Need help with Win32/ClickSpring Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by Moshiach, Sep 13, 2007.

  1. Moshiach

    Moshiach Private E-2

    I've done everything in the "READ & RUN ME FIRST" guide, which seems to have cleared up everything except for 2 errors I'm getting now.

    On boot I get...

    "The module "C:\ProgramData\jifwlizw.dll" failed to load.

    Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files"

    Then 30 sec later I'll have Windows Defender prompting me that it's found the Win32/ClickSpring Virus, which it fails to remove.

    I've had a go at reading through "HJT Tutorial & LOG File Posting" but it's pretty confusing and I don't want to delete anything I need.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I see you are running Vista! Do you or did you have UAC disabled?

    The below are the required steps as stated in the HJT Tutorial!!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Moshiach

    Moshiach Private E-2

    I've run through all of the steps and still have problems. Windows Defender is still finding the Win32.ClickSpring virus, I'm still getting that error on boot, I have 3 instances of rundll32 running in Task Manager, and AVG is finding Downloader.Generic3.QFH.

    And yes, I'm running Vista.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the requested log from CounterSpy. Please attach it.

    First we must disable Windows Defender's realtime protection to avoid having it get in our way.

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Now goto Add/Remove programs and try to uninstall the below. If it fails to uninstall, just skip onto the next steps.
    Outerinfo

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Windows\?asks\w?wexec.exep.exe

    After killing all the above processes, click Back. Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {716ADDF8-1B45-38B3-6553-4C71C50591C5} - C:\Windows\system32\bfjmsk.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [stwtmvgd] rundll32.exe "C:\Program Files\stwtmvgd\kxqvqluh.dll",Init
    O4 - HKLM\..\Run: [jifwlizw] regsvr32 /u "C:\ProgramData\jifwlizw.dll"
    O4 - HKCU\..\Run: [Itcc] C:\Windows\?racle\??rvices.exe
    O4 - HKCU\..\Run: [Ieuu] "C:\Users\Ben\AppData\Roaming\ECURIT~1\regedit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Chbck] C:\Windows\?asks\w?wexec.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now reboot in safe mode and delete the below files if found:
    C:\Windows\System32\wtssvtr.exe
    C:\Windows\System32\bfjmsk.dll
    C:\Program Files\stwtmvgd\kxqvqluh.dll
    C:\ProgramData\jifwlizw.dll

    Now please delete the below folder. Note that the question mark character represents unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add a comment next to the item. Note the date of the folder, which will help you to locate it:
    Code:
    "C:\Windows\"
    ASKS~1        14 Sep 2007              "?asks"   <-- may look like Tasks
    
    Now reboot into normal boot mode.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
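As an added example (not part of this thread or of HijackThis), here is a Python triage of HijackThis O4 (Run key) lines modelled on the ones quoted above. It flags the "?" placeholders HijackThis prints for unprintable path characters, raw non-ASCII characters in folder names (the "?asks" that may look like Tasks), and rundll32/regsvr32 entries used as DLL loaders, especially from user-writable locations such as C:\ProgramData. The sample lines are constructed; the Cyrillic letter in "Tasks" is a stand-in for the unprintable character.

```python
import re

# Constructed sample HijackThis O4 lines modelled on the log quoted in this
# thread. HijackThis prints unprintable path characters as "?"; the third line
# instead carries a Cyrillic "Т" (U+0422) so the check also sees a raw
# non-ASCII character, as it would in a log pasted from the clipboard.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKLM\\..\\Run: [jifwlizw] regsvr32 /u "C:\\ProgramData\\jifwlizw.dll"
O4 - HKCU\\..\\Run: [Chbck] C:\\Windows\\Тasks\\wowexec.exe
O4 - HKLM\\..\\Run: [stwtmvgd] rundll32.exe "C:\\Program Files\\stwtmvgd\\kxqvqluh.dll",Init
O4 - HKCU\\..\\Run: [Itcc] C:\\Windows\\?racle\\??rvices.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LOADERS = ("rundll32", "regsvr32")  # signed system binaries that load a DLL for you
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")

def target_path(cmd):
    """First quoted string if present, else the first whitespace-delimited token."""
    quoted = re.search(r'"([^"]+)"', cmd)
    return quoted.group(1) if quoted else cmd.split()[0]

def assess_run_entry(line):
    """Return the reasons one O4 line deserves a closer look ([] means nothing odd)."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m.group("cmd")
    path = target_path(cmd)
    reasons = []
    if any(not 32 <= ord(ch) <= 126 for ch in path):
        reasons.append("path contains a non-ASCII or control character (may mimic a system folder)")
    if "?" in path:
        reasons.append("'?' is not legal in a Windows path; HijackThis prints it for unprintable characters")
    loader = next((l for l in LOADERS if cmd.lower().lstrip('"').startswith(l)), None)
    if loader:
        where = " from a user-writable location" if any(d in path.lower() for d in USER_WRITABLE) else ""
        reasons.append(f"{loader} used as a loader{where}; verify the DLL {path} is known")
    return reasons

def triage(log_text):
    """Map each flagged Run-key name to its reasons; clean entries are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = assess_run_entry(line)
        if reasons:
            flagged[O4_RE.match(line).group("name")] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```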
