Can't Remove Hacktool.Rootkit

Status
Not open for further replies.

gavinbremner

Hi,

I am new to these forums. I found them while doing a search to remove the hacktool.rootkit virus which I am halfway there with. I could do with some help. Norton first started telling me there was a virus in the following file:
C:\Documents and settings\gav\msdirectx.sys

Through looking about on the internet I found out that using a hex editor to edit the .exe in the file stops the virus running correctly so I could gain access to the internet again. I have now downloaded and run HijackThis and have pasted the results from the scan below. Could anyone help me please to finish off this nasty little virus as I'm not too sure what to do now and I don't want to go messing about with the registry myself.

Thanks
Gavin Bremner


Log file report:
Removed!
Read: How to post your Hijackthis log-files as an attachment.
 
RealBlackStuff - I'm having the same problem as gavin, but your tutorial (which I have tried to follow, and which has helped me a lot so far) doesn't mention msdirectx.sys. I'm not sure what to do. Also infected by Hacktool.Rootkit, according to Norton, are a batch of Dc1051.sys, Dc1048.sys, Dc1056.sys, etc. files.
 
Here is the attached log file

Hi,

Still having problems with hacktool.rootkit. I followed your instructions, but Norton is still picking up the virus in
C:/Documents and settings/gav/msdirectx.sys

I have attached the hijackthis log file and I would appreciate any help if possible.

I also have spyware doctor which has picked up a sdbot virus. Could do with some help removing this also.

Thanks
Gavin
 
First Read: Use these HJT-instructions when asked
The text underneath goes between the dotted lines of that post.
...................................................................................................
/P/S/ O4 - HKLM\..\Run: [win32 update service] svchostt.exe <<== WATCH SPELLING!
/P/ O4 - HKLM\..\Run: [xwtwj] C:\WINDOWS\xwtwj.exe
/P/ O4 - HKLM\..\Run: [elos] C:\WINDOWS\elos.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\elos.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\elos.exe
O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe
O4 - HKLM\..\RunOnce: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [win32 update service] svchostt.exe
O4 - HKCU\..\RunOnce: [win32 update service] svchostt.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
Fix ALL your O16 - DPF: entries
Unless these IP-numbers are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA9891CD-2F7E-46EC-97FC-2B2C18EC5DDE}: NameServer = 194.72.0.98 194.74.65.68
...................................................................................................
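
The fix list above singles out `svchostt.exe` for its spelling and shows several Run values pointing at the same `elos.exe`. The following Python is an added example, not part of the thread and not HijackThis code; it applies both checks to the O4 lines, and `KNOWN_SYSTEM`, `summarize_autoruns` and `edit_distance` are assumed names chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the O4 lines of the fix list, /P/ and /S/ markers removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [win32 update service] svchostt.exe
O4 - HKLM\..\Run: [xwtwj] C:\WINDOWS\xwtwj.exe
O4 - HKLM\..\Run: [elos] C:\WINDOWS\elos.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\elos.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\elos.exe
O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe
O4 - HKLM\..\RunOnce: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [win32 update service] svchostt.exe
O4 - HKCU\..\RunOnce: [win32 update service] svchostt.exe
"""

# Assumption: a short reference list of genuine Windows image names.
KNOWN_SYSTEM = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$", re.MULTILINE)
IMAGE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance using one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def summarize_autoruns(log):
    """Group O4 entries by image name; record value names, keys, lookalikes."""
    report = defaultdict(lambda: {"names": set(), "keys": set(), "mimics": None})
    for m in O4_RE.finditer(log):
        hive, key, name, cmd = m.groups()
        found = IMAGE_RE.search(cmd)
        image = (found.group(1) if found else cmd).lower()
        entry = report[image]
        entry["names"].add(name)
        entry["keys"].add(f"{hive}\\{key}")
        # A name exactly one edit away from a real system binary is a lookalike.
        entry["mimics"] = next(
            (r for r in KNOWN_SYSTEM if edit_distance(image, r) == 1), None)
    return dict(report)

if __name__ == "__main__":
    for image, e in summarize_autoruns(SAMPLE_LOG).items():
        print(image, sorted(e["names"]), sorted(e["keys"]), e["mimics"])
```

An image registered under many autorun keys, or under several unrelated value names, is worth the same scrutiny as a misspelled system name.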
 
MSTREETER

As I said in that post, HJT does NOT show that msdirectx.sys or any other .sys files.

I have NO solutions, other than the one in that post, sorry.

As an aside, ONLY people who run NAV seem to be hit by this rootkit!
 
I think that's it at last.

Real Black Stuff,

I can't thank you enough for that information. The virus seems to be gone now. Have done a full system scan with Spyware Doctor and Norton and they both came back clean.

Thanks Again

Gavin
 