TechSpot

Can't Remove Hacktool.Rootkit

By gavinbremner
Oct 11, 2005
  1. Hi,

    I am new to these forums. I found them while doing a search to remove the hacktool.rootkit virus which I am halfway there with. I could do with some help. Norton first started telling me there was a virus in the following file:
    C:\Documents and settings\gav\msdirectx.sys

    Through looking about on the internet I found out that using a hex editor to edit the .exe in the file stops the virus running correctly so I could gain access to the internet again. I have now downloaded and run HijackThis and have pasted the results from the scan below. Could anyone help me please to finish off this nasty little virus as I'm not too sure what to do now and I don't want to go messing about with the registry myself.

    Thanks
    Gavin Bremner


    Log file report:
    Removed!
    Read: How to post your Hijackthis log-files as an attachment.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  3. mstreeter

    mstreeter TS Rookie

    RealBlackStuff - I'm having the same problem as gavin, but your tutorial (which I have tried to follow, and which has helped me a lot so far) doesn't mention msdirectx.sys. I'm not sure what to do. Also infected by Hacktool.Rootkit, according to Norton, are a batch of Dc1051.sys, Dc1048.sys, Dc1056.sys, etc. files.
     
  4. gavinbremner

    gavinbremner TS Rookie Topic Starter

    Here is the attached log file

    Hi,

    Still having problems with hacktool.rootkit. I followed your instructions, but Norton is still picking up the virus in
    C:/Documents and settings/gav/msdirectx.sys

    I have attached the hijackthis log file and I would appreciate any help if possible.

    I also have spyware doctor which has picked up a sdbot virus. Could do with some help removing this also.

    Thanks
    Gavin
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    First Read: Use these HJT-instructions when asked
    The text underneath goes between the dotted lines of that post.
    ...................................................................................................
    /P/S/ O4 - HKLM\..\Run: [win32 update service] svchostt.exe <<== WATCH SPELLING!
    /P/ O4 - HKLM\..\Run: [xwtwj] C:\WINDOWS\xwtwj.exe
    /P/ O4 - HKLM\..\Run: [elos] C:\WINDOWS\elos.exe
    O4 - HKLM\..\Run: [seli] C:\WINDOWS\elos.exe
    O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\elos.exe
    O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe
    O4 - HKLM\..\RunOnce: [win32 update service] svchostt.exe
    O4 - HKCU\..\Run: [win32 update service] svchostt.exe
    O4 - HKCU\..\RunOnce: [win32 update service] svchostt.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    Fix ALL your O16 - DPF: entries
    Unless these IP-numbers are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CA9891CD-2F7E-46EC-97FC-2B2C18EC5DDE}: NameServer = 194.72.0.98 194.74.65.68
    ...................................................................................................
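    A small triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the checks the post above works through to constructed log lines: O4 autoruns whose executable imitates a Windows process name (svchostt.exe), the same program registered under several O4 names (elos.exe), O15 Trusted Zone additions, and O17 name servers outside the set the user knows to be their ISP's. The lookalike name set and the expected-resolver list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample from the entries quoted above, plus one benign O4 line (mobsync.exe).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [win32 update service] svchostt.exe
O4 - HKLM\\..\\Run: [xwtwj] C:\\WINDOWS\\xwtwj.exe
O4 - HKLM\\..\\Run: [elos] C:\\WINDOWS\\elos.exe
O4 - HKLM\\..\\Run: [seli] C:\\WINDOWS\\elos.exe
O4 - HKLM\\..\\Run: [:C=e] C:\\WINDOWS\\elos.exe
O4 - HKCU\\..\\Run: [Synchronization Manager] mobsync.exe
O15 - Trusted Zone: *.media-motor.net
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CA9891CD-2F7E-46EC-97FC-2B2C18EC5DDE}: NameServer = 194.72.0.98 194.74.65.68
"""

# Assumed set of Windows process names that malware commonly imitates with a one-letter change.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services"}

def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text, expected_dns=()):
    """Return (line, reason) pairs; expected_dns = resolver IPs known to be the ISP's (assumed input)."""
    findings, by_command = [], defaultdict(list)
    for line in log_text.splitlines():
        if m := re.match(r"O4 - .*?: \[(.*?)\] (.+)$", line):
            cmd = m.group(2)
            exe = cmd.split("\\")[-1].lower().removesuffix(".exe")
            by_command[cmd.lower()].append(line)
            if exe not in SYSTEM_NAMES and any(edit_distance(exe, s) == 1 for s in SYSTEM_NAMES):
                findings.append((line, f"executable name imitates a Windows process: {exe}.exe"))
        elif m := re.match(r"O15 - Trusted Zone: (.+)$", line):
            findings.append((line, f"site added to IE Trusted Zone: {m.group(1)}"))
        elif m := re.match(r"O17 - .*NameServer = (.+)$", line):
            rogue = [ip for ip in m.group(1).split() if ip not in expected_dns]
            if rogue:
                findings.append((line, "NameServer not in expected set: " + ", ".join(rogue)))
    # The same program under several autorun names ([elos], [seli], [:C=e]) is a persistence pattern.
    for cmd, lines in by_command.items():
        if len(lines) > 1:
            findings.append((lines[0], f"{cmd} registered under {len(lines)} O4 entries"))
    return findings
```

Entries that look ordinary, such as xwtwj.exe here, are still left for a human to check against the rest of the log; the script only surfaces the patterns the post calls out.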
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    MSTREETER

    As I said in that post, HJT does NOT show that msdirectx.sys or any other .sys files.

    I have NO solutions, other than the one in that post, sorry.

    As an aside, ONLY people who run NAV seem to be hit by this rootkit!
     
  7. gavinbremner

    gavinbremner TS Rookie Topic Starter

    I think that's it at last.

    Real Black Stuff,

    I can't thank you enough for that information. The virus seems to be gone now. Have done a full system scan with Spyware Doctor and Norton and they both came back clean.

    Thanks Again

    Gavin
     