help with click.giftload please
- Thread starter rweaver
- Start date
- Status
Blottedisk
Emeritus- Malware Team
Hi rweaver,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
------------------------------------------------
Maybe it was a temporary problem. Try again to post the log. If you still can't, then please try to attach both dds.txt and attach.txt files to your next post.
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
- Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
- Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
------------------------------------------------
Maybe it was a temporary problem. Try again to post the log. If you still can't, then please try to attach both dds.txt and attach.txt files to your next post.
Ok, subscribed to this thread...
still cannot embed... Just as a side note I have to keep a watch on the processes because one of the svchost.exe occasionally starts to go wild and I have to kill it.
Had to zip the dds to get it to attach....started getting the same reset/timeout message
still cannot embed... Just as a side note I have to keep a watch on the processes because one of the svchost.exe occasionally starts to go wild and I have to kill it.
Had to zip the dds to get it to attach....started getting the same reset/timeout message
Blottedisk
Emeritus- Malware Team
Hi rweaver,
Thanks for the logs. From now on, if you have any problems posting the contents of any of the logs I'm going to request, just attach them to your post.
Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malwares are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.
If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
Please read the following for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?
Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.
Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:
Step 1 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
Click the image to enlarge it
Step 2 | Please download TDSSKiller from one of the following mirrors and save it in your desktop:
This is THE Mirror
Thanks for the logs. From now on, if you have any problems posting the contents of any of the logs I'm going to request, just attach them to your post.
Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malwares are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.
If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
- Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use. - Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account. - Consider what other private information could possibly have been taken from your computer and take appropriate steps
Please read the following for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?
Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.
Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:
Step 1 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Make sure all options are checked except:
- IAT/EAT
- Drives/Partition other than Systemdrive, which is typically C:\
- Show All (This is important, so do not miss it.)
Click the image to enlarge it
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.
Step 2 | Please download TDSSKiller from one of the following mirrors and save it in your desktop:
This is THE Mirror
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and
paste the contents of that file here.
OK ran gmer, which found stuff and tdsskiller which was so fast I hardly caught it but it looked like it said it didn't find anything.....didn't get any of the warnings in your reply except reboot.
Attached are the log files. I didn't tell you that I have had AVG antivirus installed but uninstalled it yesterday because one of it's 10 or 12 processes (yea that bugged me) would start going wild also like the scvhost....so I just eliminated it for now and figured I could reload a antivirus program after this snfu is fixed. I do have a couple of addition questions in attached files. I have eraser installed but there are a couple of files on my local settings folder it cannot erase because they are locked....that bugs me. also there are a couple of files on the root directory that bug me......I have attached screen shots for your amusement....and or comment if you feel so inclined.
PS...thanks for helping me!
Attached are the log files. I didn't tell you that I have had AVG antivirus installed but uninstalled it yesterday because one of it's 10 or 12 processes (yea that bugged me) would start going wild also like the scvhost....so I just eliminated it for now and figured I could reload a antivirus program after this snfu is fixed. I do have a couple of addition questions in attached files. I have eraser installed but there are a couple of files on my local settings folder it cannot erase because they are locked....that bugs me. also there are a couple of files on the root directory that bug me......I have attached screen shots for your amusement....and or comment if you feel so inclined.
PS...thanks for helping me!
Blottedisk
Emeritus- Malware Team
Hi rweaver,
TDDSKiller took care of the rootkit.
That folder in your root directory seems to be part of Combofix. As this is gonna be our next tool to use I need to know: have you run Combofix in this machine?
TDDSKiller took care of the rootkit.
That folder in your root directory seems to be part of Combofix. As this is gonna be our next tool to use I need to know: have you run Combofix in this machine?
Blottedisk
Emeritus- Malware Team
The heavy part of the infection has been removed. However, there's still more to do. Please follo these procedure:
Please visit the following and have a look how you can disable your security software.
How to disable your security programs
After disabling your security programs, download Combofix from any of the links below and save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please visit the following and have a look how you can disable your security software.
How to disable your security programs
After disabling your security programs, download Combofix from any of the links below and save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------
- Double click on Combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Blottedisk
Emeritus- Malware Team
Hi,
I have never used AVG myself. I have, however, used Avira Antivir and Avast!, and both are excellent softwares; I would recommend you any of these two antivirus (they are free). If you are looking for a paid product, then go for Eset NOD32 or Kaspersky.
Please go to the following site to scan some files: Virus Total
I have never used AVG myself. I have, however, used Avira Antivir and Avast!, and both are excellent softwares; I would recommend you any of these two antivirus (they are free). If you are looking for a paid product, then go for Eset NOD32 or Kaspersky.
Please go to the following site to scan some files: Virus Total
- Click on Browse, and upload the following files for analysis:
- c:\windows\explorer.exe
c:\program files\WLAN\ACU.exe
c:\program files\Home_Designer_Suite_Setup-9.4.1.6.exe
- c:\windows\explorer.exe
- Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
- If it says already scanned -- click "reanalyze now"
- Please post the results in your next reply.
Last file check
I tried to upload the c:\program files\Home_Designer_Suite_Setup-9.4.1.6.exe but it just sat there for well over an hour...the file was 1.14 Gb. I am sure this was an installation file from the zip I downloaded in 2009.....I purchased the SW. This morning I tried again but again nothing seemed to be happening, so I stopped tried to erase it but it was locked (?..same as the other files I asked about in the Documents & settings/User/localsettings/temp folder ) so I elected to have it erased on reboot. They computer was sitting there idling at 98% and there was no network activity, but it was hung up, so I rebooted it. (1st time anything queer has happened since I ran tdsskiller)
I know that is not what you wanted, but I felt positive the file was not needed and was a leftover from the installation.....yea, good SW should not leave it there. I have run spybot a couple of times with nothing found, and immunized files.
I tried to upload the c:\program files\Home_Designer_Suite_Setup-9.4.1.6.exe but it just sat there for well over an hour...the file was 1.14 Gb. I am sure this was an installation file from the zip I downloaded in 2009.....I purchased the SW. This morning I tried again but again nothing seemed to be happening, so I stopped tried to erase it but it was locked (?..same as the other files I asked about in the Documents & settings/User/localsettings/temp folder ) so I elected to have it erased on reboot. They computer was sitting there idling at 98% and there was no network activity, but it was hung up, so I rebooted it. (1st time anything queer has happened since I ran tdsskiller)
I know that is not what you wanted, but I felt positive the file was not needed and was a leftover from the installation.....yea, good SW should not leave it there. I have run spybot a couple of times with nothing found, and immunized files.
antivirus
I downloaded Advast and installed it. I really felt a little naked without any antivirus.
I checked a few folders and it flagged a couple of files in the User (me)/applicationdata/Sun/Cache folder.....moved them to the chest. Enabled a boot scan and it noted the same files and some others (I don't remember where they were....but it said they were locked and could not take any action. I figured there would be a log I could reference but I didn't see one and don't know where it could be. I wipped the Sun/Cache files as I figured they were not needed and if they are then I will deal with that later. Wish I knew how to find the log file.
I noticed on one of your other post you suggested a virtual firewall to catch outgoing attempts......is that a good idea for me?
Where do we go from here?
I downloaded Advast and installed it. I really felt a little naked without any antivirus.
I checked a few folders and it flagged a couple of files in the User (me)/applicationdata/Sun/Cache folder.....moved them to the chest. Enabled a boot scan and it noted the same files and some others (I don't remember where they were....but it said they were locked and could not take any action. I figured there would be a log I could reference but I didn't see one and don't know where it could be. I wipped the Sun/Cache files as I figured they were not needed and if they are then I will deal with that later. Wish I knew how to find the log file.
I noticed on one of your other post you suggested a virtual firewall to catch outgoing attempts......is that a good idea for me?
Where do we go from here?
Blottedisk
Emeritus- Malware Team
Hi rweaver,
Alright. I'll recommend you some virtual firewalls once we finish. Please do the following:
Step 1 | Avast found some threats in your Avast cache.
Please follow these steps to remove older version Java components and update.
Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Alright. I'll recommend you some virtual firewalls once we finish. Please do the following:
Step 1 | Avast found some threats in your Avast cache.
Please follow these steps to remove older version Java components and update.
- Click on the following link to visit java website: Java Runtime Environment (JRE) 6
- Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
- Click the "Download" button to the right column (JRE).
- Select the Windows platform from the dropdown menu.
- Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
- After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and AppletsTrace and Log Files
- Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.
Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
- Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. - Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on:
- The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic.
- Now click on: (Selecting Uninstall application on close if you so wish)
Blottedisk
Emeritus- Malware Team
Hi rweaver,
ESET flagged some files from RegistryBooster. This program is not a virus itself, but it may introduce adware in your machine. It's up to you if you want to uninstall this program or not. Please let me know what you want to do in your next reply.
ESET flagged some files from RegistryBooster. This program is not a virus itself, but it may introduce adware in your machine. It's up to you if you want to uninstall this program or not. Please let me know what you want to do in your next reply.
Uniblue Registery Booster
Well since I just re-upped the subscription on this program I think I will keep it.....at least for another year. They do sponsor ads for other products that could potentially introduce unwanted stuff, but I only use the registry tool occasionally when I have removed stuff and think something is amiss.......I notice sometimes Spybot flags registry errors. It bugs me that when you uninstall SW it leaves folders and files laying around instead of cleaning up after itself......makes me wonder what they are really doing.
Do we need to re-run any of the programs we ran previously just to check?
Does the router between my computer and my cable modem provide any advantage?
Will the Malwarebites SW and the Avast antivirus SW and Spybot Teatimer all be compatible?
Well since I just re-upped the subscription on this program I think I will keep it.....at least for another year. They do sponsor ads for other products that could potentially introduce unwanted stuff, but I only use the registry tool occasionally when I have removed stuff and think something is amiss.......I notice sometimes Spybot flags registry errors. It bugs me that when you uninstall SW it leaves folders and files laying around instead of cleaning up after itself......makes me wonder what they are really doing.
Do we need to re-run any of the programs we ran previously just to check?
Does the router between my computer and my cable modem provide any advantage?
Will the Malwarebites SW and the Avast antivirus SW and Spybot Teatimer all be compatible?
Blottedisk
Emeritus- Malware Team
Hi rweaver,
Congratulations, we are done :bigthumb:
In my humble opinion, what this infection could have introduced in the machine is a thousand times more dangerous than the leftovers of any of the trusted antispywares out there.
No. The infection was removed. If you run Spybot now and it detects Click.Giftload, just delete it. It shouldn't bother you anymore.
Well, not really. Sometimes redirection issues are caused by a hijacked router, but this is not the case.
Do you own the paid version of Malwarebyte's? If not, then it will not provide you with real time protection. Regarding AVG and Spybot S&D, they are compatible as far as I know.
Please follow this last procedure:
Step 1 | Delete ComboFix and Clean Up
The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:
ComboFix /Uninstall
Please advise if this step is missed for any reason as it performs some important actions.
Step 2 | Please download OTC by OldTimer to your desktop and run it
Last Step | Now, in order to avoid future infections, please take time to read the following article:
So how did I get infected in the first place?
Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed
Congratulations, we are done :bigthumb:
In my humble opinion, what this infection could have introduced in the machine is a thousand times more dangerous than the leftovers of any of the trusted antispywares out there.
No. The infection was removed. If you run Spybot now and it detects Click.Giftload, just delete it. It shouldn't bother you anymore.
Well, not really. Sometimes redirection issues are caused by a hijacked router, but this is not the case.
Do you own the paid version of Malwarebyte's? If not, then it will not provide you with real time protection. Regarding AVG and Spybot S&D, they are compatible as far as I know.
Please follow this last procedure:
Step 1 | Delete ComboFix and Clean Up
The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:
ComboFix /Uninstall
Please advise if this step is missed for any reason as it performs some important actions.
Step 2 | Please download OTC by OldTimer to your desktop and run it
- Click Yes to beginning the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Last Step | Now, in order to avoid future infections, please take time to read the following article:
So how did I get infected in the first place?
Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed
- Status