
The "lovely" Click.Giftload & Spybot



Just_A_Note
2011-05-02, 22:01
Well, it appears the infamous click.giftload has struck yet again. I've come across many posts referencing its wonderful powers and its ability to stay hidden on a machine and refuse to leave. I'm having that same issue.

I'm running Windows 7 Professional 32-bit. I only have the recovery disc (which hasn't aided me so far); I don't have the installation disc, nor am I able to obtain it (for those who suggest a clean install).

Spybot always finds click.giftload and "fixes the problem". However, upon reboot... voila! It is still present. This started happening a few days ago. I've run MWAM, CCleaner etc. Nothing comes up in those, only Spybot. I also have two different BSODs upon shutdown or restart (never while booting) with error codes: 0x000000a0 and 0xc00000f // Internal_Power_Error and Irql_not_less_or_equal. Windows fails to update due to error: 80072efe etc. and the obvious annoying Google/internet tab redirects. Spybot locates click.giftload here:

HKEY_USERS\DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
*as I said, it will delete, but reappear upon reboot*

I've asked a friend for aid who semi-knows computers and he suggested running ComboFix so he can take a look at the logs. Well, that failed. Every time I ran it, a BSOD popped up with the irql_not_less_or_equal... even in safe mode. I've also tried TDSSKiller... stops at 80% and "encounters a problem". I'm assuming this all leads back to Click.giftload.

Much help needed!! Thanks in advance :)


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by thompson at 14:49:43.42 on Mon 05/02/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2940.1999 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\thompson\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://start.iplay.com/?o=shp
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\thompson\appdata\roaming\mozilla\firefox\profiles\li92v9ka.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\thompson\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: QueryBrowser: {2B52746B-CDBB-49A6-A80D-912BC6636A6C} - c:\program files\mozilla firefox\extensions\{2B52746B-CDBB-49A6-A80D-912BC6636A6C}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-3 482432]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-2-13 7168]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-4 277536]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1008000.029\symndisv.sys [2010-2-3 48688]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2010-4-5 4608]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-2 1343400]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-16 103744]
.
=============== Created Last 30 ================
.
2011-05-02 01:09:34 -------- d-----w- c:\program files\ESET
2011-05-01 02:04:36 -------- d-----w- C:\perflogs
2011-04-30 23:52:56 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2abc6bf2-4285-464a-afc1-f163f932b465}\mpengine.dll
2011-04-30 00:04:34 0 ----a-w- c:\users\thompson\appdata\local\Sliyime.bin
2011-04-30 00:04:32 -------- d-----w- c:\users\thompson\appdata\local\{0FF48D41-7733-49DE-844D-1B56C4E255D7}
2011-04-13 10:59:51 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-13 10:59:49 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-13 10:59:46 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-13 10:59:46 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-13 10:59:45 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-13 10:59:44 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-13 10:59:44 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-13 10:59:44 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-13 10:59:44 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-02 21:10:56 -------- d-----w- c:\users\thompson\appdata\local\{15D0C08C-8E15-4C76-909F-6A819A8404C9}
2011-04-02 19:53:53 2983424 ----a-w- c:\windows\system32\UIRibbon.dll
2011-04-02 19:53:53 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-04-02 19:52:43 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-04-02 19:52:42 3181568 ----a-w- c:\windows\system32\mf.dll
2011-04-02 19:52:42 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-04-02 19:51:41 94040 ----a-w- c:\program files\common files\windows live\.cache\625f18bb1cbf16f0f\DSETUP.dll
2011-04-02 19:51:41 525656 ----a-w- c:\program files\common files\windows live\.cache\625f18bb1cbf16f0f\DXSETUP.exe
2011-04-02 19:51:41 1691480 ----a-w- c:\program files\common files\windows live\.cache\625f18bb1cbf16f0f\dsetup32.dll
2011-04-02 19:51:39 94040 ----a-w- c:\program files\common files\windows live\.cache\60c7a9e31cbf16f0e\DSETUP.dll
2011-04-02 19:51:39 525656 ----a-w- c:\program files\common files\windows live\.cache\60c7a9e31cbf16f0e\DXSETUP.exe
2011-04-02 19:51:39 1691480 ----a-w- c:\program files\common files\windows live\.cache\60c7a9e31cbf16f0e\dsetup32.dll
2011-04-02 19:50:57 -------- d-----w- c:\users\thompson\appdata\local\Windows Live
2011-04-02 19:50:56 -------- d-----w- c:\program files\common files\Windows Live
.
==================== Find3M ====================
.
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-02 22:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 14:51:47.03 ===============

Blade81
2011-05-12, 15:50
Hi,

If help is still needed, post fresh DDS logs, please.

Blade81
2011-05-18, 17:42
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, as you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.