PDA

View Full Version : Click.Giftload April 2, 2011



Valerie Byrnes
2011-04-02, 19:21
Spybot reveals Click.Giftload on my computer. I have read "what to do before posting" and have followed the suggestions. I have Spybot, Malwarebytes, Sophos, and Combofix loaded and have used them all in an effort to clean up my computer previously. Nothing works.
I have Windows Vista Home, Service Pack 2. I have tried to update Windows, but it will won't let me.

I used ERUNT to back up my computer.
Here is my DDS log from 4-2-11:

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-08-24 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-15 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-16 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-15 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I appreciate any advice you can give me. Thanks,
Val

Blottedisk
2011-04-04, 03:24
Hi Val,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Please follow these steps in order:


Step 1 | Download DDS from any of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr )
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com )
Link 2 (http://www.forospyware.com/sUBs/dds )

--------------------------------------------------------------------
Save it to your desktop.
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds and a command window will appear. This is normal.
Shortly after two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you save & post the logs.
Save the logs to a convenient place such as your desktop.
Post the contents of the DDS.txt report in your next reply.
Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


Step 2 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it


Step 3 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).

Valerie Byrnes
2011-04-04, 20:15
Thanks for your assistance. I appreciate it.

I've attached the DDS zipped attach and the aswMBR text. I will post this and then disconnect my internet and get the GMER.
Here is my DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Val at 9:55:00.61 on Mon 04/04/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.991 [GMT -7:00]
.
AV: Sophos Anti-Virus *Disabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Disabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\VService\VService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\etMon.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Val\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Val\Desktop\dds.pif
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [etMonitor] c:\windows\etMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SMART Board Service] c:\program files\smart technologies\smart product drivers\SMARTBoardService.exe
mRun: [SMART SNMP Agent] c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe -e
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
StartupFolder: c:\users\val\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\val\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\val\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos_detoured.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-7-20 93192]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-7-20 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-7-20 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2010-7-20 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-7-20 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2010-7-20 794624]
R2 VService;ECS Button Volume Control Service;c:\program files\vservice\VService.exe [2008-5-19 65536]
R3 AVerBDA6x;AVerBDA6x service;c:\windows\system32\drivers\AVerBDA716x.sys [2008-4-30 932864]
R3 DCamUSBET;ET USB 2750 Camera;c:\windows\system32\drivers\etDevice.sys [2008-3-1 131712]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2008-5-13 183168]
R3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [2007-9-7 6656]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\drivers\SMARTMouseFilterx86.sys [2010-6-15 11048]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\drivers\SMARTVHidMini2000x86.sys [2010-6-15 14120]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\drivers\SMARTVTabletPCx86.sys [2010-6-15 13440]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-7-20 20288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-8-28 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-31 03:05:23 -------- d-s---w- C:\ComboFix
2011-03-29 03:48:01 60416 ---ha-w- c:\windows\system32\iashabel.dll
2011-03-29 03:47:36 -------- d-----w- c:\progra~2\cMfMkEdKiEl05200
2011-03-29 03:19:13 -------- d-----w- c:\users\val\appdata\local\Google
2011-03-27 03:53:06 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-27 03:53:02 -------- d-----w- c:\users\val\appdata\local\temp
2011-03-27 02:49:17 89088 ----a-w- c:\windows\MBR.exe
2011-03-27 02:49:16 31232 ----a-w- c:\windows\NIRCMD.exe.SHS
2011-03-27 02:49:16 256512 ----a-w- c:\windows\PEV.exe
2011-03-27 02:49:15 161792 ----a-w- c:\windows\SWREG.exe
2011-03-27 02:49:14 98816 ----a-w- c:\windows\sed.exe
2011-03-27 02:05:37 714590 ----a-w- c:\windows\unins000.exe
2011-03-27 02:04:39 -------- d-----w- c:\program files\Quick Web Player
2011-03-20 08:28:42 -------- d-----w- c:\progra~2\dBlPaIe05200
2011-03-20 06:14:51 0 ----a-w- c:\users\val\appdata\local\Bpovepova.bin
2011-03-18 18:34:05 -------- d-----r- c:\users\val\Dropbox
2011-03-18 18:08:40 -------- d-----w- c:\users\val\appdata\roaming\Dropbox
2011-03-18 08:33:56 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3d6a7c66-bb44-44eb-80af-b82c630132f9}\mpengine.dll
2011-03-11 02:20:58 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-11 02:20:58 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-11 02:20:58 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-11 02:20:58 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-11 02:20:50 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-11 02:20:50 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-06 22:54:42 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-03-06 22:54:42 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-03-06 22:54:42 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-03-06 22:54:42 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-03-06 22:54:16 442368 ----a-w- c:\windows\system32\nvudisp.exe
2011-03-06 22:53:00 -------- d-----w- c:\users\val\{6228f660-d68c-4346-b9fe-bc6af5febcde}
2011-03-06 22:52:54 442368 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-03-06 22:21:09 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-03-06 22:21:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-03-06 22:21:08 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-03-06 22:20:58 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-03-06 22:19:49 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
.
==================== Find3M ====================
.
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST3320820AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85816439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8581c7d0]; MOV EAX, [0x8581c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x8204D11B] -> \Device\Harddisk0\DR0[0x8517BAC8]
3 CLASSPNP[0x880408B3] -> nt!IofCallDriver[0x8204D11B] -> [0x84A07468]
5 acpi[0x826426BC] -> nt!IofCallDriver[0x8204D11B] -> [0x84A27B98]
\Driver\atapi[0x854849E8] -> IRP_MJ_CREATE -> 0x85816439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskST3320820AS_____________________________3.AAD___#5&36ac8861&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 9:56:54.35 ===============

Valerie Byrnes
2011-04-04, 21:05
I hope this tells you more than it tells me!! Again, thank you for your help. V

Blottedisk
2011-04-04, 21:18
Hi Val,


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malwares are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps

Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim )
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm )


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063 )
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html )

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".

Click the Scan button to start scan.
When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png )
Click the image to enlarge it

Valerie Byrnes
2011-04-05, 06:56
Thank you for all of the information. Looks like I've got trouble on my hands.

I will take your advice and change all of my passwords and alert all financial institutes.

How did the "backdoor" hacker get access and how can I prevent it from happening again, whether I clean this computer or get a new one?

I have Sophos Anti-Virus on and it runs daily.

I brought home my work laptop and hooked up to my home wireless. It started acting similar, redirecting my searches on the internet and booting me off. My son complains of the same thing when he visits and uses his computer.
Makes me think my problem may start with my internet provider. My system is secured.

I'd like to backup some of my files before I wipe out my OS and Windows. Will the virus follow my files to a jumpdrive?

After I save a few files, I think I'd like to go ahead and try cleaning the system. I don't have anything to lose. However, I do worry about trusting this computer again with secure information.

Thanks for your time,
Val

Blottedisk
2011-04-05, 19:55
Hi Val,



How did the "backdoor" hacker get access and how can I prevent it from happening again, whether I clean this computer or get a new one?


Here's a good read on how to prevent infections:

How did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)



I'd like to backup some of my files before I wipe out my OS and Windows. Will the virus follow my files to a jumpdrive?


It depends on which files, but it is possible. If you backup your documents, pictures, spreadsheets, etc it will be ok. In any case, If you want to give it a try and clean the machine, I would recommend you to do the backup once we finish.



After I save a few files, I think I'd like to go ahead and try cleaning the system. I don't have anything to lose. However, I do worry about trusting this computer again with secure information.


When you feel ready to start, please create a new restore point and then go ahead with the instructions from my previous post (aswMBR).


To create a new restore point:


Click Start
Right click on My Computer
Select Properties
From the tasks pane on the left, click System Protection
Select a disk (place check mark in box if it is not already checked) from the list, usually C:, and click on the Create button.
Type a name to describe this restore point (ex. "Before malware removal")
Click Create button
When finished, Windows opens a window stating that the restore point was created successfully.

Valerie Byrnes
2011-04-08, 07:22
Thank you for the advice. I have been resetting passwords,etc. I plan to follow your directions and clean my machine this weekend. I will be in touch.
Val

Blottedisk
2011-04-08, 15:38
:bigthumb:

Remember to create a restore point before starting with aswMBR.

Valerie Byrnes
2011-04-13, 07:14
Thank you for your advice. I will be out of town for the next two weeks on business and will not have time to work on my computer. If I need further assistance I will begin a new post to you. Thank you.

Blottedisk
2011-04-15, 22:53
You are welcome. I shall close the topic now. If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288 ) and begin a New Topic.