Wareout(?) in Server 2003

Discussion in 'Malware Help (A Specialist Will Reply)' started by michaeltx, Jan 30, 2007.

  1. michaeltx

    michaeltx Private E-2

    I am seeing IE V6 browser selections redirected to other web sites. I believe that Wareout is the issue.

    I have followed your recommended steps:
    -CCleaner
    -SpyBot: no issues
    -CounterSpy: No issues, report attached
    -Bitdefender: No issues, no report
    -Panda ActiveScan: No issues, report attached.
    -runkeys.txt: attached

    I have downloaded & run FixWareout.exe. I get an error: "Unsupported Windows Version". I am running Server 2003, SP1.

    I will forward newfiles.txt in next post and Hijackthis log at your request.

    Thanks in advance...

  2. michaeltx

    michaeltx Private E-2

    newfiles.txt & hijackthis.log attached...

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Is the below setting something you configured?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

    Do you know what the below files are for that just showed up on Jan 29th?
    Code:
    "C:\WINDOWS\system32\drivers\"
    ikfile~1.sys  Jan 29 2007       33536  "ikfileflt.sys"
    ikfile~2.sys  Jan 29 2007       46592  "ikfilesec.sys"
    iksysflt.sys  Jan 29 2007       52736  "iksysflt.sys"
    iksyssec.sys  Jan 29 2007       77312  "iksyssec.sys"
    kcom.sys      Jan 29 2007       20352  "kcom.sys"
    You did not follow the directions in the READ ME for installing Spybot. You are using Spybot - Search & Destroy 1.3 which has not been used in over 2 years!

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\mheifner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{545D74F7-C4EB-4FCA-8A1D-B216B83C0E6E}: NameServer = 85.255.114.23,85.255.112.220
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B7D346-2395-440C-850F-01334A0C0DA7}: NameServer = 85.255.114.23,85.255.112.220
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD318DC7-3B15-458F-B3CC-5E3F319894D3}: NameServer = 85.255.114.23,85.255.112.220
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EFAA9134-E68D-42AD-96D5-976B953B90EB}: NameServer = 85.255.114.23,85.255.112.220
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\PATCH.EXE

    Now reboot in normal mode

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\mheifner\Local Settings\Temp\

    Now run Ccleaner.

    Now make sure you have all web browsers closed and do the below.
    • Go into Control Panel -->Network Connections.
    • Right click on your connection
    • and click Properties.
    • On the Properties page, highlight Internet Protocol(TCP/IP)
    • Click Properties. This will bring up another page.
    • Select Obtain DNS Server Automatically.
    • Click the ok button. The page will close.
    • Press ok on the page in front of you.
    • Restart the computer.
    • Reconnect to the Internet using Internet Explorer.
    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
    Last edited: Jan 30, 2007
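The O17 lines the advisor asks to fix are all rogue-DNS entries: every interface GUID and the global Tcpip\Parameters key point resolution at the same two external addresses, which is what redirects the browser. The following is an added example, not code from this thread, from HijackThis or from FixWareout: it parses O17 lines of the form shown above, flags NameServer addresses that fall outside a trusted list, and expands HijackThis's shorthand into the full registry path to check. The trusted ranges (RFC 1918 private space), the CCS/CS1/`..` expansion rules, and the single benign sample line are assumptions made for the example; the six flagged sample lines are copied from the post.

```python
"""Flag HijackThis O17 NameServer entries that point outside a trusted list.

Added example, not from the MajorGeeks thread, HijackThis or FixWareout.
Six sample lines are copied from the post above; the seventh (a private
resolver) is constructed to show a line that is NOT flagged.
"""
import ipaddress
import re

# O17 line shape (from the log above):
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a,b
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a b
# Per-interface keys separate servers with commas, the global key with spaces.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")

# Assumed: resolvers an admin expects on this host. Adjust to the real ISP/AD DNS.
TRUSTED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{545D74F7-C4EB-4FCA-8A1D-B216B83C0E6E}: NameServer = 85.255.114.23,85.255.112.220",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B7D346-2395-440C-850F-01334A0C0DA7}: NameServer = 85.255.114.23,85.255.112.220",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CD318DC7-3B15-458F-B3CC-5E3F319894D3}: NameServer = 85.255.114.23,85.255.112.220",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{EFAA9134-E68D-42AD-96D5-976B953B90EB}: NameServer = 85.255.114.23,85.255.112.220",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220",
    # Constructed benign line: a private resolver that should pass the check.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
]


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def is_trusted(ip, trusted=TRUSTED):
    """True if ip lies inside one of the trusted networks; malformed input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def registry_path(hjt_key):
    """Expand HijackThis shorthand into a full registry path.

    Assumed mapping: CCS -> CurrentControlSet, CS1 -> ControlSet001, and the
    'Tcpip\\..\\{GUID}' abbreviation -> Tcpip\\Parameters\\Interfaces\\{GUID}.
    """
    path = hjt_key.replace("HKLM\\System\\", "HKLM\\SYSTEM\\")
    path = path.replace("\\CCS\\", "\\CurrentControlSet\\")
    path = path.replace("\\CS1\\", "\\ControlSet001\\")
    path = path.replace("\\Tcpip\\..\\{", "\\Tcpip\\Parameters\\Interfaces\\{")
    return path


def rogue_nameservers(log_lines, trusted=TRUSTED):
    """Return [(full_registry_path, [untrusted_server, ...]), ...] for flagged lines."""
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers if not is_trusted(s, trusted)]
        if bad:
            findings.append((registry_path(key), bad))
    return findings


if __name__ == "__main__":
    for path, bad in rogue_nameservers(SAMPLE_LOG):
        print(f"{path}\n    untrusted NameServer: {', '.join(bad)}")
```

Running it lists six flagged keys (the four interface GUIDs plus the CurrentControlSet and ControlSet001 Parameters keys) with both external addresses, and silently passes the constructed 192.168.1.1 line. The point worth keeping from the thread: fixing the O17 lines in HijackThis and resetting the adapter to "Obtain DNS server address automatically" only clears the symptom; as post 7 shows, the file that rewrites those values has to go too, or the entries come back.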
  4. michaeltx

    michaeltx Private E-2

    Thank you. I completed your instructions, detail below. IE continues to be re-directed.

    -"R1-HKCU..." I do NOT believe I configured this.
    -These "Jan 29" files could be from a Kaspersky Online scan done that day.
    -Spy-Bot V1.3 was on my machine. I removed & installed V1.4 per direction: no issues detected.
    -Uninstalled Sunbelt CounterSpy
    -Downloaded & ran Hoster: no issues
    -Completed HijackThis actions: no issues
    -Deleted file in Safe Mode: no issues
    -Booted to Normal Mode: no issues
    -Deleted files in Normal Mode: no issues
    -Ran Ccleaner
    -Ran Network Connections actions, "Obtain DNS Server Automatically" was already selected, so no action was required. I ensured no Browsers or other applications were running prior to this action.
    -Still see Browser re-direct
    -ShowNew & HJT files attached.

    Thanks!!!

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
  6. michaeltx

    michaeltx Private E-2

    Thanks.

    Blacklight Beta ran without a hitch, log attached.

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay run Blacklight again and this time have it fix this file:

    c:\WINDOWS\system32\kdrxk.exe

    This is the file that is at the heart of the WareOut infection and once deleted you should see an improvement.

    After fixing it, reboot your PC and run a new scan with Blacklight to make sure it truly was fixed and did not return. Then also attach another HJT log and tell me how things are working.
  8. michaeltx

    michaeltx Private E-2

    Thanks! A few brief browser tests show no re-directs!
    -1 file found
    -fixed/renamed
    -Black light rerun: no issues/files found
    -New HJT attached

    Any other recommendations? Thank you, you provide a great service!!!

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Since you did not know what that R1 line was about, let's fix it too. So run HJT and select the below lines and close all browsers BEFORE clicking Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

    Now check a new log for yourself. Did the above two lines go away? If yes, continue on to the below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
