
Thread: Click giftload help request

  1. #1
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Click giftload help request

    Hello,

    A few days ago I began experiencing browser redirects and computer running slower than usual. I ran Search & Destroy and discovered a recurring click giftload issue. I attempted to eradicate it on my own scanning with Spybot Search and Destroy, Malwarebytes, and McAfee. None of these were successful.

    I also attempted to run TDSSKiller but it would error after 80% loaded.

    After doing further research I discovered this excellent forum, and after reading several threads determined this problem was beyond my capacity to repair on my own.

    I proceeded as follows:

    1. I restored my computer to the earliest available restore point.
    2. Re-ran Spybot Search and Destroy to try and suppress click giftload during this session.
    3. Re-read the "Before you post" sticky
    4. Backed up my registry using ERUNT
    5. Ran DDS (Log to follow below)
    6. Wrote this help request

    I am seeking assistance in removing this nasty problem, and if possible a review and advice on how to close any security holes my computer may have. I would also be extremely appreciative of any additional recommendations for computer cleanup to restore it to good speed and health and remove anything unnecessary lingering on the computer.

    Thank you for any time and assistance you can offer.

    ***I made one edit to the DDS report: replaced user name wherever applicable with ZZZZZ***

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by ZZZZZ at 14:17:24.52 on Tue 04/19/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2034 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AirPort\APAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.mail.ru/
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
    mWinlogon: Userinit=userinit.exe
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102184633.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [nwiz] nwiz.exe /install
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
    dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
    IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-31 386840]
    R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-2 11264]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-31 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-31 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-31 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-31 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-31 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-31 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-31 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-31 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
    S2 0038861303013094mcinstcleanup;McAfee Application Installer Cleanup (0038861303013094);c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-31 84264]
    .
    =============== Created Last 30 ================
    .
    2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-17 03:46:01 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes
    2011-04-17 03:45:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-17 03:45:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-16 21:31:50 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes(2)
    2011-04-16 20:37:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-16 20:37:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-16 02:22:05 114688 --sha-r- c:\windows\system32\hpzsnt09Q.dll
    2011-04-07 15:11:22 -------- d-----w- c:\program files\iTunes
    2011-04-06 00:26:48 -------- d-----w- C:\e
    2011-04-06 00:26:46 -------- d-----w- C:\Data
    2011-03-30 17:15:45 -------- d-----w- c:\program files\Sports Mogul
    .
    ==================== Find3M ====================
    .
    2011-03-23 18:15:57 857 --sha-w- c:\windows\system32\mmf.sys
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800BB-75FRA0 rev.77.07W77 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC6D4E7]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac737d0]; MOV EAX, [0x8ac7384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8AC8FAB8]
    3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8AC21240]
    \Driver\atapi[0x8ACCFF38] -> IRP_MJ_CREATE -> 0x8AC6D4E7
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8AC6D332
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 14:20:15.94 ===============
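The DDS output above contains the indicators a responder would otherwise pick out by hand: load points that resolve to "No File", a service whose image lives under c:\windows\temp and carries DDS's "[?]" (file could not be stat'ed) marker, an UNKNOWN module in the GMER disk-stack trace, and a DriverStartIo hook on \Driver\atapi. The script below is an added example, not part of the thread nor of the DDS or GMER tools; it automates that triage over SAMPLE_LOG, a constructed excerpt of the posted log. Orphaned load points are often leftovers of uninstalled software and the McAfee installer-cleanup service is typically an installer remnant, so those are listed for review rather than declared malicious; the trace and hook findings are what actually point below the OS.

```python
"""Triage of a DDS log with a GMER rootkit section.

Added example; not part of the thread nor of the DDS or GMER tools.
SAMPLE_LOG is constructed from lines of the posted log.
"""
import re

SAMPLE_LOG = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
R0 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2010-8-31 386840]
S2 0038861303013094mcinstcleanup;McAfee Application Installer Cleanup (0038861303013094);c:\\windows\\temp\\003886~1.exe c:\\progra~1\\common~1\\mcafee\\instal~1\\cleanup.ini -cleanup -nolog -service [?]
=================== ROOTKIT ====================
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC6D4E7]<<
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8AC6D332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Pseudo-HJT entry whose file is gone: "BHO: {CLSID} - No File"
ORPHAN_RE = re.compile(r"^(\w+):\s*(.*?)\s+-\s+No File\s*$")
# DDS service/driver line: "<state> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# GMER could not resolve a module in the disk-stack trace
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Hook entry under "detected hooks:": "\Driver\<drv> <routine> -> <addr>"
HOOK_RE = re.compile(r"^\\Driver\\(\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")


def triage(log_text):
    """Return the indicators found in the log, grouped by kind."""
    found = {"orphan_loadpoints": [], "review_services": [],
             "unknown_modules": [], "driver_hooks": [], "warnings": []}
    in_hooks = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ORPHAN_RE.match(line)
        if m:
            found["orphan_loadpoints"].append((m.group(1), m.group(2)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group(4).lower()
            # DDS appends [?] when it cannot stat the file; an image under
            # %windir%\temp is worth a second look either way.
            if "\\windows\\temp\\" in image or image.endswith("[?]"):
                found["review_services"].append(m.group(2))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            found["unknown_modules"].append(m.group(1))
            continue
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                found["driver_hooks"].append(m.group(1, 2, 3))
                continue
            in_hooks = False  # first non-hook line ends the hook list
        if line.startswith("Warning:"):
            found["warnings"].append(line)
    return found


def rootkit_suspected(found):
    """True when the disk-stack trace, a driver hook or GMER's own warning
    points below the operating system."""
    return bool(found["unknown_modules"] or found["driver_hooks"]
                or found["warnings"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("rootkit suspected:", rootkit_suspected(result))
```

Feed it a full DDS log and the orphan and service lists become the review queue, while any entry in the trace or hook lists is the reason to stop and run a dedicated MBR/rootkit scanner, which is exactly the turn the thread takes in the next reply.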

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    You're infected with a ROOTKIT


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Apr 2011
    Posts
    16


    Hi Ken,

    As per your instructions I downloaded tdsskiller.exe to my desktop. However I am still encountering the problem I had before. When I launch tdsskiller.exe it initializes to 80%, hangs, and then I receive an error message that it has encountered a problem and needs to close.

    I rebooted and tried to run tdsskiller in safe mode but got the same result.

    I restarted again in normal mode and re-ran Spybot-Search and Destroy.

    I await your further instructions. I will not be using the computer for any purpose without your instructions.

    Thank you so much for your continued assistance.

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it


    Click the "Scan" button to start scan



    On completion of the scan click save log, save it to your desktop and post in your next reply

  5. #5
    Junior Member
    Join Date
    Apr 2011
    Posts
    16


    Hi Ken,

    Here is the requested log from aswMBR.
    One edit: computer name changed to "ZZZZZ"


    swMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-22 13:56:54
    -----------------------------
    13:56:54.203 OS Version: Windows 5.1.2600 Service Pack 3
    13:56:54.203 Number of processors: 2 586 0x209
    13:56:54.203 ComputerName: ZZZZZ UserName:
    13:56:54.812 Initialize success
    13:57:08.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    13:57:08.859 Disk 0 Vendor: WDC_WD800BB-75FRA0 77.07W77 Size: 76293MB BusType: 3
    13:57:08.859 Device \Driver\atapi -> DriverStartIo 8ac64332
    13:57:08.859 Disk 0 MBR read error
    13:57:08.875 Disk 0 MBR scan
    13:57:08.875 MBR BIOS signature not found 0
    13:57:08.875 Disk 0 scanning sectors +156232125
    13:57:08.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:57:25.093 Service scanning
    13:57:28.156 Disk 0 trace - called modules:
    13:57:28.156 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89a05c30]<<
    13:57:28.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aca0ab8]
    13:57:28.171 Scan finished successfully

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    This is where we are at: the bad guys read these forums also, looking at what we're doing to try to bork our fixes; evidently they have prevented TDSSKiller from running. There have been numerous threads in the past few days that are having the same problems you are. aswMBR won't fix this problem either; it looks like your MASTER BOOT RECORD is infected, but we need to find out for sure. When you ran aswMBR and saved the file, there should also be another file named MBR.dat. I need you to right click on it and save it as a Zipped file to your desktop and then upload it to this site to confirm your MBR is infected.

    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again

    Look on your desktop for MBR.zip

    If the site is busy you can try this one
    http://virusscan.jotti.org/en

  7. #7
    Junior Member
    Join Date
    Apr 2011
    Posts
    16


    Here are the results of the MBR.zip virus total scan.

    AhnLab-V3 2011.04.23.00 2011.04.22 -
    AntiVir 7.11.6.251 2011.04.22 -
    Antiy-AVL 2.0.3.7 2011.04.22 -
    Avast 4.8.1351.0 2011.04.22 -
    Avast5 5.0.677.0 2011.04.22 -
    AVG 10.0.0.1190 2011.04.22 -
    BitDefender 7.2 2011.04.22 -
    CAT-QuickHeal 11.00 2011.04.21 -
    ClamAV 0.97.0.0 2011.04.21 -
    Commtouch 5.3.2.6 2011.04.23 -
    Comodo 8437 2011.04.22 -
    DrWeb 5.0.2.03300 2011.04.22 -
    Emsisoft 5.1.0.5 2011.04.22 -
    eSafe 7.0.17.0 2011.04.22 -
    eTrust-Vet 36.1.8286 2011.04.22 -
    F-Prot 4.6.2.117 2011.04.22 -
    F-Secure 9.0.16440.0 2011.04.23 -
    Fortinet 4.2.257.0 2011.04.22 -
    GData 22 2011.04.22 -
    Ikarus T3.1.1.103.0 2011.04.22 -
    Jiangmin 13.0.900 2011.04.22 -
    K7AntiVirus 9.97.4451 2011.04.21 -
    Kaspersky 7.0.0.125 2011.04.22 -
    McAfee 5.400.0.1158 2011.04.22 -
    McAfee-GW-Edition 2010.1D 2011.04.22 -
    Microsoft 1.6802 2011.04.23 -
    NOD32 6064 2011.04.22 -
    Norman 6.07.07 2011.04.22 -
    Panda 10.0.3.5 2011.04.22 -
    PCTools 7.0.3.5 2011.04.21 -
    Prevx 3.0 2011.04.23 -
    Rising 23.54.04.06 2011.04.22 -
    Sophos 4.64.0 2011.04.23 -
    SUPERAntiSpyware 4.40.0.1006 2011.04.22 -
    Symantec 20101.3.2.89 2011.04.22 -
    TheHacker 6.7.0.1.180 2011.04.22 -
    TrendMicro 9.200.0.1012 2011.04.22 -
    TrendMicro-HouseCall 9.200.0.1012 2011.04.23 -
    VBA32 3.12.16.0 2011.04.22 -
    VIPRE 9090 2011.04.22 -
    ViRobot 2011.4.22.4424 2011.04.22 -
    VirusBuster 13.6.317.0 2011.04.22 -
    Additional information
    MD5 : 4a29867afb2ca45291965d7b39bd96c9
    SHA1 : ff3fac8df2430f78d2666c820caf5cd4f8d9e303
    SHA256: 50ad343834f222616998214d1e2bc232b29b9f936821d5bb4bb2aa5eb8e62f2c
    ssdeep: 3:vhjO9/n/i/yn3b21rnxim9/n/i//llPlKS/+lMt:5jOCaCtnxpC1l/+lE
    File size : 120 bytes
    First seen: 2011-04-22 22:05:41
    Last seen : 2011-04-22 22:09:27
    TrID:
    ZIP compressed archive (100.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    ExifTool:
    file metadata
    FileSize: 120 bytes
    FileType: ZIP
    MIMEType: application/zip
    ZipBitFlag: 0
    ZipCRC: 0xb2aa7578
    ZipCompressedSize: 8
    ZipCompression: Deflated
    ZipFileName: MBR.dat
    ZipModifyDate: 2011:04:22 13:58:01
    ZipRequiredVersion: 20
    ZipUncompressedSize: 512
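The VirusTotal report above hashed the 120-byte MBR.zip wrapper, not the sector inside it (ExifTool shows the member MBR.dat at 512 bytes uncompressed), so a clean verdict on the archive says little about the MBR itself, and the aswMBR log earlier in the thread reported "MBR BIOS signature not found". The script below is an added example, not part of the thread nor of aswMBR or VirusTotal. It parses a 512-byte MBR, checks the 0x55AA boot signature, lists the partition table, and hashes the sector both directly and after extracting it from a ZIP so the two hashes can be told apart; it also hashes the 446-byte boot-code area on its own, since that is the part a bootkit replaces and the part a known-good MBR from the same OS can be compared against. All MBR bytes are constructed for the demo.

```python
"""Parse a 512-byte MBR and hash the sector itself rather than a ZIP around it.

Added example; not part of the thread nor of aswMBR or VirusTotal.
The MBR bytes produced by build_sample_mbr() are constructed for the demo.
"""
import hashlib
import io
import struct
import zipfile

SECTOR = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA, count
BOOT_SIGNATURE = b"\x55\xaa"     # at bytes 510..511


def build_sample_mbr(with_signature=True):
    """Constructed sample: zeroed boot code, one bootable NTFS partition
    (type 0x07) starting at LBA 63, and optionally the 0x55AA signature."""
    sector = bytearray(SECTOR)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156_232_062)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    if with_signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return signature status, used partition entries and hashes of the
    whole sector and of the boot-code area alone."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parts,
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
    }


def wrap_in_zip(sector, name="MBR.dat"):
    """Mimic the MBR.zip the thread uploaded: one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, sector)
    return buf.getvalue()


def hash_zip_and_member(zip_bytes, name="MBR.dat"):
    """Hash the archive (what a scanner of the upload sees) and the member
    (the sector you actually want a verdict on)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member = zf.read(name)
        size = zf.getinfo(name).file_size
    return {
        "zip_sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "member_sha256": hashlib.sha256(member).hexdigest(),
        "member_size": size,
    }


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("partition:", p)
    print("sector sha256  :", info["sector_sha256"])
    print("bootcode sha256:", info["bootcode_sha256"])
    print("zip vs member  :", hash_zip_and_member(wrap_in_zip(mbr)))
    print("no signature   :", parse_mbr(build_sample_mbr(False))["signature_ok"])
```

To use it on a real dump, read the 512-byte MBR.dat produced by the scanner and call parse_mbr on those bytes; submit or look up the member hash rather than the archive hash, and compare bootcode_sha256 against a copy taken from a known-clean machine with the same Windows version.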

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hmmm strange.

    Unless you know that you have a Recovery Console be sure to install this one, we may need it

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Last edited by ken545; 2011-04-23 at 02:05.

  9. #9
    Junior Member
    Join Date
    Apr 2011
    Posts
    16


    Hi Ken,

    Hope your weekend was well. I had some unexpected difficulty proceeding with the scan per your instructions. The details are as follows...

    I read and re-read all the instructions and prepared to run the combo fix scan. I disabled McAfee ( the provided instructions are out of date for McAfee's newer interface). The computer was running extremely slow.

    Started Combofix, downloaded from the link you provided, and knew something was wrong right away. It began by telling me Mcafee was not disabled, though I checked several times to verify that it was. I then received an error message saying that combofix might have been patched by a virus and should not be used. Further attempts to run it resulted in it unexpectedly quitting.

    Additionally, I checked task manager and saw a lot of new processes that should not have been there (firefox, iexplorer, etc - though no additional windows were open). I disconnected my dsl cable, restored mcafee, deleted combofix off of my desktop, and rebooted. Computer stalled during the shutdown and I was forced to hard reset. At this point I was terrified my computer was dead.

    The computer did reboot very very slowly. I kept the dsl cable disconnected. I then remembered that I had made a disk with various repair/recovery programs on a completely unconnected computer about a week ago when the problems began, anticipating it might be useful if I could not connect to the internet. I located the copy of combofix that I had on the disk and moved it to my desktop, disabled McAfee, and tried to run it.

    Combofix loaded successfully this time, but gave a message saying it was out of date and would run with limited functionality. I figured it would be better than nothing so I proceeded. This generated " Log1 " which I have attached. I then rebooted my computer.

    This time the computer rebooted very quickly and seemed to run about as fast as I can recently remember. However, when I ran Spybot again I could see click giftload was still there. I then restored my internet connection, and attempted to use your instructions again. I downloaded combofix from your link, disabled Mcafee, and ran your version of combofix.

    This time it appeared to run smoothly and generated "Log 2" which I have also attached. I was surprised that the log said McAfee firewall was on, even though I checked and double checked that it was disabled.

    I also suddenly remembered that around the time all the problems started, during a reboot I saw some kind of message flash while windows was loading up. The only thing I was able to catch was something about a partition. This made me check disk management to see if perhaps there was a hidden partition or something. To my surprise disk management would not locate even my local C:\ drive and is completely empty! I tried refresh and rescan, but no luck. I hope this helps in diagnosing the problem.


    Hopefully I did not do any further damage to my computer and we can continue to resolve this problem. I thank you and appreciate your assistance very much, and await your further instructions.

    As per usual I made log edits to replace "user name" with "ZZZZZ".

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Your Master Boot Record is infected with a rootkit. This is how we need to fix it:

    Earlier on ComboFix installed the Recovery Console. We're going to use that now.
    • Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
      (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)



    • When you get to the above screen, take note of the number that references your operating system.


    • If it's '1' like the picture above, type 1 and press Enter
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.




    • Next type FIXMBR



    • If it asks if you're sure you want to write a new MBR, answer 'Y'
    • Then type EXIT to reboot the machine.
