Help Resolve Rootkit infection

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

You need to download ComboFix from our link and then rerun it. It appears that you are using a very outdated version or there is still some kind of error.

Also the scans that are part of MGtools did not work properly. Did you fix the error: c:\progra~1\\Symantec\s32evnt1.dll. Before or after running MGtools. You don't need to rerun the MGtools.exe anymore once it is installed the first time. You can just run the C:\MGtools\GetLogs.bat file to run all the scans. You need to run this and again watch for error messages like those mentioned on the Using MGtools download page.

 

Also you said you could not install Spybot, but I see Spybot's Teatimer in your HijjackThis log.

 

I'm going to give you starting cleaning steps to see if we can make things a little better. They may or may not work properly since we do not have all of the required info from logs yet. Let's try anyway.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Free Radio] C:\Program Files\Free Radio\radio.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\User\Application Data\m\flec006.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)

After clicking Fix, exit HJT.

If you cannot boot in safe mode to do the below steps, just reboot your PC back into normal mode and then try to do the below steps in normal boot mode.

Now reboot into safe mode and delete the below files. Keep track of what you find and don't find and what gets deleted. Report back later.
C:\Program Files\Free Radio\radio.exe
C:\Documents and Settings\User\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\msldr32.dll

Now while in safe mode, delete the below folders
C:\Program Files\Free Radio
C:\Documents and Settings\User\Application Data\m

Now reboot in normal mode

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

Make sure you tell me how things are working now!

 

Did you do my last steps yet? If does not look like it. Give them a run.

 

The scans from MGtools are still not running properly. You need to telll me if you are seeing any error messages.

 

Your logs are clean. You never answered my questions about the list of things I gave you to delete so I assume you found and removed all of them with no problems.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
11. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
12. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!