Click.GiftLoad HijackerC



Sisa722
2011-04-04, 01:24
Hello,
It seems I have been lucky to get infected by the Click.GiftLoad. I have followed your "Before posting read this" instructions, and below you will find the information requested.

Also, I have been receiving a pop-up message from Microsoft Windows informing me that "Host Process for Windows Services stopped working and was closed".
Is this all related?

Please find the DDS log and attach.txt
Your help is greatly appreciated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Rachel at 18:06:52.94 on Sun 04/03/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1013 [GMT -4:00]
.
AV: CA Anti-Virus *Disabled/Outdated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: CA Anti-Spyware *Disabled/Outdated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Windows\system32\lxbccoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Rachel\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [Aim6]
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Malwarebytes Anti-Malware Reboot] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] c:\program files\dell support center\gs_agent\custom\dsca.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\rachel\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\users\rachel\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} - hxxps://login.imagesilo.com/Install/DocViewCtl/PVDMDocView400.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 adwarealert;adwarealert;c:\windows\system32\drivers\adwarealert.sys [2008-5-1 22512]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-9-9 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-9-9 21104]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-9-9 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-5-8 144696]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-23 21504]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-9-9 255312]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-29 111104]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-9-9 185680]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-5-8 130280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-29 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-2-29 73728]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-04-03 14:37:02 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{85b4897c-a972-4c96-9297-70c6fce711a0}\mpengine.dll
2011-03-24 12:46:47 -------- d-----w- c:\program files\Digitech Systems
2011-03-24 12:13:26 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-24 12:13:26 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-24 12:13:26 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-11 18:12:03 -------- d-----w- c:\program files\iPod
2011-03-11 18:12:02 -------- d-----w- c:\program files\iTunes
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-03-11 18:08:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-03-11 18:03:18 -------- d-----w- c:\program files\Bonjour
2011-03-09 02:54:05 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 02:54:04 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 02:54:04 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 02:54:04 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 02:54:01 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 02:54:01 2067968 ----a-w- c:\windows\system32\mstscax.dll
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-15 01:08:57 257703058 ----a-w- c:\windows\DUMP4fa5.tmp
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD16 rev.04.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8661E439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866247d0]; MOV EAX, [0x8662484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E61912] -> \Device\Harddisk0\DR0[0x85F812F0]
3 CLASSPNP[0x8819F8B3] -> ntkrnlpa!IofCallDriver[0x81E61912] -> [0x866ADB20]
\Driver\iaStor[0x86609E78] -> IRP_MJ_CREATE -> 0x8661E439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD1600BEVS-75RST0___________________04.01G04#4&20766cbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 18:07:56.68 ===============
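
Added example (not from the thread, and not part of the DDS tool): a small Python triage script that walks the lines of a DDS log and pulls out the entries a helper reads first: security products reported disabled or outdated, a BHO whose DLL is gone, an autorun entry with no command behind it, a Winsock LSP, a populated AppInit_DLLs value, boot-start (R0) drivers, and the MBR detector's "user != kernel" verdict. The sample input is a constructed excerpt of a few lines copied from the log above; the severities and category names are this example's own choices, not anything DDS emits.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    category: str
    evidence: str   # the log line that produced the finding


# Constructed excerpt: a handful of lines copied from the DDS log above, used as sample input.
SAMPLE_LOG = r"""
AV: CA Anti-Virus *Disabled/Outdated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: CA Anti-Spyware *Disabled/Outdated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No File
uRun: [Aim6]
mRun: [Persistence] c:\windows\system32\igfxpers.exe
LSP: c:\windows\system32\VetRedir.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
R0 adwarealert;adwarealert;c:\windows\system32\drivers\adwarealert.sys [2008-5-1 22512]
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

# "AV: <name> *<state>* {<guid>}" is how DDS prints security-product status.
PRODUCT_RE = re.compile(r"^(?:AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\* \{")
# "uRun: [Name] <command>" (per-user) or "mRun: [Name] <command>" (machine-wide).
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\](?P<target>.*)$")
SEVERITY_RANK = {"none": 0, "info": 1, "medium": 2, "high": 3}


def triage(log_text):
    """Walk a DDS log and return the lines a helper would want to look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PRODUCT_RE.match(line)
        if m:
            if "Disabled" in m.group("state") or "Outdated" in m.group("state"):
                findings.append(Finding("medium", "security-product-disabled-or-outdated", line))
            continue
        if line.startswith("BHO:"):
            if line.endswith("- No File"):      # registered browser helper whose DLL is gone
                findings.append(Finding("info", "orphaned-bho", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if not m.group("target").strip():   # autorun key with no command left behind
                findings.append(Finding("info", "empty-autorun-entry", line))
            continue
        if line.startswith("LSP:"):             # Winsock layered provider sees all socket traffic
            findings.append(Finding("medium", "winsock-lsp", line))
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("medium", "appinit-dll-injection", line))  # loaded into every GUI process
            continue
        if line.startswith("R0 "):              # boot-start driver: loads before any AV
            findings.append(Finding("info", "boot-start-driver", line))
            continue
        if "user != kernel MBR" in line:        # MBR differs between user-mode and kernel read
            findings.append(Finding("high", "mbr-user-kernel-mismatch", line))
            continue
        if re.search(r"rootkit infection", line, re.IGNORECASE):
            findings.append(Finding("high", "rootkit-warning", line))
    return findings


def max_severity(findings):
    """Highest severity present, or "none" for an empty list."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.evidence}")
```

Run against the excerpt, the script reports "high" overall because of the MBR mismatch; the two CA products show up as disabled/outdated while Windows Defender, marked Enabled/Updated, produces nothing. A regex walk like this only flags what the log itself states; it does not replace reading the full log.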

Blottedisk
2011-04-04, 02:48
Hi Sisa722,


Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. This kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps.

Please read the following for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim )
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm )


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063 )
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html )

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )


Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).

Sisa722
2011-04-04, 03:36
I think I will go ahead and reformat and reinstall my computer. I have a few questions:
Am I still in danger of my passwords being stolen if I do not "store" them?

Will I still be able to save pictures and documents on a USB?

Also, will I need a windows cd, because I don't think I have them I've had this laptop for a few years...

Thanks

Sisa722
2011-04-04, 03:53
Disregard my last question about the CDs, I was able to find all the CDs that came with my laptop.

Will you also be walking me through the reformat I do not know where to start.

Also, I had an SD card in the SD drive, is this also infected?

Thank you

Blottedisk
2011-04-04, 04:24
Hi Sisa722,


Wise decision.



Am I still in danger of my passwords being stolen if I do not "store" them?


Definitely. These infections sometimes come bundled with what is called a keylogger. Keyloggers can intercept anything you type in with your keyboard, including passwords, personal data, etc., and then send this information to the offender.


Will I still be able to save pictures and documents on a USB?


In theory you can save your pictures, address books, documents, music, settings, saved games, etc. However, some of the newest infections can infect these kinds of documents as well, so chances are that you will reintroduce the infection after the reinstall. I would recommend that you not back up this data; however, this is entirely up to you. You will have to evaluate how important these files are before running the risk of backing them up.



I had an SD card in the SD drive, is this also infected?

I'm not sure, your log doesn't show any information on this drive. You can always plug the card into your computer and scan it with your CA antivirus. But before doing the scan, please update it (the DDS log shows that it is outdated, and this is most probably the reason why you became infected in the first place).

Or, you can plug-in the card and then perform an online scan with either of the following scanners:

ESET Online Scanner (http://www.eset.com/us/online-scanner)
Panda ActiveScan (http://www.pandasecurity.com/homeusers/solutions/activescan/)

The scan will take a couple of hours and will also scan your PC. You can post the results here so I can analyze them, if you want.



Will you also be walking me through the reformat I do not know where to start.


Of course. Can you tell me which model your Dell machine is?

Would you please also post the contents of attach.txt? (This log was also produced when you ran DDS.) If you can't find this log, please rerun DDS, and this time post only the contents of Attach.txt.

Sisa722
2011-04-04, 04:38
I have Dell Inspiron 1525 and I have attached the "attach" log.

As for the SD card, will it be better for me to scan after the reformatting and send the results to you for analysis, as it will scan the whole PC as well?

Thanks

Sisa722
2011-04-04, 04:39
Just in case you are not able to open it, or if it is not safe.

Here is the attach.txt information:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 2/29/2008 10:16:08 AM
System Uptime: 4/3/2011 5:56:38 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0WP007
Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | Microprocessor | 1667/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 136 GiB total, 33.218 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.509 GiB free.
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Advanced Audio FX Engine
Advanced Video FX Engine
AdwareAlert
AIM 6
AOL Install
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
Bonjour
Browser Address Error Redirector
CA Anti-Spyware
CA Anti-Virus
CA Internet Security Suite
CA Pest Patrol Realtime Protection
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows
CutePDF Professional 3.6 (Evaluation)
CutePDF Writer 2.8
Dell Automated PC TuneUp
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Digital Line Detect
DivX Web Player
EarthLink Setup Files
ERUNT 1.1j
Google Desktop
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) PROSet/Wireless Software
Intel® Matrix Storage Manager
iTunes
Java(TM) SE Runtime Environment 6
Laptop Integrated Webcam Driver (1.03.02.0719)
Lexmark Z500-Z600 Series
LimeWire 5.1.2
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
mCore
MediaDirect
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional
Microsoft Outlook Web Access S/MIME
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
Move Networks Media Player for Internet Explorer
mPfMgr
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Music, Photos & Videos Launcher
mWMI
NetWaiting
OpenCASE Media Agent
OutlookAddinSetup
PaperVision Document Viewer Controls
Product Documentation Launcher
QuickSet
QuickTime
RealPlayer
Rhapsody
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype™ 4.2
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
TEC-IT TBarCode 9
United TravelDesk
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
VC80CRTRedist - 8.0.50727.762
Visual Studio 2005 Tools for Office Second Edition Runtime
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
WinRAR archiver
.
==== End Of File ===========================

Blottedisk
2011-04-04, 05:08
As for the SD card, will it be better for me to scan after the reformatting and send the results to you for analysis, as it will scan the whole PC as well?

Not really. If it's infected, it may automatically introduce the infection into the clean machine when you plug it in.


Thanks for the log. Your Dell machine has a feature called Dell Factory Image Restore which restores your hard drive to the operating state it was in when you purchased the computer. However, your Master Boot Record (MBR) is also infected, and I'm not sure if this feature will also restore your MBR to factory settings. I would recommend that you create a new topic in the Dell Support Forums and ask for guidance there:

http://en.community.dell.com/support-forums/default.aspx

Your helper there may find a link to this topic helpful.


And here's the tutorial on how to use the Dell Factory Image Restore feature:

http://support.dell.com/support/edocs/systems/xlob/dtg/en/software.htm#wp1109809

Sisa722
2011-04-04, 14:18
Here is the reply from the Dell forum:

The restore reloads only the C: partition - it does not alter the master boot record. You will need to manually remove the rootkit.

Thanks.
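
Added example, not part of the thread or of any tool named in it: the detector output in the DDS log above reports that the MBR read through the normal (user-mode) path differs from the MBR read in the kernel, and the Dell reply explains that a factory restore rewrites only the C: partition and leaves the master boot record alone. This Python script shows both points on a constructed 512-byte MBR. The two-partition layout and the "tampered" boot code are made up for the example and are not a dump from any machine; the script parses the partition table, diffs two views of the sector, and checks whether sector 0 falls inside any partition, which it never does, so a partition-level restore cannot touch the MBR code.

```python
import struct

SECTOR = 512
PTABLE_OFF = 446          # partition table begins here; boot code is bytes 0..445
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields get the usual 'use LBA' filler."""
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr():
    """Constructed sample disk (not a real dump): 10 GiB NTFS at LBA 63,
    then a bootable ~136 GiB NTFS partition, two unused slots."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (PTABLE_OFF - 8)
    table = (make_entry(0x00, 0x07, 63, 20_971_520)
             + make_entry(0x80, 0x07, 20_971_583, 285_212_672)
             + bytes(32))
    return boot_code + table + SIGNATURE


def tamper_boot_code(sector):
    """Constructed 'tampered' view: first 32 bytes of boot code replaced while the
    partition table and signature stay intact, the shape of a bootkit-style overwrite."""
    patched = bytes([0xEB, 0xFE]) + b"\xCC" * 30   # illustrative filler, not real malware code
    return patched + sector[len(patched):]


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE, "partitions": parts}


def diff_ranges(a, b):
    """Half-open [start, end) byte ranges where two equal-length sectors differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def sector_inside_partition(partitions, lba):
    """True if the given LBA lies within any partition's extent."""
    return any(p["lba_start"] <= lba < p["lba_start"] + p["sectors"] for p in partitions)


def analyze(user_view, kernel_view):
    """Mirror the detector's check: compare the MBR seen through the normal read path
    with the MBR read lower in the storage stack, and say which region differs."""
    ranges = diff_ranges(user_view, kernel_view)
    info = parse_mbr(kernel_view)
    return {
        "signature_ok": info["signature_ok"],
        "boot_code_differs": any(s < PTABLE_OFF for s, _ in ranges),
        "partition_table_differs": any(e > PTABLE_OFF and s < 510 for s, e in ranges),
        "diff_ranges": ranges,
        "mbr_inside_any_partition": sector_inside_partition(info["partitions"], 0),
    }


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(analyze(clean, tamper_boot_code(clean)))
```

On the constructed input the two views differ only in bytes 0..31, so the partition table still parses cleanly and the disk looks normal to anything that reads the table alone; a restore that rewrites a partition's sectors never reaches sector 0, which is why the MBR has to be rewritten separately (or the whole disk wiped).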

Blottedisk
2011-04-04, 20:17
Hi Sisa722,


Then we could try to remove the bootkit (and also clean the D drive), so you can then use the Dell Factory Image Restore feature to restore your C drive.


The other option would be to do a complete reformat on your hard drive. I suggest you go this way.


What do you think?

Sisa722
2011-04-04, 21:04
I think I will feel better just reformatting the whole thing.

Blottedisk
2011-04-04, 21:15
I think I will feel better just reformatting the whole thing.


:bigthumb:


I would also suggest you ask for instructions on their forum; they will give you better guidance than me regarding the reformat.

Sisa722
2011-04-05, 02:11
I have asked them for instructions on how to do a complete reformat and below is the link to the instructions they sent me. Can you please take a quick look to see if this is what I need to do?

http://support.dell.com/support/topics/global.aspx/support/dsn/detectos?type=force&lx=179256&lv=339949&l7=362048

Thank you!

Blottedisk
2011-04-05, 03:29
Hi Sisa722,


That doesn't seem to be a guide to reformat, but to perform an operating system reinstall. A reinstall will not remove the infection; we need to solve this issue from the root.


I am not tech savvy, so I've asked my colleagues for advice regarding the reformat on your Dell Inspiron 1525 machine; because of this there will be a couple of extra eyes on this topic. I'll come back with a reply as soon as possible.

Sisa722
2011-04-05, 21:24
Thank you very much for your time, help, & patience!!
I will be travelling at the end of this week, for a week, but I will keep looking out for your reply until I leave and when I return.

Blottedisk
2011-04-06, 02:43
Hi Sisa722,


Although I have never worked with the Dell Support Forums, I sent you there because I thought you would receive proper guidance regarding this matter.


Now I will recommend you WhattheTech (WTT), a help forum I know very well. We work hand in hand with WhattheTech. Like SaferNetworking it's free, but you will need to register first:


http://forums.whatthetech.com/index.php?showforum=119


PS: Enjoy your journey :bigthumb:

Blottedisk
2011-04-25, 04:26
Since this issue appears to be resolved, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288) and begin a New Topic.