Rootkit infection?

Re: Rest of logs

Please run this WareOut Removal and attach the request log.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O17 - HKLM\System\CCS\Services\Tcpip\..\{706524C5-DF95-4EDB-A251-04EA7EC3CB3A}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FBA1E01-8F03-4A72-B605-8B2D4BF36788}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167

After clicking Fix, exit HJT.

Now reboot in normal mode
Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Also run AVG Anti-rootkit now and see if it still finds any problems.

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

I don't need any logs until all steps have been run. Try WareOut fix again but first shutdown the CounterSpy program! If it does not seem to work properly, complete all the steps requested anyway and attach all logs.

 

Yes this is part ot the WareOut infection and normally there are multiple files involved. That is why I wanted use FixWareOut first. Run AVG Anti-Rootkit and see if it can fix this file. Then reboot. And run a new scan to make sure it is fixed.

Uninstall the CounterSpy trial now before continuing. We are finished with it.

Then delete the below folders:
C:\Documents and Settings\Chris\Local Settings\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also delete the below file:
C:\WINDOWS\unins001.exe

Attach a new log from HJT afterwards.

Also tell me if you are still having problems.

 

Try using AVG Anti-rootkit in safe boot mode. If it does not work or still does not remove the file, try using the below tool and procedure. Make sure you attach the log!!

Using Sophos Anti-Rootkit

 

Okay see if it can fix it! If it says it is fixed, reboot and check again. Let me know the results.

 

Like all malware type programs.... they each can do things that others cannot. Sometimes it is just a matter of catching up in a next version. Other times they just never catch up! I have also had AVG Anti-rootkit fix something that Sophos did not.

I would like to know if you can now actually get the FixWareOut procedure to run. It would be interesting to know if the above was blocking it. If you can, attach the log.

Also attach new logs from ShowNew and HJT!

 

Hmmmm! The log from FixWareOut indicates it was from
Last edited 1/14/2006

Is your date set incorrectly? If not, then the log would indicate that you did not just run FixWarOut today or that no log was produced today. That log may have been from 6 days ago.

Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Okay, my mistake! It looks like FixWareOut is showing the date the program itself was updated rather than showing a version number. It does not show the date the fix was run. So all is good!

 

Not sure what the problem with Outpost was. Did you reboot after installing and before trying to get help?

 

You're welcome. Surf safely!