TheTechGuide Forum

General Category => Tech Clinic => Topic started by: flplayer67 on May 19, 2005, 02:41:44 PM

Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 19, 2005, 02:41:44 PM
hello, this is my first post here...I have a mediocre amount of computer experience but i have no idea how to get rid of www.clicksearchclick.com...It changes my homepage, drastically slows down my computer, and keeps giving me this stupid annoying popup every 30 secs...I dunno how I got it...i ran adaware (free version), Spybot, Microsoft Antispyware, CW Shredder, and since I use Adelphia internet connection, I have a virus remover/firewall/spyware remover also from Adelphia...I thought with all my programs my computer would be impenetrable (lol, doesn't seem so does it?)...Ok, I talked to my computer programming teacher (I'm 16) and he said that even though Microsoft antispyware deletes it, www.clicksearchclick.com changes its file name so it redownloads without a problem...(very depressing)...plz help me...I need to know, can I get rid of this!?!?
thx alot, FL
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 20, 2005, 11:58:10 AM
bump...come on some1 plz help...
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 20, 2005, 12:13:11 PM
Sorry flplayer67     
I'll be away till after the weekend

In the meantime
If you could read the top of the forum on How to Post a Hijackthis log

I'll make sure I look at your log when I get back

Which won't be until late Sunday

Bump your post up if I miss it when I get back
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 20, 2005, 02:58:53 PM
wat's a Hijackthis log?? lol god i am a newbie...
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 20, 2005, 04:00:12 PM
whew..ok i downloaded the executable file for Hijackthis...I ran it and here is wat i got (it looks like arabic to me lol):
Logfile of HijackThis v1.99.1
Scan saved at 4:18:02 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.clicksearchclick.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [dtibsv] c:\windows\system32\dtibsv.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dPR.exe] c:\windows\system32\dPR.exe
O4 - HKLM\..\Run: [EzvoLQFB] C:\windows\system32\EzvoLQFB.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [u36Q35l] dswatson.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SECURITY.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {E8D989FF-F025-419B-848A-607DB50598F0} - http://194.178.112.150/dialer-darkmedia/it/se001.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: BlindPianoTuner on May 21, 2005, 10:30:17 PM
Run SpyBot in safe mode. To get into safe mode, reset your PC and keep pressing F8 until something comes up.

Hope this helped.
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 22, 2005, 03:47:09 PM
yeah i did it in safe mode already i tried everything lol
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 23, 2005, 11:31:19 AM
Sorry for the delay, just got back home

If you still need a hand with your log
Could you post a fresh Hijackthis log as it's been a few days
Let's make sure nothing has changed
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 23, 2005, 12:18:59 PM
K, hey it's no problem ur doin me the favor lol...Sure I'll rerun HijackThis...Gimme an hour or two I'm in computer class right now...thx again, FL
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 23, 2005, 12:21:45 PM
No problem, could you also, when you post the log back
Open Hijackthis>>Open Misc tools section>>Open the Uninstall Manager
Click the SAVE LIST button

Save the list to desktop and then copy and paste it back here, thanks
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 23, 2005, 05:10:54 PM
k, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 6:08:50 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.clicksearchclick.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [dtibsv] c:\windows\system32\dtibsv.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dPR.exe] c:\windows\system32\dPR.exe
O4 - HKLM\..\Run: [EzvoLQFB] C:\windows\system32\EzvoLQFB.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [u36Q35l] dswatson.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SECURITY.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {E8D989FF-F025-419B-848A-607DB50598F0} - http://194.178.112.150/dialer-darkmedia/it/se001.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 23, 2005, 05:18:04 PM
Can you still do the following

Quote
Open Hijackthis>>Open Misc tools section>>Open the Uninstall Manager
Click the SAVE LIST button

Save the list to desktop and then copy and paste it back here, thanks
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 23, 2005, 06:14:32 PM
k srry i forgot to do that: here are the programs on the list i copied:
Ad-Aware SE Personal
AOL Instant Messenger
Freedom Security & Privacy
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 1
LimeWire 4.8.1
LiveUpdate 1.7 (Symantec Corporation)
Microsoft AntiSpyware
Microsoft Office XP Professional
Spybot - Search & Destroy 1.3
Symantec AntiVirus Client
Viewpoint Media Player
WildTangent Web Driver
Windows Media Format Runtime
Wireless PCI Card Configuration Utility
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 23, 2005, 08:24:43 PM
Please Print this out or save these instructions to a Notepad file and save it to your Desktop

Download and UNZIP to Desktop iSearch.zip
So you now have iSearch.reg extracted to desktop

Disconnect from the Internet, close all browser windows, including this one
Also know how to start in safe mode in advance
I'll need you to do this shortly

Open Hijackthis>>Open Misc tools section>>Open "Delete a File On Reboot"
In the File name field copy and paste (Don't type this in)
The whole path to the file name in bold directly below

C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE

Then click the OPEN button
Hijackthis should prompt you that the file will be deleted and to Reboot your computer
DON'T allow to reboot yet
Instead, do the same for this full path to the file name

C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SECURITY.EXE

This time allow the computer to reboot or
Restart the computer anyways
Into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, right before windows loads, or use the link
I supplied for a more detailed explanation

Once in safe mode

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Optionally, you can now Access your Add/Remove Programs and remove
if you don't use them
Viewpoint Media Player
WildTangent Web Driver


Stay in safe mode
Manually navigate to
Find and delete these files or folders if found
FILES
C:\WINDOWS\system32\drivers\delprot.sys <-file
c:\windows\system32\dtibsv.exe <-file
C:\WINDOWS\System32\exp.exe
c:\windows\system32\dPR.exe
C:\windows\system32\EzvoLQFB.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\isrvs\desktop.exe
Do a SEARCH for the next files and remove if found
SECUREANTIVIRUS.EXE
dswatson.exe
<-don't confuse it with drwatson.exe

FOLDERS
C:\WINDOWS\isrvs <-folder
C:\WINDOWS\System32\picsvr <-folder
C:\WINDOWS\System32\Services <-folder
C:\WINDOWS\System32\nsvsvc <-folder

Delete the next folders if you removed either Wildtangent and/or Viewpoint Media Player. Both may have been added by AIM
C:\Program Files\WildTangent
C:\Program Files\ViewPoint

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.clicksearchclick.com/

O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE


If StopZilla isn't installed any more, please fix the next entry too
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart

O4 - HKLM\..\Run: [dtibsv] c:\windows\system32\dtibsv.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dPR.exe] c:\windows\system32\dPR.exe
O4 - HKLM\..\Run: [EzvoLQFB] C:\windows\system32\EzvoLQFB.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [u36Q35l] dswatson.exe

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SECURITY.EXE

O16 - DPF: {E8D989FF-F025-419B-848A-607DB50598F0} - http://194.178.112.150/dialer-darkmedia/it/se001.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Afterwards, Double click on iSearch.reg and allow to Add or Merge to the registry

Restart back to Normal mode

IF prompted at ANY time of a change by Microsoft's Anti-Spyware software
ALLOW the changes so it won't interfere with any fixes we are trying to do

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Do another scan with Hijackthis and post back a fresh Log
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 24, 2005, 11:56:25 AM
whew! ok lol thx ill try it today...thx, FL
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 24, 2005, 05:37:09 PM
wow! thx so much!!! my computer is soo unbelievably faster, i could tell u put some time into helping me, thx Guestolo...I have another HijackThis log here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:35:11 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.clicksearchclick.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 24, 2005, 05:55:05 PM
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.clicksearchclick.com/

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Run another scan with Hijackthis and supply a fresh log

How many Active Anti-Virus software do you have running on startup?
It's not a good Idea to run more than one
More than one can cause a conflict and battle for the same background scanning and resources
I see Symantec's === Command's AV

And possibly, but you may not be using all the features of Freedom's
http://www.freedom.net/
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 25, 2005, 11:18:00 AM
k i will (I'm in computer class again haha), btw my AIM won't work now...every time i run it it says critical error category 4?? maybe cuz i deleted wildtangent? if i go to add/remove programs...uninstall AIM completely, then go to www.aim.com and redownload it, will AIM work then do u think?? cuz my stepmom almost killed me when AIM didn't work (she called me a computer nerd hahaha). thx Guestolo for all of this...If u could just answer this Question I would really appreciate it thx, FL :)
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 25, 2005, 05:30:48 PM
k here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:05 PM, on 5/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis.exe

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 25, 2005, 06:48:27 PM
That may be a problem with having to allow AIM through your firewall
Can you check your settings in your Firewall and ensure you have allowed AIM to connect

Also, I asked you this earlier

How many Active Anti-Virus software do you have running on startup?
It's not a good Idea to run more than one
More than one can cause a conflict and battle for the same background scanning and resources
I see Symantec's === Command's AV

And possibly, but you may not be using all the features of Freedom's
http://www.freedom.net/

What features of Freedoms do you have enabled?
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: flplayer67 on May 26, 2005, 11:56:39 AM
um lets c i have norton, microsoft antispyware, and freedom run on startup...yeah i need to stop that...and i did check my firewall from freedom it was blocking AIM, so now that works...oh yeah, on Freedom---the antispyware doesn't work...i'll just reinstall it...thx!
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: culus on May 26, 2005, 03:54:36 PM
LOG REMOVED, please read the following link

~guestolo~

http://www.thetechguide.com/forum/index.php?showtopic=14623
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on May 26, 2005, 06:43:24 PM
Personally, I would just activate Microsoft's Anti-spyware protection
But I'll leave that up to you

I would also do the following
If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: Guest on June 04, 2005, 01:32:42 PM
Hi I have the same exact problem since today morning. I am trying this right now! will be back soon to let you know if this process works for me. thanks.
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: Guest on June 04, 2005, 02:41:49 PM
Hi
This is Guest again.
BIIIIIIIIGGGGGGGGG THANKSSSSSSSSSSSSSSSSSSSSSSSSSSS
IT DID WORK.

I could not find any of the files listed in above help file.

Although, the only two logs I could fix in HIJACKTHIS were:

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{16F0EB89-0F04-4808-AFEF-73F3087C3BF7}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{16F0EB89-0F04-4808-AFEF-73F3087C3BF7}\SECURITY.EXE


Thanks again,
Guest.
Title: www.clicksearchclick.com!! MAKE IT STOP!
Post by: guestolo on June 05, 2005, 07:29:15 AM
Locking this topic as the original poster's problems are resolved
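
The startup entries fixed in this thread share a few recognisable traits, and the Guest's log shows that the GUID folder name differs from one machine to the next, so matching on the exact path is not enough. As an added example (not part of the original thread and not HijackThis's own logic), this Python script triages HijackThis log lines with four heuristics; the heuristic names, the `EXPECTED_DIR` table and the assumption that Windows is installed in C:\WINDOWS are this example's own, and the sample lines are excerpted from the logs posted above.

```python
import ntpath
import re

# Assumption for this example: Windows lives in C:\WINDOWS, as in the logs above.
# Maps well-known system binary names to the only directory they should run from.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "drwatson.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
O4_RUN = re.compile(r"^O4 - \S+: \[(?P<label>.+?)\] (?P<cmd>.+)$")
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)

# Excerpt of lines taken from the logs posted in this thread.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Services\{0F97FA46-8542-4445-9801-3468D577FABD}\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [u36Q35l] dswatson.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{16F0EB89-0F04-4808-AFEF-73F3087C3BF7}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{16F0EB89-0F04-4808-AFEF-73F3087C3BF7}\SECURITY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
'''


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one keystroke away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_exe(cmd):
    """Return the executable from a Run value, dropping quotes and arguments."""
    m = EXE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def check_path(path):
    """Apply the four heuristics to one executable path; return the ones that fire."""
    reasons = []
    directory, name = ntpath.split(path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    if GUID_DIR.search(path):
        reasons.append("guid-named-directory")
    if name in EXPECTED_DIR and directory and directory != EXPECTED_DIR[name]:
        reasons.append("system-name-wrong-directory")
    if not directory:
        reasons.append("no-path")  # bare file name, resolved through the search path
    if name not in EXPECTED_DIR and any(edit_distance(name, s) == 1 for s in EXPECTED_DIR):
        reasons.append("lookalike-name")
    return reasons


def analyze(log_text):
    """Return (source, label, path, reasons) for every flagged process or O4 Run line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = O4_RUN.match(line)
        if run:
            source, label, path = "O4", run.group("label"), extract_exe(run.group("cmd"))
        elif PROCESS.match(line):
            source, label, path = "process", "", line
        else:
            continue
        reasons = check_path(path)
        if reasons:
            findings.append((source, label, path, reasons))
    return findings


if __name__ == "__main__":
    for source, label, path, reasons in analyze(SAMPLE_LOG):
        print(f"{source:8} {label:20} {path}  <- {', '.join(reasons)}")
```

The heuristics are deliberately narrow: randomly named files dropped directly into system32 (such as the `EzvoLQFB.exe` entry above) pass all four checks and still need a human reviewer.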