TechSpot

8 Steps completed-hacktool.rootkit!inf virus - clean logs?

By haygod
Jul 10, 2009
  1. Hi,
    I had Koobface.B and my Symantec could not get rid of it so I used Malwarebytes and it seemed to get rid of it, but then it would detect a "hacktool.rootkit!inf". It has been a couple of days now since I have seen the warning. I have gone through the 8 steps and I am no longer getting the warning. So maybe your guide cleared things up. One other warning I got after the hacktool virus was for a Backdoor Trojan, but the symantec said it took care of that one. I have cleared several problems before using forum help, but I have never posted logs, so go easy on me. Here are the logs. Let me know if you need any more info.

    Thanks,

    Glenn

    Attachments: mbam-log-2009-07-08 (02-35-08).txt, attachment 50478, attachment 50479
     
  2. Bobbye (Helper on the Fringe)

    You have a DNS Changer infection, among other things.

    You will need to reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

    Please do that now.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Attach the new Mbam log and Combofix report to your next reply.
    I would also like to see the log from a full system scan with the AV program.
     
  3. haygod (TS Rookie, Topic Starter)

    Well, I don't mind the time I spend working on my computer, but I hate working on my router. When I first got it I spent days trying to get it to work, and while waiting outside an AT&T store I went in with little expectation of resolving my problem, but the guy filling in that day was an IT guy. He showed me how to wire my Linksys wrong by not using the internet port and plugging the wires into slots 1 & 2, and bam, it worked, until my house lost power and I had to reset everything again. Now several months later I could not remember right away how to set it up, so after a couple of days I would get it working again. Then several months later I would lose power and I would go through the frustrating process again. Finally I went back determined to set it up like Linksys said. After about a week I got it, and it stays running now even after a power loss. So my question is this: I set up my router to port forward so my son could play Rome Total War on the desktop. Could this have anything to do with it? I believe you may be onto something, because I cannot access my modem at 192.168.1.254. All seems well currently with both the desktop and my laptop. I thought my DSL company used a random DNS? I don't fully understand that whole process. I just want to make sure before I go through this headache again. I have the Linksys WRT54GS router and the Westell C90-610030-06 modem/router.

    Thanks,

    Glenn
     
  4. Bobbye (Helper on the Fringe)

    When you get the DNS Changer malware, it changes the IP of the router. You have to reset it. I outlined the steps for you. While they might seem excessive, they are not and you should be able to follow each step.

    You cannot access 192.168.1.254 because you're being sent to a site in the Ukraine. Until that is resolved, the system isn't going to work.

    Can you believe I found a youtube video on resetting the router?!
    http://www.youtube.com/watch?v=tzDbbEWXVEk


    That should make you more confident.

    And for the future make note of the information found in these sites. No need to let a router scare you off!
    From Broadband Reports:
    Information about Port Forwarding vs Port Triggering: HERE

    Using Port Forwarding> Configuring the two together HERE:

    I would discontinue the Port Forwarding for now. And you are resetting the router, not doing the initial configuring as the first time you connected to it. I had both Linksys and D-Link routers. Each of them had a Quick Setup sheet which made it very easy to do the initial setup.

    Occasionally, you will need to power cycle the router. This clears the memory. Just disconnect the power from both the router and the modem, wait about 10-20 seconds, reconnect.

    It's too bad you got off to a bad start due to someone's inexperience.

    The information and screen shots here should help you to overcome that 'dread' should you have to configure the Westell again:
    http://www.broadbandreports.com/forum/r18725730-Modem-Cant-set-bridge-mode-Westell-C9061003006
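The advice above is that a DNS Changer infection redirects lookups by swapping the resolvers a machine uses. A quick way to check for that on the affected laptop is to compare the DNS servers reported by `ipconfig /all` against the resolvers the LAN should be using. The script below is an added example written for this thread, not a tool either poster used; the two adapters in `SAMPLE_IPCONFIG` are constructed, the allow-list of `192.168.1.1` (assumed Linksys default) and `192.168.1.254` (the Westell address mentioned in the thread) is an assumption for this network, and `203.0.113.7`/`203.0.113.8` are documentation-range placeholders standing in for whatever rogue resolvers the malware set.

```python
"""Flag DNS resolvers in 'ipconfig /all' output that are not on an allow-list.

Added example for this TechSpot thread, not part of any tool the posters ran.
Feed it a saved copy of `ipconfig /all` (ipconfig /all > dns.txt) or run it
as-is against the constructed sample below.
"""
import ipaddress
import re
import sys

# ASSUMPTION for this example: the resolvers a clean machine on this LAN
# should be handed. 192.168.1.1 is the usual Linksys WRT54GS LAN address;
# 192.168.1.254 is the Westell modem address from the thread.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("192.168.1.254"),
}

# Constructed sample output. 203.0.113.x is a documentation range used here as
# a placeholder for rogue resolvers; it is not a real DNS Changer address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.101
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

_ADAPTER_LINE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)", re.IGNORECASE)
_CONTINUATION = re.compile(r"^\s+(\S+)\s*$")   # extra servers, one per line


def _to_ip(token):
    """Parse an address token; drop IPv6 zone suffixes, skip junk."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [ip_address, ...]} from ipconfig /all output.

    ipconfig prints the first resolver on the 'DNS Servers' line and any
    further resolvers indented on the lines that follow it.
    """
    result = {}
    adapter = None
    collecting = False
    for line in ipconfig_text.splitlines():
        m = _ADAPTER_LINE.match(line)
        if m:
            adapter = m.group(2).strip()
            result.setdefault(adapter, [])
            collecting = False
            continue
        m = _DNS_LINE.match(line)
        if m and adapter is not None:
            ip = _to_ip(m.group(1))
            if ip is not None:
                result[adapter].append(ip)
            collecting = True
            continue
        if collecting:
            m = _CONTINUATION.match(line)
            ip = _to_ip(m.group(1)) if m else None
            if ip is not None:
                result[adapter].append(ip)
                continue
            collecting = False
    return result


def find_unexpected_resolvers(servers_by_adapter, allowed=EXPECTED_RESOLVERS):
    """Return [(adapter, ip_str)] for every resolver not on the allow-list."""
    return [(adapter, str(ip))
            for adapter, servers in servers_by_adapter.items()
            for ip in servers if ip not in allowed]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IPCONFIG
    for adapter, ip in find_unexpected_resolvers(parse_dns_servers(text)):
        print(f"UNEXPECTED resolver on '{adapter}': {ip}")
```

Any adapter that reports a resolver outside the allow-list after the router has been reset is a sign the machine (or the router's DHCP settings) still hands out the malware's DNS servers, which is the situation that stops 192.168.1.254 from being reachable.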
     
  5. haygod (TS Rookie, Topic Starter)

    Ok, I reset the router and the modem about 100 times today and I could not access the internet until I pulled out a file I printed out on how to configure my Westell modem and Linksys WRT54GS Router, and now I am back online. Now I think I can restore my computers quickly the next time I have a problem. Now, my question is this: my original problem originated on my laptop and I have been sending you logs from it. Last night before I started fixing things I thought about which computer is infected to cause my DNS problem. So I updated my desktop MBAM and ran it and it came up with 3 registry problems and it cleaned them. What log do you need? One from my laptop or my desktop? And where do I need to run Combofix?

    Thanks,

    Glenn
     
  6. Bobbye (Helper on the Fringe)

    It is so confusing when someone tries to have multiple computers handled in the same thread!

    This thread is for your laptop in Post #1. I want the Combofix report and a new HijackThis log from the same computer. IF the router has been set, run Combofix and a new HJT.

    IF you want the desktop checked, please start a separate thread. Run the initial three programs on it and attach logs to THAT thread.

    You can reference this thread: http://www.techspot.com/vb/topic130822.html#post773494
    that will be a reminder that the router has been reset.

    I tried doing two systems on the same thread and we all ended up getting confused!
     
  7. haygod (TS Rookie, Topic Starter)

  8. Bobbye (Helper on the Fringe)

    Trusted Zone: fedex.com\*.scd-vip.fw
    Trusted Zone: fedex.com\omni

    Please reopen HijackThis to 'do system scan only'
    Check each of the following if present:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    Close all Windows except Hijack This and click on 'Fix Checked.'

    Please UPDATE and run Malwarebytes again. Attach new log.

    There are two entries showing in the Combofix log. Are you using one or both of these:
    c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    and
    c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl


    You have ports open in the firewall to allow both of these. IF using, leave. If not, uninstall.
    earthlink totalaccess

    Rerun HijackThis after Malwarebytes and attach new log with Mbam log.

    Are you having any system problems? What?
    Have the original problems been resolved?
     
  9. haygod (TS Rookie, Topic Starter)

    Ok, I deleted the AOL loader and the earthlink totalaccess. Ran HJT, MBAM, and HJT again. MBAM found a worm, Koobface. I deleted it, restarted, and here are the logs.

    Attachments: attachment 50699, attachment 50700
     
  10. Bobbye (Helper on the Fringe)

    Not gone yet. There is an excellent, but lengthy, removal post here on TechSpot. I'd like you to print it out and follow it. Note the comment that "interesting that only those with Norton are getting this"!

    Obviously something is still going on as most of the HJ entries are gone! Where is the rest of the Hijack This log?

    Everything between the two following entries is missing:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    ??????????????
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


    The size difference between the two logs is:
    1. First log: End of file - 6905 bytes
    2. Current log: End of file - 989 bytes


    So go for this: How to remove Hacktool.Rootkit
    http://www.techspot.com/vb/topic34006.html

    When you have finished, attach any available logs for review. Hopefully that will get it all.
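Two of the checks made in this thread, spotting O2/O3 entries that point at "(no file)" (post 8) and noticing that a HijackThis log has shrunk from 6905 to 989 bytes (post 10), are mechanical enough to script. The following is an added example written for this thread, not part of HijackThis or anything the posters ran. `SAMPLE_LOG` is constructed from the entry types quoted in the thread; the "Example Helper" line with its all-zero CLSID and `helper.dll` path is a placeholder for a normal, present BHO, and the 50% size ratio in `looks_truncated` is an assumed threshold.

```python
"""Triage a HijackThis log: orphaned BHO/Toolbar entries and truncated logs.

Added example for this TechSpot thread, not part of HijackThis or any tool
the posters ran. SAMPLE_LOG is constructed from entry types quoted in the
thread; the 'Example Helper' entry and its all-zero CLSID are placeholders.
"""
import re
import sys

# HJT entry lines look like "O2 - BHO: name - {CLSID} - path" or "R1 - ...".
_ENTRY = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample log (abridged; a real log carries many more sections).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:00 AM, on 7/14/2009

Running processes:
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\\Windows\\system32\\DRIVERS\\xaudio.exe
"""


def parse_entries(log_text):
    """Return [(code, body)] for every 'Oxx - ...' style entry in the log."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def orphaned_entries(entries):
    """O2 (BHO) and O3 (Toolbar) entries whose DLL no longer exists.

    These are the '(no file)' leftovers the helper asks to 'Fix Checked':
    registry references to a component that has already been removed.
    """
    return [(code, body) for code, body in entries
            if code in ("O2", "O3") and body.endswith("(no file)")]


def clsid_of(body):
    """Extract the {GUID} from an entry body, upper-cased, or None."""
    m = _CLSID.search(body)
    return m.group(0).upper() if m else None


def looks_truncated(current_bytes, previous_bytes, min_ratio=0.5):
    """True when a new log is far smaller than the last one from the same PC.

    A log that shrinks from thousands of bytes to a few hundred usually means
    the paste was cut off, not that the machine got cleaner.
    """
    return previous_bytes > 0 and current_bytes < previous_bytes * min_ratio


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    entries = parse_entries(text)
    print(f"{len(entries)} entries parsed, {len(text.encode())} bytes")
    for code, body in orphaned_entries(entries):
        print(f"orphaned {code}: {clsid_of(body)}  <- {body}")
```

Run against the log quoted in post 8 it lists the three "(no file)" CLSIDs the helper asked to fix, and `looks_truncated(989, 6905)` reproduces the size check from post 10 that flagged the second log as incomplete.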
     
  11. haygod (TS Rookie, Topic Starter)

    I have done above.

    I ran Sysclean and it reset a lot of stuff. My desktop changed the wallpaper and now I have two desktop.ini files on my desktop. I guess this was my old wallpaper and screen saver? I ran Rootkit Revealer and it found some problems and I did not know how to deal with them, so I closed it. I cannot find any logs for it. I ran Apropos Fix, but it did not support Vista. I ran Gromozon, but it did not run. I ran HJT and no programs were running that it said to remove. So here is the latest HJT file and the Sysclean file. One thing to ponder. After the Sysclean run my Outlook would not work, so we called Bellsouth/AT&T and reset the password. The laptop worked fine until I ran HJT and tried getting to techspot.com. It would connect to Yahoo, but not my mail or techspot. That was with IE. I tried Mozilla and it came up with a downloaded application page. It said the app was already downloaded and gave a button to accept or uninstall, but neither worked. I closed the window and I am now on Mozilla posting this. Now IE will go to techspot. Problem?

    Glenn

    Attachments: attachment 50845, attachment 50846, attachment 50847
     
  12. Bobbye (Helper on the Fringe)

    I'm going to get someone to help you go through a program for the Rootkit. The Avenger is a superb program, but it is also a powerful one. I haven't had enough experience to take you through it.

    Since nothing was done by way of cleaning with the programs you ran, please do a System Restore ONLY to a date right before you ran:
    Sysclean
    Rootkit Revealer
    Apropos Fix
    Gromozon

    Hang in there, okay?
     