Please help - Clicksearchclick browser hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by mjgreen60, Jun 12, 2005.

  1. mjgreen60

    mjgreen60 Private E-2

    Hi there,

    I am currently trying to sort a friend's computer which I think has been hijacked by clicksearchclick. I am assuming it is this as his homepage has been changed to www.clicksearchclick.com. Also whenever he starts the computer a pop-up appears saying that "Windows Explorer has encountered a problem and needs to close" etc - the standard one that everyone knows and loves!!

    I have run ad-aware which found a few problems but not much, I have also tried to install spybot S&D but there is a problem with downloading the appropriate files. Ccleaner found a whole wealth of things and I had it sort them.

    I have followed all of the other advice from the removal section and he is still infected.

    I have scanned with HJT and have the log file - would it help if I posted it?

    I would be really grateful for any help as I am stumped!!

    Many thanks,

    Matt
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we get to a HijackThis log, we have standard cleanup processes to follow. Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. mjgreen60

    mjgreen60 Private E-2

    Hi Chaslang,

    Thanks for the reply - I ran all of the scans in the tutorial. Some of the anti-spyware scans came up with a few things which were successfully treated. However, the problem still seems to exist!!

    I have attached a copy of the log and would be really grateful if you could cast your eye over it and suggest any alterations.

    Many thanks,

    Matt
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are way out of date and represent a major security risk. After we fix your current problems you must get updated. We will cover this later.

    Do you really use all these messenger programs? Especially Logitech which is a cause of problems as seen in your log!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61783548} - (no file)
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721316} - (no file)
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{169CADB6-2E23-4B14-B8C0-EADA576FB623}\SVCHOST.EXE
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{F0305D5D-2DFE-45A1-A37A-302DA0CA37B1}\SECURITY.EXE
    O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars 2.2\WiseUpdt.exe
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hkhpa.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dld/317.chm::/file.exe
    O18 - Protocol: bw+0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {6D4A1378-791F-4526-8D56-621AB47B41C2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\Services <--- the whole folder
    C:\WINDOWS\q603507_disk.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
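    The lines chaslang selected above follow a few recognisable patterns in the HijackThis sections: an R0 start page the user never chose, O2 BHOs with no backing file, O4 autoruns living in a GUID-named folder under System32\Services, O16 entries sourced from a local file or CHM instead of a web URL, and an O20 Winlogon Notify DLL outside System32. As an added example that is not part of this thread or of HijackThis itself, the Python script below encodes those patterns as explicit triage rules and runs them over the lines quoted above plus two constructed benign entries for contrast; the LOOKALIKES set, the severity labels and the rule boundaries are my assumptions.

```python
"""Triage rules for HijackThis-style log lines (added example, not a MajorGeeks tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: binaries that only legitimately run from System32, so a same-named
# file elsewhere (like the thread's Services\{GUID}\SVCHOST.EXE) is a look-alike.
LOOKALIKES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
GUID_DIR = re.compile(r"\\system32\\services\\\{[0-9a-f-]{36}\}\\", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O20 - <body>"


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if no rule fires."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec in ("R0", "R1") and " Page = " in body:
        url = body.split(" = ", 1)[1]
        if not url.lower().startswith("about:"):
            return Finding(sec, "medium", f"start/search page set to {url}; confirm the user chose it", line)
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "low", "BHO CLSID with no backing file (orphan); safe to fix", line)
    if sec == "O4":
        target = body.split("] ", 1)[-1]            # text after "[name] " is the command
        if GUID_DIR.search(target):
            return Finding(sec, "high", "autorun binary hidden in a GUID-named folder under System32\\Services", line)
        if target.rsplit("\\", 1)[-1].lower() in LOOKALIKES and not SYSTEM32.match(target):
            return Finding(sec, "high", "system-binary name running from outside System32", line)
    if sec == "O16":
        source = body.split(" - ", 1)[-1]           # "DPF: {CLSID} - <source>"
        if not re.match(r"https?://", source, re.I):
            return Finding(sec, "high", "Download Program Files entry sourced from a local file or CHM, not a web URL", line)
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        dll = body.split(" - ", 1)[-1]
        if dll.endswith("(file missing)"):
            return Finding(sec, "low", "Notify package points at a deleted DLL; fix the entry so winlogon stops looking for it", line)
        # Stock Notify entries are typically a bare file name resolved from System32;
        # a full path outside System32 is what the thread's "style2" entry looks like.
        if "\\" in dll and not SYSTEM32.match(dll):
            return Finding(sec, "high", "Notify DLL outside System32 is loaded into winlogon.exe at every logon", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every rule over a whole log, preserving line order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: lines quoted in the thread plus two benign entries (ctfmon.exe
# and crypt32chain) added here so the rules have negative cases to leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61783548} - (no file)
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{169CADB6-2E23-4B14-B8C0-EADA576FB623}\SVCHOST.EXE
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hkhpa.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dld/317.chm::/file.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

    The rules are a reading aid for the log, not a replacement for checking each file on disk as the thread does.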
  5. mjgreen60

    mjgreen60 Private E-2

    Hi Chaslang,

    Thank you so so much for all of your help. Hopefully it has worked, the homepage seems to be staying the same etc. However, the "windows explorer has encountered a problem and needs to close. We are sorry for the inconvenience" pop-up still keeps coming up as soon as I start windows, clicking the Send Error Report or Don't Send buttons just refreshes the screen and it appears again - could this be linked? If not, do you know of any fixes?

    I am really stuck.

    Thanks once again for all your help.

    Matt
    P.S. I have attached the new log file.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's first finish with current problems before worrying about the Explorer error.

    How do you connect to the internet (dial-up, cable, DSL, etc)?

    Please download L2MeFix Tool

    Move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!
    Now reconnect and come back here and post as attachments the l2mfix log. Do not reboot or shutdown your PC after posting this log.
     
  7. mjgreen60

    mjgreen60 Private E-2

    Hi there,

    Thanks once again for your help - I have done all you suggested and have attached the report to this - not a clue what it all means but I'm guessing you do!!

    Many thanks,

    Matt
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.


    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad.

    Again, don't run any other files in the L2MFix folder.

    Okay after doing the above DO NOT REBOOT. Now reconnect to the internet and come back here and post and attach the L2MeFix Log.

    Also post a new HijackThis log.
     
  9. mjgreen60

    mjgreen60 Private E-2

    Hi Chaslang,

    I know I keep saying it, but I am really grateful for all you have done and are still doing!!

    Have run the two scans and have attached the two logs.

    Many thanks once again,

    Matt
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. The below line:


    O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll

    still worries me.

    Click Start, Run and enter regedit and click OK. Navigate to the below registry key by clicking the +'s to expand things like you would in Windows explorer:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian

    - Right click over "Guardian" in the left pane.
    - Left click on "Permissions"
    Now at the top of the form under the Group or user name: heading
    - Left click "SYSTEM" once to highlight it.
    In the bottom Permissions for System part of the form:
    - Under the Deny column check all boxes that are enabled (this may only be Full Control and Read)
    - Left click Apply
    - Left Click OK

    Say "OK" to any warnings about permissions
    NOW immediately Reboot your PC into safe mode.
    Now see if you can delete the below file.
    C:\WINDOWS\q603507_disk.dll


    NOTE: If you do not find that registry key, just come back and tell me.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If my previous message did not help get rid of this O20 line, follow the steps below:

    Please download Process Explorer unzip it to a folder where you can find it later to run.

    Download Pocket Killbox and save it to its own folder where you can find it. Extract it from the ZIP file. We will run it later


    Now reboot your PC into safe mode with no networking support. Run all steps below in safe mode until told to reboot in normal mode.


    Run Process Explorer (double click on procexp.exe)

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of q603507_disk.dll once and then click the kill button.

    After you have killed all of the q603507_disk.dll's under winlogon click OK.

    Next double click on explorer.exe and again click once on each instance of q603507_disk.dll then click the kill button. Click on the Threads tab at the top.

    Once you have done that click OK again.

    Next run HijackThis and place a check beside each of the following.

    O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll

    Now click fix checked and close HijackThis.


    Double click on Killbox.exe and then check the delete on reboot button.

    Enter the following filepath and filename into the Full path of file to delete box

    C:\WINDOWS\q603507_disk.dll

    Click the red circle with the white x and say yes to delete and yes to the prompt to reboot. Allow your computer to reboot into normal mode.

    After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
     
  12. mjgreen60

    mjgreen60 Private E-2

    Hi,

    I tried to locate the registry key you said about, however I couldn't find it. I did find the C:\WINDOWS\q603507_disk.dll file however I was refused access to delete even though it wasn't checked as read only.

    I ran process explorer and there were no cases on the dll running so I ran killbox and it seems to have removed it from the system effectively. This has thankfully stopped the problem with explorer - thanks so much. I ran HJT and noticed that the O20 entry is still there, but as you can see on the attachment, it is coming up as file missing - should I try fixing it with HJT again?

    Are there any more steps you think I should take? I assume from what you said earlier, the system needs updating. Will this just be a case of running Windows Update?

    Many thanks once again,

    Matt

    P.S. HJT log is attached
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HJT and have it fix the below line:

    O20 - Winlogon Notify: style2 - C:\WINDOWS\q603507_disk.dll (file missing)


    Double check yourself and make sure that line goes away. Just let me know the result.

    Then follow all the steps in the below thread to help keep you clean. The first step in that thread is a link to Windows Update:

    How to Protect yourself from malware!
     
  14. mjgreen60

    mjgreen60 Private E-2

    Hi Chaslang,

    I have run HJT which eventually got rid of the O20 line, have checked it again and it has now gone.

    Thanks so much for all your help in this - would have been lost without you.

    Have shown him how to do all the updates and told him to keep on top of them now!! (First new one this time was released in 2002!!)

    Many thanks once again,

    Matt
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
