View Full Version : Click.GiftLoad ... ugh.
battousai
2011-04-30, 21:24
Great site here... kudos to all the volunteers! :bigthumb:
I am also having problems with ths nasty Click.GiftLoad problem.
Everytime I reboot and rerun Spybot, it's always catching it. And
yes, I'm getting web page redirects as well. :sad:
I can't seem to upload or post from my infected computer, so I'm typing this from my work computer (had the email the DDS file to myself) as I'm getting a time out connection error on my infected computer when posting to this site... I also ran TDSSKiller yesterday, but that came up empty as it could not find anything.
I appreciate any assistance that can be provided.
Thanks in advance!
shelf life
2011-05-05, 01:39
hi,
Based on the log you really shouldnt be using the machine. It also should have no connectivity, if your not sure how to stop this you should power it off. Just because your getting a time out dosnt mean there is no connectivity going on.
You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean its still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.
The best source for information on how to do this would be the computer manufacturers website.
To manually clean up the computer with current utilities proceed as follows:
We will get a download to use.Its called combofix. There is a guide to read first, read through the guide on another machine if you have to then apply the directions on your own machine. See if you can actually get to the link to download it directly onto the compromised machine.
1) run combofix and post the log
2) run tdsskiller again and post its log
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
battousai
2011-05-05, 18:40
Thank you very much for responding... I have had the computer disconnected (basically pulled the ethernet cable) the past few days except for downloading potential antivirus scan/tools such as HIjackThis, aswMBR, ATF-Cleaner, OTL, ComboFix, TDSSKiller and the suite of sysinternal apps. The only other time my computer was connected is the few minutes a day to email my logs to my work address so I can log onto this forum here to post from work.
Here is the ComboFix and TDSS logs (TDSS did not find anything). Note, becasue my computer was disconnected when I ran ComboFix, it did not download the Recovery Console, but it did continue on. Also ran MBAM and Spybot afterwards just to see if it could find and viruses... MBAM turned up empty and Spybot again found Click.Giftload.
I also ran DDS to see what it would say and it also still thinks there is a Rootkit.
Thank you.
shelf life
2011-05-06, 00:03
thanks for the info. Please post the DDS log. Also go here. (http://www.bleepingcomputer.com/forums/topic34773.html) See step number 8 on how to get a Gmer log posted.
battousai
2011-05-06, 03:14
Thank you...
An interesting thing about GMER... it wanted to unclick all non-system partitions and drives... is it possible that the problem can hide in a non-system partition or drive? Just wanted to validate that.
I know the ultimate last resort down the line is to format the drive, but I was wondering if it came down to that, would formatting the system partition be enough? Any thoughts?
I will provide the logs tonight when I get home from work...
Thanks again!
battousai
2011-05-06, 03:19
Thank you...
An interesting thing about GMER... it wanted to unclick all non-system partitions and drives... is it possible that the problem can hide in a non-system partition or drive? Just wanted to validate that.
I know the ultimate last resort down the line is to format the drive, but I was wondering if it came down to that, would formatting the system partition be enough? Any thoughts?
I will provide the logs tonight when I get home from work...
Thanks again!
That should read - "An interesting thing about the GMER instructions"....
shelf life
2011-05-06, 04:38
The possible rootkit isnt showing up in the combofix log either, or tdsskiller. The tdss family of rootkits reside in the master boot record. Any partition that is bootable could harbor the rootkit. I dont think that a non system partition is bootable.
battousai
2011-05-06, 07:04
Here are the logs... Thanks again for your time! :bigthumb:
shelf life
2011-05-06, 22:34
Ok, yet another download. Are you getting any re-directs when browsing?
Please also download MBRcheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop
Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:
Done! Press ENTER to exit...
Or you will see more information like below if a problem is found:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
Attach this log to your reply
while your at it:
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) To your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply also.
battousai
2011-05-07, 03:47
Attached are the logs... when I ran the aswMBR and saved the log, my antivirus program picked up virus in a MBR.dat file that was created on my desktop (antivirus program got rid of it). Just an FYI.
Thanks for the help!
shelf life
2011-05-07, 05:13
Go ahead and run combofix again once you have connectivity. This is so you can have it install the recovery console. We will write a new mbr to disk. May as well post its log also.
As a precaution you may want to pull of any content you created like documents, photos, video etc.
battousai
2011-05-07, 08:48
Thank you for the info... you mentioned pulling files. If I understand correctly, I would only need to pull files that are on the partition with the system on it and not the whole drive, is that correct? I tried to keep all my OS, apps and data on separate partitions (even though they are on the same drive).
Could you please verify before I try to peel off any files?
Thank you very much!
BTW, I recall the last time I ran Combofix, just before it asked to install the Recovery Console, my firewall caught some program that started with an "N" which I prevented from going out, something like "Nim-something". Is that expected from Combofix and/or should I be worried about that (ie. should I permit it to get by the firewall?)?
Thanks again.
shelf life
2011-05-07, 15:15
That chatty file was part of combofix. It occasionally will check for and update itself after prompting you,
Both dds logs and aswMBR show a rootkit as well as Gmer. Also your AV didnt like the aswMBR .dat file
The point of pulling off data is just a precaution: if the new MBR fails for whatever reason your machine just wont boot up. This dosnt mean the files are gone, you could slave the hd to another machine or use a linux distro to get the files. Your files should be fine once you get a bootable machine assuming it didnt work for some reason. Especially since they are on a separate partition. Most machines are not set up this way.
I meant to ask you; are you getting redirects when you browse the internet?
We will use the recovery console to write a new mbr to disk.
You may want to print or write this down so you can follow along:
Upon a restart of your computer:
Before Windows boots you will be prompted to choose which Operating System to start. It may flash by quickly and default into Windows. If so restart and try again.
You want to use the arrow keys to select: Microsoft Windows Recovery Console
Enter which Windows installation to log onto. Type in the number that corresponds to your Windows installation, usually its 1: Type in 1 and click Enter.
You may be prompted for a admin password.
At the C:\Windows prompt, type whats in the code box below, and click Enter
You will be given a standard warning and have to type in the letter y first when asked if you really "want to write a new MBR?" Type in the letter y then click enter
It will be over very quickly.
Last, back at the C:\ prompt type in exit then click enter to have the machine reboot, it will default into Windows.
fixmbr
battousai
2011-05-07, 20:36
I'm hoping the fixMBR task fixed things... it's looking good so far. Here is what I did (in order):
-Ran Combofix - Log included
-Ran DDS before fixMBR - Log included (still shows rootkit)
-Ran Spybot - found Click.Giftload, got rid of it again.
-ran fixMBR from Recovery Console
-Ran DDS again - Log included (does not show rootkit anymore :) )
-Did not run Spybot, but checked registry for the entry Spybot was looking for it was no longer there
I was then able to connect to WindowsUpdate which I was not able to do the past week.
Currently running ESET's Online scanner (that will take awhile) and will also check with MBAM and Avira scanners for final virus checks. Will let you know how that goes.
So far so good... again, thanks for you time! Will keep you posted on my scans... Also have HijackThis and OTL I will scan with.
battousai
2011-05-08, 19:02
So far, so good... ran ESET's Online Scanner (found 1 potential entry which I was OK being quarantined), MBAM (no findings), Avira (no findings), and Sophos (found a few in a couple of old games I no longer play, so were deleted, also found a couple in the app folder for SUPER, a video conversion app, I let those go as I believe they are likely legit).
Spybot came up clean as well.
As far as I can tell, no indication of rootkit anymore from DDS or GMER, though you can look at the DDS log in my previous to see if you see something I missed.
Hopefully, my computer is clean again... :)
Thank you for all your time thus far!
shelf life
2011-05-08, 23:02
Looks good. You can remove combofix like this;
start>run nad type in;
combofix /uninstall
click ok or enter
Note the space after the x and before the /
You can delete the tdsskiller, Gmer and aswMBR icons/logs.
You can make a new restore point also. The why and the how:
One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
And last some tips to help your remain malware free:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.
No software can think for you. Help yourself. In no special order:
1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html)that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself. How to harden FireFox. (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.
10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?
More info/tips with pictures in links below.
Happy Safe Surfing.
battousai
2011-05-09, 06:42
Thank you for all your help!
Question : does it make sense to keep Combofix, aswMBR, etc, instead of deleting in case there is a need for them in the future?
Once again, thank you very much for your assistance! :bigthumb:
shelf life
2011-05-10, 02:20
Your welcome. In answer to your questions. Its not recommended that one use combofix on there own. aswMBR is a tool just for rootkits and is updated occasionally. It would make more sense to get a copy as needed and I wouldnt use it as a fix without more conformation that you really do have a rootkit.
Best thing to do is be a informed user and avoid behavior that might get you a rootkit (social engineering) Also keep Windows and apps updated.(vulnerabilities)
Those are the two ways one gets malware.
happy safe surfing