
Thread: giftload.. been following ken545, Plz Revw

  1. #1
    Junior Member (Join Date: Apr 2011 | Posts: 1)

    giftload.. been following ken545, Plz Revw

    Hi,

    I got hit with the giftload I believe and have been following Ken545's help with another member. I’ve been running the programs he suggested and here is my journey. This is my first post, so sorry if it’s not done correctly.


    Windows XP, Dell Inspiron Slim
    Initially I went to a site and got a Java file which went to my toolbar (I didn’t click on it). Then Ad-Aware started auto-running a scan and found a Trojan. I rebooted in safe mode to run Spybot. Spybot found the creature giftload and when I tried to fix it, it shut down with a BSOD. I repaired Windows XP and now I can’t download updates, system restore didn’t work, and I’m redirected in Explorer 6 and can’t go to any other sites than my home page.

    I’m listing each program run, its result, and the log.

    aswMBR.exe

    Scan #1 - Found ROOTKIT and FIXED.
    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-04 16:55:09
    -----------------------------
    16:55:09.859 OS Version: Windows 5.1.2600 Service Pack 3
    16:55:09.859 Number of processors: 2 586 0x170A
    16:55:09.859 ComputerName: SCOTT-213F49CC3 UserName: Scott
    16:55:10.703 Initialize success
    16:55:15.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
    16:55:15.546 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
    16:55:15.546 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    16:55:15.546 Device \Driver\atapi -> DriverStartIo 8b19e27f
    16:55:17.546 Disk 0 MBR read successfully
    16:55:17.546 Disk 0 MBR scan
    16:55:17.546 Disk 0 TDL4@MBR code has been found
    16:55:17.546 Disk 0 MBR hidden
    16:55:17.546 Disk 0 MBR [TDL4] **ROOTKIT**
    16:55:17.546 Disk 0 trace - called modules:
    16:55:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
    16:55:17.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
    16:55:17.546 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
    16:55:17.546 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
    16:55:17.562 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
    16:55:17.562 Scan finished successfully

    Scan #2 – Clean, Successful

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-04 16:56:29
    -----------------------------
    16:56:29.265 OS Version: Windows 5.1.2600 Service Pack 3
    16:56:29.265 Number of processors: 2 586 0x170A
    16:56:29.265 ComputerName: SCOTT-213F49CC3 UserName: Scott
    16:56:29.843 Initialize success
    16:56:32.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
    16:56:32.718 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
    16:56:32.718 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    16:56:32.718 Device \Driver\atapi -> DriverStartIo 8b19e27f
    16:56:34.734 Disk 0 MBR read successfully
    16:56:34.734 Disk 0 MBR scan
    16:56:36.734 Disk 0 scanning sectors +976752000
    16:56:36.765 Disk 0 scanning C:\WINDOWS\system32\drivers
    16:56:48.453 Service scanning
    16:56:50.062 Disk 0 trace - called modules:
    16:56:50.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
    16:56:50.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
    16:56:50.062 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
    16:56:50.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
    16:56:50.062 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
    16:56:50.062 Scan finished successfully

    ATF Cleaner

    Ran twice, no report??? Emptied all and followed directions from Ken545.

    Malwarebytes

    Quick Scan, found 8-10 Trojans & cleaned.

    Last Scan

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6266

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    4/4/2011 9:10:16 PM
    mbam-log-2011-04-04 (21-10-16).txt

    Scan type: Quick scan
    Objects scanned: 163978
    Time elapsed: 2 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:

    OTL (I may have done something wrong here????) Didn’t back up the directory or do any copying and pasting.

    Followed directions from noperfecttime & ken545 in “Another click giftload problem”.
    First Log

    Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Scott\Desktop\OTL.exe (OldTimer Tools)
    PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
    PRC - c:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
    PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
    PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
    PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
    PRC - C:\Program Files\VBTUCopy\VBTUCopy.exe (VIA Technologies, Inc.)
    PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)

    EXTRAS ???
    OTL Extras logfile created on: 4/4/2011 5:36:48 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Scott\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 4.64 Gb Free Space | 1.00% Space Free | Partition Type: NTFS
    Drive E: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0


    After all of this I’ve run Spybot, Malwarebytes, Ad-Aware, & SUPERAntiSpyware, only to continue to get the below message.

    Microsoft feeds synchronization encountered a problem and must close

    Along with not being able to continue my updates from XP Repair, I still have the same Internet problem, and can’t open McAfee or get updates for the security software.


    I’ve kept this system offline due to the security problems. As I write this I plugged it into the net and my downloads started coming in, and now I’ve run the below programs and they are coming up clean. Please let me know if there is anything I’ve missed; I would like to avoid a clean install.

    Spybot, Malwarebytes, SuperMalware

    Thanks
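    As an added example (not part of the original post, and not code from aswMBR or its vendor): a small Python triage script that parses aswMBR output in the format quoted above, flags the `**ROOTKIT**` and `MBR hidden` lines, records any unresolved `>>UNKNOWN [...]<<` module in the disk call trace, and diffs a pre-fix run against a post-fix run. The two sample logs inside are constructed from the lines quoted in the post (same message formats and addresses, trimmed); the class and function names (`AswMbrReport`, `parse_aswmbr`, `triage`, `compare_runs`) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: two aswMBR runs modelled on the logs in the post
# above (same message formats and addresses), trimmed to the lines that
# matter for triage. Not real files from the poster's machine.
SCAN_BEFORE = """\
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:55:09
-----------------------------
16:55:17.546 Disk 0 MBR read successfully
16:55:17.546 Disk 0 MBR scan
16:55:17.546 Disk 0 TDL4@MBR code has been found
16:55:17.546 Disk 0 MBR hidden
16:55:17.546 Disk 0 MBR [TDL4] **ROOTKIT**
16:55:17.546 Disk 0 trace - called modules:
16:55:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:55:17.562 \\Driver\\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:55:17.562 Scan finished successfully
"""

SCAN_AFTER = """\
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:56:29
-----------------------------
16:56:34.734 Disk 0 MBR read successfully
16:56:34.734 Disk 0 MBR scan
16:56:36.734 Disk 0 scanning sectors +976752000
16:56:36.765 Disk 0 scanning C:\\WINDOWS\\system32\\drivers
16:56:48.453 Service scanning
16:56:50.062 Disk 0 trace - called modules:
16:56:50.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:56:50.062 \\Driver\\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:56:50.062 Scan finished successfully
"""

# Line shapes taken from the quoted output: a HH:MM:SS.mmm timestamp, then a message.
TS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
RUN_DATE = re.compile(r"^Run date: (.+)$")
ROOTKIT = re.compile(r"Disk (\d+) MBR \[([^\]]+)\] \*\*ROOTKIT\*\*")
HIDDEN = re.compile(r"Disk (\d+) MBR hidden")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


@dataclass
class AswMbrReport:
    run_date: str = ""
    rootkits: List[str] = field(default_factory=list)        # family tags from **ROOTKIT** lines
    hidden_disks: List[int] = field(default_factory=list)    # disks whose real MBR was being hidden
    unknown_modules: List[str] = field(default_factory=list) # unresolved addresses in the disk call trace
    finished: bool = False


def parse_aswmbr(text: str) -> AswMbrReport:
    """Pull the triage-relevant findings out of one aswMBR log."""
    rep = AswMbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_DATE.match(line)
        if m:
            rep.run_date = m.group(1)
            continue
        m = TS_LINE.match(line)
        if not m:
            continue  # banner and separator lines carry no findings
        msg = m.group(2)
        found = ROOTKIT.search(msg)
        if found:
            rep.rootkits.append(found.group(2))
            continue
        found = HIDDEN.search(msg)
        if found:
            rep.hidden_disks.append(int(found.group(1)))
            continue
        found = UNKNOWN.search(msg)
        if found:
            rep.unknown_modules.append(found.group(1))
            continue
        if msg == "Scan finished successfully":
            rep.finished = True
    return rep


def triage(rep: AswMbrReport) -> str:
    """Verdict for one run: 'incomplete', 'rootkit', 'suspicious' or 'clean'."""
    if not rep.finished:
        return "incomplete"
    if rep.rootkits or rep.hidden_disks:
        return "rootkit"
    if rep.unknown_modules:
        # MBR reads clean, but something unresolved still sits in the disk
        # I/O path: do not call the box clean until a post-reboot scan agrees.
        return "suspicious"
    return "clean"


def compare_runs(before: AswMbrReport, after: AswMbrReport) -> List[str]:
    """Human-readable differences between a pre-fix and a post-fix run."""
    notes = []
    for fam in before.rootkits:
        if fam not in after.rootkits:
            notes.append(f"{fam} MBR infection no longer reported")
    for addr in sorted(set(before.unknown_modules) & set(after.unknown_modules)):
        notes.append(f"unresolved module {addr} still present in call trace")
    return notes


if __name__ == "__main__":
    b, a = parse_aswmbr(SCAN_BEFORE), parse_aswmbr(SCAN_AFTER)
    print("before:", triage(b), b.rootkits, b.unknown_modules)
    print("after: ", triage(a), a.rootkits, a.unknown_modules)
    for note in compare_runs(b, a):
        print(" -", note)
```

    Run over the two logs, it rates the first run "rootkit" and the second "suspicious" rather than "clean": the TDL4 MBR finding is gone, but the same unresolved address 0x8b19e439 still appears at the end of the atapi call trace in both runs, which is consistent with an in-memory hook that outlives the on-disk fix until the machine is rebooted. That is why the sensible check is a repeat scan after a restart, not a verdict from a scan run a minute after the fix.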

  2. #2
    tashi, Member of Team Spybot (Join Date: Oct 2005 | Location: USA | Posts: 30,961)

    Hello SMhelp,

    Quote (Originally Posted by SMhelp):
        Hi

        I got hit with the giftload I believe and have been following Ken545's help with another member. I’ve been running the programs he suggested and here is my journey.

    Please don't take advice given to another member and apply it to your own computer. Instructions are customized for that member's personal computer only and the tools used may cause damage if run on a machine with different specs/infections.

    So that everyone is on the same track please see the forum FAQ which also includes instructions for posting preliminary DDS logs for analysis in post #2.
    "BEFORE You POST"(Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky and a link back to this thread. A volunteer analyst will advise you when available.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
