
clicksearch link hijack removal

  • 24-05-2005 11:48pm
    #1
    Registered Users, Registered Users 2 Posts: 2,823 ✭✭✭


    Hi Folks

    I am really hoping someone here can help me with this as I am at the end of my patience now and am seriously considering the possibility of introducing my pc to my hammer to see if that will fix the problem....

    The problem is:
    Any of the links on any of my webpages seem to have been hijacked and are all diverted to the "clicksearch.com" website. I can't see any suspicious programs running or any suspicious files in my C: or in windows. I am using Ad-Aware to search for adware and spyware and Norton anti-virus, along with zone-alarm so I can't see how this happened. I really need help here so any ideas or links to removal info are greatly appreciated.

    P.S. I don't know if this has been discussed before as I can't view any of the forums (links are diverted!!!) but will be able to see replies to this topic as they are emailed to me

    SO PLEASE PLEASE HELP


Comments

  • Registered Users, Registered Users 2 Posts: 19,608 ✭✭✭✭sceptre


    Hijack This

    Generally does the trick.


  • Registered Users, Registered Users 2 Posts: 3,612 ✭✭✭Lord Nikon


    I use Spybot - Search and Destroy
    WinPatrol and Microsoft Anti Spyware

    After installing these and getting the latest security updates from Microsoft, I have no problems with HiJacking. WinPatrol is brilliant, if something tries to install in the background, WinPatrol asks you if you want to install it. Simple yet effective.


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Post the HijackThis log and I will check it for you.


  • Closed Accounts Posts: 2 oddball91


    Hello! I noticed this thread in a Google search, as I had the same problem as this fellow this morning. I opened up a browser window, and BAM, I had a dozen icons on my desktop ranging from "Home Loans" to "Cheap Cigarettes" to "Viagra" to "Sports Betting", new favorites, etc. I think I've managed to purge SpySheriff, ZToolbar, and the Clicksearch hijack from the system, but I'm still having some problems with the icons still reappearing on my desktop. HijackThis log as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:53:06 PM, on 6/5/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\FRAPS\FRAPS.EXE
    C:\WINDOWS\System32\win32.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: eBay - Homepage (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://docs.us.dell.com/systemprofiler/SysPro.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EC89A9C5-C46B-4F90-BB0F-F3DA86822A20}: Domain = nyu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EC89A9C5-C46B-4F90-BB0F-F3DA86822A20}: NameServer = 128.122.253.92,128.122.253.37
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nyu.edu
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nyu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nyu.edu



    I'd appreciate any feedback you could give, either on the current problem or on pre-existing problems. Thanks.


  • Closed Accounts Posts: 364 ✭✭odie


    Hi

    I had a similar issue over the weekend, the usuals could not remove it. Spybot - Lavasoft adware - Norton.

    Found this utility and it not only found and fixed the issue but found other items that were lurking on my HD. Removed them too.

    http://www.ewido.net/en/
    Updated signature files are here. http://www.ewido.net/en/download/updates/

    I set it up - went into safe mode and ran from there. Sorted


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Now, download all of the programs listed below that you don't already have, but please do not run the programs until you are instructed to do so.

    Download LSPFix here: http://www.cexx.org/lspfix.zip

    Download AdAware from here: http://www.majorgeeks.com/download506.html
    Install, read the help files, and then run the Update.

    Download Spybot Search+Destroy here: http://www.safer-networking.org/en/download/index.html
    Install, read this: http://www.safer-networking.org/en/tutorial/index.html
    and then run the Update and enable all protection.

    Hmmm, looks like you have a Dell PC, if I'm not mistaken.

    Next:
    Disable the System Restore feature in Windows XP (you can re-enable it again once your system is clean). Here's a link on how to do this (get online if you need to look it up):

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

    Now onto the removal process: Get off line and close ALL browser windows before you continue.

    Run HiJackThis, and have it fix the following.

    Delete these items:

    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll

    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer

    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    ^^^ Download manager: if yes and you still use it, leave it; if not, uninstall.

    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

    Next:
    You will need to be in Safe Mode for the rest of this removal. Reboot your system and bring it up in Safe Mode (tap F5 or F8 when starting Windows).
    Next:
    Clear all temp folders for each user on this system (WinXP has up to 4 of them) and the Temporary Internet Files Folder and then empty your "Recycle Bin".

    In XP, here are some locations of Temp files:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet ...EMPTY THIS folder
    C:\Documents and Settings\Username\Local Settings\Temporary Internet Files ... EMPTY THIS folder
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files ... EMPTY THIS folder
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files ... EMPTY THIS folder
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files... EMPTY THIS folder
    Now close that window.

    Next: Run Ad-Aware and close program after it has run.

    Next: Run Spybot S&D and close program after it has run.

    Next: Run LSPFix, which will fix the broken Winsock connections. Close LSPFix.

    Also check the following -
    Press Start / Run / type "services.msc". There is one there called Messenger; what is the status of it? If automatic, set it to disabled. Don't worry, it is not the same as MSN Messenger!! If this is on you can get pop-ups on your desktop.

    Final Step!: Reboot the system into Normal Mode, run HJT again and post the new log file here.

    Your log isn't too bad from looking at it
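
A small triage sketch for the kind of HijackThis log posted in this thread, added here as an example (it is not part of any poster's reply and not HijackThis's own logic). The three heuristics are assumptions modelled on the entries picked out in the reply above; they only mark lines for a person to review.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^\s*([ROF]\d{1,2}) - (.*)$")

def parse(log):
    """Return (section, detail) tuples for every R/O/F entry line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def review_reason(section, detail):
    """Return why an entry deserves a manual look, or None (assumed heuristics)."""
    low = detail.lower()
    if section == "O2":
        # Unnamed browser helper object whose DLL lives in the Windows tree.
        m = re.match(r"bho: \(no name\) - \{[^}]+\} - (.+)$", low)
        if m and m.group(1).startswith("c:\\windows\\"):
            return "unnamed BHO loaded from the Windows directory"
    if section == "O4":
        # Autorun that hands rundll32 a DLL name with no directory.
        m = re.search(r"\]\s*rundll32(?:\.exe)?\s+([^,\s]+\.dll)", low)
        if m and "\\" not in m.group(1):
            return "Run key starts rundll32 on a DLL given without a path"
    if section == "O16" and low.rstrip().endswith(".dll"):
        # Downloaded ActiveX component whose codebase is a bare .dll URL.
        return "DPF entry whose codebase is a .dll rather than a .cab"
    return None

def triage(log):
    """Return (section, reason, detail) for each entry worth reviewing."""
    hits = ((s, review_reason(s, d), d) for s, d in parse(log))
    return [h for h in hits if h[1]]

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {detail}")
```

A flagged line is a prompt to look up the file or CLSID before touching it, and an unflagged line is not cleared by this.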


  • Closed Accounts Posts: 2 oddball91


    Well, I did exactly as you told me, and all of the pop-ups and icons and basically every symptom of the problem is gone. My background is back (and alterable) again. Problem is, now HijackThis, the Task Manager, and some other programs are crashing like mad with the "*** has encountered an error and must close" excuse. Any idea what could be causing this?

    Thanks.


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Send me the application event logs via MSN.

    I will check them.

