11 replies to this topic

[IndiGenus]

Hello san01 and welcome to the forums here at Tom Coyote.

You appear to have a Wareout infection.

I recommend you print out these instructions for reference, since you will have to restart your computer during the fix.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0DFAD8A3-B147-4CF6-98C9-F8872322A951}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B1749C-2B06-432E-8070-2D91F581FF79}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{649C7725-FD9B-4497-9A0D-C09E31FE8A69}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{98CBDCA4-7EEB-4E2F-B63F-57BE0CE33767}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3F9EE0D-2177-4240-A6B0-75684AA03398}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europa.rbsgrp.net,asia.rbsgrp.net,americas.rbsgrp.net,rbsres01.net,rbs01.rbsgretail.net,nwb01.rbsgretail.net,nwb02.rbsgretail.net,nwb03.rbsgretail.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.101 85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DFAD8A3-B147-4CF6-98C9-F8872322A951}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europa.rbsgrp.net,asia.rbsgrp.net,americas.rbsgrp.net,rbsres01.net,rbs01.rbsgretail.net,nwb01.rbsgretail.net,nwb02.rbsgretail.net,nwb03.rbsgretail.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.101 85.255.112.184

Then close all windows except this one and press Fix checked.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Regards,
Dave

[IndiGenus]

I recommend some clean up and an online virus scan at this point.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

-------------------------------------------------------------------------------------------------

Using Internet Explorer, click on Kaspersky Online Scanner * You will be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save as Text' button:
* Save the file to your desktop.
Please post the Kaspersky report and a new HijackThis log.

Regards,
Dave

[IndiGenus]

Hi san01, Yes, sorry I should have mentioned that you may need a couple of posts to fit the whole log. I would like to see it please. Thanks, Dave

[IndiGenus]

Ah it appears you downloaded and ran the Smitfraud tool at an earlier point. That's what Kaspersky is finding. Not a problem. You can delete the tool at this point as you should not need it (and if you did you would want to download the latest version anyway).

Everything else looks good. How is it running?

If all is well I recommend you clear out your restore points.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

Regards,
Dave

[IndiGenus]

That's great san01

In addition to updating and running your current protection you may want to consider adding the following:

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://forums.tomcoy...mp;#entry257163

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Dave

[little eagle]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php