Possible Rootkit Problem?

By the_paco007
Feb 22, 2007
Topic Status:
Not open for further replies.
  1. Hello,

    I think i may have a possible rootkit problem that just wont go away. I dl'ed some nasty stuff and thought i got it all out until i tired to google something and google.com or gmail.google.com wouldnt work. It seems to be similar to opucek's problem awhile back. Any other website works just fine.

    Any help would be greatly appreciated!

    Thanks in advance
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Uninstall anything to do with Viewpoint and Wildtangent from add remove programmes in your control panel.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click the click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path"
    * Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree for the terms and conditions that is displayed by AVG and click "OK" to reboot the PC. Reconnect to the net.


    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above. Let me know the results of the Blacklight and AVG Antirootkit scans.

    Regards Howard :wave: :wave:

    This thread is for the use of the_paco007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. the_paco007

    the_paco007 Newcomer, in training Topic Starter

    Sorry I havent gotten back to you sooner. The AVG Anti-Rootkit came up with nothing, as did Blacklight. No dice.

    I also followed the Virus/Spyware/Malware removal instructions.

    Attatched is an updated HJT log.

    Something else of note, Google.com works fine if i find it through a proxy such as www.polysolve.com

    Thanks again for your help. I need my google fix...
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You didn`t attach an AVG Antispyware log as requested. Please do so in your next reply.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    WildTangent
    Apps
    CDA
    Viewpoint
    Viewpoint Manager

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewMgr.exe
    GameDrvr.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace02.geextranet.com/qp2.cab

    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab

    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\WildTangent<Delete the entire folder.
    C:\Program Files\Viewpoint<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log. Let me know if you`re still having problems.

    Regards Howard :)

    This thread is for the use of the_paco007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. the_paco007

    the_paco007 Newcomer, in training Topic Starter

    Hello,

    I followed your most recent instuctions to the letter and still no luck... maybe it's not a rootkit after all. Could a virus have caused damage to the netowrk? I flushed DNS and made sure my firewall wasnt blocking anything it shouldnt.

    I cant post an AVG Rootkit logfile because it didn't generate output. Here is the new HJT though...


    Thanks again for your continued assistance!
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I asked you to post an AVG Antispyware log, not an AVG Antirootkit log.

    Your HJT log is clean.

    Yes, a virus could quite easily cause damage to the network.

    Run an AVG Antispyware scan as per the instructions in this thread HERE and post the results.

    Regards Howard :)

    This thread is for the use of the_paco007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. the_paco007

    the_paco007 Newcomer, in training Topic Starter

    I'm terribly sorry, I feel like such an *****.

    Here is the Antispyware log


    Forgive me for my naievete...


    Thanks!
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Locate and delete the following bold files and/or directories(if there).

    C:\localtexmf<Delete the entire folder, it`s infected with a nasty keylogger.

    Reboot into normal mode and rehide your protected OS files.

    Go HERE and follow the instructions for running the Ccleaner programme.

    Then, run a new AVG Antispyware scan as per the instructions in the above thread and post the AVG Antispyware log file.

    Regards Howard :)

    This thread is for the use of the_paco007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. the_paco007

    the_paco007 Newcomer, in training Topic Starter

    Still no luck. That keylogger came up again in the windows system restore files, so i cleaned it out.

    Any other advice?

    Thanks!!!
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Delete all files in AVG Antispyware quarantine.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of the_paco007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. the_paco007

    the_paco007 Newcomer, in training Topic Starter

    Thanks very much for all your help. It was truly appreciated.

    The problem ended up being in the HOSTS file. I couldnt believe how simple a fix this was. Almost a month of headaches over a two second fix.

    I cannot thank you enough for all your help! My computer thanks you!


    Regards and Good Luck,
    Paul
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.