Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

WindowsClick has Ravaged my Computer

Post by Need Help1 » June 9th, 2009, 5:11 pm

WindowsClick.com has ravaged my computer. I have tried everything. I tried to get rid of it using Windows Defender. Windows Defender doesn't start. I also tried Malwarebytes but that doesn't start either. Finally, I just created a HijackThis log. My log is below. I would appreciate any help. :( This is by far the worst malware I have ever seen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:03 PM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1FA04217-88FE-F85C-D5ED-830A7500A69A} - C:\WINDOWS\System32\jarf.dll (file missing)
O2 - BHO: (no name) - {1FA04266-888F-8F50-D5ED-F10A070DA69F} - C:\WINDOWS\System32\jarf.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {875EC112-06FB-2159-8F98-01A2DFA86992} - C:\WINDOWS\System32\jjlzr.dll (file missing)
O2 - BHO: (no name) - {875EC163-068A-5655-8F98-73A2ADA56997} - C:\WINDOWS\System32\jjlzr.dll (file missing)
O2 - BHO: (no name) - {95993E09-A3B7-8B4F-980A-ADC819852A9B} - C:\WINDOWS\System32\vbvhs.dll (file missing)
O2 - BHO: (no name) - {9DF5EE01-7894-0241-95DD-5330531D2492} - C:\WINDOWS\System32\bgo.dll (file missing)
O2 - BHO: (no name) - {9DF5EE06-78E7-074B-95D8-203026102495} - C:\WINDOWS\System32\bgo.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Flashget Download Manager] Flashget.exe
O4 - HKLM\..\Run: [Device] C:\socke.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\Owner\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\Owner\Application Data\Google\afuya1119762.exe" 2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Flashget Download Manager] Flashget.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msisip] C:\WINDOWS\System32\msisip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Owner\nah_kclj.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup155.cab
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: mtklefa - {2BF9371E-BB71-4FBB-65AE-2555F6577C5B} - C:\WINDOWS\System32\iklewu32.dll (file missing)
O21 - SSODL: sLAbZC - {2C100FC0-86BA-A56A-3FCC-6B805F9E0AB2} - C:\WINDOWS\System32\pwys.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing
Need Help1
Active Member
 
Posts: 2
Joined: June 9th, 2009, 5:03 pm
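
A first-pass triage of the HijackThis log posted above, as an added example that is not part of the original thread and is not HijackThis's or the forum's own tooling. The flagging rules and function names are assumptions chosen for illustration; the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1FA04217-88FE-F85C-D5ED-830A7500A69A} - C:\WINDOWS\System32\jarf.dll (file missing)
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Device] C:\socke.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Owner\nah_kclj.exe
O20 - AppInit_DLLs: interceptor.dll
"""
LINE = re.compile(r"^(?P<sec>[ROF]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.+)$")
EXE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr))\b', re.I)
USER_DIRS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

def executable(cmd):
    """Best-effort program path from a Run value (paths may contain spaces)."""
    m = EXE.match(cmd)
    return (m.group("path") if m else cmd.split()[0].strip('"')).lower()

def triage_line(line):
    """Return review flags for one log line (hypothetical rules, not HijackThis's)."""
    m = LINE.match(line.strip())
    if not m:
        return []
    sec, body, flags = m.group("sec"), m.group("body"), []
    if body.endswith("(file missing)"):
        flags.append("target file missing")
    if sec == "O2" and "(no name)" in body:
        flags.append("unnamed BHO")
    if sec == "O20" and body.partition("AppInit_DLLs:")[2].strip():
        flags.append("AppInit_DLLs set")
    run = RUN.match(body) if sec == "O4" else None
    if run:
        path = executable(run.group("cmd"))
        if "\\" not in path:
            flags.append("autorun without full path")
        elif re.fullmatch(r"[a-z]:\\[^\\]+", path):
            flags.append("autorun from drive root")
        elif any(d in path for d in USER_DIRS):
            flags.append("autorun from user-writable directory")
    return flags

def triage(log):
    """Pair each flagged line with its flags, preserving log order."""
    pairs = ((l.strip(), triage_line(l)) for l in log.splitlines())
    return [(l, f) for l, f in pairs if f]
```

A flag marks a line for a human to look at first; it is not a verdict, and unflagged lines still need review.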
Re: WindowsClick has Ravaged my Computer

Post by Dakeyras » June 11th, 2009, 7:16 pm

Hi,

I have bad news I'm afraid :(

Your computer is infected with multiple Backdoor Trojans and IRC Bots, to name but a few.

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: WindowsClick has Ravaged my Computer

Post by Dakeyras » June 14th, 2009, 4:24 pm

Hi :)

Do you require further advice and/or assistance?
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: WindowsClick has Ravaged my Computer

Post by Need Help1 » June 15th, 2009, 2:38 am

Hi. Thank you for your help. Is formatting my computer my only option? I would really like to avoid that if at all possible. You stated you could possibly help me clean the machine. I don't use my laptop for any financial reasons. I use it for e-mail but all of my e-mails are to my mundane drinking buddies. Nothing to really steal there. Any help would be greatly appreciated. Thanks.
Need Help1
Active Member
 
Posts: 2
Joined: June 9th, 2009, 5:03 pm

Re: WindowsClick has Ravaged my Computer

Post by Dakeyras » June 15th, 2009, 3:20 pm

Hi :)

OK, I will respect your decision for myself to attempt a malware removal. However, regardless of the situation, the best advice I can impart is to actually carry out a reformat and reinstallation of the Windows operating system still. Saying that, let's have a further investigation, shall we, but please be aware if at any point I consider your computer a lost cause I will then leave only the option of a reformat and reinstallation of the Windows operating system, OK :thumbup:

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

We need to carry out more in-depth research of your system as follows:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Make sure that RSIT.exe is on your Desktop before running the application!
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and/or problems encountered?
  • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: WindowsClick has Ravaged my Computer

Post by Dakeyras » June 16th, 2009, 11:51 pm

Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: WindowsClick has Ravaged my Computer

Post by chryssi2001 » June 20th, 2009, 9:13 am

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away