Need help to remove Click.Giftload



MARKII
2011-04-26, 12:45
Hello, I need help removing Click.Giftload

I am running Avira, SpyBotSD and MalwareBytes. Spybot keeps finding it, but it keeps coming back. My PC is next to useless, I barely have a net connection and it is very slow. The DDS log is below (don't know how to include the Attach.txt zip file)

Also, earlier scans detected WebPage.Gen and also Win32.FraudLoad.edt, but those haven't been showing up in more recent scans since this all started yesterday.



~~~~ Was not able to post while including the DDS log

Every time I try to include the log, it says Internet Explorer cannot display webpage :confused:

Still around (in despair)

First part of log:


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Owner at 23:44:22.06 on 25/04/2011
Internet Explorer: 8.0.6001.19048
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\vds.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k netsvcs
.

second part:


============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vb32&d=1208&m=aspire_m1641
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vb32&d=1208&m=aspire_m1641
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mSearch Page = ixquickstartpage.com
uInternet Settings,ProxyServer = http=127.0.0.1:51152
uWinlogon: Shell=explorer.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - h:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - h:\program files\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll

Third part:


TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [avgnt] "h:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM

Fourth part:


IE: Send to &Bluetooth Device... - h:\program files\bluetooth software\btsendto_ie_ctx.htm
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - h:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - h:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll

Fifth part:


( will not let me post Trusted Zone's...so I will continue )

Sixth part:


DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

Seventh part:


============= SERVICES / DRIVERS ===============
.
R? AntiVirSchedulerService;Avira AntiVir Scheduler
R? AntiVirService;Avira AntiVir Guard
R? avgntflt;avgntflt
R? BHDrvx86;Symantec Heuristics Driver
R? ccHP;Symantec Hash Provider
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? FontCache;Windows Font Cache Service
R? GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506
R? IDSVix86;IDSVix86
R? McShield;McAfee Real-time Scanner
R? McSysmon;McAfee SystemGuards
R? N360;Norton 360
R? NVHDA;Service for NVIDIA HDMI Audio Driver
R? Partner Service;Partner Service
R? SBSDWSCService;SBSD Security Center Service
R? SYMNDISV;Symantec Network Filter Driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? WSVD;WSVD
S? nvoclock;NVIDIA Enthusiasts Platform KDM
S? SymEFA;Symantec Extended File Attributes
.

Eighth part:


=============== Created Last 30 ================
.
2011-04-26 05:07:47 -------- dc-h--w- c:\progra~2\{E8A61B3F-DF97-45EA-A2EE-88E262649179}
2011-04-26 03:05:59 188930 -c--a-w- c:\progra~2\2jFf5J64.exe
2011-04-26 01:24:57 -------- dc----w- c:\users\owner\appdata\roaming\Leader Technologies
2011-04-26 01:24:51 -------- dc----w- c:\program files\LTCM Client
2011-04-25 14:02:52 -------- d-sh--w- C:\found.000
2011-04-24 16:38:40 54016 -c--a-w- c:\windows\system32\drivers\kqkbq.sys
2011-04-22 13:13:59 0 -c--a-w- c:\users\owner\appdata\local\Pzigehihev.bin
2011-04-22 13:13:58 -------- dc----w- c:\users\owner\appdata\local\{3F0D514E-0290-4B00-B608-EAE4CAA079A3}
2011-04-02 14:52:03 -------- dc----w- c:\progra~2\iMg06509cIaJp06509
.

Ninth:


==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 -c--a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 -c--a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 -c--a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25:11 2041856 -c--a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 -c--a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 -c--a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 -c--a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 -c--a-w- c:\windows\system32\FntCache.dll
2011-02-22 06:21:28 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 -c--a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 -c--a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 -c--a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 -c--a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 -c--a-w- c:\windows\system32\mshtml.tlb

Tenth:

2011-02-17 06:23:50 420864 -c--a-w- c:\windows\system32\vbscript.dll
2011-02-16 16:16:37 34304 -c--a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 -c--a-w- c:\windows\system32\atmfd.dll

11:


2011-02-03 01:11:20 222080 -c----w- c:\windows\system32\MpSigStub.exe

12:


Now I can't post more than ONE line at a time. (?!)

Can I email the DDS.txt log to someone?

(also I have run TDSSKiller several times, and it has detected nothing)

:sad:
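Added example for readers of this thread (not part of the original posts, and not a tool the helpers here use): a small Python script that reads the two DDS sections posted above that matter most for a first look, the Pseudo HJT Report and the Created Last 30 list, and pulls out the lines a helper would check first: a proxy pointing at the local machine, a Hosts entry sending a site to 127.0.0.1, a non-empty AppInit_DLLs value, newly created kernel drivers, and executables created under ProgramData or a user profile. The categories and path rules are my own assumptions for illustration; a flagged line means "look at this", not "this is malware". The sample text is constructed from the log lines in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input constructed from the DDS log format shown in the thread.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:51152
AppInit_DLLs: c:\\progra~1\\google\\google~1\\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
=============== Created Last 30 ================
.
2011-04-26 05:07:47 -------- dc-h--w- c:\\progra~2\\{E8A61B3F-DF97-45EA-A2EE-88E262649179}
2011-04-26 03:05:59 188930 -c--a-w- c:\\progra~2\\2jFf5J64.exe
2011-04-24 16:38:40 54016 -c--a-w- c:\\windows\\system32\\drivers\\kqkbq.sys
2011-04-22 13:13:59 0 -c--a-w- c:\\users\\owner\\appdata\\local\\Pzigehihev.bin
2011-03-10 17:03:51 1162240 -c--a-w- c:\\windows\\system32\\mfc42u.dll
.
"""

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: timestamp, size (dashes for a directory), attribute flags, path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")

# Assumed heuristics: places a standard user can write to, and file types that execute.
USER_WRITABLE = ("\\progra~2\\", "\\programdata\\", "\\users\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".bin")

Finding = Tuple[str, str]  # (category, detail)


@dataclass
class CreatedEntry:
    timestamp: str
    size: Optional[int]  # None for directories (DDS prints dashes instead of a size)
    attrs: str
    path: str


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: content lines} using its ===== banners."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def parse_created(lines: List[str]) -> List[CreatedEntry]:
    """Parse 'Created Last 30' rows; rows that do not match the layout are skipped."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            entries.append(CreatedEntry(ts, None if size.startswith("-") else int(size), attrs, path))
    return entries


def review_hjt(lines: List[str]) -> List[Finding]:
    """Pick out Pseudo HJT Report lines that change where traffic or code goes."""
    findings: List[Finding] = []
    for line in lines:
        if "ProxyServer" in line:
            m = re.search(r"(?:127\.0\.0\.1|localhost):\d+", line)
            if m:  # browser traffic routed through a port on this machine: find what listens there
                findings.append(("loopback-proxy", m.group(0)))
        elif line.startswith("Hosts:"):
            parts = line.split()  # "Hosts: <ip> <name>"
            if len(parts) >= 3 and parts[1] == "127.0.0.1" and parts[2] != "localhost":
                findings.append(("hosts-redirect-to-loopback", parts[2]))
        elif line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # a DLL loaded into every process that uses user32: confirm its publisher
                findings.append(("appinit-dll", value))
    return findings


def review_created(entries: List[CreatedEntry]) -> List[Finding]:
    """Flag new kernel drivers and executables created where a standard user can write."""
    findings: List[Finding] = []
    for e in entries:
        p = e.path.lower()
        if p.endswith(".sys") and "\\drivers\\" in p:
            findings.append(("new-kernel-driver", e.path))
        elif p.endswith(EXEC_EXT) and any(tok in p for tok in USER_WRITABLE):
            findings.append(("executable-in-user-writable-dir", e.path))
    return findings


def triage(text: str) -> List[Finding]:
    """Run both reviews over a DDS log and return the lines worth a human look."""
    sections = parse_sections(text)
    findings = review_hjt(sections.get("Pseudo HJT Report", []))
    findings += review_created(parse_created(sections.get("Created Last 30", [])))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:34} {detail}")
```

On the sample above the script reports the 127.0.0.1:51152 proxy, the Hosts redirect, the AppInit DLL, the new driver under system32\drivers, and the two executables under ProgramData and AppData, while the Microsoft runtime DLL in system32 is left alone. To run it on a real log, pass the full DDS.txt text to `triage()`; the "Find3M" and "SERVICES / DRIVERS" sections are ignored by design, since the rules here only cover the two sections shown.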

shelf life
2011-04-30, 05:08
hi MARKII,

We will get a download to use. It's called combofix. There is a guide to read first. Read through the guide using another computer if you have to, then apply the directions on the computer in question. Please post the combofix log in your reply.
If for some reason you can't run it in "normal mode", then go ahead and run combofix, followed by malwarebytes, in safe mode:
to reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list (safe mode), log in to your usual account and, once at the safe mode desktop, run combofix and malwarebytes.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

MARKII
2011-05-01, 20:02
Hi, thanks for getting back to me (with all the click.giftload trouble happening to people). But I may have it resolved as of yesterday. My PC seems fine. Not that I can be sure though. Main thing I did, was..........I went out and got Norton 360. I was using Avira, like I have for a few years on and off in the past (the pop ups driving me mad anyways), so decided NOW was a good time to go back to it since it ran out a couple months ago. Now the scans found nothing. But the realtime scanner found maybe half a dozen trojans, "ad.clicker" or something like that. The TDSkiller never found anything. Then by happenstance I tried it again, for the umpteenth time, after I installed the 360, in safe mode. This time it actually found three things...root kit somethings. I didn't write down the names. So I clicked "clean". Now the good thing was, after that, I was finally able to restart my PC WITHOUT that bluescreen of death...which was what was preventing the Norton Power Eraser from doing its rootkit scan. Which had to be done during a restart. But because of the bluescreen not letting it restart, I had to shut down manually.......after (and no doubt because of) which didn't let the NPE rootkit scanner continue to do its thing. So after the TDS scan's success, I rebooted and yay!....saw the NPE rootkit scan start working after the reboot. And yes you guessed again.......it found some things, three I think. So I erased them. After that, my PC "seems" fine. So I'll keep you posted. If you have any questions, then just ask. But really, I'm very surprised I seem to have squeaked my way out of this near disaster.....WITH the help of your forum! I just hope it's actually fixed. I'll get back if it isn't. Thanks again!

shelf life
2011-05-01, 22:14
Ok, thanks for all the info. I would check Malwarebytes for updates and do a scan with it. Afterwards you can post a new DDS log also, for a last look.