TechSpot

Extremely hard hacktool.rootkit virus to remove! PLEASE help!

By cracka301
Oct 15, 2005
  1. I have a hacktool.rootkit virus on my computer that Norton can detect, but can't remove. I have found what I believe to be part of this virus, and no matter how many times I delete it in safe mode, it still comes back. This leads me to believe that I have only found an extension of the virus. The name of what I have been deleting is MSDIRECTX.SYS, and I found it in all my users' Documents and Settings folders. I really need help with this one. I am running the trojan removal program right now, but I need someone to tell me if my HijackThis log is clean or not. Please help any way you can! Any response will be greatly appreciated!
     

  2. RealBlackStuff

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /S/ Service needs to be stopped
    The text between the dotted lines underneath goes between the dotted lines of that post.
    ...................................................................................................
    /P/S/ C:\Program Files\Common Files\Windows\services32.exe

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    /P/ O4 - HKLM\..\Run: [Windows UPD] C:\WINDOWS\sys.exe
    /P/ O4 - HKLM\..\Run: [Antivirus Installer] C:\ed.exe
    /P/ O4 - HKLM\..\Run: [stratas] lockx.exe
    /P/ O4 - HKLM\..\Run: [System service76] C:\WINDOWS\\\etb\\pokapoka76.exe
    /S/O4 - HKLM\..\RunServices: [stratas] lockx.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [stratas] lockx.exe
    /P/S/O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-59-627-0000166.exe
    <<<<<<<< the 00166.exe may change to other numbers, stop/delete them also. >>>>>>>>>
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZC
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    Fix ALL your O16 - DPF: entries
    ...................................................................................................


    For these O10 entries:
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
    See Broken Internet access with xxx.dll.

    Then post a new log.
     
  3. cracka301

    is my computer really clean? (attached hijackthis log)

    I just cleaned out my computer using HijackThis, and I need someone to look at my HijackThis log and tell me if my system is clean. I know both the O10s need fixing, such as the missing file and broken internet connection, but I need to get around something to get to the site to download the removal program. Any help would be greatly appreciated! Thanks!
     

     
  5. RealBlackStuff

    We do not like you to open a new thread unnecessarily. Continue with the same thread until the problem is solved, please.

    These still need looking after:
    ...........................
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yoursearchspace.com/sp2.php
    /P/ O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
    /P/S/ O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    /P/S/ O23 - Service: QGGUVKGP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jared\LOCALS~1\Temp\QGGUVKGP.exe
    .................
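    The two replies above work through the log by hand: a /P/ or /S/ marker says what to stop first, and the rest is the reviewer's eye for a Run entry with a bare filename, a binary living in a Temp folder, an oddly doubled backslash, a dead "(file missing)" reference, or a broken LSP chain. The script below is an added example written for this page (it is not the thread's code and not part of HijackThis); it parses O4/O9/O10/O23 lines in the HijackThis format, keeps the thread's /P/ and /S/ stop-markers, and applies those same triage heuristics so the pattern can be checked against a whole log instead of line by line. The flag names and the heuristics are my own; the sample lines are constructed from entries quoted in the replies, plus the Bonjour service as a known-good line.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: entries quoted in this thread (with the /P/ and /S/ markers
# the replies use), plus one legitimate service line to show what does NOT get flagged.
SAMPLE_LOG = r"""
/P/ O4 - HKLM\..\Run: [Windows UPD] C:\WINDOWS\sys.exe
/P/ O4 - HKLM\..\Run: [Antivirus Installer] C:\ed.exe
/P/ O4 - HKLM\..\Run: [stratas] lockx.exe
/P/ O4 - HKLM\..\Run: [System service76] C:\WINDOWS\\\etb\\pokapoka76.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
/P/S/O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-59-627-0000166.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
/P/S/ O23 - Service: QGGUVKGP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jared\LOCALS~1\Temp\QGGUVKGP.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

MARK_RE = re.compile(r"^/((?:[PS]/)+)\s*")                       # "/P/", "/S/", "/P/S/"
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")  # "O4 - ..."
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<vendor>.+?)\s+-\s+(?P<path>[A-Za-z]:\\.*)$")
O9_RE = re.compile(r"^Extra [^:]+:\s+(?P<name>.+?)\s+-\s+\{")


@dataclass
class Entry:
    section: str                                   # HijackThis section, e.g. "O4", "O23"
    raw: str                                       # the line without its /P/ /S/ markers
    marks: Set[str] = field(default_factory=set)   # "P" = stop process, "S" = stop service
    name: Optional[str] = None                     # Run value name / service name / button name
    path: Optional[str] = None                     # command line or binary path, if present
    flags: List[str] = field(default_factory=list) # triage hints assigned by triage()


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis-style lines; prose and dotted separators are skipped."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        line = line.strip()
        marks: Set[str] = set()
        m = MARK_RE.match(line)
        if m:
            marks = {c for c in m.group(1) if c in "PS"}
            line = line[m.end():]
        lm = LINE_RE.match(line)
        if not lm:
            continue
        e = Entry(lm.group("sec"), line, marks)
        body = lm.group("body")
        if e.section == "O4" and (m4 := O4_RE.match(body)):
            e.name, e.path = m4.group("name"), m4.group("cmd")
        elif e.section == "O23" and (m23 := O23_RE.match(body)):
            e.name, e.path = m23.group("name"), m23.group("path")
        elif e.section == "O9" and (m9 := O9_RE.match(body)):
            e.name = m9.group("name")
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach the heuristic flags a reviewer applies by eye (hints, not verdicts)."""
    for e in entries:
        p = e.path or ""
        low = p.lower()
        if "(file missing)" in e.raw or "(no file)" in e.raw:
            e.flags.append("dead-reference")        # nothing to stop; just fix the entry
        if e.section == "O10" and "Broken Internet access" in e.raw:
            e.flags.append("broken-lsp-chain")      # repair the Winsock chain, do not plain-delete
        if e.section == "O4" and low.endswith(".exe") and "\\" not in p:
            e.flags.append("bare-filename")         # e.g. lockx.exe: resolved via PATH, location hidden
        if "\\\\" in p:
            e.flags.append("doubled-backslash")     # e.g. C:\WINDOWS\\\etb\\pokapoka76.exe
        if "\\temp\\" in low:
            e.flags.append("runs-from-temp")        # persistent binary in a Temp folder
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", low):
            e.flags.append("drive-root")            # e.g. C:\ed.exe: an .exe dropped at the drive root
        if e.section == "O23" and e.name and re.fullmatch(r"[A-Z]{8}", e.name):
            e.flags.append("random-service-name")   # 8 uppercase letters, like QGGUVKGP
    return entries


def action(e: Entry) -> str:
    """Turn the thread's markers into the order of operations the reply prescribes."""
    steps = []
    if "P" in e.marks:
        steps.append("stop process")
    if "S" in e.marks:
        steps.append("stop service")
    steps.append("fix entry in HijackThis")
    return ", then ".join(steps)


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name or '-':<22} flags={e.flags} -> {action(e)}")
```

    Flags are hints for the human reviewer, not verdicts: a file in Temp can be a legitimate installer, a bare filename can be a vendor quirk, and a driver that keeps reappearing, like the MSDIRECTX.SYS the original poster describes, does not show up in these lines at all, which is why the replies have the process or service stopped before the entry is fixed rather than the file deleted first.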
     