Click.Giftload and getting BSOD's



Mackymack
2011-04-27, 14:13
Earlier this evening I noticed Firefox running extremely slow and it eventually froze. I did a restart only to come up with a BSOD saying INTERNAL POWER ERROR. After it booted back up my malware senses were tickling, so I launched Malwarebytes and Spybot. Malwarebytes didn't find anything but Spybot did, showing that I was infected with Click.Giftload. Just like many others here, trying to fix the problem through Spybot does not work at all. I know you guys said not to run ComboFix but I tried it anyways, and my computer ended up BSOD'ing again saying it was some sort of SQRL ERROR. Well, that's my story and I hope you guys can help!

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Owner at 1:01:18.47 on Wed 04/27/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.2384 [GMT -10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uStart Page = hxxp://www.ask.com?o=14196&l=dis
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [D3DOverrider] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\tools\d3doverrider\D3DOverriderWrapper.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\setup_~1.lnk - c:\users\owner\desktop\virus removal tool\setup_9.0.0.722_27.04.2011_10-09\startup.exe
uPolicies-explorer: TaskbarNoNotification = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\d7eh0s59.default\
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\users\owner\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 09690752;09690752 Boot Guard Driver;c:\windows\system32\drivers\09690752.sys [2011-4-26 37392]
R0 36177062;36177062 Boot Guard Driver;c:\windows\system32\drivers\36177062.sys [2011-4-26 37392]
R0 83437222;83437222 Boot Guard Driver;c:\windows\system32\drivers\83437222.sys [2011-4-26 37392]
R0 96403622;96403622 Boot Guard Driver;c:\windows\system32\drivers\96403622.sys [2011-4-26 37392]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2010-6-15 9728]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
S1 09690751;09690751;c:\windows\system32\drivers\09690751.sys [2011-4-26 128016]
S1 36177061;36177061;c:\windows\system32\drivers\36177061.sys [2011-4-26 128016]
S1 83437221;83437221;c:\windows\system32\drivers\83437221.sys [2011-4-26 128016]
S1 96403621;96403621;c:\windows\system32\drivers\96403621.sys [2011-4-26 128016]
S1 setup_9.0.0.722_27.04.2011_10-09drv;setup_9.0.0.722_27.04.2011_10-09drv;c:\windows\system32\drivers\3617706.sys [2011-4-26 311312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9d40f8101d1be;Google Update Service (gupdate1c9d40f8101d1be);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104]
S2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2009-7-17 3576320]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2010-6-15 39936]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2009-4-20 531456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104]
S3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\drivers\hidusbf.sys [2009-9-29 4544]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PCD5SRVC{7DB2D2E3-4FE4EEA9-05040000};PCD5SRVC{7DB2D2E3-4FE4EEA9-05040000} - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcd5srvc.pkms [2008-9-9 20640]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]
S3 utixnda2;AVZ Kernel Driver;c:\windows\system32\drivers\utixnda2.sys [2011-4-26 7168]
S3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-6-15 5760]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-9 1343400]
.
=============== Created Last 30 ================
.
2011-04-27 09:37:24 37392 ----a-w- c:\windows\system32\drivers\36177062.sys
2011-04-27 09:37:24 311312 ----a-w- c:\windows\system32\drivers\3617706.sys
2011-04-27 09:37:24 128016 ----a-w- c:\windows\system32\drivers\36177061.sys
2011-04-27 09:26:02 7168 ----a-w- c:\windows\system32\drivers\utixnda2.sys
2011-04-27 09:04:04 37392 ----a-w- c:\windows\system32\drivers\96403622.sys
2011-04-27 09:04:04 311312 ----a-w- c:\windows\system32\drivers\9640362.sys
2011-04-27 09:04:04 128016 ----a-w- c:\windows\system32\drivers\96403621.sys
2011-04-27 08:42:07 37392 ----a-w- c:\windows\system32\drivers\09690752.sys
2011-04-27 08:42:07 311312 ----a-w- c:\windows\system32\drivers\0969075.sys
2011-04-27 08:42:07 128016 ----a-w- c:\windows\system32\drivers\09690751.sys
2011-04-27 08:22:16 37392 ----a-w- c:\windows\system32\drivers\83437222.sys
2011-04-27 08:22:16 311312 ----a-w- c:\windows\system32\drivers\8343722.sys
2011-04-27 08:22:16 128016 ----a-w- c:\windows\system32\drivers\83437221.sys
2011-04-27 08:07:11 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2011-04-25 23:59:05 -------- d-----w- c:\users\owner\appdata\roaming\.minecraft
2011-04-24 07:07:18 -------- d-----w- c:\users\owner\appdata\local\PCSX2
2011-04-22 10:17:27 -------- d-----w- c:\users\owner\appdata\roaming\XRay Engine
2011-04-15 00:43:01 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-15 00:43:01 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-15 00:43:01 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-15 00:43:00 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-04-15 00:43:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-15 00:43:00 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-04-15 00:43:00 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-15 00:43:00 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-14 13:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 13:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-14 06:02:28 -------- d-----w- c:\progra~2\nJi06511dBoHn06511
2011-04-10 11:29:42 -------- d-----w- c:\progra~2\iBa06511fFiHl06511
.
==================== Find3M ====================
.
2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-27 05:02:32 138056 ----a-w- c:\users\owner\appdata\roaming\PnkBstrK.sys
2011-02-26 05:33:07 2614784 ----a-w- c:\windows\explorer.exe
2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-22 14:52:00 1730112 ----a-w- c:\windows\system32\FMAPO.dll
2011-02-22 10:16:26 2145896 ----a-w- c:\windows\system32\RtkPgExt.dll
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 09:49:40 3805288 ----a-w- c:\windows\system32\RtkAPO.dll
2011-02-18 05:33:29 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-02-17 13:03:54 485992 ----a-w- c:\windows\system32\RtkApoApi.dll
2011-02-16 12:11:28 69224 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-02-12 05:30:49 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-09 14:56:00 1284712 ----a-w- c:\windows\RtlExUpd.dll
2011-01-29 07:01:18 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST336032 rev.3.CH -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85A074F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85a0d7d0]; MOV EAX, [0x85a0d84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82053448] -> \Device\Harddisk0\DR0[0x859E0030]
3 CLASSPNP[0x8A82B59E] -> ntkrnlpa!IofCallDriver[0x82053448] -> [0x85681A38]
5 ACPI[0x8A7463B2] -> ntkrnlpa!IofCallDriver[0x82053448] -> \0000006d[0x856986D0]
\Driver\nvstor32[0x859F2450] -> IRP_MJ_CREATE -> 0x85A074F0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000006d -> \??\SCSI#Disk&Ven_ST336032&Prod_0AS#4&21597100&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 1:03:52.05 ===============

Mackymack
2011-04-27, 22:00
Since no one is helping I guess it's a bad infection? If it helps, when I ran ComboFix, the computer BSOD'd immediately.

---------------------------------------
Edit
Mackymack,

"Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count, they look for topics with a 0 response."
"BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

This topic was started today, please see The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)

" I know you guys said not to run ComboFix but I tried it anyways, and my computer ended up BSOD'ing again"
Can't add much to: Please do NOT run 'FIXES' (ComboFix etc.) without being asked (http://forums.spybot.info/showthread.php?t=16806)

;)