Click.Giftload

I've had this piece of maleware on a computer for about 2 days now. Malewarebytes doesn't detect it but Spybot S&D does. Spybot doesn't not get rid of it even though it says it does. After looking around the internet I see that this is a very serious infection. It appears to be a rootkit or keylogger of some sort.

It's been so long since I've had to ask for help when cleaning up a machine, I'm not even sure what logs to post. Last time I did this it was HJT, but I've seen lots of people posting logs from programs I've never heard of before.

Thanks in advance for the help.
jeffr1970Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BCipolloneCommented:
0
younghvCommented:
I wouldn't start with ComboFix - even though it may be needed.

As long as the rogue processes are running, many of the anti-malware tools cannot function.

Read the details in these EE Articles and run "RogueKiller" first, then a fresh (updated) copy of Malwarebytes:

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

Also -
I am attaching the proper instructions for running ComboFix on Experts-Exchange as a "Code" file.
THE RECOMMENDED "CF" POST (please give attribution to rpggamergirl when using)

Please download ComboFix by sUBs:(and attach the resulting log) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop  use the Save As
 function) 
 
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and
Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by
 pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix. 
 
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall. 
CF disconnects your machine from the internet. The connection is automatically restored before CF
 completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. 
  
If needed, here's the ComboFix tutorial which includes the installation of the Recovery Console:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When finished with the question, don't forget this:
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field: 

ComboFix /Uninstall

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jeffr1970Author Commented:
Thanks for the quick response. I will get that downloaded and ran as soon as I can. Do I need to post the log?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

younghvCommented:
Yes - post the logs from both RogueKiller and Malwarebytes.
Please don't run ComboFix yet.
0
Sudeep SharmaTechnical DesignerCommented:
0
jeffr1970Author Commented:
Thanks for the responses from everyone. I had something come up and I'm just now getting back to working on this. I'll post logs from RogueKiller and Malewarebytes asap.
0
jeffr1970Author Commented:
Ok, here are the 2 log files.
RKreport-1-.txt
mbam-log-2011-04-09--17-55-28-.txt
0
younghvCommented:
OK -
I am going to forward your RKreport for further evaluation, but I think all you are going to have to do is menu item #6 - then re-boot and let me know if the symptoms are gone.

0
jeffr1970Author Commented:
Should I do that now or wait till you hear back on the RKreport?
0
younghvCommented:
I heard back - #6 is all you need to do.
Then re-boot and let me know if the symptoms are all gone.
0
jeffr1970Author Commented:
Spybot S&D is still finding the click.giftload registry entry and symptoms are still there.

I have visual studio poping up with a svchost variable undefined. It is using a ton of memory as well. I'm not sure that problem is related to this however. If you want more detail about it I'd be happy to provide that.
0
younghvCommented:
Copy/paste all of the following text into a "NOTEPAD" file and save it as:
"Fix.reg".

This is a file that will modify your registry.
If you are not comfortable doing it - please don't.

For further details, it is from an Article written by "Grinler", one of the best anti-malware folks out there.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe\shell]

[-HKEY_CLASSES_ROOT\.exe\DefaultIcon]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile]
"Content Type"=-

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_CURRENT_USER\SOFTWARE\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\exefile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\pezfile]

[-HKEY_CURRENT_USER\Software\Classes\pezfile]

[-HKEY_CLASSES_ROOT\sezfile]

[-HKEY_CURRENT_USER\Software\Classes\sezfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="firefox.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="iexplore.exe"

Open in new window

0
jeffr1970Author Commented:
It's still there.
The registry key is:  "Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe"

 This is the only entry that it ever finds.

I mentioned earlier about svchost. This registry entry has svchost in it, which makes me think that is the reason the JIT debugger keeps poping up.
0
jeffr1970Author Commented:
It just appears to me that the svchost is part of the issue with the infection or the entire issue. I'm currently running a new malewarebytes and if it finds anything I'll post the log. I can also post the log from Spybot S&D if you like.

The machine also has Microsoft's security essentials on it, I don't know how good it really is (reviews of it seem favorable) that I can run if you think it will help.
0
JonveeCommented:
By all means run Microsoft Security Essentials after first updating it, its worth trying, though my impression is that its better at "Malware protection" rather than 'disinfecting' a machine.

If no improvement then perhaps its now time to run ComboFix, and we can all take a look at the CF log file.
BCipollone has supplied the tutorial as well as the download link.

ComboFix should be run in normal mode.

Additional information:
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q__26933025.html
0
younghvCommented:
SpyBot does not fit into the cure at all  and you do not need to run ComboFix.

The fix for this is as I have posted.
I have personally used it to repair this infection in computers in my repair shop and I have helped several EE members solve the same problem.

There are three steps to solving this.
1. Fix the Registry entries.
2. Stop the rogue processes.
3. Run a Full Scan with Malwarebytes.

For further details, it is from an Article written by "Grinler", one of the best anti-malware folks out there.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-20
0
jeffr1970Author Commented:
I am very familiar with that article. I read it to help me clean up a different machine in my office earlier in the week. I also re-read it last night after you posted it just incase there was something in there that I missed.

After digging around on the internet using that registry entry as my search string I found the following link.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrrew.htm

I was actually reading through another thread here on EE that you posted on when you were typing out your last response.

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/Q_26945262.html

The guy who started that seems to know alot more about this svchost issue than me. This is exactly what the computer I'm working with is doing. The machine is using a TON of memory. One of the svchost processes is using 150,000k memory. That is how it is listed in the task manager btw, 150,000k.

I understand that Spybot isn't part of the fix for this. It does however seem to be the only program I have seen that is catching this. Malewarebytes goes right by it. Malewarebytes actually shows no infections on the system right now, but it is still symptomatic. From reading here on EE, around the net at other security sites and my own personal experience, I don't give a PC a clean bill of health until it passes both Spybot and Malewarebytes. As you know, there isn't anyone program that will catch or fix everything.

I'm at home right now, but I will head into work as soon as I get around.
0
jeffr1970Author Commented:
At work now and ready to go when you guys are!
0
younghvCommented:
I am now thinking that this infection is "Windows Stability Center" - similiar fix, but slightly different sequence.

RKill/RogueKiller
Registry Fix
MBAM

http://www.bleepingcomputer.com/virus-removal/remove-windows-stability-center

Give it a try and let's see what happens.

Same basic procedure as I describe here:
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
0
jeffr1970Author Commented:
I have both roguekiller and RKill on my flash drive, which do you prefer I use? I also have the Regfix from that article you linked earlier by Grinler.

I'm attaching the latest mbam log and spybot log for your reading pleasure as well.

I also have a quick question. Something I noticed regarding the svchost. The machine has it listed in both the i386 folder and the system32 folder. The computers here are a mix of XP SP2 and SP3. This particular machine is an SP3 machine. What I've noticed is that in the SP2 machines svchost is in the i386 folder and SP3 is in the system32 folder. However, none have them in both places. Not sure if this is relevant or not.
0
jeffr1970Author Commented:
Oops, forgot to attach the logs!
mbam-log-2011-04-09--23-52-04-.txt
SpybotSD.Results.txt
0
younghvCommented:
Note that this time the Registry Fix is much different:
*****************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
****************

Also, look at the bottom of the page in the bleepingcomputer link above - there are some specifics for registry entries that will show you what infected entries are specific to this infection.

"Associated Windows Stability Center Windows Registry Information:"
0
younghvCommented:
Oops!
I prefer "RogueKiller".
0
younghvCommented:
You need to update your MBAM version to "6322".

I haven't used SpyBot for years - too many False Positives and way behind the curve on updating for current threats.
0
jeffr1970Author Commented:
For the RegFix, that is all I need to paste into notepad? Just those 3 lines?
0
younghvCommented:
Right - then 'rename it' something with a ".reg" extension.

RKill/RogueKiller
Registry Fix
MBAM

0
jeffr1970Author Commented:
Here is the RogueKiller log.

I also tend to agree about Spybot. In this case, however, it appears to have done something right.
RKreport-1-.txt
0
jeffr1970Author Commented:
I also did the RegFix. Malewarebytes is scanning and in the time you posted the current version was 6322, it is now 6323. I always check for updates before every scan I do regardless of the tool I'm using.
0
younghvCommented:
"current version was 6323" - Excellent!

That is also exactly why I am such a big believer in MBAM.
The guys running the show over there are fanatic about making it the best tool on the market.
There could only have been 5-10 minutes between my post and your check - which indicates how solid they are.

RK is clear - so let's hope this MBAM scan does the trick.

I don't know how to read a SpyBot log, but what is it that you think it did/found?
0
jeffr1970Author Commented:
I'm not all that great with Spybot logs either. However, the first few lines of the log have the registry entry it is finding, which is:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Open in new window


Hit this link and you will see that the link below and then click on more information and you will see that exact registry entry listed as being added.

http://www.sophos.com/security/analyses/viruses-and-spyware/maltdssr.html?_log_from=rss

If you paste that registry entry in your favorite search engine you will get all kinds of links to hit where they talk about it. Sophos, Spybot forums etc. Lots of places.

0
younghvCommented:
Hmmm - I did some 'Googling', but the advice seems to be all over the place.

If the current MBAM scan doesn't fix it, read the the details in my post (http:#a35354912) and post your ComboFix Log.

We have a couple of Experts posting here who can read the logs and recommend specific scripts for you to use.

(I'm out of ammo.)
0
jeffr1970Author Commented:
Before I ever posted here I was going to just delete the registry entry by hand, and the svchost in the i386 folder to see if that would do the trick. I just didn't want to do that and totally screw the computer up though. I also think that if Spybot can't get rid of the registry entry after I tell it to, reboot and it scans it again, that something is just writing it back out there. Which if that is happening, that is what I need to find and delete.

On the Spybot forums, one of there admins wrote a script for OTL that got rid if the registry entry, but that guy is still having problems. While our problems are similar, that are not exactly the same. There are also some people that have posted on the malewarebytes forums with svchost.exe issues. I've only skimmed those forums however as I am multitasking atm. I keep hoping that those guys over at malewarebytes will get it figured out and put an update out to fix it.
0
younghvCommented:
"I keep hoping that those guys over at malewarebytes will get it figured out and put an update out to fix it."

Good thought.

I am going to contact "Tigzy" again and see if he has a recommendation - either with RogueKiller or something else.
 
0
jeffr1970Author Commented:
Malewarebytes was clean.
0
jeffr1970Author Commented:
ComboFix is telling me to connect to the internet to install the windows recovery console. The machine is connected to the internet though. Thoughts?
0
rpggamergirlCommented:
Just delete the value of that svchost.exe and spybot will stop flagging it.

You can delete it manually or use ComboFix to delete it using a script.

It's always good to let ComboFix to instlal the recovery console(for safety), but if you don't want to, it will still run.
0
jeffr1970Author Commented:
I wanted to install it, but it was telling me that I needed to connect to the internet. Very strange as it is connected.

ComboFix did run and found a rootkit. Log is attached.
log.txt
0
rpggamergirlCommented:
Yes, good old CF found and disinfected a bootkit along with other bad files and your Hijackthis.

Have you also deleted the reg entry that Spybot kept flagging? or do you want CF to delete it?
0
jeffr1970Author Commented:
If that registry entry was added due to the infection I'd prefer the whole thing went away. Are there any options there?
0
JonveeCommented:
Yes, although ComboFix is a rather heavy 'top gun', it seems you often reach a stage where running CF is the best way forward.
Studying CF log file right now to see if a script is necessary ...
0
younghvCommented:
jeffr1970,
You can just manually delete that registry entry.
0
jeffr1970Author Commented:
Now the 64 dollar question. The svchost.exe that is in the i386 folder. I've already renamed it to keep JIT debugger from running. I'm guessing it is safe to just delete this? Makes no sense this is the only computer in the building with one in i386 and one in system32. Unless one of these infections installed it.
0
younghvCommented:
If you have renamed it with no adverse affects, then I suggest that you "delete" it - but not remove it from your recycle bin.

If it is actually valid...somehow...you can then retrieve it.
0
rpggamergirlCommented:
"If that registry entry was added due to the infection I'd prefer the whole thing went away."

Yes, that was part of an infection... i.e. alureon , TDSS adds svhost.exe value under that key.
Legit programs can also be added there to have IE render pages.. but in this case is part of an infection.
 


"Are there any options there?"

What options do you mean?
0
JonveeCommented:
Unable to identify any further infection in the CF log file, so no script is required ...unless of course rpggamergirl has spotted something nasty, in which case i too 'an out of ammo' !

Don't forget to ensure that comboFix is uninstalled later, after completion, when no longer required.
0
jeffr1970Author Commented:
Options to remove that registry entry, not just the value. If I'm understanding you right though, you are saying that the registry entry is legit, but the value isn't? From the research I had done I was under the impression that the key was added to the registry.

Or am I just confused and confusing everyone else....I've been known to do that :)
0
younghvCommented:
Without the value, the entry can't do anything - just delete the value.
0
jeffr1970Author Commented:
Deleted the value. I'm in the process of running Spybot and then going to run Malewarebytes again to make sure things are clear.

What do you guys recommend for a program to clean up your registry? I use to use CC cleaner I think it was, but haven't used anything in a long time.
0
rpggamergirlCommented:
\FEATURE_BROWSER_EMULATION]

The above key is legit.
So it's really the svchost.exe value under that key that should be deleted.


You can delete the value manually or use ComboFix to delete it using a script.

Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-


------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe(desktop).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


@ jonvee,
yeah the CF log is clean, :)
0
younghvCommented:
@rpg - excellent!
I've popping off for a nap - glad you figured this one out.
I was feeling like a lost dog in tall weeds.
0
rpggamergirlCommented:
Ooops....sorry I didn't see your post above, that you've already deleted the value.

"What do you guys recommend for a program to clean up your registry? I use to use CC cleaner I think it was,"

None.......(I used to use JV16, Registry Mechanic and TuneUp Utilities)
Registry cleaners are not necessary, they can do more harm than good... they can be potentially harmful and not worth it IMO. Others will argue with me on this....I'll be happy to join a discussion/debate about it.

I have used CCleaner to clean temp folders many times before but not the registry.
Most tools these days cleans the default temp folders e.g. Combofix...
There's another temp cleaner that cleans all user accounts, it's OTC.exe whereas CCleaner only cleans the login user account.
http://oldtimer.geekstogo.com/TFC.exe


@younghv,
I should go to bed now, I only have 4 hours sleep left.
0
jeffr1970Author Commented:
I'm with younghv on the nap....

I was confused. I thought that you wanted me to delete the value under the svchost.exe which was something like 22b8. I have deleted svchost and I'm rescanning now. I'll post back when the scans are complete.

Since the actual file svchost.exe is renamed and I'm not seeing any ill effects on the computer, I'm just going to leave it renamed. I can't promise the person who uses this computer won't empty the recycle bin.
0
JonveeCommented:
@ jeffr1970 ...
>I can't promise the person who uses this computer won't empty the recycle bin<

You could create a new folder on the desktop, name it something like "Do not delete" (or equivalent), then drag and drop the renamed file into this new folder.  Now it should be relatively safe from the user, & the user can empty the recycle bin, as required :)

@ younghv ...
  >I was feeling like a lost dog in tall weeds<
Thats a beauty! <grin>
0
jeffr1970Author Commented:
Spybot is done and looks fine. Malewarebytes is running now.

@Jonvee
That's a good idea.
0
jeffr1970Author Commented:
Ok, both were perfectly clean. I do appreciate everyones help.
0
BCipolloneCommented:
Funny how the first post was what ended up solving the problem.
0
BCipolloneCommented:
rpggamergirl:

The only reason I posted the other link was because the Bleeping computer link I posted was not working at the time. I believe their site may have been down temporarily.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.