I have ran multiple spyware programs including Spyware Doctor, Trojan Hunter, F-Secure Blacklight, and Rootkit Revealer. Spyware Doctor found a "FU Rootkit". It claimed to automatically fix the problem, but it showed up again when it rescanned after the reboot. The rootkit will not go away. None of the other spyware programs I ran found anything of interest.

Here is a log from HijackThis. I thought that might help. Could someone please tell me how to remove this rootkit from my machine once and for all.

Aimfix : http://www.jayloden.com/AIMFix.exe contains a fix for the FU rootkit . Run aimfix once in regulare mode and then a second time in safemode .

Hi Jaged,

It is true that a variant of FU is can accompany the AIM virus, but I don't know if that is your problem. Here are the symptoms of the aim virus see if they match your symptoms/behavior:
http://www.jayloden.com/symptoms.htm

But Fu is a rootkit which can accompany many threats and it is not clear yet if that is what you have. BlackLight can detect FU and you said that your BlackLight scan came out clean.

1. Download the kproccheck Beta2 and extract it to C:\. It will create a folder called C:\kproccheck. Please download run-kproccheck and unzip it to the C:\kproccheck folder . It is important that run-kproccheck.bat reside in that same folder as the kproccheck executable and driver (kproccheck.exe and kprocchecks.sys). Next close all windows. Open Windows Explorer and navigate to the C:\kproccheck folder. Double-click on run-kproccheck.bat to run it. It will immediately produce a log file called kproccheck.txt, in the same folder. Please copy and paste the contents of kproccheck.txt in your net reply.

2. Please download ewido anti-spyware and perform a scan in safe mode as described. Post the ewido scan report in your next reply. (Clean temp files first)

3. Download and install IceSword

IceSword is in compressed RAR file format so you will need a utility like WinRar or the open source 7-Zip to extract it
Download and extract 7-Zip

The use 7-Zip to exract IceSword to C:\Program Files\IceSword

Once IceSword is extracted, with all browser and Explorer windows closed, run IceSword

Once IceSword is open, click the Win32 Service Function on the left Menu Bar
If any red entries are found, click the blue Log Tab at the top of the screen and save the log to documents folder as service-list.txt.

Now, Click IceSword's Process Function on the left Menu Bar
If any red entries are found, click the blue Log tab at the top of the screen and save the log to documents folder as processlist.txt.

3. Please perform a Kaspersky online antivirus scan and post the scan results back here.

4. Check your Windows Updates history and see if you have installed the windows Updates which were released yesterday. If you haven't done that please do so, because the Malicious Software Removal Tool will run automatically when you install the updates. You can also run a scan here:
http://www.microsoft.com/security/malwareremove/default.mspx#run

Now post back your ewido scan report, kproccheck.txt, AimFix log and the IceSword logs if any red entries were found, and please note them.

Also, post back the Spyware Doctor log that indicates you have FU. If the logs are long, please upload them as text files using the post reply button. I will address your HJT log later.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Here are Spyware Doctor's findings:

Attached are the ewido and kproccheck logs. Icesword was a broken link, Kaspersky is running as I am typing this, and I just installed the recent windows update.

One side question. Once I get this problem fixed and my computer cleaned out, what anti spyware should I leave running in the background? I haven't been running any up until now. I have however been using Firefox and I am behind a router firewall. Keep in mind that I am a gamer and I would like to leave as much of my machine's resources available for fragging as possible while still maintaining a secure machine.

Thanks for your help so far.

Edit: Oops, I just closed the window that was running Kaspersky. Unless you think it is really necessary I am not gonna bother starting it up again. Its painfully slow.

---

kproccheck.txt
Description:	kproccheck Log	Download
Filename:	kproccheck.txt
Filesize:	9.22 KB
Downloaded:	192 Time(s)

---

---

Report-Scan-20060712-232553.txt
Description:	Ewido Log	Download
Filename:	Report-Scan-20060712-232553.txt
Filesize:	333.77 KB
Downloaded:	50 Time(s)

---

Hi Jaged,

Try to click on the link in my reply for Ice Sword. It is going thru fine for me. If you can get Ice Sword to work that would be helpful, as a second check. That is one of the best antirootkit programs out there.

You can hold of on the K. scan for now.

I have to look at the logs you submitted.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

I lied, when I went to bed I started the Kaspersky scan. It came up clean but I figured I would upload the log anyway.

I am beginning to think I don't have a rootkit at all. Spyware Doctor is the only one that seems to think I do. Everything else thinks I am clean.

Edit: I got IceSword to download after a couple of tries.... Its weird that it took multiple tries to get it to download. Anyway, I did not see any red colored entries in either section you told me to look into

Thanks again.

kaspersky.txt
Description:	Kaspersky Log	Download
Filename:	kaspersky.txt
Filesize:	20.23 KB
Downloaded:	164 Time(s)

I looked at your logs and I do not see any thing awry. Dedicated rootkit programs will be better at detecting rootkits than Spyware Doctor, and those may be just strays from an infection that has been removed already.

If you want we can do this:
Download RegSearch and extract it to a folder. Now run RegSearch.exe and type msdirectx in the first line of the search box and click "OK". RegSearch will search the occurrences of that string in Registry. When the search is over, you will get a text file which contains the search results. Please copy and paste the results in your next reply.

Spyware Doctor has real time protection doesn't it? You can turn it on and look at it's consumption in task mgr or Process Explorer, to see if it is a resource hog. The best thing to do is try out a few, and check them out in Process Explorer for resource consumption. If they hook the SSDT they are generally faster and more effective because they employ kernel device drivers that monitor and intercept kernel function calls.

WinPatrol is really light on resources. Also may want to see how Windows Defender is. Both have saved me before. Now AVs provide cross protection so most critical for your security is Windows Updates, Firewall, and a great AV. Then you may also want to use a HIPs program like Process Guard:
http://www.diamondcs.com.au/processguard/
or AntiHook.
http://www.infoprocess.biz/

You can fix this in you HJT file:
R3 - Default URLSearchHook is missing

What did you disable in Autoruns?

Also remove the HotFix in ARP. If you are current on Windows Updates you do not need that. I would get rid of those items in ewido which you did not quarantine. Why did you not set ewido to quarantine those items? The cookies I would delete.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008