PDA

View Full Version : Click.Giftload on WinXP pro sp3



Macka
2011-05-06, 23:46
Hi. Spybot S&D detected Click.Giftload:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

It comes back after each boot. Boot and logoff/shutdown times are longer, and some applications take a long time to load or they hang up.

I'm having serious trouble posting long messages, ie. copy/pasting the sdd.txt log onto the message. I get "Remote server closed connection". It happens with both Opera and Firefox. What's worse, I get the same error when trying to upload the sdd.txt as an attachment. Even trying to use pastebin fails! I have used pastebin succesfully before with long blocks of text. I wonder if this is some browser bug or even malware symptom. Should I just put all logs as .zipped attachments, since that doesn't produce the error? Any help will be appreciated.

ken545
2011-05-11, 02:42
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg




REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-








Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Macka
2011-05-11, 17:37
Hi again!

I got some advice from a local mexican lucha libre. (so I didn't have to bother other spyware forums) I took my chances, having made backups of my important files, I set to work. After some checking and fixing, my computer seems to be clean now. But for reference, I'll share. And yeah... even if I did get private help from Big Lars, I have to say that you guys are doing a fantastic job. The following was done to my computer:

tdsskiller removed a piece of rootkit. It didn't specifically recognize it as click.giftload, but I don't know if it just categorizes malware programs by type rather than name. After a hard reset, it was gone. Spybot S&D no longer spotted it either - it had been that telltale registry setting.

Running dds had a curious entry in last created list:
c:\windows\system32\mtkuhevc.dll

Looking at file properties of this file revealed that it had previously been ygnsoc.exe. Searching for the dll in regedit listed it in ..\SECURITYPROVIDERS keys. I manually removed any mention of mtkuhevc.dll and renamed the file. I ran Malwarebytes (full scan) and it recognized this file as Spyware.Passwords.XGen and removed it.

After another hard reset and all of the aforementioned scans again plus with Avira Antivirus, with ethernet adapter yanked out, there's not one mention of an infection.

Even copypasting long messages works now!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Omistaja at 17:09:26,45 on ke 11.05.2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Microsoft Windows XP Professional 5.1.2600.3.1252.358.1033.18.3327.2637 [GMT 3:00]
.
AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Opera\Spybot\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Omistaja\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\opera\spybot\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program

files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program

files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SpybotSD TeaTimer] c:\opera\spybot\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\documents and settings\omistaja\start menu\programs\startup\OneNote 2007 -näyttöleikkeet ja Launcher.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tl-wn3~1.lnk - c:\program files\tp-link\tl-wn321g wireless

utility\installer\winxp\TWCU.exe
IE: V&ie Microsoft Exceliin - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\opera\spybot\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247142081046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\omistaja\applic~1\mozilla\firefox\profiles\wkkqlggh.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\ohjelmat\divx\divx web player\npdivx32.dll
FF - plugin: c:\opera\program\plugins\npdsplay.dll
FF - plugin: c:\opera\program\plugins\NPOFF12.DLL
FF - plugin: c:\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\opera\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-22 151592]
R1 atitray;atitray;c:\ohjelmat\atitools\atitray.sys [2007-5-22 18088]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-5-7 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 61960]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SaiH0D60;SaiH0D60;c:\windows\system32\drivers\SaiH0D60.sys [2008-11-24 137600]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\omistaja\locals~1\temp\ief163.tmp --> c:\docume~1\omistaja\locals~1\temp\IEF163.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\ohjelmat\garena\safedrv.sys --> c:\ohjelmat\garena\safedrv.sys [?]
S3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2010-9-9 11596]
S4 AMService;AMService;c:\windows\temp\yvjs\setup.exe run --> c:\windows\temp\yvjs\setup.exe run [?]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-7-15 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-7-15 5248]
.
=============== Created Last 30 ================
.
2011-05-07 19:55:46 -------- d-----w- c:\documents and settings\omistaja\.thumbnails
2011-05-07 19:55:11 -------- d-----w- c:\documents and settings\omistaja\.gimp-2.6
2011-05-07 19:54:18 -------- d-----w- c:\program files\GIMP-2.0
2011-05-07 18:27:24 -------- d-----w- c:\docume~1\omistaja\applic~1\CheckPoint
2011-05-07 18:26:37 -------- d-----w- c:\program files\Conduit
2011-05-07 18:26:35 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-05-07 18:26:35 -------- d-----w- c:\docume~1\omistaja\locals~1\applic~1\ZoneAlarm_Security
2011-05-07 18:26:35 -------- d-----w- c:\docume~1\omistaja\locals~1\applic~1\Temp
2011-05-07 18:26:35 -------- d-----w- c:\docume~1\omistaja\locals~1\applic~1\Conduit
2011-05-07 18:24:20 -------- d-----w- c:\program files\CheckPoint
2011-05-07 18:24:10 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-05-07 18:24:10 -------- d-----w- c:\windows\system32\ZoneLabs
2011-05-07 18:24:08 -------- d-----w- c:\program files\Zone Labs
2011-05-07 18:22:15 -------- d-----w- c:\windows\Internet Logs
2011-05-07 15:04:02 -------- d-----w- c:\program files\Safer Networking
2011-05-07 14:16:50 7750 ----a-w- C:\shitter2.reg
2011-05-07 14:14:30 7750 ----a-w- C:\shitter.reg
2011-05-06 17:39:03 0 ----a-w- c:\windows\system32\tmp.tmp
2011-05-06 15:35:29 -------- d-----w- C:\ERUNT
2011-05-01 13:01:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-01 13:01:51 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-05-01 12:50:47 887072 ----a-w- C:\jre-6u25-windows-i586-iftw.exe
2011-04-26 20:12:13 709456 ----a-w- c:\windows\is-5TPV6.exe
2011-04-26 19:45:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-26 19:45:56 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-26 19:45:56 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-26 19:45:56 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-04-26 19:45:56 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-26 19:45:56 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-26 19:45:56 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-26 19:45:56 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-26 19:45:56 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-26 19:45:56 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-26 18:13:09 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-26 18:13:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-26 18:03:58 -------- d-----w- C:\g
2011-04-14 00:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-13 23:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 17:09:49,39 ===============

ken545
2011-05-11, 19:27
Looks good, how are things running now ?