View Full Version : help with click.giftload please



rweaver
2011-04-10, 06:45
I, like so many others, have gotten infected. However, when I try to submit a post with the DDS log pasted in, I get a browser reset message and cannot submit the post.

Blottedisk
2011-04-10, 18:29
Hi rweaver,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


------------------------------------------------

Maybe it was a temporary problem. Try again to post the log. If you still can't, then please try to attach both dds.txt and attach.txt files to your next post.

rweaver
2011-04-10, 20:51
Ok, subscribed to this thread...
still cannot embed... Just as a side note I have to keep a watch on the processes because one of the svchost.exe occasionally starts to go wild and I have to kill it.

Had to zip the dds to get it to attach....started getting the same reset/timeout message

Blottedisk
2011-04-10, 21:11
Hi rweaver,


Thanks for the logs. From now on, if you have any problems posting the contents of any of the logs I'm going to request, just attach them to your post.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kinds of malware are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps.

Please read the following for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim )
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm )


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063 )
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html )

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)


Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).


Step 2 | Please download TDSSKiller from one of the following mirrors and save it in your desktop:

This is THE Mirror (http://support.kaspersky.com/downloads/utils/tdsskiller.zip )

Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png


If a suspicious file is detected, the default action will be Skip, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious-1.png


It may ask you to reboot the computer to complete the process. Click on Reboot Now.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png


If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

rweaver
2011-04-10, 21:31
OK, downloaded........in work

rweaver
2011-04-10, 22:34
OK ran gmer, which found stuff and tdsskiller which was so fast I hardly caught it but it looked like it said it didn't find anything.....didn't get any of the warnings in your reply except reboot.

Attached are the log files. I didn't tell you that I had AVG antivirus installed but uninstalled it yesterday because one of its 10 or 12 processes (yeah, that bugged me) would start going wild also, like the svchost....so I just eliminated it for now and figured I could reload an antivirus program after this snafu is fixed. I do have a couple of additional questions in the attached files. I have Eraser installed but there are a couple of files in my Local Settings folder it cannot erase because they are locked....that bugs me. Also there are a couple of files in the root directory that bug me......I have attached screenshots for your amusement....and/or comment if you feel so inclined.

PS...thanks for helping me!

rweaver
2011-04-10, 23:03
Oh yea, one more thing I didn't tell you (ok calm down) I have a cable modem with a router installed between the computer and the modem.

See that wasn't so bad!

Blottedisk
2011-04-11, 15:34
Hi rweaver,


TDSSKiller took care of the rootkit.


That folder in your root directory seems to be part of ComboFix. As this is going to be our next tool to use, I need to know: have you run ComboFix on this machine?

rweaver
2011-04-11, 16:40
No I haven't run combofix.
As a side note, since the TDSSkiller reboot the machine appears to be functioning normally, but I am keeping the network connection unplugged when not communicating here.

Blottedisk
2011-04-11, 17:30
The heavy part of the infection has been removed. However, there's still more to do. Please follow this procedure:


Please visit the following and have a look how you can disable your security software.

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

rweaver
2011-04-11, 18:24
Here is the combo fix log file

Blottedisk
2011-04-13, 04:48
Hi,



I would value your opinion on AVG vs other antivirus,


I have never used AVG myself. I have, however, used Avira AntiVir and Avast!, and both are excellent pieces of software; I would recommend either of these two antivirus programs (they are free). If you are looking for a paid product, then go for ESET NOD32 or Kaspersky.


Please go to the following site to scan some files: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com )

Click on Browse, and upload the following files for analysis:

c:\windows\explorer.exe
c:\program files\WLAN\ACU.exe
c:\program files\Home_Designer_Suite_Setup-9.4.1.6.exe

Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

rweaver
2011-04-13, 06:28
Here is the explorer and acu reports
the Home designer setup file is taking a very long time to send, so I will send it separately. I am not sure what that is unless it is the installation file.....probably don't need it any more.

rweaver
2011-04-13, 19:22
I tried to upload the c:\program files\Home_Designer_Suite_Setup-9.4.1.6.exe but it just sat there for well over an hour...the file was 1.14 GB. I am sure this was an installation file from the zip I downloaded in 2009.....I purchased the SW. This morning I tried again but again nothing seemed to be happening, so I stopped and tried to erase it, but it was locked (?..same as the other files I asked about in the Documents & Settings/User/Local Settings/Temp folder), so I elected to have it erased on reboot. The computer was sitting there idling at 98% and there was no network activity, but it was hung up, so I rebooted it. (1st time anything queer has happened since I ran TDSSKiller)

I know that is not what you wanted, but I felt positive the file was not needed and was a leftover from the installation.....yea, good SW should not leave it there. I have run spybot a couple of times with nothing found, and immunized files.

rweaver
2011-04-14, 05:07
I downloaded Avast and installed it. I really felt a little naked without any antivirus.

I checked a few folders and it flagged a couple of files in the User (me)/Application Data/Sun/Cache folder.....moved them to the chest. Enabled a boot scan and it noted the same files and some others (I don't remember where they were....but it said they were locked and could not take any action). I figured there would be a log I could reference, but I didn't see one and don't know where it could be. I wiped the Sun/Cache files as I figured they were not needed, and if they are then I will deal with that later. Wish I knew how to find the log file.
I noticed in one of your other posts you suggested a virtual firewall to catch outgoing attempts......is that a good idea for me?

Where do we go from here?

Blottedisk
2011-04-15, 22:42
Hi rweaver,


Alright. I'll recommend you some virtual firewalls once we finish. Please do the following:


Step 1 | Avast found some threats in your Avast cache.

Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )

Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - leave BOTH checked:
Applications and Applets
Trace and Log Files
Click OK on the Delete Temporary Files window. Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files window.
Click OK to leave the Java Control Panel.


Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


Step 3 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).


Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)

rweaver
2011-04-18, 06:27
Ok, did everything you said.......downloaded the updated Java, uninstalled the previous, downloaded the malware, scanned and ran the eset scan.... all in the order you requested.

Here are the two log files

The ESET scan said it found some threats.

Richard

Blottedisk
2011-04-18, 15:29
Hi rweaver,


ESET flagged some files from RegistryBooster. This program is not a virus itself, but it may introduce adware in your machine. It's up to you if you want to uninstall this program or not. Please let me know what you want to do in your next reply.

rweaver
2011-04-19, 04:11
Well since I just re-upped the subscription on this program I think I will keep it.....at least for another year. They do sponsor ads for other products that could potentially introduce unwanted stuff, but I only use the registry tool occasionally when I have removed stuff and think something is amiss.......I notice sometimes Spybot flags registry errors. It bugs me that when you uninstall SW it leaves folders and files laying around instead of cleaning up after itself......makes me wonder what they are really doing.

Do we need to re-run any of the programs we ran previously just to check?
Does the router between my computer and my cable modem provide any advantage?
Will the Malwarebytes SW and the Avast antivirus SW and Spybot TeaTimer all be compatible?

Blottedisk
2011-04-20, 00:39
Hi rweaver,


Congratulations, we are done!



It bugs me that when you uninstall SW it leaves folders and files laying around instead of cleaning up after itself......makes me wonder what they are really doing.


In my humble opinion, what this infection could have introduced in the machine is a thousand times more dangerous than the leftovers of any of the trusted antispywares out there.



Do we need to re-run any of the programs we ran previously just to check?

No. The infection was removed. If you run Spybot now and it detects Click.Giftload, just delete it. It shouldn't bother you anymore.


Does the router between my computer and my cable modem provide any advantage?


Well, not really. Sometimes redirection issues are caused by a hijacked router, but this is not the case.


Will the Malwarebytes SW and the Avast antivirus SW and Spybot TeaTimer all be compatible?


Do you own the paid version of Malwarebytes'? If not, then it will not provide you with real-time protection. Regarding AVG and Spybot S&D, they are compatible as far as I know.


Please follow this last procedure:


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )

Thank you for your patience, and for performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

rweaver
2011-04-20, 05:21
Ran ComboFix /Uninstall and Avast kept prompting me with suspicious activity....I kept clicking OK, but it sure did take a long time with a lot of prompts (probably should have disabled the antivirus before running it).
OTC was cleaner (it asked me to disable Avast).

A couple of questions
1) what about erunt? It is still here with a folder in the windows folder
2)The link you asked me to read (which I had read before) mentioned downloading spywareblaster. Do I need it in addition to Avast?
3) you had mentioned in another post and I notice that it is top rated in the firewall results list 'comodo' firewall.......so I should install it apparently
4) One last question....I noticed when I was uploading files to the virus total site that the file upload rate seemed a lot slower than what my speakeasy test showed.....just sort of wondering what the computer is doing sometimes when I want it to do something and it is just sitting there spinning with no network activity and minimal processes running....but it is in never never land.

BIG THANKS for all the help! I sincerely appreciate it!

Blottedisk
2011-04-20, 19:47
Hi rweaver,


You are welcome!



1) what about erunt? It is still here with a folder in the windows folder


You can uninstall it.



The link you asked me to read (which I had read before) mentioned downloading spywareblaster. Do I need it in addition to Avast?

Yes, it will provide you with further protection and it will not interfere with Avast.



3) you had mentioned in another post and I notice that it is top rated in the firewall results list 'comodo' firewall.......so I should install it apparently

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

Comodo (http://personalfirewall.comodo.com/download_firewall.html ) (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
Online Armor Free (http://www.tallemu.com/downloads.php ) (Free version at bottom of page (XP/Vista/W7 (32bit)). 64bit version not available yet. Some reported conflicts with Avira AntiVir.)
ZoneAlarm (http://download.cnet.com/ZoneAlarm/3000-10435_4-10039884.html ) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
Ashampoo (http://www.download.com/Ashampoo-FireWall/3000-10435_4-10575187.html )

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install and have active, only one firewall at the same time. If you install one of these firewalls, remember to turn off Windows' firewall.



4) One last question....I noticed when I was uploading files to the virus total site that the file upload rate seemed a lot slower than what my speakeasy test showed.....just sort of wondering what the computer is doing sometimes when I want it to do something and it is just sitting there spinning with no network activity and minimal processes running....but it is in never never land.


Do you notice your internet connection is slower than before?

rweaver
2011-04-21, 02:50
1) what about erunt?
You can uninstall it....OK I did

2)
downloading spywareblaster. Do I need it in addition to Avast?
Yes, it will provide you with further protection and it will not interfere with Avast......OK I did

3) If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions.....I thought the router provided an incoming firewall...NO? (yep I understand the SW in/out FW)

If you are using the built-in Windows XP firewall....OK I went under component services and stopped and disabled it.

rweaver
2011-04-21, 03:07
P.S. I downloaded comodo firewall

I suppose we can close the thread now.

It has really been a pleasure to work with you.

Blottedisk
2011-04-21, 03:21
I thought the router provided an incoming firewall...NO? (yep I understand the SW in/out FW)


It depends on which router model you have. Some routers come with a firewall incorporated; however, even in these cases a software firewall is recommended.


I have worked with Comodo, and it's great!

Blottedisk
2011-04-22, 01:11
Since this issue appears to be resolved, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288 ) and begin a New Topic.