jeffr1970

Click.Giftload

I've had this piece of malware on a computer for about 2 days now. Malwarebytes doesn't detect it but Spybot S&D does. Spybot doesn't get rid of it even though it says it does. After looking around the internet I see that this is a very serious infection. It appears to be a rootkit or keylogger of some sort.

It's been so long since I've had to ask for help when cleaning up a machine, I'm not even sure what logs to post. Last time I did this it was HJT, but I've seen lots of people posting logs from programs I've never heard of before.

Thanks in advance for the help.
BCipollone

ASKER CERTIFIED SOLUTION from younghv (available to members only)

jeffr1970 (ASKER):
Thanks for the quick response. I will get that downloaded and run as soon as I can. Do I need to post the log?
Yes - post the logs from both RogueKiller and Malwarebytes.
Please don't run ComboFix yet.
Thanks for the responses from everyone. I had something come up and I'm just now getting back to working on this. I'll post logs from RogueKiller and Malwarebytes asap.
OK -
I am going to forward your RKreport for further evaluation, but I think all you are going to have to do is menu item #6 - then re-boot and let me know if the symptoms are gone.

Should I do that now or wait till you hear back on the RKreport?
I heard back - #6 is all you need to do.
Then re-boot and let me know if the symptoms are all gone.
Spybot S&D is still finding the click.giftload registry entry and symptoms are still there.

I have Visual Studio popping up with an svchost variable undefined. It is using a ton of memory as well. I'm not sure that problem is related to this however. If you want more detail about it I'd be happy to provide that.
Copy/paste all of the following text into a "NOTEPAD" file and save it as:
"Fix.reg".

This is a file that will modify your registry.
If you are not comfortable doing it - please don't.

For further details, it is from an Article written by "Grinler", one of the best anti-malware folks out there.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe\shell]

[-HKEY_CLASSES_ROOT\.exe\DefaultIcon]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile]
"Content Type"=-

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_CURRENT_USER\SOFTWARE\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\exefile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\pezfile]

[-HKEY_CURRENT_USER\Software\Classes\pezfile]

[-HKEY_CLASSES_ROOT\sezfile]

[-HKEY_CURRENT_USER\Software\Classes\sezfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="firefox.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="iexplore.exe"


It's still there.
The registry key is:  "Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe"

 This is the only entry that it ever finds.

I mentioned earlier about svchost. This registry entry has svchost in it, which makes me think that is the reason the JIT debugger keeps popping up.
It just appears to me that the svchost is part of the issue with the infection or the entire issue. I'm currently running a new Malwarebytes scan and if it finds anything I'll post the log. I can also post the log from Spybot S&D if you like.

The machine also has Microsoft Security Essentials on it, which I can run if you think it will help; I don't know how good it really is (reviews of it seem favorable).
SOLUTION (available to members only)
SpyBot does not fit into the cure at all  and you do not need to run ComboFix.

The fix for this is as I have posted.
I have personally used it to repair this infection in computers in my repair shop and I have helped several EE members solve the same problem.

There are three steps to solving this.
1. Fix the Registry entries.
2. Stop the rogue processes.
3. Run a Full Scan with Malwarebytes.

For further details, it is from an Article written by "Grinler", one of the best anti-malware folks out there.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-20
I am very familiar with that article. I read it to help me clean up a different machine in my office earlier in the week. I also re-read it last night after you posted it just in case there was something in there that I missed.

After digging around on the internet using that registry entry as my search string I found the following link.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrrew.htm

I was actually reading through another thread here on EE that you posted on when you were typing out your last response.

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/Q_26945262.html

The guy who started that seems to know a lot more about this svchost issue than me. This is exactly what the computer I'm working with is doing. The machine is using a TON of memory. One of the svchost processes is using 150,000k memory. That is how it is listed in the task manager btw, 150,000k.

I understand that Spybot isn't part of the fix for this. It does however seem to be the only program I have seen that is catching this. Malwarebytes goes right by it. Malwarebytes actually shows no infections on the system right now, but it is still symptomatic. From reading here on EE, around the net at other security sites and my own personal experience, I don't give a PC a clean bill of health until it passes both Spybot and Malwarebytes. As you know, there isn't any one program that will catch or fix everything.

I'm at home right now, but I will head into work as soon as I get around.
At work now and ready to go when you guys are!
I am now thinking that this infection is "Windows Stability Center" - similar fix, but slightly different sequence.

RKill/RogueKiller
Registry Fix
MBAM

http://www.bleepingcomputer.com/virus-removal/remove-windows-stability-center

Give it a try and let's see what happens.

Same basic procedure as I describe here:
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
I have both roguekiller and RKill on my flash drive, which do you prefer I use? I also have the Regfix from that article you linked earlier by Grinler.

I'm attaching the latest mbam log and spybot log for your reading pleasure as well.

I also have a quick question. Something I noticed regarding the svchost. The machine has it listed in both the i386 folder and the system32 folder. The computers here are a mix of XP SP2 and SP3. This particular machine is an SP3 machine. What I've noticed is that in the SP2 machines svchost is in the i386 folder and SP3 is in the system32 folder. However, none have them in both places. Not sure if this is relevant or not.
Note that this time the Registry Fix is much different:
*****************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
****************

Also, look at the bottom of the page in the bleepingcomputer link above - there are some specifics for registry entries that will show you what infected entries are specific to this infection.

"Associated Windows Stability Center Windows Registry Information:"
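As an added example (not code from this thread or from the linked Bleeping Computer articles), a small Python parser for the Windows Registry Editor 5.00 format used by the fixes quoted above; it turns each line into the operation regedit would perform, so a reader can confirm that `"Shell"=-` deletes a value and `[-KEY]` deletes a whole key before importing a fix. The sample text is the Winlogon fix quoted above; the op names are this example's own.

```python
import re
# Constructed sample input: the Winlogon "Shell" fix quoted in the thread above.
WINLOGON_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

# A value line is either the key's default value (@=...) or a quoted name, then '='.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return (op, key, name, data) tuples: ensure_key, delete_key ([-KEY]),
    delete_value ("name"=-), set_string ("name"="..."), set_other (raw data)."""
    ops, key = [], None
    lines = iter(text.splitlines())
    if not next(lines, "").startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Windows Registry Editor 5.00 file")
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                ops.append(("delete_key", body[1:], None, None))
                key = None  # values after a deleted key would be meaningless
            else:
                key = body
                ops.append(("ensure_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unexpected line: %r" % raw)
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if data == "-":
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            ops.append(("set_string", key, name, unescape(data[1:-1])))
        else:
            ops.append(("set_other", key, name, data))  # dword:, hex:, etc.
    return ops
```

Running `parse_reg(WINLOGON_FIX)` lists four operations: the HKCU Shell override is deleted and the HKLM Shell value is set back to Explorer.exe.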
Oops!
I prefer "RogueKiller".
You need to update your MBAM version to "6322".

I haven't used SpyBot for years - too many False Positives and way behind the curve on updating for current threats.
For the RegFix, that is all I need to paste into notepad? Just those 3 lines?
Right - then 'rename it' something with a ".reg" extension.

RKill/RogueKiller
Registry Fix
MBAM

Here is the RogueKiller log.

I also tend to agree about Spybot. In this case, however, it appears to have done something right.
RKreport-1-.txt
I also did the RegFix. Malwarebytes is scanning and in the time you posted the current version was 6322, it is now 6323. I always check for updates before every scan I do regardless of the tool I'm using.
"current version was 6323" - Excellent!

That is also exactly why I am such a big believer in MBAM.
The guys running the show over there are fanatic about making it the best tool on the market.
There could only have been 5-10 minutes between my post and your check - which indicates how solid they are.

RK is clear - so let's hope this MBAM scan does the trick.

I don't know how to read a SpyBot log, but what is it that you think it did/found?
I'm not all that great with Spybot logs either. However, the first few lines of the log have the registry entry it is finding, which is:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
Hit the link below, then click on "more information", and you will see that exact registry entry listed as being added.

http://www.sophos.com/security/analyses/viruses-and-spyware/maltdssr.html?_log_from=rss

If you paste that registry entry in your favorite search engine you will get all kinds of links to hit where they talk about it. Sophos, Spybot forums etc. Lots of places.

Hmmm - I did some 'Googling', but the advice seems to be all over the place.

If the current MBAM scan doesn't fix it, read the details in my post (http:#a35354912) and post your ComboFix Log.

We have a couple of Experts posting here who can read the logs and recommend specific scripts for you to use.

(I'm out of ammo.)
Before I ever posted here I was going to just delete the registry entry by hand, and the svchost in the i386 folder to see if that would do the trick. I just didn't want to do that and totally screw the computer up though. I also think that if Spybot can't get rid of the registry entry after I tell it to, reboot and it scans it again, that something is just writing it back out there. Which if that is happening, that is what I need to find and delete.

On the Spybot forums, one of their admins wrote a script for OTL that got rid of the registry entry, but that guy is still having problems. While our problems are similar, they are not exactly the same. There are also some people that have posted on the Malwarebytes forums with svchost.exe issues. I've only skimmed those forums however as I am multitasking atm. I keep hoping that those guys over at Malwarebytes will get it figured out and put an update out to fix it.
"I keep hoping that those guys over at Malwarebytes will get it figured out and put an update out to fix it."

Good thought.

I am going to contact "Tigzy" again and see if he has a recommendation - either with RogueKiller or something else.
 
Malwarebytes was clean.
ComboFix is telling me to connect to the internet to install the windows recovery console. The machine is connected to the internet though. Thoughts?
Just delete the value of that svchost.exe and spybot will stop flagging it.

You can delete it manually or use ComboFix to delete it using a script.

It's always good to let ComboFix install the recovery console (for safety), but if you don't want to, it will still run.
I wanted to install it, but it was telling me that I needed to connect to the internet. Very strange as it is connected.

ComboFix did run and found a rootkit. Log is attached.
log.txt
Yes, good old CF found and disinfected a bootkit along with other bad files and your Hijackthis.

Have you also deleted the reg entry that Spybot kept flagging? or do you want CF to delete it?
If that registry entry was added due to the infection I'd prefer the whole thing went away. Are there any options there?
Yes, although ComboFix is a rather heavy 'top gun', it seems you often reach a stage where running CF is the best way forward.
Studying CF log file right now to see if a script is necessary ...
jeffr1970,
You can just manually delete that registry entry.
Now the 64 dollar question. The svchost.exe that is in the i386 folder. I've already renamed it to keep JIT debugger from running. I'm guessing it is safe to just delete this? Makes no sense this is the only computer in the building with one in i386 and one in system32. Unless one of these infections installed it.
If you have renamed it with no adverse effects, then I suggest that you "delete" it - but not remove it from your recycle bin.

If it is actually valid...somehow...you can then retrieve it.
"If that registry entry was added due to the infection I'd prefer the whole thing went away."

Yes, that was part of an infection... i.e. Alureon/TDSS adds an svchost.exe value under that key.
Legit programs can also be added there to have IE render pages, but in this case it is part of an infection.
 


"Are there any options there?"

What options do you mean?
Unable to identify any further infection in the CF log file, so no script is required ...unless of course rpggamergirl has spotted something nasty, in which case I too 'am out of ammo'!

Don't forget to ensure that ComboFix is uninstalled later, after completion, when no longer required.
Options to remove that registry entry, not just the value. If I'm understanding you right though, you are saying that the registry entry is legit, but the value isn't? From the research I had done I was under the impression that the key was added to the registry.

Or am I just confused and confusing everyone else....I've been known to do that :)
Without the value, the entry can't do anything - just delete the value.
Deleted the value. I'm in the process of running Spybot and then going to run Malwarebytes again to make sure things are clear.

What do you guys recommend for a program to clean up your registry? I used to use CCleaner I think it was, but haven't used anything in a long time.
SOLUTION (available to members only)
@rpg - excellent!
I'm popping off for a nap - glad you figured this one out.
I was feeling like a lost dog in tall weeds.
Ooops....sorry I didn't see your post above, that you've already deleted the value.

"What do you guys recommend for a program to clean up your registry? I used to use CCleaner I think it was,"

None.......(I used to use JV16, Registry Mechanic and TuneUp Utilities)
Registry cleaners are not necessary, they can do more harm than good... they can be potentially harmful and not worth it IMO. Others will argue with me on this....I'll be happy to join a discussion/debate about it.

I have used CCleaner to clean temp folders many times before but not the registry.
Most tools these days clean the default temp folders, e.g. ComboFix...
There's another temp cleaner that cleans all user accounts, it's OTC.exe whereas CCleaner only cleans the login user account.
http://oldtimer.geekstogo.com/TFC.exe


@younghv,
I should go to bed now, I only have 4 hours sleep left.
I'm with younghv on the nap....

I was confused. I thought that you wanted me to delete the value under the svchost.exe which was something like 22b8. I have deleted svchost and I'm rescanning now. I'll post back when the scans are complete.

Since the actual file svchost.exe is renamed and I'm not seeing any ill effects on the computer, I'm just going to leave it renamed. I can't promise the person who uses this computer won't empty the recycle bin.
@ jeffr1970 ...
>I can't promise the person who uses this computer won't empty the recycle bin<

You could create a new folder on the desktop, name it something like "Do not delete" (or equivalent), then drag and drop the renamed file into this new folder.  Now it should be relatively safe from the user, & the user can empty the recycle bin, as required :)

@ younghv ...
  >I was feeling like a lost dog in tall weeds<
That's a beauty! <grin>
Spybot is done and looks fine. Malwarebytes is running now.

@Jonvee
That's a good idea.
Ok, both were perfectly clean. I do appreciate everyone's help.
Funny how the first post was what ended up solving the problem.
rpggamergirl:

The only reason I posted the other link was because the Bleeping computer link I posted was not working at the time. I believe their site may have been down temporarily.