Infected with HackTool.Rootkit Virus


This topic is locked
2 replies to this topic

#1 ilya5000


  • Members
  • 2 posts

Posted 14 January 2009 - 12:50 AM

I have recently downloaded a keyboard macro program and got a crazy virus called HackTool.Rootkit.

Norton detected it, then closed all programs and reopened them saying it was blocked, and then 2 seconds later closed the programs again because there was another attack. During that time I tried to run as many scans and do everything that I read on other forums to fix this, but nothing worked.

Things that I did:

Disabled system restore
Scanned with Norton and, after it found viruses, rebooted
Went into safe mode (same thing happening, programs closing and opening)
Used regedit, services.msc and Task Manager to find files relating to the program, as given by the instructions, and haven't found anything.

I just ran HijackThis and haven't found anything that I was directed to fix.

Please someone help.

HijackThis / DDS Log:


DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by Ilya at 5:46:13.92 on Wed 01/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1589 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Ilya\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: cyberspacehq.com\linktrader
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ilya\applic~1\mozilla\firefox\profiles\d18kdw3z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2008-10-13 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2008-10-13 19968]
S0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-2-16 273920]
S0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090109.001\IDSxpx86.sys [2009-1-12 274808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-12 99376]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090113.024\naveng.sys [2009-1-13 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090113.024\navex15.sys [2009-1-13 876112]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S4 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2008-2-8 132400]
S4 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2008-2-8 99632]
S4 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2008-2-8 5504]
S4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-2-9 143360]
S4 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2008-2-8 6528]
S4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-2 24652]

=============== Created Last 30 ================

2009-01-14 05:13 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 21:32 39,936 a------- c:\windows\Mxadusukase.dll
2009-01-13 21:32 2,213 a------- c:\windows\system32\TDSSixgp.dll
2009-01-13 21:32 61,440 a------- c:\windows\system32\TDSSnpur.dll
2009-01-13 21:32 441 a------- c:\windows\system32\TDSSmtpe.dat
2009-01-13 21:31 <DIR> --d----- c:\program files\Microsoft Common
2009-01-13 21:31 44,032 a------- C:\jhwknqbg.exe
2009-01-13 21:31 37,376 a------- c:\windows\9129837.exe
2009-01-13 21:31 705 a------- C:\tyvq.exe
2009-01-13 21:31 2 a------- C:\1144689357
2009-01-13 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macro Mania
2009-01-13 21:30 28,672 a------- c:\windows\system32\Msghoo32.ocx
2009-01-13 21:30 200,704 a------- c:\windows\system32\threed32.ocx
2009-01-13 21:30 <DIR> --d----- c:\program files\Macro Mania
2009-01-13 21:30 15,000 a------- c:\windows\system32\hgfdge4unjdfdg.dll
2009-01-13 21:30 25,600 a------- C:\yeulwvc.exe
2009-01-13 21:26 3,277,322 a------- C:\windows.exe
2009-01-13 10:24 <DIR> --d----- c:\program files\LimeWire
2009-01-12 00:45 <DIR> --d----- c:\program files\InstantBooster
2009-01-12 00:45 <DIR> --d----- c:\program files\HitBooster
2009-01-12 00:45 <DIR> --d----- c:\program files\FeedBlast
2009-01-12 00:44 <DIR> --d----- c:\program files\BlogBlast
2009-01-11 23:29 <DIR> --d----- c:\program files\Forum Poster 3
2009-01-10 14:05 155,648 a------- c:\windows\system32\libssl32.dll
2009-01-10 14:05 <DIR> --d----- C:\OpenSSL
2009-01-09 01:52 <DIR> --d----- c:\docume~1\ilya\applic~1\BitTorrent
2009-01-09 01:51 <DIR> --d----- c:\program files\DNA
2009-01-09 01:51 <DIR> --d----- c:\docume~1\ilya\applic~1\DNA
2009-01-09 01:51 <DIR> --d----- c:\program files\BitTorrent
2009-01-09 01:51 <DIR> --d----- c:\program files\AskSearch
2009-01-08 23:10 <DIR> --d----- c:\program files\WinSCP
2009-01-07 08:50 <DIR> --d----- c:\program files\Bonjour
2009-01-05 14:27 <DIR> --d----- c:\program files\ICQ6Toolbar
2009-01-05 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ICQ
2009-01-05 14:26 <DIR> --d----- c:\program files\ICQ6.5
2009-01-03 00:47 11,614 a------- C:\warioland3.php
2008-12-30 23:39 131,072 a------- C:\SuperMarioBrothers4.gb
2008-12-30 00:28 11,198 a------- C:\mariotennis2.php
2008-12-25 12:24 <DIR> --d----- c:\docume~1\ilya\applic~1\iPhoneRingToneMaker
2008-12-25 12:24 <DIR> --d----- c:\program files\iPhoneRingToneMaker
2008-12-22 21:45 608,448 a------- c:\windows\system32\comctl32.ocx
2008-12-22 21:45 <DIR> --d----- c:\program files\digiXMAS Article Submitter
2008-12-19 23:07 <DIR> --d----- c:\program files\DirectorySubmitter
2008-12-18 11:51 <DIR> --d--r-- c:\docume~1\ilya\applic~1\Brother

==================== Find3M ====================

2008-12-12 22:55 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-12 22:55 1,060,864 a------- c:\windows\system32\mfc71.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-05 05:02 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-04 20:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-02 10:13 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-01 21:16 737,280 a------- c:\windows\iun6002.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-31 02:24 499,712 a------- c:\windows\system32\msvcp71.dll
2008-10-31 02:24 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-26 21:06 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-17 08:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2005-02-14 14:09 111 a------- c:\program files\common files\Register.ini
2005-01-17 11:17 4,798,024 a------- c:\program files\common files\NetZeroCosmiSetup.exe
2004-11-08 12:10 1,115,136 a------- c:\program files\common files\Register.exe

============= FINISH: 5:46:17.75 ===============
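As an added example, not part of the original thread and not a DDS or HijackThis feature, the Python script below parses the "Created Last 30" and "BHO:" lines of a DDS log like the one posted above and applies the triage heuristics a forum helper applies by eye: files dropped in the drive root, executable images written directly into the Windows directory, random-looking file names, and a BHO whose display name is nothing but its own DLL path. The sample input is constructed from lines copied out of the log above; the rules, thresholds and function names are my own assumptions for triage and are not verdicts from any scanner.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the "Created Last 30" and
# "Pseudo HJT Report" sections of the DDS log posted in this thread.
CREATED_LAST_30 = r"""
2009-01-14 05:13 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 21:32 39,936 a------- c:\windows\Mxadusukase.dll
2009-01-13 21:32 2,213 a------- c:\windows\system32\TDSSixgp.dll
2009-01-13 21:32 61,440 a------- c:\windows\system32\TDSSnpur.dll
2009-01-13 21:32 441 a------- c:\windows\system32\TDSSmtpe.dat
2009-01-13 21:31 44,032 a------- C:\jhwknqbg.exe
2009-01-13 21:31 37,376 a------- c:\windows\9129837.exe
2009-01-13 21:31 705 a------- C:\tyvq.exe
2009-01-13 21:31 2 a------- C:\1144689357
2009-01-13 21:30 28,672 a------- c:\windows\system32\Msghoo32.ocx
2009-01-13 21:30 200,704 a------- c:\windows\system32\threed32.ocx
2009-01-13 21:30 15,000 a------- c:\windows\system32\hgfdge4unjdfdg.dll
2009-01-13 21:30 25,600 a------- C:\yeulwvc.exe
2009-01-13 21:26 3,277,322 a------- C:\windows.exe
2009-01-10 14:05 155,648 a------- c:\windows\system32\libssl32.dll
2008-12-22 21:45 608,448 a------- c:\windows\system32\comctl32.ocx
"""

PSEUDO_HJT = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
"""

EXEC_EXT = {".exe", ".dll", ".ocx", ".sys", ".scr", ".dat"}
VOWELS = set("aeiou")
# DDS line: date, time, size or <DIR>, attribute flags, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
BHO_RE = re.compile(r"^BHO: (.+?): \{([0-9a-fA-F-]{36})\} - (.+)$")

@dataclass
class Created:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

@dataclass
class Finding:
    path: str
    context: str
    reasons: List[str]

def parse_created(text: str) -> List[Created]:
    """Parse the 'Created Last 30' section into structured entries."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        out.append(Created(date, time, None if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
    return out

def split_path(path: str):
    parts = path.replace("/", "\\").split("\\")
    return parts[:-1], parts[-1]  # (directory components, file name)

def looks_random(stem: str) -> bool:
    """Heuristic (assumption): digit-only names, no vowels, a very low vowel
    ratio in a long name, or a run of five or more consonants."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return stem.isdigit()
    vowels = sum(c in VOWELS for c in letters)
    if vowels == 0 or (len(letters) >= 7 and vowels / len(letters) < 0.2):
        return True
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5

def triage_created(entries: List[Created]) -> List[Finding]:
    findings = []
    for e in entries:
        if e.size is None:
            continue  # directories are not triaged here
        dirs, name = split_path(e.path)
        stem, ext = os.path.splitext(name)
        ext, dirs_l = ext.lower(), [d.lower() for d in dirs]
        reasons = []
        if len(dirs_l) == 1 and dirs_l[0].endswith(":") and (ext in EXEC_EXT or ext == ""):
            reasons.append("file written to the drive root")
        elif dirs_l[-1] == "windows" and ext in EXEC_EXT:
            reasons.append("executable image written directly into the Windows directory")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding(e.path, f"{e.date} {e.time}", reasons))
    return findings

def triage_bho(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        m = BHO_RE.match(raw.strip())
        if not m:
            continue
        name, clsid, path = m.groups()
        dirs, fname = split_path(path)
        stem, _ = os.path.splitext(fname)
        reasons = []
        if name.strip().lower() == path.strip().lower():
            reasons.append("BHO has no display name (name is just the DLL path)")
        if dirs and dirs[-1].lower() == "system32" and looks_random(stem):
            reasons.append("BHO DLL in system32 with random-looking name")
        if reasons:
            findings.append(Finding(path, "CLSID {" + clsid + "}", reasons))
    return findings

def report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        lines.append(f"{f.context}  {f.path}")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(triage_created(parse_created(CREATED_LAST_30)) + triage_bho(PSEUDO_HJT)))
```

The heuristics are deliberately loose: they surface the cluster of files created within the same three minutes as the macro program's install, and the unnamed BHO, while leaving threed32.ocx, Msghoo32.ocx, comctl32.ocx and libssl32.dll alone. A hit is a prompt to look closer (hash the file, check its signature and vendor), not a conviction, which is why the script reports reasons rather than a verdict.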

#2 fenzodahl512


  • Members
  • 6,738 posts

Posted 16 January 2009 - 01:01 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512


  • Members
  • 6,738 posts

Posted 26 January 2009 - 06:39 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
