Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Hacktool" driving me nuts.


  • This topic is locked This topic is locked
2 replies to this topic

#1 Luna M

Luna M

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 12 January 2009 - 06:27 AM

A few days ago, a bad virus hit my company's network, and many of our computers were compromised. My computer was turned off at teh time, so I seem to have escaped the worst of it, but I still have a few nasty bugs crawling around and I can't seem to nuke them.

My company used TrendMicro for an antivirus, which wasn't very good, and the network admin who installed it has since quit, so without his password there's no way to uninstall it.

I was able to install Symantec Corporate AV over it and luckily, the two don't seem to fight. However, the Symantec real-time AV is constantly popping up (every 5 seconds or so, totally aggravating) saying it's deleted infected a tmp file infected with "Hacktool." The file names are strings of random numbers and letters that appear to be generated by some process, as soon as the old one is deleted a new one appears, and the AV just keeps deleting them. Meanwhile my computer runs slow as molasses.

I have run full system scans using both TM and Symantec, both say my computer is clean (clearly not!). I have run up-to-date full scans of AdAware, Spybot S&D and Windows Defender I've run them again in Safe Mode (except AdAware which doesn't appear to work in safe mode). Nothing has found whatever nasty is creating these .tmp files. So I ran HiJackThis as a last resort in hopes someone here can recognize the problem. Any ideas?

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:10:16 AM, on 1/12/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Sling Media\SlingAgent\SlingAgentService.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Xerox\WorkCentre C2424\xc24bgts.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\xnetsrvc.exeC:\Program Files\prairieFyre Software Inc\CCM\Services\UpdaterService\UpdaterService.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\Program Files\Windows Defender\MSASCui.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080408R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="https://www.iemployee.com/DotNet/System/(jqoy4v45kmuaqzqeb1uase55)/Login.aspx?Target=iClock"]https://www.iemployee.com/DotNet/System/(jq...x?Target=iClock[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="https://www.iemployee.com/DotNet/System/(jqoy4v45kmuaqzqeb1uase55)/Login.aspx?Target=iClock"]https://www.iemployee.com/DotNet/System/(jq...x?Target=iClock[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.dell.com"]http://www.dell.com[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080408O1 - Hosts: 172.16.0.32 ahO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\xc24bgts.exe 1O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKUS\S-1-5-21-1283497423-689956262-3865509604-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O4 - HKUS\S-1-5-21-1283497423-689956262-3865509604-1005\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=https://www.iemployee.com/DotNet/System/(jqoy4v45kmuaqzqeb1uase55)/Login.aspx?Target=iClockO16 - DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} (CHListFactory Object) - [url="https://hrconnect.cnxntech.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab"]https://hrconnect.cnxntech.com/BusinessPort...ebBehaviors.cab[/url]O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - [url="https://play.istaria.com/controls/launcher.ocx"]https://play.istaria.com/controls/launcher.ocx[/url]O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231387651098"]http://update.microsoft.com/microsoftupdat...b?1231387651098[/url]O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231387646317"]http://update.microsoft.com/microsoftupdat...b?1231387646317[/url]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dssitech.dssitech.comO17 - HKLM\Software\..\Telephony: DomainName = dssitech.dssitech.comO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dssitech.dssitech.comO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exeO23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: prairieFyre Updater Service (UpdaterService) - prairieFyre Software Inc. - C:\Program Files\prairieFyre Software Inc\CCM\Services\UpdaterService\UpdaterService.exeO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe--End of file - 8936 bytes

If it helps, the VNC installation is expected, and there is a (disabled) VPN network adapter on this machine. These are used in my work for various tasks.

BC AdBot (Login to Remove)

 


#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:09:55 PM

Posted 27 January 2009 - 05:51 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I appologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Before we go on with trying to fix your computer, is this your personal computer or does it belong to the corporation?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:09:55 PM

Posted 05 February 2009 - 01:04 PM

This thread is closed due to inactivity.
If you need this topic reopened, please send me or another moderator a PM. This applies to the thread originator only, all others start a new thread.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users