Jump to content


Photo

Help! virus, C:\WINDOWS\secure.html


  • This topic is locked This topic is locked
1 reply to this topic

#1 ashwilkinson

ashwilkinson

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 24 July 2004 - 08:26 AM

I think i have a trojan called 'Trojan.Ecure'. I have been trying for a week to manually remove the trojan but i just dont know how. I have read numerous web pages about this trojan and how to defeat it but i just cant seem to do it. Could somebody please help me?

this is the most useful page i have found so far, http://securityrespo...ojan.ecure.html


my hijack this log is:

Logfile of HijackThis v1.97.7
Scan saved at 14:25:43, on 24/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\crmn32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\sm56hlpr.exe
C:\WINDOWS\system32\msmd32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\gxyd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ashley\My Documents\hijack this\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ashley\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfwhf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfwhf.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ashley\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfwhf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ashley\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfwhf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yfwhf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yfwhf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ashley\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5DA69830-91DD-A25B-F3C5-BD9CDB0ADEE7} - C:\WINDOWS\system32\msis32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [msmd32.exe] C:\WINDOWS\system32\msmd32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wocb] C:\Documents and Settings\Ashley\Application Data\raau.exe
O4 - HKCU\..\Run: [Xqavolax] C:\WINDOWS\System32\gxyd.exe
O4 - HKLM\..\RunOnce: [msiv32.exe] C:\WINDOWS\system32\msiv32.exe
O4 - HKLM\..\RunOnce: [ipil.exe] C:\WINDOWS\ipil.exe
O4 - HKLM\..\RunOnce: [addxb.exe] C:\WINDOWS\system32\addxb.exe
O4 - HKLM\..\RunOnce: [crcf.exe] C:\WINDOWS\system32\crcf.exe
O4 - HKLM\..\RunOnce: [ntoc.exe] C:\WINDOWS\ntoc.exe
O4 - HKLM\..\RunOnce: [syscn32.exe] C:\WINDOWS\syscn32.exe
O4 - HKLM\..\RunOnce: [msuk.exe] C:\WINDOWS\system32\msuk.exe
O4 - HKLM\..\RunOnce: [sdkup32.exe] C:\WINDOWS\system32\sdkup32.exe
O4 - HKLM\..\RunOnce: [winbo32.exe] C:\WINDOWS\system32\winbo32.exe
O4 - HKLM\..\RunOnce: [javaof.exe] C:\WINDOWS\system32\javaof.exe
O4 - HKLM\..\RunOnce: [atlyc.exe] C:\WINDOWS\system32\atlyc.exe
O4 - HKLM\..\RunOnce: [msrm32.exe] C:\WINDOWS\msrm32.exe
O4 - HKLM\..\RunOnce: [sysfh.exe] C:\WINDOWS\sysfh.exe
O4 - HKLM\..\RunOnce: [netnb.exe] C:\WINDOWS\system32\netnb.exe
O4 - HKLM\..\RunOnce: [atlfn.exe] C:\WINDOWS\system32\atlfn.exe
O4 - HKLM\..\RunOnce: [addws.exe] C:\WINDOWS\system32\addws.exe
O4 - HKLM\..\RunOnce: [crtt.exe] C:\WINDOWS\system32\crtt.exe
O4 - HKLM\..\RunOnce: [msbf32.exe] C:\WINDOWS\msbf32.exe
O4 - HKLM\..\RunOnce: [ntmo32.exe] C:\WINDOWS\ntmo32.exe
O4 - HKLM\..\RunOnce: [ipgu32.exe] C:\WINDOWS\system32\ipgu32.exe
O4 - HKLM\..\RunOnce: [msrq32.exe] C:\WINDOWS\msrq32.exe
O4 - HKLM\..\RunOnce: [sysbd.exe] C:\WINDOWS\sysbd.exe
O4 - HKLM\..\RunOnce: [d3yi.exe] C:\WINDOWS\system32\d3yi.exe
O4 - HKLM\..\RunOnce: [addfu.exe] C:\WINDOWS\addfu.exe
O4 - HKLM\..\RunOnce: [winpk.exe] C:\WINDOWS\winpk.exe
O4 - HKLM\..\RunOnce: [sysvu.exe] C:\WINDOWS\sysvu.exe
O4 - HKLM\..\RunOnce: [sysrj.exe] C:\WINDOWS\system32\sysrj.exe
O4 - HKLM\..\RunOnce: [mfccf.exe] C:\WINDOWS\system32\mfccf.exe
O4 - HKLM\..\RunOnce: [ntit32.exe] C:\WINDOWS\system32\ntit32.exe
O4 - HKLM\..\RunOnce: [msxn32.exe] C:\WINDOWS\system32\msxn32.exe
O4 - HKLM\..\RunOnce: [mfcmc.exe] C:\WINDOWS\mfcmc.exe
O4 - HKLM\..\RunOnce: [ipmn32.exe] C:\WINDOWS\system32\ipmn32.exe
O4 - HKLM\..\RunOnce: [ntig32.exe] C:\WINDOWS\ntig32.exe
O4 - HKLM\..\RunOnce: [sysfp32.exe] C:\WINDOWS\system32\sysfp32.exe
O4 - HKLM\..\RunOnce: [d3vw32.exe] C:\WINDOWS\d3vw32.exe
O4 - HKLM\..\RunOnce: [apiae32.exe] C:\WINDOWS\system32\apiae32.exe
O4 - HKLM\..\RunOnce: [ntzl.exe] C:\WINDOWS\system32\ntzl.exe
O4 - HKLM\..\RunOnce: [addky.exe] C:\WINDOWS\system32\addky.exe
O4 - HKLM\..\RunOnce: [netuv32.exe] C:\WINDOWS\netuv32.exe
O4 - HKLM\..\RunOnce: [iecw.exe] C:\WINDOWS\iecw.exe
O4 - HKLM\..\RunOnce: [apigk32.exe] C:\WINDOWS\system32\apigk32.exe
O4 - HKLM\..\RunOnce: [atlhk.exe] C:\WINDOWS\system32\atlhk.exe
O4 - HKLM\..\RunOnce: [appat.exe] C:\WINDOWS\appat.exe
O4 - HKLM\..\RunOnce: [d3qy.exe] C:\WINDOWS\system32\d3qy.exe
O4 - HKLM\..\RunOnce: [netdn32.exe] C:\WINDOWS\netdn32.exe
O4 - HKLM\..\RunOnce: [netgc.exe] C:\WINDOWS\system32\netgc.exe
O4 - HKLM\..\RunOnce: [crfm32.exe] C:\WINDOWS\crfm32.exe
O4 - HKLM\..\RunOnce: [javatb.exe] C:\WINDOWS\javatb.exe
O4 - HKLM\..\RunOnce: [sysar.exe] C:\WINDOWS\system32\sysar.exe
O4 - HKLM\..\RunOnce: [apinn32.exe] C:\WINDOWS\system32\apinn32.exe
O4 - HKLM\..\RunOnce: [crjo.exe] C:\WINDOWS\crjo.exe
O4 - HKLM\..\RunOnce: [winig32.exe] C:\WINDOWS\system32\winig32.exe
O4 - HKLM\..\RunOnce: [ieoz.exe] C:\WINDOWS\system32\ieoz.exe
O4 - HKLM\..\RunOnce: [ieqc32.exe] C:\WINDOWS\system32\ieqc32.exe
O4 - HKLM\..\RunOnce: [ipyg32.exe] C:\WINDOWS\ipyg32.exe
O4 - HKLM\..\RunOnce: [mskg32.exe] C:\WINDOWS\system32\mskg32.exe
O4 - HKLM\..\RunOnce: [javawb.exe] C:\WINDOWS\system32\javawb.exe
O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\system32\sysxo.exe
O4 - HKLM\..\RunOnce: [sdkkd.exe] C:\WINDOWS\sdkkd.exe
O4 - HKLM\..\RunOnce: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe
O4 - HKLM\..\RunOnce: [javace.exe] C:\WINDOWS\javace.exe
O4 - HKLM\..\RunOnce: [msgx32.exe] C:\WINDOWS\msgx32.exe
O4 - HKLM\..\RunOnce: [atlgr32.exe] C:\WINDOWS\atlgr32.exe
O4 - HKLM\..\RunOnce: [atlzr32.exe] C:\WINDOWS\atlzr32.exe
O4 - HKLM\..\RunOnce: [winpy32.exe] C:\WINDOWS\winpy32.exe
O4 - HKLM\..\RunOnce: [javaqi.exe] C:\WINDOWS\system32\javaqi.exe
O4 - HKLM\..\RunOnce: [crqg32.exe] C:\WINDOWS\crqg32.exe
O4 - HKLM\..\RunOnce: [javazk32.exe] C:\WINDOWS\javazk32.exe
O4 - HKLM\..\RunOnce: [netkw32.exe] C:\WINDOWS\netkw32.exe
O4 - HKLM\..\RunOnce: [iehp.exe] C:\WINDOWS\system32\iehp.exe
O4 - HKLM\..\RunOnce: [apiob32.exe] C:\WINDOWS\system32\apiob32.exe
O4 - HKLM\..\RunOnce: [sdkmi.exe] C:\WINDOWS\system32\sdkmi.exe
O4 - HKLM\..\RunOnce: [sysmc.exe] C:\WINDOWS\system32\sysmc.exe
O4 - HKLM\..\RunOnce: [ipse32.exe] C:\WINDOWS\system32\ipse32.exe
O4 - HKLM\..\RunOnce: [netgt32.exe] C:\WINDOWS\netgt32.exe
O4 - HKLM\..\RunOnce: [d3qh.exe] C:\WINDOWS\system32\d3qh.exe
O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
O4 - HKLM\..\RunOnce: [crzn.exe] C:\WINDOWS\crzn.exe
O4 - HKLM\..\RunOnce: [appid32.exe] C:\WINDOWS\appid32.exe
O4 - HKLM\..\RunOnce: [ipzq32.exe] C:\WINDOWS\ipzq32.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\system32\d3km32.exe
O4 - HKLM\..\RunOnce: [d3ob.exe] C:\WINDOWS\d3ob.exe
O4 - HKLM\..\RunOnce: [ieyj32.exe] C:\WINDOWS\ieyj32.exe
O4 - HKLM\..\RunOnce: [apidb.exe] C:\WINDOWS\apidb.exe
O4 - HKLM\..\RunOnce: [crxd32.exe] C:\WINDOWS\crxd32.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\sysnq.exe
O4 - HKLM\..\RunOnce: [atlfd32.exe] C:\WINDOWS\system32\atlfd32.exe
O4 - HKLM\..\RunOnce: [ntun.exe] C:\WINDOWS\ntun.exe
O4 - HKLM\..\RunOnce: [crgk32.exe] C:\WINDOWS\system32\crgk32.exe
O4 - HKLM\..\RunOnce: [apivk.exe] C:\WINDOWS\apivk.exe
O4 - HKLM\..\RunOnce: [sdkbv32.exe] C:\WINDOWS\system32\sdkbv32.exe
O4 - HKLM\..\RunOnce: [ipfl32.exe] C:\WINDOWS\ipfl32.exe
O4 - HKLM\..\RunOnce: [javauo32.exe] C:\WINDOWS\system32\javauo32.exe
O4 - HKLM\..\RunOnce: [netmq.exe] C:\WINDOWS\system32\netmq.exe
O4 - HKLM\..\RunOnce: [apiuy32.exe] C:\WINDOWS\system32\apiuy32.exe
O4 - HKLM\..\RunOnce: [sysdt32.exe] C:\WINDOWS\sysdt32.exe
O4 - HKLM\..\RunOnce: [nthr.exe] C:\WINDOWS\system32\nthr.exe
O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\system32\sdkal.exe
O4 - HKLM\..\RunOnce: [d3do32.exe] C:\WINDOWS\system32\d3do32.exe
O4 - HKLM\..\RunOnce: [apist.exe] C:\WINDOWS\system32\apist.exe
O4 - HKLM\..\RunOnce: [msoj.exe] C:\WINDOWS\msoj.exe
O4 - HKLM\..\RunOnce: [crmn32.exe] C:\WINDOWS\system32\crmn32.exe
O4 - HKLM\..\RunOnce: [sdkth.exe] C:\WINDOWS\system32\sdkth.exe
O4 - HKLM\..\RunOnce: [netiq.exe] C:\WINDOWS\system32\netiq.exe
O4 - HKLM\..\RunOnce: [sdkgd.exe] C:\WINDOWS\system32\sdkgd.exe
O4 - HKLM\..\RunOnce: [apiiz32.exe] C:\WINDOWS\system32\apiiz32.exe
O4 - HKLM\..\RunOnce: [crzy32.exe] C:\WINDOWS\system32\crzy32.exe
O4 - HKLM\..\RunOnce: [ntiu.exe] C:\WINDOWS\system32\ntiu.exe
O4 - HKLM\..\RunOnce: [d3xp.exe] C:\WINDOWS\system32\d3xp.exe
O4 - HKLM\..\RunOnce: [appvi.exe] C:\WINDOWS\appvi.exe
O4 - HKLM\..\RunOnce: [addrp32.exe] C:\WINDOWS\addrp32.exe
O4 - HKLM\..\RunOnce: [ntaz32.exe] C:\WINDOWS\system32\ntaz32.exe
O4 - HKLM\..\RunOnce: [mfcls32.exe] C:\WINDOWS\system32\mfcls32.exe
O4 - HKLM\..\RunOnce: [apife32.exe] C:\WINDOWS\system32\apife32.exe
O4 - HKLM\..\RunOnce: [apihj32.exe] C:\WINDOWS\apihj32.exe
O4 - HKLM\..\RunOnce: [craw.exe] C:\WINDOWS\system32\craw.exe
O4 - HKLM\..\RunOnce: [mfcdw32.exe] C:\WINDOWS\system32\mfcdw32.exe
O4 - HKLM\..\RunOnce: [d3xg.exe] C:\WINDOWS\system32\d3xg.exe
O4 - HKLM\..\RunOnce: [apiei.exe] C:\WINDOWS\system32\apiei.exe
O4 - HKLM\..\RunOnce: [ipgx32.exe] C:\WINDOWS\system32\ipgx32.exe
O4 - HKLM\..\RunOnce: [sysbg.exe] C:\WINDOWS\sysbg.exe
O4 - HKLM\..\RunOnce: [iesc32.exe] C:\WINDOWS\system32\iesc32.exe
O4 - HKLM\..\RunOnce: [sysnq32.exe] C:\WINDOWS\sysnq32.exe
O4 - HKLM\..\RunOnce: [iehf.exe] C:\WINDOWS\system32\iehf.exe
O4 - HKLM\..\RunOnce: [sdkkj32.exe] C:\WINDOWS\sdkkj32.exe
O4 - HKLM\..\RunOnce: [cryo.exe] C:\WINDOWS\cryo.exe
O4 - HKLM\..\RunOnce: [ipvy32.exe] C:\WINDOWS\system32\ipvy32.exe
O4 - HKLM\..\RunOnce: [crsj.exe] C:\WINDOWS\system32\crsj.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [apimk32.exe] C:\WINDOWS\system32\apimk32.exe
O4 - HKLM\..\RunOnce: [sysnt.exe] C:\WINDOWS\sysnt.exe
O4 - HKLM\..\RunOnce: [atlql.exe] C:\WINDOWS\atlql.exe
O4 - HKLM\..\RunOnce: [d3bz.exe] C:\WINDOWS\d3bz.exe
O4 - HKLM\..\RunOnce: [crua32.exe] C:\WINDOWS\system32\crua32.exe
O4 - HKLM\..\RunOnce: [sysud.exe] C:\WINDOWS\system32\sysud.exe
O4 - HKLM\..\RunOnce: [apicp.exe] C:\WINDOWS\system32\apicp.exe
O4 - HKLM\..\RunOnce: [adddz.exe] C:\WINDOWS\system32\adddz.exe
O4 - HKLM\..\RunOnce: [addrn.exe] C:\WINDOWS\addrn.exe
O4 - HKLM\..\RunOnce: [mfcxi32.exe] C:\WINDOWS\system32\mfcxi32.exe
O4 - HKLM\..\RunOnce: [nethq.exe] C:\WINDOWS\nethq.exe
O4 - HKLM\..\RunOnce: [crbx32.exe] C:\WINDOWS\crbx32.exe
O4 - HKLM\..\RunOnce: [ntms.exe] C:\WINDOWS\ntms.exe
O4 - HKLM\..\RunOnce: [d3up.exe] C:\WINDOWS\d3up.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wsluoiro.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.1....chm::/load.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38188.580787037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 25 July 2004 - 10:00 AM

Closed. See http://forums.spywar...indpost&p=67597

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button