> Infected with HackTool.Rootkit Virus, Tried Everything.. nothing works..
ilya5000
post Jan 14 2009, 12:50 AM
Post #1
Group: Members
Posts: 2
Joined: 14-January 09
Member No.: 282,370

I have recently downloaded a keyboard macro program and got a crazy virus called HackTool.Rootkit.

Norton detected it, then closed all programs and reopened them saying it is blocked, and then in 2 seconds closed the programs again because there was another attack. During that time I tried to run as many scans and do everything that I read on other forums to fix this, but nothing worked.

Things that I did:

Disabled System Restore
Scanned with Norton and rebooted after it found viruses
Went into Safe Mode (same thing happening: programs closing and opening)
Used regedit, services.msc and Task Manager to find files relating to the program as given by the instructions, and haven't found anything.

I just ran HijackThis and haven't found anything that I was directed to fix.

Please someone help.

HiJackT DDS Log:


DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by Ilya at 5:46:13.92 on Wed 01/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1589 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Ilya\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: cyberspacehq.com\linktrader
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ilya\applic~1\mozilla\firefox\profiles\d18kdw3z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2008-10-13 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2008-10-13 19968]
S0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-2-16 273920]
S0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090109.001\IDSxpx86.sys [2009-1-12 274808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-12 99376]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090113.024\naveng.sys [2009-1-13 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090113.024\navex15.sys [2009-1-13 876112]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S4 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2008-2-8 132400]
S4 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2008-2-8 99632]
S4 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2008-2-8 5504]
S4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-2-9 143360]
S4 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2008-2-8 6528]
S4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-2 24652]

=============== Created Last 30 ================

2009-01-14 05:13 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 21:32 39,936 a------- c:\windows\Mxadusukase.dll
2009-01-13 21:32 2,213 a------- c:\windows\system32\TDSSixgp.dll
2009-01-13 21:32 61,440 a------- c:\windows\system32\TDSSnpur.dll
2009-01-13 21:32 441 a------- c:\windows\system32\TDSSmtpe.dat
2009-01-13 21:31 <DIR> --d----- c:\program files\Microsoft Common
2009-01-13 21:31 44,032 a------- C:\jhwknqbg.exe
2009-01-13 21:31 37,376 a------- c:\windows\9129837.exe
2009-01-13 21:31 705 a------- C:\tyvq.exe
2009-01-13 21:31 2 a------- C:\1144689357
2009-01-13 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macro Mania
2009-01-13 21:30 28,672 a------- c:\windows\system32\Msghoo32.ocx
2009-01-13 21:30 200,704 a------- c:\windows\system32\threed32.ocx
2009-01-13 21:30 <DIR> --d----- c:\program files\Macro Mania
2009-01-13 21:30 15,000 a------- c:\windows\system32\hgfdge4unjdfdg.dll
2009-01-13 21:30 25,600 a------- C:\yeulwvc.exe
2009-01-13 21:26 3,277,322 a------- C:\windows.exe
2009-01-13 10:24 <DIR> --d----- c:\program files\LimeWire
2009-01-12 00:45 <DIR> --d----- c:\program files\InstantBooster
2009-01-12 00:45 <DIR> --d----- c:\program files\HitBooster
2009-01-12 00:45 <DIR> --d----- c:\program files\FeedBlast
2009-01-12 00:44 <DIR> --d----- c:\program files\BlogBlast
2009-01-11 23:29 <DIR> --d----- c:\program files\Forum Poster 3
2009-01-10 14:05 155,648 a------- c:\windows\system32\libssl32.dll
2009-01-10 14:05 <DIR> --d----- C:\OpenSSL
2009-01-09 01:52 <DIR> --d----- c:\docume~1\ilya\applic~1\BitTorrent
2009-01-09 01:51 <DIR> --d----- c:\program files\DNA
2009-01-09 01:51 <DIR> --d----- c:\docume~1\ilya\applic~1\DNA
2009-01-09 01:51 <DIR> --d----- c:\program files\BitTorrent
2009-01-09 01:51 <DIR> --d----- c:\program files\AskSearch
2009-01-08 23:10 <DIR> --d----- c:\program files\WinSCP
2009-01-07 08:50 <DIR> --d----- c:\program files\Bonjour
2009-01-05 14:27 <DIR> --d----- c:\program files\ICQ6Toolbar
2009-01-05 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ICQ
2009-01-05 14:26 <DIR> --d----- c:\program files\ICQ6.5
2009-01-03 00:47 11,614 a------- C:\warioland3.php
2008-12-30 23:39 131,072 a------- C:\SuperMarioBrothers4.gb
2008-12-30 00:28 11,198 a------- C:\mariotennis2.php
2008-12-25 12:24 <DIR> --d----- c:\docume~1\ilya\applic~1\iPhoneRingToneMaker
2008-12-25 12:24 <DIR> --d----- c:\program files\iPhoneRingToneMaker
2008-12-22 21:45 608,448 a------- c:\windows\system32\comctl32.ocx
2008-12-22 21:45 <DIR> --d----- c:\program files\digiXMAS Article Submitter
2008-12-19 23:07 <DIR> --d----- c:\program files\DirectorySubmitter
2008-12-18 11:51 <DIR> --d--r-- c:\docume~1\ilya\applic~1\Brother

==================== Find3M ====================

2008-12-12 22:55 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-12 22:55 1,060,864 a------- c:\windows\system32\mfc71.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-05 05:02 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-04 20:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-02 10:13 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-01 21:16 737,280 a------- c:\windows\iun6002.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-31 02:24 499,712 a------- c:\windows\system32\msvcp71.dll
2008-10-31 02:24 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-26 21:06 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-17 08:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2005-02-14 14:09 111 a------- c:\program files\common files\Register.ini
2005-01-17 11:17 4,798,024 a------- c:\program files\common files\NetZeroCosmiSetup.exe
2004-11-08 12:10 1,115,136 a------- c:\program files\common files\Register.exe

============= FINISH: 5:46:17.75 ===============

Attached File(s): Attach.txt ( 13.16k )
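As an added example (not part of this thread and not the HJT Team's procedure), a small Python triage script that parses DDS "Created Last 30" lines like the ones in the log above and flags the patterns a helper scans for by eye: TDSS-prefixed files, executables dropped in the drive root, random-looking names, and other files written in the same short burst. The sample lines are constructed from the log above, and the heuristics and thresholds are assumptions for this example, not DDS's own logic.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in DDS "Created Last 30" format, mirroring entries from the
# log above (not the full attachment).
SAMPLE_LINES = """\
2009-01-14 05:13 <DIR> --d----- c:\\program files\\Trend Micro
2009-01-13 21:32 39,936 a------- c:\\windows\\Mxadusukase.dll
2009-01-13 21:32 2,213 a------- c:\\windows\\system32\\TDSSixgp.dll
2009-01-13 21:31 44,032 a------- C:\\jhwknqbg.exe
2009-01-13 21:30 15,000 a------- c:\\windows\\system32\\hgfdge4unjdfdg.dll
2008-12-22 21:45 608,448 a------- c:\\windows\\system32\\comctl32.ocx
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) \S{8} (.+)$")

def parse_dds_created(text):
    """Parse 'Created Last 30' lines into (time, is_dir, path); skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, size, path = m.groups()
            entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                            size == "<DIR>", path.lower()))
    return entries

def vowel_ratio(stem):
    letters = [c for c in stem if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 1.0

def flag_suspicious(entries, burst=timedelta(minutes=3)):
    """Return {path: reason}; thresholds are assumptions chosen for this example."""
    flagged = {}
    for _, is_dir, path in entries:
        if is_dir:
            continue
        name = path.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if stem.startswith("tdss"):
            flagged[path] = "TDSS-prefixed file"
        elif path.count("\\") == 1 and name.endswith(".exe"):
            flagged[path] = "executable dropped in drive root"
        elif len(stem) >= 10 and vowel_ratio(stem) < 0.25:
            flagged[path] = "random-looking file name"
    # A dropper writes its files within seconds: flag neighbours of a hit too.
    hits = [t for t, _, p in entries if p in flagged]
    for t, is_dir, path in entries:
        if not is_dir and path not in flagged and any(abs(t - h) <= burst for h in hits):
            flagged[path] = "created in the same burst as a flagged file"
    return flagged
```

On the sample, the burst rule is what catches Mxadusukase.dll, whose name alone passes the vowel check; the known-good comctl32.ocx from a month earlier stays unflagged.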
fenzodahl512
post Jan 16 2009, 01:01 PM
Post #2
Group: HJT Team
Posts: 5,949
Joined: 4-December 07
Member No.: 174,482

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson

It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
Away for three months (22 August - 1 December 2009)
fenzodahl512
post Jan 26 2009, 06:39 PM
Post #3
Group: HJT Team
Posts: 5,949
Joined: 4-December 07
Member No.: 174,482

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson

Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
Away for three months (22 August - 1 December 2009)
Go to the top of the page
 
+Quote Post

Closed TopicStart new topic
2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)
0 Members:

 



Lo-Fi Version Time is now: 24th November 2009 - 04:34 PM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides

© 2003-2009 All Rights Reserved Bleeping Computer LLC.