ClickCompare

My computer is infected by virus ClickCompare and Avast seems not to detect it. Can someone tell me how to get rid of it?
Many thanks for an answer.

Hi,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Then…

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be randomly named

Double-click to run GMER.

  • Wait for initial scan to finish - if there is any query, click No;
  • Click Scan button and wait until the full scan is complete;
  • Click Save … - save the report to the Desktop (named Gmer);

Attach the Gmer log reports here.

Hello
Many thanks for answering my message. I just did what you said and you will find attached the three reports you requested from me.

Regards

Hi,

Open Control Panel > Programs and Features, and remove the following entries:

  • WPM17.8.0.3297
  • SaveByClick
  • SavELotS
  • Feven 1.7
  • CouppEixttEnsuion

Restart system after finishing this.

Then…

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  • Click on the Scan button.
  • After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.

Then…

Re-run FRST, check Addition.txt and attach fresh reports.

I have done what you said. The new reports are attached.
Post scriptum: so far the virus is still there.
Regards

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

AppInit_DLLs: C:\ProgramData\Intelismart webbing\Intelismartwebbing_x64.dll [4303872 2013-12-28] ()
AppInit_DLLs-x32:   c:\progra~3\inteli~1\inteli~1.dll [4123136 2013-12-28] ()
C:\ProgramData\Intelismart webbing\Intelismartwebbing_x64.dll
c:\progra~3\inteli~1\inteli~1.dll
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://fr.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6A7FA662F78FCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = fr
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
BHO: SavELotS - {3B01C44D-8FB8-B68C-D0FC-1B517C363179} - C:\ProgramData\SavELotS\t0SW09hVy.x64.dll ()
BHO: CouppEixttEnsuion - {51FDE90D-1C1B-7C3C-1382-E272E62B4936} - C:\ProgramData\CouppEixttEnsuion\toB5JkGWJ.x64.dll ()
BHO-x32: SavELotS - {3B01C44D-8FB8-B68C-D0FC-1B517C363179} - C:\ProgramData\SavELotS\t0SW09hVy.dll ()
BHO-x32: CouppEixttEnsuion - {51FDE90D-1C1B-7C3C-1382-E272E62B4936} - C:\ProgramData\CouppEixttEnsuion\toB5JkGWJ.dll ()
FF Extension: SavELotS - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\glw46whh.default\Extensions\0o_o@cxdfyz-.org
FF Extension: CouppEixttEnsuion - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\glw46whh.default\Extensions\hov.dgbs@jrapuevb.com
C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\glw46whh.default\Extensions\0o_o@cxdfyz-.org
C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\glw46whh.default\Extensions\hov.dgbs@jrapuevb.com
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
CHR Extension: (Feven 1.7) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajppokcpihekimknckddpgkbiphmaglg\1.26.70_0
CHR Extension: (SavELotS) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fphealhgceajgihekhpnphbdkoigmdnb\6.3
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\User\AppData\Local\Temp\25829-656346-openoffice.exe
C:\Users\User\AppData\Local\Temp\adgwsukbgauoppf.exe
C:\Users\User\AppData\Local\Temp\avguidx.dll
C:\Users\User\AppData\Local\Temp\CommonInstaller.exe
C:\Users\User\AppData\Local\Temp\ICReinstall_CodecPackage.exe
C:\Users\User\AppData\Local\Temp\ICReinstall_DownloadManagerSetup.exe
C:\Users\User\AppData\Local\Temp\instloffer.exe
C:\Users\User\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\User\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\User\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\User\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\User\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\User\AppData\Local\Temp\LollipopInstaller.exe
C:\Users\User\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\User\AppData\Local\Temp\MouseKeyboardCenterx64_1036.exe
C:\Users\User\AppData\Local\Temp\MyClaroTB.exe
C:\Users\User\AppData\Local\Temp\oi_{9A21F653-1F17-48BF-8F1B-B91EA47B76AF}.exe
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\User\AppData\Local\Temp\toolbar_vit_sweetim.exe
C:\Users\User\AppData\Local\Temp\uninst1.exe
C:\Users\User\AppData\Local\Temp\vlc-2.0.3-win32.exe
C:\Users\User\AppData\Local\Temp\ydetect.exe
C:\Users\User\AppData\Local\Temp\_is9424.exe
hosts:
cmd: ipconfig /flushdns
Task: C:\Windows\Tasks\Feven 1.7-chromeinstaller.job => C:\Program Files (x86)\Feven 1.7\Feven 1.7-chromeinstaller.exe <==== ATTENTION
C:\Program Files (x86)\Feven 1.7
Task: {AA7F0952-5CA3-4D3D-8DE0-897F9FDAFFD0} - System32\Tasks\Feven 1.7-chromeinstaller => C:\Program Files (x86)\Feven 1.7\Feven 1.7-chromeinstaller.exe [2014-01-07] (Feven) <==== ATTENTION

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
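
An added example, not part of the original thread and not FRST's own code: a small Python triage script that groups fixlist-style lines like those in the post above by persistence mechanism and lists auto-loaded DLLs (AppInit_DLLs, BHOs) stored under ProgramData or AppData. The sample lines are copied from the post; the prefix-to-category mapping and the function names are assumptions inferred from the lines shown on this page.

```python
import re
from collections import Counter

# Sample input: a subset of the fixlist lines from the post above.
SAMPLE = r"""AppInit_DLLs: C:\ProgramData\Intelismart webbing\Intelismartwebbing_x64.dll [4303872 2013-12-28] ()
BHO: SavELotS - {3B01C44D-8FB8-B68C-D0FC-1B517C363179} - C:\ProgramData\SavELotS\t0SW09hVy.x64.dll ()
BHO-x32: CouppEixttEnsuion - {51FDE90D-1C1B-7C3C-1382-E272E62B4936} - C:\ProgramData\CouppEixttEnsuion\toB5JkGWJ.dll ()
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
CHR Extension: (Feven 1.7) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajppokcpihekimknckddpgkbiphmaglg\1.26.70_0
Task: C:\Windows\Tasks\Feven 1.7-chromeinstaller.job => C:\Program Files (x86)\Feven 1.7\Feven 1.7-chromeinstaller.exe <==== ATTENTION
C:\Users\User\AppData\Local\Temp\instloffer.exe
cmd: ipconfig /flushdns
"""

# Line prefix -> mechanism. Assumption: inferred from the lines on this page,
# not taken from FRST documentation.
KINDS = {"AppInit_DLLs": "appinit_dll", "BHO": "browser_helper_object",
         "FF Extension": "browser_extension", "CHR Extension": "browser_extension",
         "Task": "scheduled_task", "cmd": "command"}

def parse_line(line):
    """Return (kind, path) for one fixlist-style line; path is None if absent."""
    line = line.strip()
    if re.match(r"[A-Za-z]:\\", line):           # bare path: file or folder entry
        return "file_or_folder", line
    prefix, _, rest = line.partition(":")
    kind = KINDS.get(re.sub(r"-x32$", "", prefix), "other")
    if kind in ("other", "command"):
        return kind, None
    # Task lines read "job => target"; keep the target that actually runs.
    m = re.search(r"[A-Za-z]:\\.*", rest.split("=>")[-1])
    if not m:
        return kind, None
    # Drop trailing annotations: "[size date] ()", "()", "<==== ATTENTION".
    path = re.sub(r"\s*(\[[^\]]*\].*|\(\)|<=+.*)$", "", m.group(0))
    return kind, path.strip()

def dlls_loaded_from_data_dirs(text):
    """AppInit_DLLs/BHO entries whose DLL sits under ProgramData or AppData."""
    hits = []
    for line in text.splitlines():
        kind, path = parse_line(line)
        if (kind in ("appinit_dll", "browser_helper_object") and path
                and re.search(r"\\(ProgramData|AppData)\\", path, re.I)):
            hits.append((kind, path))
    return hits

def summarize(text):
    """Count entries per category, skipping blank lines."""
    return dict(Counter(parse_line(l)[0] for l in text.splitlines() if l.strip()))

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for kind, path in dlls_loaded_from_data_dirs(SAMPLE):
        print(kind, path)
```

The location check is a triage heuristic for review, not a verdict: it only highlights DLLs that load automatically from directories where installed software does not normally keep them.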

Please find attached the FixLog file.

How are things now?

Sorry, I have been away for a while. Everything seems OK now. Many thanks for your help.
Best regards.

Good, let’s remove used tools:

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
Tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

OK, I did all that. Only GMER has not been removed.
Regards

Remove it manually…

OK. Thanks again.