
Thread: Another Click.Giftload reappearing, MBR infected?

  1. #11
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Alright, please do the following:


    ComboFix - CFScript

    WARNING!
    This script is for THIS user and computer ONLY!
    Using this tool incorrectly could damage your Operating System... preventing it from starting again!


    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    Please open Notepad and copy/paste all the text below... into the window:

    Code:
    DDS::
    uInternet Settings,ProxyServer = 127.0.0.1:80
    uInternet Settings,ProxyOverride = <local>
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000

    1. Save it to your desktop as CFScript.txt
    2. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
       [image not preserved in the archive]

      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!

      When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
    4. Please copy/paste the contents of log.txt... in your next reply.


    ** Enable your Antivirus and Firewall, before connecting to the Internet again! **
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  2. #12
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    Attached is the log.

    And just a question, but does Windows recognize Spybot as an antivirus?

  3. #13
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Hi there,


    No, it doesn't. Why do you ask?



    How's the machine running?
    Please do the following:


    Step 1 | Please download CCleaner (freeware)

    • Run the installer.
    • Once installed, run CCleaner and click the Windows [tab]
    • The following should be selected by default; if not, please select:
      [image not preserved in the archive]

    • Next: click Options (in the left panel) and click the Advanced button.
    • Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
    • Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.



    Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

  4. #14
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    CCleaner finished, and there were no infections for MBAM. I'm in the middle of a Spybot scan right now.

    And I was wondering if Spybot was automatically counted as an AV because you had me enable automatic AV checking.

  5. #15
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    And just found a Click.giftload (stupid no edit button)

  6. #16
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    Spybot finished, the Click.Giftload was just a registry key. Now I am going to run that one online scanner you guys always say to run

  7. #17
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    ESET scan finished; besides quarantines, these are the only things that came up:
    C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\58\c72e3fa-358c052b a variant of Java/TrojanDownloader.OpenConnection.AC trojan
    I:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP582\A0111737.exe Win32/PowerReg application
    (I am not sure what the latter is from. Drive I: is an external USB hard drive, and that restore point could be from any of a number of computers)

    And here is a new, up-to-date DDS log:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Chris at 16:17:59.07 on Thu 05/05/2011
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\SysInternals\Process Explorer\procexp.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.bin
    C:\Program Files\ClamWin\bin\clamscan.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\trashVir\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: AutorunsDisabled - No File
    BHO: JQSIEStartDetectorImpl - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz0.dll
    uRun: [Alcohol.bin Autorun] c:\program files\alcohol soft\alcohol 120\Alcohol.bin /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
    mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
    mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301092235348
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: {0D4A2D8C-656A-4DD5-952D-B00B7108E1DE} = 209.18.47.61,8.8.8.8,76.85.229.110
    TCP: {9F1F2845-F134-4581-9544-EDF6B8FCE59D} = 8.8.8.8
    TCP: {F3AFB128-E668-4305-8A2D-4EF371CB4C14} = 209.18.47.61,209.18.47.62,8.8.8.8
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    IFEO: taskmgr.exe - "c:\program files\sysinternals\process explorer\PROCEXP.EXE"
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\9az0l1dr.default\
    FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\9az0l1dr.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? AsUsbDrvXP;AsUsbDrvXP
    R? BTCOM;Bluetooth Serial port driver
    R? BTCOMBUS;Bluetooth Serial Port Bus Service
    R? btnetBUs;Bluetooth PAN Bus Service
    R? dsiarhwprog;dsiarhwprog
    R? IvtBtBUs;IVT Bluetooth Bus Service
    R? mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit
    R? SaiH075C;SaiH075C
    S? BtHidBus;Bluetooth HID Bus Service
    S? PPJoyBus;Parallel Port Joystick Bus device driver
    S? PPortJoystick;Parallel Port Joystick device driver
    S? RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver
    S? vcdrom;Virtual CD-ROM Device Driver
    .
    =============== Created Last 30 ================
    .
    2011-05-05 02:38:36 -------- d-----w- c:\program files\ESET
    2011-05-04 15:23:57 -------- d-----w- c:\program files\CCleaner
    2011-04-29 16:34:04 -------- d-----w- C:\trashVir
    2011-04-19 04:17:26 -------- d-----w- c:\program files\Windows Imaging
    2011-04-19 04:05:45 -------- d-----w- c:\program files\Windows AIK
    2011-04-19 03:19:14 -------- d-----w- C:\SpybotBootCD
    2011-04-19 01:44:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-04-19 01:44:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-19 01:27:49 -------- d-----w- c:\docume~1\chris\applic~1\Safer Networking
    2011-04-19 01:24:36 -------- d-----w- c:\program files\Safer Networking
    2011-04-19 00:02:56 -------- d-----w- c:\docume~1\chris\applic~1\Abine
    2011-04-18 22:50:45 -------- d-sha-r- C:\cmdcons
    2011-04-18 20:41:14 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
    2011-04-18 20:41:14 106557 ----a-w- c:\windows\system32\btw_ci.dll
    2011-04-18 20:41:13 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
    2011-04-18 20:41:13 156816 ----a-w- c:\windows\system32\drivers\btwdndis.sys
    2011-04-18 20:41:12 991136 ----a-w- c:\windows\system32\drivers\btkrnl.sys
    2011-04-18 20:41:12 37160 ----a-w- c:\windows\system32\drivers\btport.sys
    2011-04-18 20:41:11 534312 ----a-w- c:\windows\system32\drivers\btaudio.sys
    2011-04-18 20:40:26 -------- d-----w- c:\program files\WIDCOMM
    2011-04-18 19:54:27 98816 ----a-w- c:\windows\sed.exe
    2011-04-18 19:54:27 89088 ----a-w- c:\windows\MBR.exe
    2011-04-18 19:54:27 256512 ----a-w- c:\windows\PEV.exe
    2011-04-18 19:54:27 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-18 19:34:42 -------- d-----w- C:\found.000
    2011-04-17 21:33:48 91176 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
    2011-04-17 07:55:06 -------- d-----w- c:\program files\IVT Corporation
    2011-04-17 06:53:24 86016 ----a-w- c:\windows\unvise32.exe
    2011-04-17 06:51:44 -------- d-----w- c:\program files\Parallel Port Joystick
    2011-04-17 06:25:32 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2011-04-17 06:25:30 -------- d-----w- c:\program files\Nokia
    2011-04-17 06:25:17 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2011-04-17 06:24:28 -------- d-----w- c:\program files\PC Connectivity Solution
    2011-04-17 05:47:50 -------- d-----w- c:\documents and settings\chris\Bluetooth Software
    2011-04-17 05:44:53 237568 ----a-w- c:\windows\system32\BtwRSupport.dll
    2011-04-17 05:03:16 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2011-04-17 05:03:16 21504 ----a-w- c:\windows\system32\hidserv.dll
    2011-04-17 02:04:28 291600 ----a-w- c:\windows\system\WININET.DLL
    2011-04-17 02:04:27 -------- d-----w- C:\SIERRA
    2011-04-17 01:25:13 -------- d-----w- c:\docume~1\chris\applic~1\Windows Search
    2011-04-09 20:08:57 -------- d-----w- c:\documents and settings\chris\.dia
    2011-04-09 20:08:22 -------- d-----w- c:\program files\Dia
    .
    ==================== Find3M ====================
    .
    2011-03-26 04:23:01 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-03-26 04:23:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-03-26 04:22:47 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    .
    ============= FINISH: 16:24:04.92 ===============

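    The CFScript in post #11 and the DDS report in post #17 are two views of the same indicators: the lines under DDS:: are the ProxyServer/ProxyOverride entries exactly as DDS reported them, and the Registry:: block clears the Security Center override values so Windows reports AV and firewall state again. As an added example, not part of the original thread and not code from DDS, ComboFix or the helper, the following Python triages the "Pseudo HJT Report" section of a DDS log for the items a helper would act on here (a proxy forced onto the loopback address, hosts-file redirects, Image File Execution Options debugger entries, orphaned BHOs) and prints a CFScript fragment in the same DDS::/Registry:: form. The sample report is constructed from the log above plus the two proxy lines from post #11; the indicator names, the severity scale and the choice to carry only the proxy lines into DDS:: are this example's assumptions.

```python
"""DDS 'Pseudo HJT Report' triage and CFScript fragment builder.

Added example for this thread; not code from DDS, ComboFix or the helper.
Indicator classes and severities are this example's own assumptions.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample in the DDS Pseudo HJT Report format: lines from the log
# in post #17 plus the two proxy lines the helper removed in post #11.
SAMPLE_REPORT = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = 127.0.0.1:80
uInternet Settings,ProxyOverride = <local>
BHO: AutorunsDisabled - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\\program files\\vuze_remote\\tbVuz0.dll
mRun: [SoundMan] SOUNDMAN.EXE
TCP: {0D4A2D8C-656A-4DD5-952D-B00B7108E1DE} = 209.18.47.61,8.8.8.8,76.85.229.110
IFEO: taskmgr.exe - "c:\\program files\\sysinternals\\process explorer\\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Registry:: block as used in post #11: resets the Security Center override
# values so Windows resumes reporting antivirus/firewall status.
SECURITY_CENTER_RESET = """\
Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"""

# Loopback, RFC 1918 and unspecified addresses: a proxy here never reaches the Internet.
LOCAL_NET = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$)")


@dataclass
class Finding:
    kind: str      # indicator class (assumed labels)
    severity: str  # "high", "medium" or "review" (assumed scale)
    line: str      # raw report line that triggered the finding
    note: str      # why it matters


def find_indicators(report: str) -> list[Finding]:
    """Scan Pseudo HJT Report lines and return the indicators worth acting on."""
    found: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = re.match(r"^[um]Internet Settings,ProxyServer = (.+)$", line)
        if m:
            # Handles both "host:port" and "http=host:port;https=..." forms.
            host = m.group(1).split(";")[0].split("=")[-1].rsplit(":", 1)[0]
            if host == "localhost" or LOCAL_NET.match(host):
                found.append(Finding("proxy_loopback", "high", line,
                    f"browser proxy forced to {m.group(1)}; traffic goes to a local listener or nowhere"))
            continue
        if re.match(r"^[um]Internet Settings,ProxyOverride = ", line):
            found.append(Finding("proxy_override", "medium", line,
                "ProxyOverride set alongside ProxyServer; remove both together"))
            continue
        m = re.match(r"^Hosts: (\S+) (\S+)$", line)
        if m and m.group(2).lower() not in ("localhost", "localhost.localdomain"):
            found.append(Finding("hosts_redirect", "medium", line,
                f"{m.group(2)} pinned to {m.group(1)}; blocks or redirects that site without DNS"))
            continue
        m = re.match(r'^IFEO: (\S+) - "?(.+?)"?$', line)
        if m:
            exe, debugger = m.group(1), m.group(2)
            # Process Explorer's "Replace Task Manager" legitimately sets this key.
            sev = "review" if "process explorer" in debugger.lower() else "high"
            found.append(Finding("ifeo_debugger", sev, line,
                f"every launch of {exe} is redirected to {debugger} via Image File Execution Options"))
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            found.append(Finding("bho_orphan", "review", line,
                "BHO registration whose DLL is gone; clean-up item, not an active threat"))
    return found


def build_cfscript(findings: list[Finding], reset_security_center: bool = True) -> str:
    """Emit a CFScript fragment: proxy lines under DDS::, optional Registry:: reset."""
    dds_lines = [f.line for f in findings if f.kind in ("proxy_loopback", "proxy_override")]
    parts = []
    if dds_lines:
        parts.append("DDS::\n" + "\n".join(dds_lines) + "\n")
    if reset_security_center:
        parts.append(SECURITY_CENTER_RESET)
    return "\n".join(parts)


def main(argv: list[str]) -> None:
    # Usage: python triage.py [dds.txt]; without a file the constructed sample is used.
    report = Path(argv[1]).read_text(encoding="utf-8", errors="replace") if len(argv) > 1 else SAMPLE_REPORT
    findings = find_indicators(report)
    for f in findings:
        print(f"[{f.severity:6}] {f.kind:15} {f.line}\n          {f.note}")
    print("\n--- CFScript.txt ---\n" + build_cfscript(findings))


if __name__ == "__main__":
    main(sys.argv)
```

    The IFEO entry on taskmgr.exe is reported at "review" rather than "high" because the log above shows it pointing at Process Explorer, which registers exactly that key when its "Replace Task Manager" option is on; any other debugger value on a system binary gets the higher rating, since it silently replaces the program every time it is started. The TCP: lines (DNS servers per adapter) are deliberately left alone: whether 209.18.47.61 or 8.8.8.8 is legitimate depends on the user's ISP and choices, which the log cannot tell you.
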
  8. #18
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Hi,


    Sorry for the delay. The ESET log shows a threat in your Java cache. Please follow these steps to remove older Java components and update.

    • Click on the following link to visit java website: Java Runtime Environment (JRE) 6
    • Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
    • Click the "Download" button to the right column (JRE).
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
        • Trace and Log Files
      • Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.
    • When finished, please rerun DDS and post both dds.txt and attach.txt

  9. #19
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Date of archive.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
