Based on the log you really shouldnt be using the machine. It also should have no connectivity, if your not sure how to stop this you should power it off. Just because your getting a time out dosnt mean there is no connectivity going on.
You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean its still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.
The best source for information on how to do this would be the computer manufacturers website.
To manually clean up the computer with current utilities proceed as follows:
We will get a download to use.Its called combofix. There is a guide to read first, read through the guide on another machine if you have to then apply the directions on your own machine. See if you can actually get to the link to download it directly onto the compromised machine.
1) run combofix and post the log
2) run tdsskiller again and post its log
Guide to using Combofix
Thank you very much for responding... I have had the computer disconnected (basically pulled the ethernet cable) the past few days except for downloading potential antivirus scan/tools such as HIjackThis, aswMBR, ATF-Cleaner, OTL, ComboFix, TDSSKiller and the suite of sysinternal apps. The only other time my computer was connected is the few minutes a day to email my logs to my work address so I can log onto this forum here to post from work.
Here is the ComboFix and TDSS logs (TDSS did not find anything). Note, becasue my computer was disconnected when I ran ComboFix, it did not download the Recovery Console, but it did continue on. Also ran MBAM and Spybot afterwards just to see if it could find and viruses... MBAM turned up empty and Spybot again found Click.Giftload.
I also ran DDS to see what it would say and it also still thinks there is a Rootkit.
thanks for the info. Please post the DDS log. Also go here. See step number 8 on how to get a Gmer log posted.
An interesting thing about GMER... it wanted to unclick all non-system partitions and drives... is it possible that the problem can hide in a non-system partition or drive? Just wanted to validate that.
I know the ultimate last resort down the line is to format the drive, but I was wondering if it came down to that, would formatting the system partition be enough? Any thoughts?
I will provide the logs tonight when I get home from work...
That should read - "An interesting thing about the GMER instructions"....
Originally Posted by battousai
The possible rootkit isnt showing up in the combofix log either, or tdsskiller. The tdss family of rootkits reside in the master boot record. Any partition that is bootable could harbor the rootkit. I dont think that a non system partition is bootable.
Here are the logs... Thanks again for your time!
Ok, yet another download. Are you getting any re-directs when browsing?
Please also download MBRcheck to your desktop
Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:
Done! Press ENTER to exit...
Or you will see more information like below if a problem is found:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
Attach this log to your reply
while your at it:
Download aswMBR.exe To your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply also.
Last edited by shelf life; 2011-05-06 at 22:06.
Attached are the logs... when I ran the aswMBR and saved the log, my antivirus program picked up virus in a MBR.dat file that was created on my desktop (antivirus program got rid of it). Just an FYI.
Thanks for the help!