TheTechGuide Forum
General Category => Tech Clinic => Topic started by: aceydeucy on May 26, 2005, 10:52:38 AM
-
I have been searching all the threads for possible assistance with clicksearchclick. I have posted my HJT file below. Can anyone please help!
Logfile of HijackThis v1.99.1
Scan saved at 4:13:51 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\Services\{363D56B1-146B-4771-AFE5-6E29F03250FB}\SVCHOST.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\Services\{E23BAABE-EFCC-4D3B-91AD-FFDE8C4B1817}\SVCHOST.EXE
C:\downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E23BAABE-EFCC-4D3B-91AD-FFDE8C4B1817}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{363D56B1-146B-4771-AFE5-6E29F03250FB}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: NEW Click to Update Rebate Now Files.lnk = RebateNow\NEW Click to Update Rebate Now Files.bat
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://acedc7/connectcomputer/nshelp.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ACEDC.local
O17 - HKLM\Software\..\Telephony: DomainName = ACEDC.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ACEDC.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TeleVantage Workstation Service (TvWksSvc) - Artisoft Inc. - C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
-
Please SAVE these instructions to a Notepad file and save it to your Desktop
Disconnect from the Internet, close all browser windows, including this one
Open Hijackthis>>Open Misc tools section>>Open "Delete a File On Reboot"
In the File name field copy and paste (Don't type this in)
The whole path to the file name in bold directly below
C:\WINDOWS\System32\Services\{363D56B1-146B-4771-AFE5-6E29F03250FB}\SVCHOST.EXE
Then click the OPEN button
Hijackthis should prompt you that the file will be deleted and to Reboot your computer
DON'T allow to reboot yet
Instead, do the same for this full path to the file name
C:\WINDOWS\System32\Services\{E23BAABE-EFCC-4D3B-91AD-FFDE8C4B1817}\SVCHOST.EXE
And then this one
C:\WINDOWS\System32\spoolsrv32.exe
After entering the last one you can allow the computer to Reboot
Or Reboot anyways
Back in Windows
Don't open any browsers
Find and delete this folder
C:\WINDOWS\System32\Services <-this folder
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E23BAABE-EFCC-4D3B-91AD-FFDE8C4B1817}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{363D56B1-146B-4771-AFE5-6E29F03250FB}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer again
Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
Run another scan with Hijackthis and post a fresh log
Could you also let me know what this is related to?
O4 - Startup: NEW Click to Update Rebate Now Files.lnk = RebateNow\NEW Click to Update Rebate Now Files.bat
-
Thank you so much for responding. We are in the process of moving today, so this will have to be done after the weekend. I will perform all the steps and post a new HJT. The last file is a company software required file. Thank you again! I will post the HJT next week. Have a good holiday!
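Added example, not part of the original thread or of HijackThis itself: a small Python check that reads a HijackThis log and flags running processes and O4 registry autoruns whose file name is a Windows system binary name but whose folder is not System32, which is the pattern behind the SVCHOST.EXE entries marked for removal above. The expected folder, the list of system names and the function names are assumptions made for this illustration; the sample lines are copied from the log in this thread.

```python
import ntpath
import re

# Assumptions for this example: Windows lives in C:\WINDOWS and these
# binaries are only legitimate when started from System32.
EXPECTED_DIR = r"c:\windows\system32"
SYSTEM_NAMES = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "spoolsv.exe", "ctfmon.exe"}
# Sample input: a selection of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Services\{363D56B1-146B-4771-AFE5-6E29F03250FB}\SVCHOST.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E23BAABE-EFCC-4D3B-91AD-FFDE8C4B1817}\SVCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r'^O4 - \S+: \[[^\]]*\] (.+)$')    # registry Run/RunOnce lines
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)  # path, no arguments

def extract_paths(log_text):
    """Yield (source, path) for running processes and O4 registry autoruns."""
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = O4_RE.match(line)
        if m:
            in_procs, source, cmd = False, "autorun", m.group(1)
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            source, cmd = "process", line
        else:
            in_procs = in_procs and not line   # blank lines do not end the section
            continue
        exe = EXE_RE.match(cmd)
        if exe:
            yield source, exe.group(1)

def misplaced_system_binaries(log_text):
    """Entries named like a system binary but located outside System32."""
    return [(src, p) for src, p in extract_paths(log_text)
            if ntpath.basename(p).lower() in SYSTEM_NAMES
            and ntpath.dirname(p).lower() != EXPECTED_DIR]

if __name__ == "__main__":
    for source, path in misplaced_system_binaries(SAMPLE_LOG):
        print(f"[{source}] system binary name outside System32: {path}")
```

This check only compares file name and folder, so a file such as spoolsrv32.exe sitting directly in System32 is not reported by it and still needs the manual review done in the reply above.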