infected with Clkoptimizer

Discussion in 'Malware Help (A Specialist Will Reply)' started by twistitup, Jan 31, 2005.

  1. twistitup

    twistitup Private E-2

    Howdy

    Windows XP
    Professional
    Version 2002
    Service Pack 2

    Intel(R) Pentium(R)
    Mobile CPU 1000MHz
    996 MHz, 384MB of RAM

    I have been infected with clkoptimizer for 2 weeks now and tried to remove it several times. It reinstalls when I restart.

    I have read and done READ ME FIRST BEFORE ASKING FOR SUPPORT. Done the scans in safe mode with restore off.

    Webroot Spy Sweeper finds it in (Threats in Memory) and as a (Registry Entry) and also these files:
    c:/winnt/system32/pcuzgi.dll
    c:/winnt/system32/aepuzs.dll
    c:/winnt/system32/qhumpx.exe
    It removes them and everything is fine until I reboot then they are back.

    If you want me to run and attach a HijackThis log I can.

    Thanks in advance, appreciate it.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. twistitup

    twistitup Private E-2

    Firstly, thanks a lot for your help.

    here is my log.
    This is post-scan-and-remove with Spy Sweeper, so I am not getting pop-ups but will once I restart.
    If you would prefer a log after restart let me know.

    Shout out to ya
     
  4. twistitup

    twistitup Private E-2

    Not sure why the log file didn't attach, so here it is again - sorry.
    If you want me to do the log after restart, let me know.

    thanks
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I will need a log after reboot but I can see a real nasty in there already:

    O4 - Global Startup: nhgpyf.exe

    This may take some work. I am going to give you some stuff to do at the end of this message.

    Also the below should not be necessary and it is never a good idea to add things to your Trusted Zone. Is this something you put there? Do you know that it is really required?
    O15 - Trusted Zone: http://isweb1.rockefeller.edu

    Download the below tools but only run what I request:

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Generic Find It Tool - NT/2000/XP


    Extract all the files from the Generic Find It Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.
     
  6. twistitup

    twistitup Private E-2

    YO

    So I have some nasty little critters.

    Both these logs are done after a reboot.

    For your info, after reboot
    Spy Sweeper detects nhgpyf.exe in the Startup folder; it says I can remove it, but I have done this before and it just comes back in 10 seconds.
    When I open a webpage Spy sweeper detects Clkoptimizer running.

    If I do a scan with Ad-aware SE it finds the nasties CoolWebSearch and VX2

    I did not remove any of these.

    As for this
    O15 - Trusted Zone: http://isweb1.rockefeller.edu
    I'm not sure how it got there; Rockefeller is the university I go to and live at. I presume it is not required and can be removed.

    Thanks I can see the end of the pop up tunnel...
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information in the below quote box to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Double-click it and grant it permission to merge in the registry entries.
    Quote:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-

    We have some files that we need to delete using Killbox (instructions on how to do this are further down):

    C:\WINNT\system32\qhumpx.exe
    C:\WINNT\system32\aepuzs.dll
    C:\WINNT\system32\pcuzgi.dll
    C:\WINNT\system32\vpuyqg.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nhgpyf.exe

    and C:\WINNT\system32\kwuoyq.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\system32\kwuoyq.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\system32\qhumpx.exe


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\system32\kwuoyq.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After reboot post another log from this new find.bat program and also post a new HJT log. Let me know if you get any errors when you reboot. Write down the exact message if you do get any. DO NOT REBOOT at this point until you get the next instructions from me. Doing so could cause this trojan to mutate and spread.
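    The procedure in this reply (and the O4 fix in the later one) boils down to two things: find what is re-launching the random-named binaries at boot, and delete those binaries before they get a chance to run. The PowerShell below is an added example for readers of this thread; it is not code from the original posts, from HijackThis, or from Pocket Killbox. It assumes a modern Windows PowerShell 5.1+ session run as Administrator. The first two functions audit the same locations a HijackThis "O4" line covers (the Run/RunOnce keys and the Startup folders, "Global Startup" being the All Users one) and flag entries that look like the thread's nhgpyf.exe / qhumpx.exe, including the "Narrator" Run value that the .reg file above removes. The third function does what Killbox's "Replace on Reboot" option relies on: the MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the deletion for the next boot. Paths such as C:\WINNT\system32\qhumpx.exe are taken from the thread and used only in the usage comments.

```powershell
# Added example for this thread (not code from the original posts or the tools named in them).
# Assumes Windows PowerShell 5.1+ running as Administrator.

# HijackThis "O4" covers these autostart locations.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('CommonStartup'),   # "Global Startup" in HJT terms (All Users)
    [Environment]::GetFolderPath('Startup')          # per-user Startup folder
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Files dropped in the Startup folders.
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-SuspiciousAutostart {
    param([Parameter(Mandatory)] $Entry)
    # Pull the executable path out of the command line (quoted path or first token).
    $exe = if ($Entry.Command -match '^"([^"]+)"') { $Matches[1] } else { ($Entry.Command -split ' ')[0] }
    $reasons = @()
    # Heuristic 1: random-looking lowercase 5-7 letter basename (qhumpx.exe, nhgpyf.exe, kwuoyq.exe in the thread).
    # -cmatch keeps the test case-sensitive; this is a heuristic and will also flag some legitimate names.
    if ([IO.Path]::GetFileName($exe) -cmatch '^[a-z]{5,7}\.(exe|dll)$') { $reasons += 'random-looking name' }
    # Heuristic 2: a well-known value name pointing at the wrong binary ("Narrator" -> random exe in this thread).
    if ($Entry.Name -eq 'Narrator' -and [IO.Path]::GetFileName($exe) -ine 'narrator.exe') { $reasons += 'name/target mismatch' }
    # Heuristic 3: the target is missing or not validly signed.
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'target missing'
    }
    [pscustomobject]@{
        Entry      = $Entry
        Executable = $exe
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL destination deletes the file during the
# next boot, before any autostart entry can launch it. This is the Win32 mechanism behind a
# "delete on reboot" tool; it is not Killbox's own code.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path} (Win32 error $err)"
    }
    # The queued operation is visible under
    # HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
}

# Usage: audit first, act only on entries you have confirmed.
Get-AutostartEntries | ForEach-Object { Test-SuspiciousAutostart $_ } |
    Where-Object Suspicious | Format-Table Executable, Reasons -AutoSize

# Then, for confirmed files, the equivalent of the thread's .reg merge and Killbox steps:
#   Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Narrator'
#   Remove-FileOnReboot -Path 'C:\WINNT\system32\qhumpx.exe'
#   Restart-Computer
```

Run the audit, check each flagged entry by hand (the name heuristic is deliberately loose), and only then remove the Run value and queue the deletions; queue every file before the single reboot, exactly as the reply above sequences it, so the dropper and the file it re-creates are removed in the same boot.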
     
  8. twistitup

    twistitup Private E-2

    Wow, this is crazy shit.

    I think it all went well.

    After doing Killbox I did the reboot and got these messages in this order.
    -------------------------------------------------------------
    C:\WINNT\system32\qhumpx.exe
    C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    Close Ignore
    ----------------------------------------------------------------
    - I chose 'Close'; hope this was correct.
    ----------------------------------------------------------------
    C:\DOCUME~1\ALLUSE~1\Programs\Startup\nhgpyf.exe
    C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    Close Ignore
    ----------------------------------------------------------------
    - I chose 'Close'; hope this was correct.
    ----------------------------------------------------------------
    Then Spy Sweeper Start-up Shield detected the file nhgpyf.exe, saying it will start when Windows starts.
    I had the option to remove it but did not; just closed Spy Sweeper and did the logs.
    ----------------------------------------------------------------
    Also when I run find.bat I get this message
    C:\WINNT\system32\cmd.exe
    C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    Close Ignore
    ----------------------------------------------------------------
    I chose 'Ignore' for this one so I could run the program and do the log. This also happened when I did the initial log with find.bat; maybe I should've told you this in my last post - sorry.

    ---------------------------------------------------------------
    It's fun deleting this little critter; thanks again, you are a saviour.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Exit all browsers and run HJT and have it fix the below line:

    O4 - Global Startup: nhgpyf.exe

    Then rescan with HJT and make sure it is gone.
    Now reboot and keep track of any error messages again.
    Scan again with HJT and post your log.
     
  10. twistitup

    twistitup Private E-2

    Went well again, no error messages at start-up; however, once again
    Spy Sweeper Start-up Shield detected the file nhgpyf.exe, saying it is a program that will install when Windows starts.
    I had the option to remove it but did not; just closed Spy Sweeper and did the log with HJT.

    However I did some web surfing and don't seem to be getting pop-ups so am I at the end of the tunnel?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! The line is no longer in your log meaning it is not loading. Do another reboot, if you get the message again, allow SpySweeper to remove it and let's see what happens.

    If that still does not fix this completely post another find.bat log from the Generic Tool.
     
  12. twistitup

    twistitup Private E-2

    Looks like you have managed to kill another Trojan and make another person very happy.

    Spy sweeper seems to be happy after re-boot and removal of file.

    Not getting any pop ups while surfing.

    So thumbs up, systems are go.

    Thanks heaps.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member