Click.Giftloader re-appearing and possible rootkit infection.

Status
Not open for further replies.
Well, to see what this virus does, look through the ComboFix report and look at all the legit Windows files that were infected and replaced. Looking at the ESET log, there are many more files infected, including entire programs.

Exactly what this virus stole, if anything, is hard to say, but change all your passwords.

This is a file infector virus; it will infect files as quickly as we clean them, and I am sure there are hundreds more that are infected that we can't see.

Upgrading to Win 7 would be a good option, but I am not sure if your computer is a candidate. It would have to be a complete format and reinstall; an upgrade would not work, or you would just be installing the new operating system right on top of the infected one.

You may want to contact Dell for Recovery Disks to restore your computer to factory defaults.

Post here and let them know where you're at and see what they suggest. All of us forums work together, so you can link them to this thread so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=119
 
I don't believe so, because it needs to bring your computer back to factory defaults and someone else's would be for a different system.

I posted at WTT in your thread.
 
Saw your post. So all I will really need to back up are the Microsoft programs and Symantec. I will read the guide on re-formatting/re-installing and get more info on the discs. Sites saying they offer the recovery disks are malicious, correct?
 
Not sure, that's between you and Dell.

Another option would be to get a Win XP disk on eBay; they're selling for around $25 or so. Then you can go to the Dell site and download the drivers you need for the video, sound and LAN.

The WTT forum can help you with the format and reinstall and getting the correct drivers.
 
That sounds reasonable, I'll look into that.
Won't that go against the whole using someone else's XP recovery disk?

You told me NO Windows update to 7. While reading through the reformatting etc. I also took a peek at the Windows 7 way.

Would doing a custom install, not update, be worth a try? Then from the "old windows folder" move the program files to a flash drive, or perhaps the new Windows, if it's possible. Then after the first install, re-install Windows 7 to re-format it using the Windows 7 disk?

I'm not trying to be difficult, I just have these crazy ideas; I just thought I'd pitch it out there.
 
What I am trying to say is that I could be wrong, but it sounds like your system may not be a candidate for Win7; it may not have the requirements.

You can try this tool:
http://windows.microsoft.com/upgradeadvisor

On eBay, you can buy the actual Windows XP CD legally. With the newer operating systems out now, Vista and Win7, the XP CDs are going for a song. This is not the recovery disk I am talking about; it's the full Windows CD that is brand new, still in the box.

Remember, most of your programs are infected; not a good idea to back them up and reinstall them.
 
Just read your WTT post. DO NOT back up programs.

That means I don't really have anything I need to back up. I'll try to order the disc from an un-compromised computer. Thanks again.
 
Yeah, the disk came with that compatibility feature. I ran it and everything seemed okay. I was just mentioning it. I will go search for the new Windows XP package then; hopefully I can find myself a good deal.
 
So problem solved? Get the disk, pop it in, reformat and voilà!?
Thread closed?
Thanks once again for all your help, truly appreciated, and I realize, as I hope everyone else does too, that you guys use your own time to do this and do it out of the kindness of your hearts. Thanks.

Just outta curiosity, let's say I were to upgrade to Windows 7, and download Spybot, Malwarebytes and the complementary Microsoft Security Essentials, then run a scan on files from "old windows", and if they appeared to be "clean" while some show up as infected, could the "un-infected" programs be brought up, and have the rest of the "old windows" files deleted? The new Windows 7 OS being clean in itself, finding threats only in the old.windows file.

Just hypothetically speaking, I don't wanna take up any more of your time.

XP disk, install from disk, reformat partitions and drive C.
Or use the Dell re-boot disk option; I'll talk to them and see what they say. The guys at WTT wanted some info on that, so I will post it there when I get it.
 
I don't know if I am understanding what you're trying to do with old windows. Outside of your data like Word documents and pictures, I would just bite the bullet on the rest and do clean downloads and installs of the programs that you want to install.

Have you tried the Win 7 Upgrade Advisor to see if your system will accept Win7?

If you get the Recovery Disks from Dell, that will bring your computer back to factory defaults and you should be OK. Then again, a format and reinstall is a good option also; you can do either or.

Whichever path you take, when you're up and running you need to re-evaluate your surfing habits; look at all the trouble you're having from letting your guard down like you have. Stay away from any illegal software, stay away from any file sharing like the torrents or sites like Limewire, and if you get an email from someone you don't know, don't even open it; send it right to the trash.

Good luck with your new endeavor.

Ken :)
 
It was "Leap Year" the movie.
1st and last time?
Decent movie.
I'm against torrenting and P2P and anything not legal.

If you're curious, read the following:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Computer at 20:42:36.35 on Fri 04/29/2011
Internet Explorer: 9.0.8112.16421
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1263 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SoftwareDistribution\Download\Install\dotNetFx40_Client_x86.exe
C:\Users\Computer\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\7b08b4b8f5958fb7ad47bd9d\Setup.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\computer\appdata\roaming\mozilla\firefox\profiles\rpd3zuol.default\
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslbee3a9ea;MpKslbee3a9ea;c:\programdata\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\MpKslbee3a9ea.sys [2011-4-29 28752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-7-13 8192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-29 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-29 52224]
.
=============== Created Last 30 ================
.
2011-04-30 03:42:24 -------- d-----w- C:\7b08b4b8f5958fb7ad47bd9d
2011-04-30 03:26:52 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\MpKslbee3a9ea.sys
2011-04-30 02:43:33 -------- d-----w- c:\windows\system32\SPReview
2011-04-30 02:43:05 -------- d-----w- c:\windows\system32\EventProviders
2011-04-30 02:42:26 -------- d-----w- c:\users\computer\appdata\roaming\Malwarebytes
2011-04-30 02:42:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-30 02:42:19 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-30 02:42:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-30 02:42:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 02:12:21 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-04-30 02:12:21 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-04-30 02:12:21 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-04-30 02:12:14 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-04-30 01:40:14 469256 ----a-w- c:\program files\common files\windows live\.cache\8b83b94e1cc06d743\InstallManager_WLE_WLE.exe
2011-04-30 01:35:25 15712 ----a-w- c:\program files\common files\windows live\.cache\e0de49a01cc06d637\MeshBetaRemover.exe
2011-04-30 01:28:45 525656 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\DXSETUP.exe
2011-04-30 01:28:45 1691480 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\dsetup32.dll
2011-04-30 01:28:44 94040 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\DSETUP.dll
2011-04-30 01:28:33 94040 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\DSETUP.dll
2011-04-30 01:28:33 525656 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\DXSETUP.exe
2011-04-30 01:28:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\dsetup32.dll
2011-04-30 01:14:37 6260088 ----a-w- c:\program files\common files\windows live\.cache\f7b427bb1cc06d315\Silverlight.4.0.exe
2011-04-30 01:03:32 -------- d-----w- c:\users\computer\appdata\local\Windows Live
2011-04-30 01:03:29 -------- d-----w- c:\program files\common files\Windows Live
2011-04-30 01:02:05 -------- d-----w- c:\windows\system32\Wat
2011-04-30 00:54:59 584192 ----a-w- c:\windows\system32\gpprefcl.dll
2011-04-30 00:53:59 828928 ----a-w- c:\windows\system32\fontext.dll
2011-04-30 00:52:59 82944 ----a-w- c:\windows\system32\iccvid.dll
2011-04-30 00:51:45 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-30 00:51:35 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-30 00:51:35 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-04-30 00:50:43 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-04-30 00:50:43 257024 ----a-w- c:\windows\system32\dpx.dll
2011-04-30 00:01:05 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-30 00:01:05 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-30 00:01:02 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-04-30 00:01:01 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-04-30 00:01:00 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-04-29 23:31:50 -------- d-----w- c:\users\computer\appdata\local\Mozilla
2011-04-29 23:31:08 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{a93ae193-f615-4b67-abaa-ccc98faaaacd}\gapaengine.dll
2011-04-29 23:29:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-29 23:29:34 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-29 23:29:33 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\mpengine.dll
2011-04-29 09:07:15 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-04-29 09:07:11 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{dee5f568-3c2e-45e4-8293-f0010a9ee07c}\mpengine.dll
2011-04-29 05:02:29 -------- d-sh--w- c:\windows\Installer
2011-04-29 05:02:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-29 04:52:53 -------- d-----w- c:\windows\Panther
2011-04-29 04:46:13 -------- d-----w- C:\Windows.old
2011-04-29 04:37:06 1699328 ----a-w- c:\windows\system32\esent.dll
2011-04-29 04:37:06 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-29 04:37:06 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-29 04:37:05 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-29 04:37:05 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-29 04:37:05 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-29 04:37:04 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-29 04:37:04 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-29 04:37:04 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-29 04:36:51 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-29 04:36:48 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-29 04:36:09 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-29 04:34:56 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-29 04:34:56 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-29 04:34:11 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 04:31:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-29 04:27:42 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-04-29 04:27:42 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-04-29 04:27:42 107520 ----a-w- c:\windows\system32\cdd.dll
2011-04-29 04:27:41 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-29 04:27:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-29 04:25:23 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-29 04:25:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-29 04:25:23 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 04:25:23 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 04:06:28 -------- d-----w- c:\windows\system32\wbem\Performance
2011-04-29 02:59:28 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2011-04-30 03:15:43 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-25 05:30:54 2616320 ----a-w- c:\windows\explorer.exe
2011-02-19 06:30:46 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 04:34:54 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-12 05:35:31 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
.
============= FINISH: 20:45:25.13 ===============


Would it be safe to access my bank account? It provides a free 1 yr subscription of McAfee and Rapport. You have an opinion on McAfee? Thanks
 
Until you're totally clean after the reinstall of Windows, I would do banking from another clean computer.
 
So I'm not clean? I did a clean install. I booted from the CD/DVD and deleted the partitions. The current "old.windows" you see is due to an accidentally twice-installed Windows 7, after the clean install.
 
I linked you to the Windows forum for help in reinstalling Windows; at this point I have no idea what you're doing on your own. After you format your drive and do a clean install of Windows, post back and we can go from there.
 
Well, basically what I did was delete all the old partitions on the HDD, then just install Windows 7. I deleted the partitions from the old Windows XP, along with all the other partitions, before I installed this one, so I thought deleting the partitions would be equal to re-formatting. Basically my system is Windows 7 now; it doesn't have any programs from my old OS. If I need to reformat then I'll do it.
 