
Thread: Click.GiftLoad issue, and possible other issues (including AdWare?)

  1. #11
    Junior Member
    Join Date
    Apr 2011
    Posts
    12
    Alright, GIMP has been uninstalled. I was not aware this program was illegal; but I have fully removed it. No issues with redirecting either, and no disturbances by the rootkit as far as I can tell. Here is a new result of ckscanner:

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11
    ----- EOF -----

  2. #12
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208
    Good Morning,

    Gimp itself is not illegal but the scanner was showing a cracked version. Thanks for understanding.

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      O3 - HKU\S-1-5-21-507921405-1592454029-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /release /c
      ipconfig /renew /c
      ipconfig /flushdns /c
      
      
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <--Not run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
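As an added example (not from Ken's post and not OTL's own code): a PowerShell audit that performs the check behind the O3 line in the fix above, listing Internet Explorer ShellBrowser toolbar values whose CLSID has no registered class, so an operator can confirm an entry is orphaned before removing it. It assumes PowerShell is available on the machine being examined; the registry paths are the standard IE toolbar and CLSID locations, and the script only reports, it changes nothing.

```powershell
# Added example, not part of the thread or of OTL. Reports toolbar entries whose
# CLSID is not registered anywhere, which is what OTL shows as
# "O3 - ...\Toolbar\ShellBrowser: (no name) - {CLSID} - No CLSID value found."
$toolbarKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser'

# Places a COM class can legitimately be registered. The Wow6432Node root only
# exists on 64-bit Windows; Test-Path simply returns $false where it is absent.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

function Get-OrphanedToolbarClsids {
    if (-not (Test-Path $toolbarKey)) { return @() }

    $props   = Get-ItemProperty -Path $toolbarKey
    $orphans = @()
    foreach ($p in $props.PSObject.Properties) {
        # Under ShellBrowser each toolbar is a value named by its CLSID;
        # skip the PS* metadata properties PowerShell adds to the object.
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        $registered = $false
        foreach ($root in $clsidRoots) {
            if (Test-Path (Join-Path $root $p.Name)) { $registered = $true; break }
        }
        if (-not $registered) {
            $orphans += [pscustomobject]@{
                Clsid      = $p.Name
                ToolbarKey = $toolbarKey
            }
        }
    }
    return $orphans
}

$result = Get-OrphanedToolbarClsids
if ($result.Count -eq 0) {
    "No orphaned toolbar CLSID references under $toolbarKey"
} else {
    "Toolbar values whose CLSID has no registered class (review before removing):"
    $result | Format-Table -AutoSize
}
```

An entry in this list matches what OTL later logs as "Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{...}\ not found"; a value that does resolve to a registered class should be identified before it is touched.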
    Then do a free online virus scanner to check for leftovers


    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Junior Member
    Join Date
    Apr 2011
    Posts
    12
    Morning Ken, here is the result of the OTL, and the ESET Scan:

    ESET:
    C:\Documents and Settings\Owner\Application Data\2607E910350D64C4EE0251A0CC2E2AF9\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Documents and Settings\Owner\Application Data\2607E910350D64C4EE0251A0CC2E2AF9\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

    OTL:
    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-507921405-1592454029-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /release /c >
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.txt deleted successfully.
    < ipconfig /renew /c >
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : gateway.2wire.net
    IP Address. . . . . . . . . . . . : 192.168.100.104
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.100.254
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Downloads\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 3459671 bytes
    ->Flash cache emptied: 56504 bytes

    User: Administrator.OWNER-773CC470D
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: Administrator.OWNER-773CC470D.000
    ->Temp folder emptied: 98320 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 7322169 bytes
    ->Flash cache emptied: 56504 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56504 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 4098 bytes

    User: Owner
    ->Temp folder emptied: 84326 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 13823119 bytes
    ->FireFox cache emptied: 46499848 bytes
    ->Flash cache emptied: 2033827 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 3481105 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 55645 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 24284084436 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 23,235.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04192011_084828

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208
See if you can delete this; if you can't, then we will need to run OTL again:
    C:\Documents and Settings\Owner\Application Data\2607E910350D64C4EE0251A0CC2E2AF9

    How are things running now ?

  5. #15
    Junior Member
    Join Date
    Apr 2011
    Posts
    12
    I've deleted the folder, but nothing really happened, but it's gone now.

Also, the ESET scan didn't remove the detected Win32/Adware.AntimalwareDoctor.AE.Gen file. Is that normal?

  6. #16
    Junior Member
    Join Date
    Apr 2011
    Posts
    12
    Oh, my bad. I just realized the folder I deleted was the Antimalware Doctor.

    So far the PC is running great, no issues.

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208
    Some of the online scanners will remove items and some will not. I prefer to see what it found prior to removal in case a false positive was picked up.

Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.

    Safe Surfn
    Ken

  8. #18
    Junior Member
    Join Date
    Apr 2011
    Posts
    12
    Thanks Ken! This topic can be closed now, and I'll be sure to make a clean system restore point.

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208
You're welcome,

    Take care
