-
Click giftload help request
Hello,
A few days ago I began experiencing browser redirects and computer running slower than usual. I ran Search & Destroy and discovered a recurring click giftload issue. I attempted to eradicate it on my own scanning with Spybot Search and Destroy, Malwarebytes, and McAfee. None of these were successful.
I also attempted to run TDSSKiller but it would error after 80% loaded.
After doing further research I discovered this excellent forum, and after reading several threads determined this problem was beyond my capacity to repair on my own.
I proceeded as follows:
1. I restored my computer to the earliest available restore point.
2. Re-ran Spybot Search and Destroy to try and suppress click giftload during this session.
3. Re-read the "Before you post" sticky
4. Backed up my registry using ERUNT
5. Ran DDS (Log to follow below)
6. Wrote this help request
I am seeking assistance in removing this nasty problem, and if possible a review and advice on how to close any security holes my computer may have. I would also be extremely appreciative of any additional recommendations for computer cleanup to restore it to good speed and health and remove anything unnecessary lingering on the computer.
Thank you for any time and assistance you can offer.
***I made one edit to the DDS report: replaced user name wherever applicable with ZZZZZ***
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ZZZZZ at 14:17:24.52 on Tue 04/19/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2034 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.ru/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102184633.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-31 386840]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-2 11264]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-31 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-31 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-31 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-31 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-31 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-31 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-31 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-31 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S2 0038861303013094mcinstcleanup;McAfee Application Installer Cleanup (0038861303013094);c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-31 84264]
.
=============== Created Last 30 ================
.
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-17 03:46:01 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes
2011-04-17 03:45:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-17 03:45:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-16 21:31:50 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes(2)
2011-04-16 20:37:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-16 20:37:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-16 02:22:05 114688 --sha-r- c:\windows\system32\hpzsnt09Q.dll
2011-04-07 15:11:22 -------- d-----w- c:\program files\iTunes
2011-04-06 00:26:48 -------- d-----w- C:\e
2011-04-06 00:26:46 -------- d-----w- C:\Data
2011-03-30 17:15:45 -------- d-----w- c:\program files\Sports Mogul
.
==================== Find3M ====================
.
2011-03-23 18:15:57 857 --sha-w- c:\windows\system32\mmf.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75FRA0 rev.77.07W77 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC6D4E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac737d0]; MOV EAX, [0x8ac7384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8AC8FAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8AC21240]
\Driver\atapi[0x8ACCFF38] -> IRP_MJ_CREATE -> 0x8AC6D4E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC6D332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:20:15.94 ===============
-
-
Hi Ken,
As per your instructions I downloaded tdsskiller.exe to my desktop. However I am still encountering the problem I had before. When I launch tdsskiller.exe it initializes to 80%, hangs, and then I receive an error message that it has encountered a problem and needs to close.
I rebooted and tried to run tdsskiller in safe mode but got the same result.
I restarted again in normal mode and re-ran Spybot-Search and Destroy.
I await your further instructions. I will not be using the computer for any purpose without your instructions.
Thank you so much for your continued assistance.
-
-
Hi Ken,
Here is the requested log from aswMBR.
One edit: computer name changed to "ZZZZZ"
swMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-22 13:56:54
-----------------------------
13:56:54.203 OS Version: Windows 5.1.2600 Service Pack 3
13:56:54.203 Number of processors: 2 586 0x209
13:56:54.203 ComputerName: ZZZZZ UserName:
13:56:54.812 Initialize success
13:57:08.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:57:08.859 Disk 0 Vendor: WDC_WD800BB-75FRA0 77.07W77 Size: 76293MB BusType: 3
13:57:08.859 Device \Driver\atapi -> DriverStartIo 8ac64332
13:57:08.859 Disk 0 MBR read error
13:57:08.875 Disk 0 MBR scan
13:57:08.875 MBR BIOS signature not found 0
13:57:08.875 Disk 0 scanning sectors +156232125
13:57:08.875 Disk 0 scanning C:\WINDOWS\system32\drivers
13:57:25.093 Service scanning
13:57:28.156 Disk 0 trace - called modules:
13:57:28.156 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89a05c30]<<
13:57:28.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aca0ab8]
13:57:28.171 Scan finished successfully
-
Hi,
This is where we're at: the bad guys read these forums too, looking at what we're doing to try to bork our fixes, and evidently they have prevented TDSSKiller from running. There have been numerous threads in the past few days that are having the same problems you are. aswMBR won't fix this problem either. It looks like your MASTER BOOT RECORD is infected, but we need to find out for sure. When you ran aswMBR and saved the file, there should also be another file named MBR.dat. I need you to right click on it and save it as a Zipped file to your desktop and then upload it to this site to confirm your MBR is infected.
You need to enable windows to show all files and folders, instructions Here
Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again
Look on your desktop for MBR.zip
If the site is busy you can try this one
http://virusscan.jotti.org/en
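Ken's request above is to submit the MBR.dat that aswMBR saved. Two points a practitioner would want alongside that: the hashes a scanner returns for an uploaded ZIP are the hashes of the archive, not of the 512-byte sector inside it, and the aswMBR line "MBR BIOS signature not found" refers to the 0x55AA boot signature that every valid MBR carries at offset 510. The following Python script is an added example, not part of this thread and not code from aswMBR, GMER or any other tool mentioned here: it parses a raw MBR dump, checks the signature and partition table for structural oddities, and hashes the sector itself. The sample MBR it builds (placeholder boot stub, one NTFS partition starting at LBA 63) is constructed for illustration.

```python
"""Parse and sanity-check a raw 512-byte MBR dump (e.g. an MBR.dat written by aswMBR)."""
import hashlib
import struct
import sys

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # the 0xAA55 word stored little-endian at offset 510

# A few well-known partition type ids; anything else is reported by number.
PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (status, CHS, type, CHS, LBA start, length)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "empty": entry == b"\x00" * PARTITION_ENTRY_SIZE,
        "bootable": status == 0x80,
        "status": status,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    """Split a sector into boot code, the four partition entries and the boot signature."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    table = data[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE]
    entries = [parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
               for i in range(0, len(table), PARTITION_ENTRY_SIZE)]
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "boot_code": data[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        # Hashes of the sector itself, which is what you want to compare or look up.
        "hashes": {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")},
    }


def check_mbr(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing structurally odd was seen."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing at offset 510")
    used = [p for p in mbr["partitions"] if not p["empty"]]
    if not used:
        findings.append("partition table is empty")
    for i, p in enumerate(mbr["partitions"]):
        if not p["empty"] and p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in used if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed sample: a 'jmp $' stub padded with zeros, one bootable NTFS partition, then the signature."""
    boot_code = b"\xeb\xfe" + b"\x00" * (PARTITION_TABLE_OFFSET - 2)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156232062)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    data = boot_code + table + signature
    assert len(data) == MBR_SIZE
    return data


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (falls back to the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    parsed = parse_mbr(raw)
    print("signature ok:", parsed["signature_ok"])
    for idx, part in enumerate(parsed["partitions"]):
        if not part["empty"]:
            print(f"entry {idx}: {part['type_name']} start={part['lba_start']} "
                  f"sectors={part['sectors']} bootable={part['bootable']}")
    for algo, digest in parsed["hashes"].items():
        print(f"{algo}: {digest}")
    print("findings:", check_mbr(raw) or "none")
```

A missing signature or an empty partition table is consistent with the aswMBR log in this thread but is not by itself proof of infection (a read error yields the same symptom); what the script gives you is the hash of the sector itself, which is the value to look up or compare against a known-good MBR from the same machine, and a quick structural read of what the partition table claims.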
-
Here are the results of the MBR.zip virus total scan.
AhnLab-V3 2011.04.23.00 2011.04.22 -
AntiVir 7.11.6.251 2011.04.22 -
Antiy-AVL 2.0.3.7 2011.04.22 -
Avast 4.8.1351.0 2011.04.22 -
Avast5 5.0.677.0 2011.04.22 -
AVG 10.0.0.1190 2011.04.22 -
BitDefender 7.2 2011.04.22 -
CAT-QuickHeal 11.00 2011.04.21 -
ClamAV 0.97.0.0 2011.04.21 -
Commtouch 5.3.2.6 2011.04.23 -
Comodo 8437 2011.04.22 -
DrWeb 5.0.2.03300 2011.04.22 -
Emsisoft 5.1.0.5 2011.04.22 -
eSafe 7.0.17.0 2011.04.22 -
eTrust-Vet 36.1.8286 2011.04.22 -
F-Prot 4.6.2.117 2011.04.22 -
F-Secure 9.0.16440.0 2011.04.23 -
Fortinet 4.2.257.0 2011.04.22 -
GData 22 2011.04.22 -
Ikarus T3.1.1.103.0 2011.04.22 -
Jiangmin 13.0.900 2011.04.22 -
K7AntiVirus 9.97.4451 2011.04.21 -
Kaspersky 7.0.0.125 2011.04.22 -
McAfee 5.400.0.1158 2011.04.22 -
McAfee-GW-Edition 2010.1D 2011.04.22 -
Microsoft 1.6802 2011.04.23 -
NOD32 6064 2011.04.22 -
Norman 6.07.07 2011.04.22 -
Panda 10.0.3.5 2011.04.22 -
PCTools 7.0.3.5 2011.04.21 -
Prevx 3.0 2011.04.23 -
Rising 23.54.04.06 2011.04.22 -
Sophos 4.64.0 2011.04.23 -
SUPERAntiSpyware 4.40.0.1006 2011.04.22 -
Symantec 20101.3.2.89 2011.04.22 -
TheHacker 6.7.0.1.180 2011.04.22 -
TrendMicro 9.200.0.1012 2011.04.22 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.23 -
VBA32 3.12.16.0 2011.04.22 -
VIPRE 9090 2011.04.22 -
ViRobot 2011.4.22.4424 2011.04.22 -
VirusBuster 13.6.317.0 2011.04.22 -
Additional information
MD5 : 4a29867afb2ca45291965d7b39bd96c9
SHA1 : ff3fac8df2430f78d2666c820caf5cd4f8d9e303
SHA256: 50ad343834f222616998214d1e2bc232b29b9f936821d5bb4bb2aa5eb8e62f2c
ssdeep: 3:vhjO9/n/i/yn3b21rnxim9/n/i//llPlKS/+lMt:5jOCaCtnxpC1l/+lE
File size : 120 bytes
First seen: 2011-04-22 22:05:41
Last seen : 2011-04-22 22:09:27
TrID:
ZIP compressed archive (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
ExifTool:
file metadata
FileSize: 120 bytes
FileType: ZIP
MIMEType: application/zip
ZipBitFlag: 0
ZipCRC: 0xb2aa7578
ZipCompressedSize: 8
ZipCompression: Deflated
ZipFileName: MBR.dat
ZipModifyDate: 2011:04:22 13:58:01
ZipRequiredVersion: 20
ZipUncompressedSize: 512
-
Hmmm strange.
Unless you know that you have a Recovery Console be sure to install this one, we may need it
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Last edited by ken545; 2011-04-23 at 02:05.
-
Hi Ken,
Hope your weekend went well. I had some unexpected difficulty proceeding with the scan per your instructions. The details are as follows...
I read and re-read all the instructions and prepared to run the combo fix scan. I disabled McAfee (the provided instructions are out of date for McAfee's newer interface). The computer was running extremely slow.
Started Combofix, downloaded from the link you provided, and knew something was wrong right away. It began by telling me McAfee was not disabled, though I checked several times to verify that it was. I then received an error message saying that combofix might have been patched by a virus and should not be used. Further attempts to run it resulted in it unexpectedly quitting.
Additionally, I checked task manager and saw a lot of new processes that should not have been there (firefox, iexplorer, etc., though no additional windows were open). I disconnected my dsl cable, restored McAfee, deleted combofix off of my desktop, and rebooted. Computer stalled during the shutdown and I was forced to hard reset. At this point I was terrified my computer was dead.
The computer did reboot very very slowly. I kept the dsl cable disconnected. I then remembered that I had made a disk with various repair/recovery programs on a completely unconnected computer about a week ago when the problems began, anticipating it might be useful if I could not connect to the internet. I located the copy of combofix that I had on the disk and moved it to my desktop, disabled McAfee, and tried to run it.
Combofix loaded successfully this time, but gave a message saying it was out of date and would run with limited functionality. I figured it would be better than nothing so I proceeded. This generated "Log1" which I have attached. I then rebooted my computer.
This time the computer rebooted very quickly and seemed to run about as fast as I can recently remember. However, when I ran Spybot again I could see click giftload was still there. I then restored my internet connection, and attempted to use your instructions again. I downloaded combofix from your link, disabled Mcafee, and ran your version of combofix.
This time it appeared to run smoothly and generated "Log 2" which I have also attached. I was surprised that the log said McAfee firewall was on, even though I checked and double checked that it was disabled.
I also suddenly remembered that around the time all the problems started, during a reboot I saw some kind of message flash while windows was loading up. The only thing I was able to catch was something about a partition. This made me check disk management to see if perhaps there was a hidden partition or something. To my surprise disk management would not locate even my local C:\ drive and is completely empty! I tried refresh and rescan, but no luck. I hope this helps in diagnosing the problem.
Hopefully I did not do any further damage to my computer and we can continue to resolve this problem. I thank you and appreciate your assistance very much, and await your further instructions.
As per usual I made log edits to replace "user name" with "ZZZZZ".
-