Download CWShredder.
Save CWShredder.exe to a convenient location.
Please do not do anything with it yet.

*Prepare cwsserviceremove.reg for use:*
Download cwsserviceremove.zip.
Unzip cwsserviceremove.reg to your desktop but do not run it yet.

*Prepare AboutBuster for use:*
Download AboutBuster.
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "*OK*" at the prompt with instructions.
Click "*Update*" and then "*Check For Update*" to begin the update process.
If any updates exist please download them by clicking "*Download Update*".
You should not run the program yet so click "*Exit*".

*Boot into Safe Mode:*
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

*Run CWShredder:*
Double-click on CWShredder.exe.
Click "*Fix ->*" and click "*OK*" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "*Next->*" and then "*Exit*".

*Run AboutBuster and save the logs:*
Browse to where you saved AboutBuster and run AboutBuster.exe.
Click "*OK*" at the directions *Read: Important!* prompt.
Click "*Start*" and then "*OK*" to allow AboutBuster to scan for Alternate Data Streams.
Click "*Yes*" at the *About:Buster* prompt to allow it to shutdown explorer.exe.
Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click "*Save Log...*". Make sure you save it as I will need a copy of it.
Click "*Exit*" and "*Exit*" again to exit AboutBuster.

*Remove the offending service:*
Double-click the cwsserviceremove.reg file you downloaded at the beginning.
Answer Yes when prompted to add the contents to the registry.

*Clean out temporary files:*
Start | Run | type *cleanmgr* | OK
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Click "*OK*" to remove them.
Click "*Yes*" to confirm the deletion.

*Restart your computer normally to return to normal mode.*

*Free TrendMicro Housecall scan:*
Visit the TrendMicro Housecall website.
Select your country from the drop-down list and click "*Go*".
Choose "*Yes*" at the ActiveX Security Warning prompt.
Please wait while the Housecall engine is updated.
Select the drives to be scanned by placing a check in their respective boxes.
Check the "*Auto Clean*" box.
Click "*SCAN*" in order to begin scanning your system.
Please be patient while Housecall scans your system for malicious files.
If not auto-cleaned, remove anything it finds.
Click "*Close*" to exit the Housecall scanner.
Choose "*Yes*" at the HouseCall message prompt.

*Prepare your reply:*
Please post a fresh HijackThis log
Please post the AboutBuster log.
Please note any complications you had.


----------



## cybertech (Apr 16, 2002)

Click here to download pskill.zip
http://www.sysinternals.com/files/pskill.zip

Extract/unzip pskill.exe to your system32 folder. It is a zip and *the exe must be extracted/unzipped to system32* for this to have any chance of working.

------------------------------

Download and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe

It will automatically extract to c:\spywad, where it needs to be to run, and will automatically open the remove spywad.vbs script for you, ready for you to paste in the line mentioned below.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box

<insert full path and name of file here> <this will be the 3-letter name shown as running in Running processes in a HJT log and will normally be C:\windows\Xxx.exe (the first letter is normally a capital)>

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

** The script does not remove the orphaned Run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor.

To restore the desktop to whatever picture you normally have, right-click on a blank part of the desktop and select Properties > Desktop, select your preferred picture, press Apply and then OK to exit, and then either reboot or log off and on again to change the desktop settings.

You will need to do this step for every user account.


----------
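As an added example (not the spywadfix script itself, and not code from this thread), here is the backup-then-delete part of the procedure cybertech describes, written in Python so that each step is visible: kill the running image, move every file of that name in the Windows directory and in System32 into backup subfolders, drop desktop.html and popup.html, and append to Spywad.txt. The registry repair, the restart of Explorer and the launch of HijackThis are left out. The subfolder names Window and Systems and the log name follow the post; that "matching files" means files with the same name in both directories is my assumption, the kill step uses taskkill and is only attempted on Windows, and `run_demo` builds a constructed throw-away directory tree rather than touching a real C:\WINDOWS.

```python
"""Backup-then-delete cleanup modelled on the spywadfix steps described above
(added example; not the spywadfix script, and it does not touch the registry)."""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path, PureWindowsPath

LOG_NAME = "Spywad.txt"
HTML_DROPPERS = ("desktop.html", "popup.html")   # removed from the Windows directory if present

def kill_image(image: str) -> bool:
    """Terminate running instances of the image (Windows only; False elsewhere or if none ran)."""
    if sys.platform != "win32":
        return False
    name = PureWindowsPath(image).name           # C:\WINDOWS\Gri.exe -> Gri.exe, on any host OS
    result = subprocess.run(["taskkill", "/F", "/IM", name], capture_output=True, text=True)
    return result.returncode == 0

def backup_and_remove(windows_dir: Path, image: str, backup_root: Path) -> list:
    """Move every file named like the image (case-insensitive) out of windows_dir and
    windows_dir/System32 into backup_root, delete the HTML droppers, append to the log.
    Returns the log lines written for this run. Assumption: 'matching files' in the
    post means files with the same name in both directories."""
    name = PureWindowsPath(image).name.lower()
    targets = {                                   # backup subfolder names follow the post
        windows_dir: backup_root / "Window",
        windows_dir / "System32": backup_root / "Systems",
    }
    actions = []
    for src_dir, dst_dir in targets.items():
        if not src_dir.is_dir():
            continue
        for entry in list(src_dir.iterdir()):     # snapshot: we modify the directory as we go
            if entry.is_file() and entry.name.lower() == name:
                dst_dir.mkdir(parents=True, exist_ok=True)
                shutil.move(str(entry), str(dst_dir / entry.name))   # backup first, then it is gone
                actions.append(f"backed up and deleted {entry}")
    for html in HTML_DROPPERS:
        candidate = windows_dir / html
        if candidate.is_file():
            candidate.unlink()
            actions.append(f"deleted {candidate}")
    backup_root.mkdir(parents=True, exist_ok=True)
    with open(backup_root / LOG_NAME, "a", encoding="utf-8") as log:
        log.writelines(line + "\n" for line in actions)
    return actions

def run_demo() -> dict:
    """Build a constructed throw-away WINDOWS tree, clean Gri.exe out of it, and report."""
    image = r"C:\WINDOWS\Gri.exe"                # the kind of path taken from the HJT process list
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        (win / "System32").mkdir(parents=True)
        for rel in ("Gri.exe", "System32/gri.EXE", "System32/Ibn.exe", "desktop.html"):
            (win / rel).write_bytes(b"placeholder")      # constructed stand-ins, not real files
        backup = Path(tmp) / "Spywad"
        killed = kill_image(image)                       # False off Windows or when nothing runs
        actions = backup_and_remove(win, image, backup)
        return {
            "killed": killed,
            "actions": actions,
            "remaining": sorted(p.relative_to(win).as_posix() for p in win.rglob("*") if p.is_file()),
            "backups": sorted(p.relative_to(backup).as_posix() for p in backup.rglob("*") if p.is_file()),
            "log_lines": (backup / LOG_NAME).read_text(encoding="utf-8").splitlines(),
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of moving rather than deleting is the same as in the post: if Spywad.txt later shows that something legitimate was caught (Ibn.exe is left alone here only because its name differs), it can be put back from the Window or Systems folder before the whole Spywad folder is discarded.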

