
No Internet Access due to a virus called hacktool.rootkit



#1 lenyc
Posted 06 September 2005 - 03:54 PM

Hi, I have a situation here where I can't seem to get internet access. A virus has popped up under Symantec called hacktool.rootkit. I tried deleting the hpdriver.sys file that the virus was supposedly attached to, in safe mode. When I rebooted the machine, the virus came back up.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:30 PM, on 9/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
e:\allaire\coldfusion\bin\cfserver.exe
e:\allaire\coldfusion\bin\cfexec.exe
e:\allaire\coldfusion\bin\CFRDSService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
e:\HAHTsite\webapps\bin\hsradmin.exe
e:\HAHTsite\webapps\bin\hscontrol.exe
e:\HAHTsite\webapps\bin\hsredir.exe
C:\WINNT\System32\cba\pds.exe
e:\HAHTsite\webapps\bin\hsadmsrv.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ntfrs.exe
E:\oracle\ora81\bin\dbsnmp.exe
E:\oracle\ora81\BIN\TNSLSNR.exe
e:\oracle\ora81\bin\ORACLE.EXE
e:\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\scmsm32.exe
C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
E:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
e:\HAHTsite\webapps\bin\hsrexec.exe
e:\HAHTsite\webapps\bin\hsserver.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\Profiles\Administrator\Desktop\HijackThis.exe

O1 - Hosts: 156.80.190.55 pebbles.ndac.bah.com
O1 - Hosts: 156.80.190.57 ndac.bah.com
O1 - Hosts: 156.80.190.54 skypad.ndac.bah.com
O1 - Hosts: 156.80.190.59 nameserver
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ndac.bah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{65ECFA21-31CB-4F4B-9BD1-740D5C5375C5}: NameServer = 156.80.190.55
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ndac.bah.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ndac.bah.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Cold Fusion Application Server - Allaire - e:\allaire\coldfusion\bin\cfserver.exe
O23 - Service: Cold Fusion Executive - Allaire - e:\allaire\coldfusion\bin\cfexec.exe
O23 - Service: Cold Fusion RDS - Allaire Corporation - e:\allaire\coldfusion\bin\CFRDSService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ArcSde Service(esri_sde) (esri_sde) - Unknown owner - E:\ArcGIS\ArcSDE\ora8iexe\bin\giomgr.exe
O23 - Service: HAHTsite 5.0 Background (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hsradmin.exe
O23 - Service: HAHTsite 5.0 Controller (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hscontrol.exe
O23 - Service: HAHTsite 5.0 Foreground (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hsredir.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\System32\cba\pds.exe
O23 - Service: MapXBroker Service (MapXBrokerService) - Unknown owner - e:\Program Files\MapInfo\MapXtreme\program\mapxbroker.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServicePEBBLES - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceSKYPAD8 - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SCSMS32 (SCSMS) - Unknown owner - C:\WINNT\scmsm32.exe
O23 - Service: Disk Management Service (vxsvc) - VERITAS Software Corp. - C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
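As an added example, not part of the thread or of HijackThis itself: a small Python triage script for the O23 service lines of a log in the format posted above. The sample lines are constructed (modelled on the log above) and the heuristics only mark entries that deserve a closer look; they are not a verdict on any entry.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log posted above.
SAMPLE_LOG = (
    "O1 - Hosts: 156.80.190.55 pebbles.ndac.bah.com\n"
    "O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{65ECFA21-31CB-4F4B-9BD1-740D5C5375C5}: NameServer = 156.80.190.55\n"
    "O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\DefWatch.exe\n"
    "O23 - Service: SCSMS32 (SCSMS) - Unknown owner - C:\\WINNT\\scmsm32.exe\n"
    "O23 - Service: VNC Server (winvnc) - Unknown owner - E:\\Program Files\\ORL\\VNC\\WinVNC.exe\" -service (file missing)\n"
)

# Every HijackThis entry starts with a section tag such as O1, O4, O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 body layout: "Service: <name> - <owner> - <path and arguments>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(text):
    """Return a list of (section, body) tuples, one per 'Onn - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (section, reason, service name) for O23 entries worth a second look.

    Heuristics (constructed for this example): no publisher recorded, service
    binary reported missing, and a binary sitting directly in the Windows
    root directory rather than under System32 or Program Files.
    """
    findings = []
    for section, body in parse_entries(text):
        if section != "O23":
            continue
        m = SERVICE_RE.match(body)
        if not m:
            continue  # unexpected layout; leave it for manual review
        owner, path = m.group("owner"), m.group("path")
        reasons = []
        if owner == "Unknown owner":
            reasons.append("no publisher recorded")
        if "(file missing)" in path:
            reasons.append("binary missing")
        if re.match(r"^[A-Za-z]:\\WINNT\\[^\\]+$", path, re.IGNORECASE):
            reasons.append("binary directly under Windows root")
        for reason in reasons:
            findings.append((section, reason, m.group("name")))
    return findings
```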

#2 Grinler
    Lawrence Abrams
Posted 09 September 2005 - 08:33 AM

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.