
Thread: Re-appearing Click.GiftLoad HijackersC (Feature_Browser_Emulation) svchost.exe

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Correct me if I'm wrong, but is this a government or corporate computer?

    Your logs look fine and I don't see anything that Combofix removed that would remove your sound or other issues that you may have.


    There are infections going around classified as Rootkits, there are also ones that infect your master boot record. You got the double whammy, a rootkit infected your MBR; it's known as a bootkit and it's gone, so you should be OK now.


    How are things running for you now?

    To check for leftovers let's run a free online virus scanner.

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Junior Member
    Join Date
    Mar 2011
    Posts
    13

    Default

    Hi, well I purchased the computer 'new' from ebay a few years ago as a personal computer, but judging by the model and the number of units the vendor had for sale I suppose it was probably originally meant to be a corporate computer.

    After a reboot the sound was restored and the computer now recognises USB drives etc.

    I ran Spybot again before the last reboot and it found the Click.GiftLoad trojan again, but was not suffering the debugging or re-directing though the computer did seem slow and laboured. I used Spybot to remove it, then rebooted in Safe Mode and scanned again, and the removal appears to have worked now as no issues were found.

    Ran another Spybot scan in normal mode whilst connected to the internet and all still clear.

    I've tried the link to the ESET scan both on Internet Explorer and Firefox, but a 404 error appears on both. I had a look on the downloads on the home page, but they requested I uninstall all current virus protection and virus scanning software, so I'll hold on for further instruction from you.

    I think it seems like the problem has been fixed but I'll wait for your confirmation.

    Thank you very much for all your help so far, I really appreciate it.

  3. #13
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    That link works for me. You can try this one instead of ESET; you just need to disable current AV, not uninstall them.

    Glad things are better; running this scan is just a double check.

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.

  4. #14
    Junior Member
    Join Date
    Mar 2011
    Posts
    13

    Default

    Hi,

    Just a quick update-

    I had problems trying to run the Kaspersky Scan, so googled a link for the ESET scan and have started a scan with that. The scan is currently at 69% completion after over 4 hours, does that time frame seem normal?

    Regards.

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Depends on your system, I have seen it take less than an hour and sometimes longer than what you posted.

    Here are some others if this one fails:

    Panda Active Scan
    Trendmicro Housecall
    BitDefender Online Scanner
    Sygate Free Online Scan
    Mcafee Online Scan
    Computer Associates
    Kaspersky Online Virus Scanner

  6. #16
    Junior Member
    Join Date
    Mar 2011
    Posts
    13

    Default

    Hi, the scan is now complete, here's the log, it found a trojan -

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=4326b736e3f0e948b2bb5469e4ed1d2e
    # end=stopped
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-17 12:54:14
    # local_time=2011-03-17 12:54:14 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777189 100 75 288775 17489477 0 0
    # compatibility_mode=8192 67108863 100 0 3750 3750 0 0
    # scanned=23734
    # found=0
    # cleaned=0
    # scan_time=3416
    # version=7
    # iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=4326b736e3f0e948b2bb5469e4ed1d2e
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-17 04:26:54
    # local_time=2011-03-17 04:26:54 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777173 100 75 336444 17537146 0 0
    # compatibility_mode=8192 67108863 100 0 51419 51419 0 0
    # scanned=106236
    # found=1
    # cleaned=1
    # scan_time=11710
    C:\WINDOWS\Temp\nqmi\setup.exe a variant of Win32/TrojanProxy.Agent.NHB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


    Thanks.
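Added example, not part of the original thread and not ESET's own tooling: a small parser for the `log.txt` layout posted above, which splits it into scan sessions so an aborted run (`end=stopped`) is not mistaken for a clean result and the `found`/`cleaned` counters are checked against the detection lines. The detection-line layout is an assumption taken from the single line in this post; the sample is an abridged copy of that log.

```python
import re

# Abridged copy of the log posted above (two scan sessions, one detection line).
SAMPLE_LOG = r"""
# version=7
# end=stopped
# scanned=23734
# found=0
# cleaned=0
# version=7
# end=finished
# scanned=106236
# found=1
# cleaned=1
C:\WINDOWS\Temp\nqmi\setup.exe a variant of Win32/TrojanProxy.Agent.NHB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Assumed layout (from the one detection line in this thread): <path> <threat> (<action>) ...
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+(?P<threat>.+?)\s+\((?P<action>[^)]*)\)")

def parse_eset_log(text):
    """Split the log into scan sessions; each '# version=' line starts a new one."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            if key == "version" or not sessions:
                sessions.append({"detections": []})
            # Keys such as compatibility_mode repeat, so keep every value in a list.
            sessions[-1].setdefault(key, []).append(value)
        elif sessions and (m := DETECTION.match(line)):
            sessions[-1]["detections"].append(m.groupdict())
    return sessions

def summarize(sessions):
    """One row per session, flagging results that should not be trusted as-is."""
    rows = []
    for s in sessions:
        found, cleaned = int(s["found"][0]), int(s["cleaned"][0])
        rows.append({
            "complete": s["end"][0] == "finished",  # 'stopped' means an aborted scan
            "scanned": int(s["scanned"][0]),
            "found": found,
            "uncleaned": found - cleaned,           # detections left on disk
            "mismatch": found != len(s["detections"]),
        })
    return rows
```

Calling `summarize(parse_eset_log(open(path).read()))` on a saved log gives one row per scan; only rows with `complete` true and `uncleaned` equal to 0 support a "clean" conclusion.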

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great, just a leftover.

    Run ATF Cleaner again

    Then go here

    C:\WINDOWS\Temp <-- Open the folder and delete anything inside. It should be empty, but don't delete the Temp folder, just its contents.

    How are things running now?

  8. #18
    Junior Member
    Join Date
    Mar 2011
    Posts
    13

    Default

    Hi,

    I ran ATF Cleaner and there are two files left in the Temp folder which I can't delete (it will not allow me to):

    'Perflib_Perfdata_424' and 'Perflib_Perfdata_838'

    Things seem to be running well, no script errors or re-directed web searches, so that's good.

    Thanks again for the help.

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Those two files are fine, they will be removed when you shut down your system and will be rebuilt the next time you start it. They're normal.

    Why don't you use your system for a few days and then post back and let me know how you're doing?

  10. #20
    Junior Member
    Join Date
    Mar 2011
    Posts
    13

    Default

    Hi,

    So I've been using the computer for a few days and as far as the problems I was experiencing are concerned, they seem to have stopped completely: no redirected web searches or script errors and no trojans/viruses being picked up by Spybot or Malwarebytes. Looks like you've fixed that for me.

    As far as the system as a whole, generally OK, does seem to be sluggish occasionally but perhaps it was like this before.

    One thing you might be able to advise me on may be the performance of Firefox. It frustrates me on an ever increasing basis. I seem to get regular, as in 4-5 minute intervals when the internet stops working for perhaps 20-30 seconds; pages seem to time out but re-load fine after a refresh. It's especially apparent when streaming on YouTube: it streams quickly and then suddenly stops streaming at all for 20-30 seconds then starts again. It also completely crashes every few days as well.

    This of course could be the internet provider's issue but this isn't something I remember suffering from a few months ago.

    But hey, that's just nitpicking, I can live with it.

    Thank you so much for all the help, I really appreciate it.

    Regards,

    James
