[carlos_el_criado]

help...i can't get rid of this terrible clicksearchclick thingy
my desktop is conquered by its website and keeps flashing white and grey in colour. a few days ago, actually, the situation was even worse. nothing appeared on my desktop after logging in. juz that i ran panda antivirus and spybot to eliminate some of the clicksearchclick malware. i wonder if it will go off again so better terminate clicksearchclick asap. any help would be greatly appreciated, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 18:42:56, on 10/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\KAV2005\KWatch.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Babylon\Babylon.exe
C:\WINDOWS\system32\Q9.EXE
C:\WINDOWS\system32\QTRAYIME.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {A4F08C33-F2D4-4E48-B016-6BDCD3508FD8} - C:\WINDOWS\System32\ldid.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1633.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O18 - Filter: text/html - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O18 - Filter: text/plain - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Unknown owner - C:\KAV2005\KPfwSvc.EXE (file missing)
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - C:\KAV2005\KWatch.EXE
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

Edited by carlos_el_criado, 10 June 2005 - 05:07 AM.

[Advertisements]

Welcome to GTG.

Update to XP Service Pack 1a as soon as possible. Hold off on SP2 until you are all clear to go.

Download Process Explorer.

Reboot into Safe Mode:

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of ldid.dll once and then click the kill button.

After you have killed all of the ldid.dll's under winlogon click ok.

Next double click on explorer.exe and again click once on each instance of ldid.dll then click the kill button. Once you have done that click ok again.

Go to Start->Run and type in services.msc and hit OK. Then look for Windows Update Service (wuamgrd) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Make SURE that ALL your browsers are closed now. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {A4F08C33-F2D4-4E48-B016-6BDCD3508FD8} - C:\WINDOWS\System32\ldid.dll
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1633.dll"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O18 - Filter: text/html - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O18 - Filter: text/plain - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

Go to Start->Run and type in regsvr32 /u sfg_1633.dll and hit OK.

Delete these files:

C:\WINDOWS\System32\sfg_1633.dll
C:\WINDOWS\System32\ldid.dll

Restart and run this scan:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Restart and post a new HijackThis log.

[greyknight17]

Welcome to GTG.

Update to XP Service Pack 1a as soon as possible. Hold off on SP2 until you are all clear to go.

Download Process Explorer.

Reboot into Safe Mode:

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of ldid.dll once and then click the kill button.

After you have killed all of the ldid.dll's under winlogon click ok.

Next double click on explorer.exe and again click once on each instance of ldid.dll then click the kill button. Once you have done that click ok again.

Go to Start->Run and type in services.msc and hit OK. Then look for Windows Update Service (wuamgrd) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Make SURE that ALL your browsers are closed now. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {A4F08C33-F2D4-4E48-B016-6BDCD3508FD8} - C:\WINDOWS\System32\ldid.dll
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1633.dll"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O18 - Filter: text/html - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O18 - Filter: text/plain - {85689524-0926-454E-BD99-342F56396849} - C:\WINDOWS\System32\ldid.dll
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

Go to Start->Run and type in regsvr32 /u sfg_1633.dll and hit OK.

Delete these files:

C:\WINDOWS\System32\sfg_1633.dll
C:\WINDOWS\System32\ldid.dll

Restart and run this scan:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Restart and post a new HijackThis log.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.