My laptop was hit hard by the clicksearchclick.com spyware/virus cluster today and I've been working on it for a while. What I've done so far:
Used killbox, smitfraud, and went into safe mode using HijackThis to remove some malicious stuff in accordance with some other clicksearchclick threads in this forum.
Ran Microsoft Antispyware, Ad-Aware Antispyware, Windows CleanUp, and CWShredder to clean up some bits and pieces.
The laptop is running a lot better and appears to be back in order, but I'm still nervous about putting it back online because I'm not convinced that I got everything out of it.
Check it out:
Logfile of HijackThis v1.99.1
Scan saved at 9:23:19 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\[NAME]\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [befxqer] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [xjhfdqk] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [bawyevt] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [alfjbhc] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wckbdlh] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [lhcfoej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wdntjxe] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [eddoaej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [rsvnaca] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [oafmuff] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [iaqtifr] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [pwekmvb] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [tpbrojm] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [dgechjd] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [wqpdyck] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [crmmreq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [jpadbmt] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [grkmygj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [rkbnpgj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [yrhojqo] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [bgtbhdq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [hgelles] c:\windows\xdiolan.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {23F9F3F9-FDB0-3EEF-EF7B-216C470ECC14} - http://69.50.182.94/1/gdnUS1882.exe
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.139/wg_webeye.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
mahalo!!
Edited by supermungky, 25 May 2005 - 01:47 AM.
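The checks that forum helpers apply to a log like this by eye (Run entries with random seven-letter labels all pointing at the same executable in the Windows root, BHOs with no file or loaded from odd paths, unknown Winsock LSP modules, ActiveX downloads from bare IP addresses) can be expressed as a small triage script. The following is an added example, not the poster's work or a HijackThis feature; the heuristics, the `Finding` type and the sample input (a constructed subset of the log lines above) are assumptions made for illustration, not a vetted rule set.

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are assumptions)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of the entries in the poster's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [befxqer] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [xjhfdqk] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {23F9F3F9-FDB0-3EEF-EF7B-216C470ECC14} - http://69.50.182.94/1/gdnUS1882.exe
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.139/wg_webeye.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a look
    line: str      # the raw log line (or the shared target for grouped findings)


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# [label] "C:\path\prog.exe" /optional-switch   or   [label] c:\path\prog.exe
RUN_RE = re.compile(r'Run: \[(?P<label>[^\]]+)\] "?(?P<target>[^"]+?)"?(?:\s+/\S.*)?$')
URL_RE = re.compile(r"https?://\S+")
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe$")


def host_of(text):
    """Return the hostname of the first URL in the line, or None."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def is_ip(host):
    """True when the host part is a bare IP literal rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(log_text):
    findings = []
    run_targets = defaultdict(list)  # lower-cased exe path -> Run labels launching it
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1"):
            host = host_of(rest)
            if host:
                findings.append(Finding(sec, f"browser start/search setting points at {host}", raw))
        elif sec == "O2":
            if rest.endswith("(no file)"):
                findings.append(Finding(sec, "orphaned BHO entry (no file on disk)", raw))
            elif "\\Program Files\\" not in rest:
                findings.append(Finding(sec, "BHO loaded from outside Program Files", raw))
        elif sec == "O4":
            rm = RUN_RE.search(rest)
            if rm:
                target = rm.group("target").lower()
                run_targets[target].append(rm.group("label"))
                if WINDOWS_ROOT_EXE.match(target):
                    findings.append(Finding(sec, "Run entry launches an exe from the Windows root", raw))
        elif sec == "O10":
            # Deleting an LSP DLL by hand leaves a broken Winsock chain; use an LSP-aware tool.
            findings.append(Finding(sec, "unknown Winsock LSP module; repair the chain, do not just delete", raw))
        elif sec == "O16":
            host = host_of(rest)
            if host and is_ip(host):
                findings.append(Finding(sec, f"ActiveX download from bare IP {host}", raw))
            elif rest.lower().endswith(".exe"):
                findings.append(Finding(sec, "DPF entry points at an .exe", raw))
    # Many differently named Run labels launching one binary is a re-spawn pattern.
    for target, labels in run_targets.items():
        if len(set(labels)) > 1:
            findings.append(Finding("O4", f"{len(set(labels))} Run labels all launch {target}", target))
    return findings


def by_section(findings):
    """Count findings per HijackThis section."""
    return Counter(f.section for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it groups the two random-label Run entries under their shared `numbbol.exe` target, flags both DPF entries because their hosts are IP literals, and leaves the Norton BHO and the Microsoft AntiSpyware Run entry alone. The output is a worklist for a human, not a removal list: entries it does not flag (the `win32.exe` Run entry under `wupd`, for instance) still need a look, which is why the Windows-root rule is deliberately narrow.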