
Thread: Click.GiftLoad ... ugh.

  1. #1
     Junior Member (Join Date: Apr 2011, Posts: 10)

     Click.GiftLoad ... ugh.

    Great site here... kudos to all the volunteers!

    I am also having problems with this nasty Click.GiftLoad problem.
    Every time I reboot and rerun Spybot, it's always catching it. And
    yes, I'm getting web page redirects as well.

    I can't seem to upload or post from my infected computer, so I'm typing this from my work computer (I had to email the DDS file to myself), as I'm getting a connection time-out error on my infected computer when posting to this site... I also ran TDSSKiller yesterday, but that came up empty as it could not find anything.

    I appreciate any assistance that can be provided.

    Thanks in advance!
    Attached Files

  2. #2
     Security Expert shelf life (Join Date: Nov 2005, Location: @localhost, Posts: 6,095)

    hi,

    Based on the log you really shouldn't be using the machine. It also should have no connectivity; if you're not sure how to stop this you should power it off. Just because you're getting a time-out doesn't mean there is no connectivity going on.

    You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.

    The best source for information on how to do this would be the computer manufacturer's website.

    To manually clean up the computer with current utilities proceed as follows:

    We will get a download to use. It's called ComboFix. There is a guide to read first; read through the guide on another machine if you have to, then apply the directions on your own machine. See if you can actually get to the link to download it directly onto the compromised machine.
    1) run combofix and post the log
    2) run tdsskiller again and post its log

    Guide to using Combofix
    How Can I Reduce My Risk?

  3. #3
     Junior Member (Join Date: Apr 2011, Posts: 10)

    Thank you very much for responding... I have had the computer disconnected (basically pulled the ethernet cable) the past few days except for downloading potential antivirus scan tools such as HijackThis, aswMBR, ATF-Cleaner, OTL, ComboFix, TDSSKiller and the suite of Sysinternals apps. The only other time my computer was connected is the few minutes a day to email my logs to my work address so I can log onto this forum here to post from work.

    Here are the ComboFix and TDSS logs (TDSS did not find anything). Note, because my computer was disconnected when I ran ComboFix, it did not download the Recovery Console, but it did continue on. Also ran MBAM and Spybot afterwards just to see if they could find any viruses... MBAM turned up empty and Spybot again found Click.Giftload.

    I also ran DDS to see what it would say and it also still thinks there is a Rootkit.

    Thank you.
    Attached Files

  4. #4
     Security Expert shelf life (Join Date: Nov 2005, Location: @localhost, Posts: 6,095)

    Thanks for the info. Please post the DDS log. Also go here. See step number 8 on how to get a GMER log posted.

  5. #5
     Junior Member (Join Date: Apr 2011, Posts: 10)

    Thank you...

    An interesting thing about GMER... it wanted to unclick all non-system partitions and drives... is it possible that the problem can hide in a non-system partition or drive? Just wanted to validate that.

    I know the ultimate last resort down the line is to format the drive, but I was wondering if it came down to that, would formatting the system partition be enough? Any thoughts?

    I will provide the logs tonight when I get home from work...

    Thanks again!

  6. #6
     Junior Member (Join Date: Apr 2011, Posts: 10)

    Quote, originally posted by battousai:
    "An interesting thing about GMER... it wanted to unclick all non-system partitions and drives..."

    That should read - "An interesting thing about the GMER instructions"....

  7. #7
     Security Expert shelf life (Join Date: Nov 2005, Location: @localhost, Posts: 6,095)

    The possible rootkit isn't showing up in the ComboFix log either, or TDSSKiller. The TDSS family of rootkits reside in the master boot record. Any partition that is bootable could harbor the rootkit. I don't think that a non-system partition is bootable.

  8. #8
     Junior Member (Join Date: Apr 2011, Posts: 10)

    Here are the logs... Thanks again for your time!
    Attached Files

  9. #9
     Security Expert shelf life (Join Date: Nov 2005, Location: @localhost, Posts: 6,095)

    OK, yet another download. Are you getting any redirects when browsing?

    Please also download MBRCheck to your desktop.

    Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator).

    It will show a Black screen with some information that will contain either the below line if no problem is found:

    Done! Press ENTER to exit...

    Or you will see more information like below if a problem is found:

    Found non-standard or infected MBR.

    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

    MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    Attach this log to your reply

    While you're at it:
    Download aswMBR.exe To your desktop.
    Double click the aswMBR.exe to run it
    Click the "Scan" button to start scan
    On completion of the scan click save log, save it to your desktop and post in your next reply also.
    Last edited by shelf life; 2011-05-06 at 23:06.
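    The checks that MBRCheck and aswMBR run in the two posts above (boot signature, partition table sanity, boot code compared against a known-good copy) can be reproduced on a saved 512-byte MBR image. The Python below is an added example for this thread, not code from MBRCheck, aswMBR or the helper; it has no database of real Windows boot-code hashes and instead compares against a baseline hash you supply (for instance one taken from the same machine when it was known clean). Every byte value in it (the boot-code prologue, partition layout, disk signature and the "tampered" variant) is constructed for illustration and is not taken from any real disk or malware sample.

```python
"""Audit a 512-byte MBR image the way MBR checkers do: boot signature,
partition table sanity, and boot code hashed against a known-good baseline.

Added example for the forum thread; not MBRCheck or aswMBR. All byte values
below are constructed for illustration, not real Windows code or malware."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte disk signature + 2 reserved bytes (per disk, excluded from hash)
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIG_OFF = 510            # 0x55 0xAA boot signature (little-endian word 0xAA55)
MBR_SIGNATURE = 0xAA55
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code, entries, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    image = bytearray(SECTOR)
    image[:len(boot_code)] = boot_code
    image[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, image, PART_TABLE_OFF + 16 * i, status, ptype, lba_start, sectors)
    struct.pack_into("<H", image, SIG_OFF, MBR_SIGNATURE)
    return bytes(image)


def parse_mbr(mbr):
    """Split an MBR into the fields an MBR checker inspects."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": struct.unpack_from("<H", mbr, SIG_OFF)[0] == MBR_SIGNATURE,
        # Hash only the code: the disk signature differs per disk and would spoil comparisons.
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def audit_mbr(mbr, baseline_boot_hash=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if baseline_boot_hash is not None and info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0:
            findings.append(f"entry {p['index']}: starts at LBA 0 (overlaps the MBR itself)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


# Constructed placeholder boot code (a generic x86 prologue padded with NOPs), not Windows code.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 20
CLEAN_ENTRIES = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]  # constructed layout
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_ENTRIES)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed "tampered" image: the boot code was replaced, partition table left intact.
TAMPERED_MBR = build_mbr(b"\xeb\x58\x90" + b"\xcc" * 40, CLEAN_ENTRIES)
# Constructed image whose partition table is corrupt.
BAD_TABLE_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x12, 0x07, 0, 204800)])


def read_mbr(device_path):
    """Read the first sector of a raw device, e.g. r'\\\\.\\PhysicalDrive0' (Windows, admin) or /dev/sda."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("bad table", BAD_TABLE_MBR)):
        print(f"{name:9s}: {audit_mbr(image, BASELINE_HASH) or ['OK']}")
```

    Two caveats a practitioner would add: a boot-code hash is only as good as the baseline it is compared with, so take it from the same machine while it is known clean (or from the manufacturer's recovery media), since a different Windows version or a vendor loader legitimately produces a different hash; and a rootkit that hooks disk I/O can hand back a clean-looking sector to a user-mode read of the live device, which is why the tools in this thread read the disk at a lower level and why an image taken from a boot disc is more trustworthy than one read from the running system.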

  10. #10
     Junior Member (Join Date: Apr 2011, Posts: 10)

    Attached are the logs... when I ran aswMBR and saved the log, my antivirus program picked up a virus in an MBR.dat file that was created on my desktop (the antivirus program got rid of it). Just an FYI.

    Thanks for the help!
    Attached Files
