SMhelp
2011-04-05, 22:06
Hi,
I got hit with the giftload I believe and have been following Ken545 help with another member. I’ve been running the programs he suggested and here is my journey. This is my first post so sorry if it’s not done correctly.
Windows XP, Dell Inspiron Slim
Initially I went to a site and got a Java file which went to my toolbar(didn’t click on). Then Adware started auto running scan and found Trojan. I rebooted in safe mode to run SPybot. Spybot found the creature giftload and when I tried to fix, shut down BSOD. Repaired Windows XP and I can’t download updates, system restore didn’t work, and I’m redirected in Explorer 6 and can’t go to any other sites than my home page.
I’m listing program ran, result, & log.
aswMBR.exe
Scan #1 - Found ROOTKIT and FIXED.
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:55:09
-----------------------------
16:55:09.859 OS Version: Windows 5.1.2600 Service Pack 3
16:55:09.859 Number of processors: 2 586 0x170A
16:55:09.859 ComputerName: SCOTT-213F49CC3 UserName: Scott
16:55:10.703 Initialize success
16:55:15.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
16:55:15.546 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
16:55:15.546 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:55:15.546 Device \Driver\atapi -> DriverStartIo 8b19e27f
16:55:17.546 Disk 0 MBR read successfully
16:55:17.546 Disk 0 MBR scan
16:55:17.546 Disk 0 TDL4@MBR code has been found
16:55:17.546 Disk 0 MBR hidden
16:55:17.546 Disk 0 MBR [TDL4] **ROOTKIT**
16:55:17.546 Disk 0 trace - called modules:
16:55:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:55:17.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
16:55:17.546 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
16:55:17.546 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
16:55:17.562 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:55:17.562 Scan finished successfully
Scan #2 – Clean, Successful
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:56:29
-----------------------------
16:56:29.265 OS Version: Windows 5.1.2600 Service Pack 3
16:56:29.265 Number of processors: 2 586 0x170A
16:56:29.265 ComputerName: SCOTT-213F49CC3 UserName: Scott
16:56:29.843 Initialize success
16:56:32.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
16:56:32.718 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
16:56:32.718 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:56:32.718 Device \Driver\atapi -> DriverStartIo 8b19e27f
16:56:34.734 Disk 0 MBR read successfully
16:56:34.734 Disk 0 MBR scan
16:56:36.734 Disk 0 scanning sectors +976752000
16:56:36.765 Disk 0 scanning C:\WINDOWS\system32\drivers
16:56:48.453 Service scanning
16:56:50.062 Disk 0 trace - called modules:
16:56:50.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:56:50.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
16:56:50.062 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
16:56:50.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
16:56:50.062 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:56:50.062 Scan finished successfully
ATF Cleaner
Ran twice no report ??? emptied all and followed directions from Ken545.
Malwarebytes
Quick Scan,Found 8-10 Trojans & cleaned.
Last Scan
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6266
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/4/2011 9:10:16 PM
mbam-log-2011-04-04 (21-10-16).txt
Scan type: Quick scan
Objects scanned: 163978
Time elapsed: 2 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
OTL (I may have done something wrong here????)Didn’t back up directory or do any copy and pasting
Followed directions from noperfecttime & ken545 “Another click giftload problem”
First Log
Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Scott\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\VBTUCopy\VBTUCopy.exe (VIA Technologies, Inc.)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
EXTRAS ???
OTL Extras logfile created on: 4/4/2011 5:36:48 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Scott\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 4.64 Gb Free Space | 1.00% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
After all of this I’ve ran Spybot, Malawarebytes, Adaware, & supper Spyware only to continue to get the below message.
Microsoft feeds synchonation encountered a problem and must close
Along with not being able to continue my updates from XP Repair, still same Internet problem, and can’t open Mcafee or get updates for Security software.
I’ve kept this system off line due to the security problems so as I write this I plugged it into the net and my downloads started coming in and now I’ve ran the below programs and they are coming up clean. Please let me know if there is anything I’ve missed I would like to avoid a clean install.
Spybot, Malawarebytes, SuperMalware
Thanks
I got hit with the giftload I believe and have been following Ken545 help with another member. I’ve been running the programs he suggested and here is my journey. This is my first post so sorry if it’s not done correctly.
Windows XP, Dell Inspiron Slim
Initially I went to a site and got a Java file which went to my toolbar(didn’t click on). Then Adware started auto running scan and found Trojan. I rebooted in safe mode to run SPybot. Spybot found the creature giftload and when I tried to fix, shut down BSOD. Repaired Windows XP and I can’t download updates, system restore didn’t work, and I’m redirected in Explorer 6 and can’t go to any other sites than my home page.
I’m listing program ran, result, & log.
aswMBR.exe
Scan #1 - Found ROOTKIT and FIXED.
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:55:09
-----------------------------
16:55:09.859 OS Version: Windows 5.1.2600 Service Pack 3
16:55:09.859 Number of processors: 2 586 0x170A
16:55:09.859 ComputerName: SCOTT-213F49CC3 UserName: Scott
16:55:10.703 Initialize success
16:55:15.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
16:55:15.546 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
16:55:15.546 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:55:15.546 Device \Driver\atapi -> DriverStartIo 8b19e27f
16:55:17.546 Disk 0 MBR read successfully
16:55:17.546 Disk 0 MBR scan
16:55:17.546 Disk 0 TDL4@MBR code has been found
16:55:17.546 Disk 0 MBR hidden
16:55:17.546 Disk 0 MBR [TDL4] **ROOTKIT**
16:55:17.546 Disk 0 trace - called modules:
16:55:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:55:17.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
16:55:17.546 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
16:55:17.546 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
16:55:17.562 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:55:17.562 Scan finished successfully
Scan #2 – Clean, Successful
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 16:56:29
-----------------------------
16:56:29.265 OS Version: Windows 5.1.2600 Service Pack 3
16:56:29.265 Number of processors: 2 586 0x170A
16:56:29.265 ComputerName: SCOTT-213F49CC3 UserName: Scott
16:56:29.843 Initialize success
16:56:32.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
16:56:32.718 Disk 0 Vendor: ST3500620AS DE13 Size: 476940MB BusType: 3
16:56:32.718 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE13____#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:56:32.718 Device \Driver\atapi -> DriverStartIo 8b19e27f
16:56:34.734 Disk 0 MBR read successfully
16:56:34.734 Disk 0 MBR scan
16:56:36.734 Disk 0 scanning sectors +976752000
16:56:36.765 Disk 0 scanning C:\WINDOWS\system32\drivers
16:56:48.453 Service scanning
16:56:50.062 Disk 0 trace - called modules:
16:56:50.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b19e439]<<
16:56:50.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b205ab8]
16:56:50.062 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b2431a8]
16:56:50.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b1ba940]
16:56:50.062 \Driver\atapi[0x8b207a08] -> IRP_MJ_CREATE -> 0x8b19e439
16:56:50.062 Scan finished successfully
ATF Cleaner
Ran twice no report ??? emptied all and followed directions from Ken545.
Malwarebytes
Quick Scan,Found 8-10 Trojans & cleaned.
Last Scan
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6266
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/4/2011 9:10:16 PM
mbam-log-2011-04-04 (21-10-16).txt
Scan type: Quick scan
Objects scanned: 163978
Time elapsed: 2 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
OTL (I may have done something wrong here????)Didn’t back up directory or do any copy and pasting
Followed directions from noperfecttime & ken545 “Another click giftload problem”
First Log
Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Scott\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\VBTUCopy\VBTUCopy.exe (VIA Technologies, Inc.)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
EXTRAS ???
OTL Extras logfile created on: 4/4/2011 5:36:48 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Scott\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 4.64 Gb Free Space | 1.00% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Computer Name: SCOTT-213F49CC3 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
After all of this I’ve ran Spybot, Malawarebytes, Adaware, & supper Spyware only to continue to get the below message.
Microsoft feeds synchonation encountered a problem and must close
Along with not being able to continue my updates from XP Repair, still same Internet problem, and can’t open Mcafee or get updates for Security software.
I’ve kept this system off line due to the security problems so as I write this I plugged it into the net and my downloads started coming in and now I’ve ran the below programs and they are coming up clean. Please let me know if there is anything I’ve missed I would like to avoid a clean install.
Spybot, Malawarebytes, SuperMalware
Thanks