Help With Virus Named Hacktool


10 replies to this topic

#1 vplehtinen

Posted 11 November 2005 - 08:51 AM

Hi.

Before I had detected the virus itself, Windows had warned me that my system is infected.
It automatically installed SpyAxe antispyware software. I thought it was free because it was already installed, but it just shows me what malicious files I have on my computer, and when I try to fix them, it shows me the payment options.
Not fair, but anyhow, it classified the hacktool as "favorites hijacker". Well, I uninstalled SpyAxe because I already have Norton and antispyware tools. And Windows keeps warning me with an annoying yellow "Your computer is infected!" box in the lower right corner of the screen, that I can't get rid of. And if I restart Windows, it installs SpyAxe again.

Then I ran a Norton full system scan, and it detected some 31 other small viruses of which 30 it deleted and 1 trojan went to quarantine. But Windows still kept warning me that my system is infected. That's how I realised that I should update my Norton and its virus definitions so it can detect the virus. So I updated it.

I scanned the system again, and it found a virus named "Hacktool" (not "Hacktool.Rootkit" or any other variation, just Hacktool, according to Norton). And the file it had infected was "csrss.exe" and it was located in here:
c:\Windows\system\driver\

So I guess it isn't the original, important Windows csrss file that's located in system32, but just a virus with the same filename. Anyway, I can't delete it manually and Norton could do nothing to it, even up to date.

What should I do?

Thanks in advance.
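
The observation in the post above, that a csrss.exe outside system32 is not the genuine Windows file, can be turned into a simple location check. The following Python code is an added example, not part of the original thread; the watched-name table, the function names and every sample path except the one quoted from the post are assumptions made for illustration.

```python
import ntpath

# Watched system binary names -> sub-directories of the Windows root where the
# genuine file lives (assumed baseline for this example; extend as needed).
EXPECTED_SUBDIRS = {
    "csrss.exe": ("system32",),
    "lsass.exe": ("system32",),
    "services.exe": ("system32",),
    "winlogon.exe": ("system32",),
    "svchost.exe": ("system32", "syswow64"),
}


def normalize(path):
    """Apply Windows path rules: unify separators, collapse '..', ignore case."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def find_masquerades(paths, system_root=r"C:\Windows"):
    """Return (original_path, actual_directory) for watched names found
    outside their expected directory."""
    root = normalize(system_root)
    findings = []
    for raw in paths:
        directory, name = ntpath.split(normalize(raw))
        subdirs = EXPECTED_SUBDIRS.get(name)
        if subdirs is None:
            continue  # not a name this check watches
        allowed = {ntpath.join(root, sub) for sub in subdirs}
        if directory not in allowed:
            findings.append((raw, directory))
    return findings


# Constructed sample listing; only the second path comes from the post above.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\csrss.exe",           # genuine location, odd casing
    r"c:\Windows\system\driver\csrss.exe",      # path reported in the post
    r"C:\Windows\System32\..\Temp\lsass.exe",   # '..' hides the real directory
    r"C:\Program Files\Tool\notepad.exe",       # unwatched name
]

if __name__ == "__main__":
    for path, directory in find_masquerades(SAMPLE_PATHS):
        print(f"SUSPICIOUS: {path} (resolved directory: {directory})")
```

A hit from this check only says the file name and location do not match; it does not identify what the file is, so the scanner results discussed in the thread are still needed.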



#2 Joshuacat

Posted 11 November 2005 - 09:22 AM

:thumbsup: vplehtinen.
I recommend you follow the steps below:

1.) Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2.) Run a couple of on-line scans.

Trend Micro's online virus scanner
Panda ActiveScan

3.) Please download/install/update/configure and perform a scan with Spybot Search & Destroy and AdAware.

Follow all the instructions in the following tutorials:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

You could also run the Ad-aware and Spybot scans within safe mode. Additional instructions on how to do this can be found here: How to start Windows in Safe mode.

If none of the above helped...

You could post a HijackThis log in our HijackThis Logs and Analysis forum.
Before you do, please read the instructions in the Preparation Guide for use before posting a HijackThis Log

Please be patient while a member of the HJT team has a chance to look at your log.

It may take several attempts until your log is clean.

Good luck.

:flowers:
JC

#3 stidyup

Posted 11 November 2005 - 09:33 AM

Here are some other tools to consider:

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here: lpt***.zip. Remember to extract the contents of the zip file into the same folder as Sysclean.com

or

DrWeb CureIT

or

KASFX which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your HDDs and give you a log file to review afterwards:

SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt

Also try installing and running A2 Free and Ewido

#4 vplehtinen

Posted 11 November 2005 - 10:13 AM

> :thumbsup: vplehtinen.
> I recommend you follow the steps below:
>
> 1.) Go to start > run and type: cleanmgr and click ok.
> Let it scan your system for files to remove.
> Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
> Press OK to remove them.
>
> 2.) Run a couple of on-line scans.
>
> Trend Micro's online virus scanner
> Panda ActiveScan
>
> 3.) Please download/install/update/configure and perform a scan with Spybot Search & Destroy and AdAware.
>
> Follow all the instructions in the following tutorials:
>
> Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
> Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
>
> You could also run the Ad-aware and Spybot scans within safe mode. Additional instructions on how to do this can be found here: How to start Windows in Safe mode.


1) What does the above have to do with getting rid of the Hacktool I have in my computer? I know where it's located, the only thing I have to do is delete that csrss.exe.
2) I already have Ad-Aware and Spybot S&D and I've run them. They didn't detect that Hacktool, Norton did, so it's probably more of a virus and not spyware.

Do you have a program or method I can use to actually delete the file?

#5 Joshuacat

Posted 11 November 2005 - 04:05 PM

You mentioned above that you found 30 viruses, and they were deleted, and had 1 trojan that went to quarantine. You ran the scan again (after doing a manual update) and found Hacktool.

That was the reason I suggested that you run the automated virus and spyware scans. I always throw in the Spyware scans in there since you can't be sure what else might be on a computer. Plus, you mentioned SpyAxe. This product is on the Rogue/Suspect Anti-Spyware Products & Web Sites list.

If you try the scanners in #2 above, you may be able to remove it, and whatever else you may have on your computer automatically. You could also try running a full scan with your anti-virus from within safe mode. Symantec also recommends the same thing as quoted below:

> Symantec Security Response suggests that if your Symantec antivirus product detects Hacktool (or variations such as Hacktool.Spammer or Hacktool.Flooder) that you just delete it. If you see a message that it cannot be deleted, it may be running in memory. In this case, restart the computer in Safe mode, run a full system scan, and delete the threat when it is detected. All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.


Personally, I don't like getting into anything beyond the automated fixes outside of the HijackThis Logs and Analysis forum. Like I mentioned, if nothing mentioned above works, you can always post a log in the HijackThis Logs and Analysis forum. Just make sure you follow the steps in the preparation link provided above.

Good luck,

Edited by Joshuacat, 11 November 2005 - 04:06 PM.

JC

#6 vplehtinen

Posted 11 November 2005 - 05:08 PM

Thank you. I'll do what u told me to do.

I just discovered myself that I was stupid to think it was Windows that warned me of the infection - it was most probably the infection (hacktool) itself that warned me of itself, as a part of SpyAxe advertising. And about the payment options, they thought they'd make good money for doing nothing but harm.

EDIT: Just a minute ago an exclamation mark with a yellow triangle on the back popped up to the lower right corner of the toolbar, saying something like: "System has detected 3 or more spyware on your computer".
I clicked on it and it took me to www.spytrooper.com. Is that another one of those rogue/suspect anti-spyware tools?

Edited by vplehtinen, 11 November 2005 - 05:13 PM.


#7 vplehtinen

Posted 11 November 2005 - 05:35 PM

Oh god. Not good at all.

I'm doing that panda scan - it's about 10% done, and already 12 viruses (all disinfected), 4 spyware, 1 hacking tool and 1 suspicious file. When the beeep I wonder they came to this computer?? I've had my firewall on at all times. Good riddance then.

I'm going to sleep now. Yeah I'm from Finland.

#8 Joshuacat

Posted 11 November 2005 - 06:16 PM

Yes, there appears to be a lot more going on here.
I would post a log within the HijackThis Logs and Analysis forum in the morning after you read this.

As you can imagine, our volunteer team is extremely busy fighting malware, so please be patient.

Please make reference to this topic in your post. I will watch for your post.

Take care,

Edit: Make sure that you mention the SpyAxe issue. It appears that this has become an issue in the last 3 days.

Edited by Joshuacat, 11 November 2005 - 07:36 PM.

JC

#9 vplehtinen

Posted 12 November 2005 - 02:01 AM

Okay, that Panda has done its scan. Disinfected: 120 of 123 viruses. Not disinfected: 7 spyware, 1 hacking tools, 1 dialer, 4 suspicious files.

They say that before posting a log, I should do all possible scans and then post a log of those malware that I just can't get rid of. Right?

If so, I should do BitDefender online scan, then safemode scans with ad-aware and spybot s&d, and norton too.

Edited by vplehtinen, 12 November 2005 - 02:07 AM.


#10 Rimmer

Posted 12 November 2005 - 03:06 AM

Anything you scan and remove will be one more thing our team of expert volunteers (such as Joshuacat) don't have to instruct you to remove. It makes the whole process more efficient if you remove as much as you can before posting. :thumbsup:

Soltek QBIC, Pentium 4 3.0GHz, 512MB RAM, 200GB SATA HDD, ATI Radeon 9600XT 256MB, Netgear 54Mb/s WAP, ridiculously expensive Satellite Broadband
Windows XP Home SP2, Trend Micro Internet Security, Firefox, Thunderbird, AdAwareSE, Spybot S&D, SpywareBlaster, A-squared Free, Ewido Security Suite.

#11 vplehtinen

Posted 12 November 2005 - 03:13 AM

> Anything you scan and remove will be one more thing our team of expert volunteers (such as Joshuacat) don't have to instruct you to remove. It makes the whole process more efficient if you remove as much as you can before posting. :thumbsup:


Yeah. Now I'm done with ad-aware, spybot and norton. Norton found that hacktool virus and deleted it - but it didn't remove the SpyAxe issue. I'll do that log thing now.



