my internet explorer has been taken over by clicksearchclick
its taken my homepage, gives me popups, interferes with my google searches and also redirects about 70% of my links to their website.
here is my log
Logfile of HijackThis v1.99.1
Scan saved at 9:44:53 PM, on 1/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Documents and Settings\bernd\My Documents\Hagens Bernd stuff\winmx354beta3\WinMX.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\WINDOWS\System32\svchost.exe
C:\oldfiles\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\msxct.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\Services\{ED2AB275-14CE-4B80-ABE9-3EB59EC04C56}\SVCHOST.EXE
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\system32\w?nword.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\oldfiles\PROGRA~1\INCRED~1\bin\IncMail.exe
c:\windows\system32\jrrxtt.exe
C:\WINDOWS\nmstt.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\OldFiles\Program Files\Opera\opera.exe
C:\Documents and Settings\bernd\My Documents\Ian's Stuff\fix\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.swr3.de/m...usik/webradio/"); (C:\Documents and Settings\bernd\Application Data\Mozilla\Profiles\default\04b9sttw.slt\prefs.js)
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {F525626F-ABDB-DC06-D097-A50FAB974AB2} - C:\WINDOWS\System32\sjxwoyb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O6 "USB001" /M "Stylus C43"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ED2AB275-14CE-4B80-ABE9-3EB59EC04C56}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{ED2AB275-14CE-4B80-ABE9-3EB59EC04C56}\SECURITY.EXE
O4 - HKLM\..\Run: [578P32U] filrstart.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sys5917] C:\WINDOWS\sys5917.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [zpzndfs] c:\windows\system32\jrrxtt.exe
O4 - HKLM\..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKCU\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /M "Stylus C43"
O4 - HKCU\..\Run: [IncrediMail] C:\oldfiles\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [WinMX] C:\Documents and Settings\bernd\My Documents\Hagens Bernd stuff\winmx354beta3\WinMX.exe -m
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Smad] C:\Program Files\lese\pcrb.exe
O4 - HKCU\..\Run: [KwrFRSY4i] fauopy16.exe
O4 - HKCU\..\Run: [Imjto] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [sys5917] C:\WINDOWS\sys5917.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\oldfiles\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0A8FC4BC-F678-5156-06C2-071A0B63A173} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {1162685C-1D8C-1C0F-A63B-544D1EA64ED3} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {11A1C8B0-760D-5954-923A-234B60610AAA} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {1CB8C1E3-1E59-36D3-5758-2FA333BE30C0} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {5A955635-5F70-113E-961A-0FF53A62F525} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {62218ECD-AFE8-6BA8-E35A-4974043181BA} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {6B422A1D-A28D-2B7D-60BD-1D2026C79CF9} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {6D5A387D-60D4-309F-577E-3A16019FDA00} - http://69.50.182.94/1/rdgAU1953.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=3548
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {A098F1EB-4EEE-462E-975C-3A5FB0FB2A5C} - vr_sys.dll (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
please help
Thank you
hifi
Edited by HI_FI_lo, 01 June 2005 - 07:45 AM.