
Thread: help with click.giftload please

  1. #1
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    help with click.giftload please

    I, like so many others, have gotten infected; however, when I try to submit a post with the dds pasted in the post I get a browser reset message and cannot submit a post.

  2. #2
    Emeritus- Malware Team | Join Date: May 2009 | Location: Buenos Aires, Argentina | Posts: 340

    Hi rweaver,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    ------------------------------------------------

    Maybe it was a temporary problem. Try again to post the log. If you still can't, then please try to attach both dds.txt and attach.txt files to your next post.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  3. #3
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    Ok, subscribed to this thread...
    still cannot embed... Just as a side note I have to keep a watch on the processes because one of the svchost.exe occasionally starts to go wild and I have to kill it.

    Had to zip the dds to get it to attach....started getting the same reset/timeout message

  4. #4
    Emeritus- Malware Team | Join Date: May 2009 | Location: Buenos Aires, Argentina | Posts: 340

    Hi rweaver,


    Thanks for the logs. From now on, if you have any problems posting the contents of any of the logs I'm going to request, just attach them to your post.


    Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kinds of malware are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.


    If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

    • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
    • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
    • Consider what other private information could possibly have been taken from your computer and take appropriate steps.


    Please read the following for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    What Should I Do If I've Become A Victim Of Identity Theft?
    Identity Theft Victims Guide - What to do



    Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

    When should I re-format? How should I reinstall?
    Where to draw the line? When to recommend a format and reinstall?

    Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Step 1 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 2 | Please download TDSSKiller from one of the following mirrors and save it in your desktop:

    This is THE Mirror

    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.




    • If a suspicious file is detected, the default action will be Skip, click on Continue.




    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.




    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  5. #5
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    OK, downloaded........in work

  6. #6
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    OK, ran gmer, which found stuff, and tdsskiller, which was so fast I hardly caught it, but it looked like it said it didn't find anything.....didn't get any of the warnings in your reply except reboot.

    Attached are the log files. I didn't tell you that I have had AVG antivirus installed but uninstalled it yesterday because one of its 10 or 12 processes (yea that bugged me) would start going wild also like the svchost....so I just eliminated it for now and figured I could reload an antivirus program after this snafu is fixed. I do have a couple of additional questions in attached files. I have eraser installed but there are a couple of files in my local settings folder it cannot erase because they are locked....that bugs me. Also, there are a couple of files in the root directory that bug me......I have attached screen shots for your amusement....and or comment if you feel so inclined.

    PS...thanks for helping me!

  7. #7
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    Oh yea, one more thing I didn't tell you (ok, calm down): I have a cable modem with a router installed between the computer and the modem.

    See that wasn't so bad!

  8. #8
    Emeritus- Malware Team | Join Date: May 2009 | Location: Buenos Aires, Argentina | Posts: 340

    Hi rweaver,


    TDSSKiller took care of the rootkit.


    That folder in your root directory seems to be part of Combofix. As this is gonna be our next tool to use I need to know: have you run Combofix on this machine?

  9. #9
    Junior Member | Join Date: Apr 2011 | Location: Ardmore Tn | Posts: 19

    No, I haven't run combofix.
    As a side note, since the TDSSKiller reboot the machine appears to be functioning normally, but I am keeping the network connection unplugged when not communicating here.

  10. #10
    Emeritus- Malware Team | Join Date: May 2009 | Location: Buenos Aires, Argentina | Posts: 340

    The heavy part of the infection has been removed. However, there's still more to do. Please follow this procedure:


    Please visit the following and have a look at how you can disable your security software.

    How to disable your security programs

    After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix