PDA

View Full Version : Click.GiftLoad Attack-Please help!



6czr407
2011-04-30, 09:51
My laptop is running on Windows Vista Business and I started experiencing problems with the browser. It started redirecting me to unwanted pages. I downloaded SpybotS&D and I found that I have a Hijaker called Click.GiftLoad.

Unfortunately, every time I remove it using SpybotS&D, it comes back. It has caused malfunction of my laptop as it now won't shut down and keeps restarting at all times and is giving me a Blue Screen. The last time Spybot refused to remove it because I don't have Administrator level and I am signed in as Administrator!

Below are the DDS and SpybotS&D reports.

I would greatly appreciate your help in solving this problem.


DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 22:55:30.74 on Fri 04/29/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_19
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.830 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-

1B136EB04637}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-

206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\rundll32.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\prevhost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Pablo Pinedo\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.sony.com/b2bvaio/
mDefault_Page_URL = hxxp://www.sony.com/b2bvaio/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!

\companion\installs\cpn0\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -

c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!

\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1

\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!

\common\yiesrvc.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program

files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common

files\mcafee\systemcore\ScriptSn.20110114105431.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program

files\google\googletoolbar2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1

\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!

\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!

\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1

\mcafee\sitead~1\mcieplg.dll
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [20090604] c:\program files\broderbund\mavis beacon deluxe - 25th anniversary

edition\regapp\encore_reg.exe /r "c:\program files\broderbund\mavis beacon deluxe - 25th anniversary

edition\regapp\encore_reg.rpd"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} -

c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: prdsforms.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} -

hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-

9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19

-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-

1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-

1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1

\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1

\McIEPlg.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program

files\mimectl.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\protector suite ql\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
LSA: Notification Packages = scecli psqlpwd c:\program files\protector suite ql\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\pablop~1\appdata\roaming\mozilla\firefox\profiles\8hvlz4ix.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-8 64160]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-17 386840]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-17 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-1-14 164840]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-17 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-17 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-17 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-17 313288]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32

Bit;c:\windows\system32\drivers\NETw5v32.sys [2010-7-29 4232704]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-7-24 9472]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-17 84264]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys

[2006-11-7 92160]
S4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-17 84072]
.
=============== Created Last 30 ================
.
2011-04-29 19:29:27 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition

updates\{4222e1f5-8dea-4a90-bc26-ca657ca44e1d}\mpengine.dll
2011-04-29 05:47:19 -------- d-----w- c:\users\pablop~1\appdata\local\Microsoft Corporation
2011-04-29 05:43:36 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-04-29 01:53:51 -------- d-----w- c:\windows\LMIB8A5.tmp
2011-04-26 22:58:47 -------- d-----w- c:\program files\Trend Micro
2011-04-25 17:19:18 -------- d-----w- c:\users\pablop~1\appdata\local\Sunbelt Software
2011-04-25 17:15:24 -------- dc-h--w- c:\progra~2\{E8A61B3F-DF97-45EA-A2EE-88E262649179}
2011-04-13 18:22:54 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-13 18:22:51 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-13 18:22:48 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-13 18:22:44 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-03 01:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 23:03:24.40 ===============

ken545
2011-05-04, 11:34
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Is this a company computer ? Read Post #5 in Before you post