clicksearch link hijack removal
25-05-2005 12:48am
Hi Folks
I am really hoping someone here can help me with this as I am at the end of my patience now and am seriously considering the possibility of introducing my pc to my hammer to see if that will fix the problem....
The problem is:
Any of the links on any of my webpages seem to have been hijacked and are all diverted to the "clicksearch.com" website. I can't see any suspicious programs running or any suspicious files in my C: or in Windows. I am using Ad-Aware to search for adware and spyware and Norton Anti-Virus, along with ZoneAlarm, so I can't see how this happened. I really need help here so any ideas or links to removal info are greatly appreciated.
P.S. I don't know if this has been discussed before as I can't view any of the forums (links are diverted!!!) but will be able to see replies to this topic as they are emailed to me
SO PLEASE PLEASE HELP
Comments
I use Spybot - Search and Destroy
WinPatrol and Microsoft Anti Spyware
After installing these and getting the latest security updates from Microsoft, I have no problems with hijacking. WinPatrol is brilliant: if something tries to install in the background, WinPatrol asks you if you want to install it. Simple yet effective.
Post the HijackThis log and I will check it for you
Hello! I noticed this thread in a Google search, as I had the same problem as this fellow this morning. I opened up a browser window, and BAM, I had a dozen icons on my desktop ranging from "Home Loans" to "Cheap Cigarettes" to "Viagra" to "Sports Betting", new favorites, etc. I think I've managed to purge SpySheriff, ZToolbar, and the Clicksearch hijack from the system, but I'm still having some problems with the icons still reappearing on my desktop. HijackThis log as follows:
Logfile of HijackThis v1.97.7
Scan saved at 4:53:06 PM, on 6/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\win32.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: eBay - Homepage (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://docs.us.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC89A9C5-C46B-4F90-BB0F-F3DA86822A20}: Domain = nyu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC89A9C5-C46B-4F90-BB0F-F3DA86822A20}: NameServer = 128.122.253.92,128.122.253.37
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nyu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nyu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nyu.edu
I'd appreciate any feedback you could give, either on the current problem or on pre-existing problems. Thanks.
Hi
I had a similar issue over the weekend, the usuals could not remove it. Spybot - Lavasoft adware - Norton.
Found this utility and it not only found and fixed the issue but found other items that were lurking on my HD. Removed them too.
http://www.ewido.net/en/
Updated signature files are here. http://www.ewido.net/en/download/updates/
I set it up - went into safe mode and ran from there. Sorted
Now, download all of the programs listed below that you don't already have, but please do not run the programs until you are instructed to do so.
Download LSPFix here: http://www.cexx.org/lspfix.zip
Download AdAware from here: http://www.majorgeeks.com/download506.html
Install, read the help files, and then run the Update.
Download Spybot Search+Destroy here: http://www.safer-networking.org/en/download/index.html
Install, read this: http://www.safer-networking.org/en/tutorial/index.html
and then run the Update and enable all protection.
Hmmm, looks like you have a Dell PC, if I'm not mistaken
Next:
Disable the System Restore feature in Windows XP (you can re-enable it again once your system is clean). Here's a link on how to do this (get online if you need to in order to look it up):
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Now onto the removal process: Get off line and close ALL browser windows before you continue.
Run HiJackThis, and have it fix the following.
Delete these items:
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
^^^ Download manager? If yes and you still use it, leave it; if not, uninstall.
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
Next:
You will need to be in Safe Mode for the rest of this removal. Reboot your system and bring it up in Safe Mode (tap F5 or F8 when starting Windows).
Next:
Clear all temp folders for each user on this system (WinXP has up to 4 of them) and the Temporary Internet Files Folder and then empty your "Recycle Bin".
In XP, here are some locations of Temp files:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet ...EMPTY THIS folder
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files ... EMPTY THIS folder
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files ... EMPTY THIS folder
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files ... EMPTY THIS folder
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files... EMPTY THIS folder
Now close that window.
Next: Run Ad-Aware and close program after it has run.
Next: Run Spybot S&D and close program after it has run.
Next: Run LSPFix, which will fix the broken Winsock connections. Close LSPFix.
Also check the following -
Press Start / Run / type "services.msc". There is one there called Messenger; what is the status of it? If automatic, set it to disabled. Don't worry, it is not the same as MSN Messenger!! If this is on you can get pop-ups on your desktop.
Final Step!: Reboot the system into Normal Mode, run HJT again and post the new log file here.
Your log isn't too bad from looking at it
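The reply above picks a handful of entries out of a long HijackThis log by eye. As an added example (not part of the thread and not HijackThis's own logic), the sketch below applies three assumed heuristics to lines copied from the posted log; the function name `triage` and the rules themselves are hypothetical, and a hit means "review this entry", not "delete it".

```python
import re

# Sample input: eight entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\gopy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# A file sitting directly in C:\WINDOWS\SYSTEM or C:\WINDOWS\System32 (no subfolder).
SYSDIR_FILE = re.compile(r"^[a-z]:\\windows\\system(32)?\\[^\\]+$", re.I)
# rundll32 followed by its DLL argument (everything up to the first comma or space).
RUNDLL = re.compile(r"^rundll32(\.exe)?\s+([^,\s]+)", re.I)


def triage(log_text):
    """Return (section, reason, line) for each entry the assumed rules flag."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        target = body.rsplit(" - ", 1)[-1]  # last field: file path or URL
        if section == "O2" and "(no name)" in body and SYSDIR_FILE.match(target):
            findings.append((section, "unnamed BHO loaded from the Windows system directory", line))
        elif section == "O4":
            cmd = body.split("] ", 1)[-1]  # command after the [value name]
            r = RUNDLL.match(cmd)
            if r and "\\" not in r.group(2):
                findings.append((section, "Run key starts rundll32 on a DLL given without a path", line))
        elif section == "O16" and target.lower().endswith((".dll", ".exe")):
            findings.append((section, "ActiveX codebase is a bare .dll/.exe, not a .cab", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample, the three flagged lines are the gopy.dll BHO, the "Systems Restart" Run entry and the chargitplug.dll DPF, all of which the reply lists for fixing; the NetAnts context-menu items it also mentions are a judgement call that no rule here covers.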
Well, I did exactly as you told me, and all of the pop-ups and icons and basically every symptom of the problem is gone. My background is back (and alterable) again. Problem is, now HijackThis, the Task Manager, and some other programs are crashing like mad with the "*** has encountered an error and must close" excuse. Any idea what could be causing this?
Thanks.
Send me the application event logs via MSN
I will check them