TechSpot

Hacktool and Hacktool.Rootkit (8 Steps Completed)

By phoenix115
Feb 28, 2009
  1. Hi everyone,

    My computer has been infected with the "Hacktool" virus as well as the "Hacktool.Rootkit" virus. I have been doing some research online about the removals of the two viruses and came across this site. Experts, I need your help! These 2 viruses are driving me crazy. Here is my description of the situation:

    I use Norton Antivirus. The results of the Norton scan indicates:

    Hacktool
    Affected Area:
    2 Files
    2 Services
    1 Browser Cache

    Hacktool.Rootkit
    Affected Area:
    1 File
    1 Service
    1 Browser Cache

    Every single time I restart my computer and run a Norton scan, the 2 viruses are detected again. Norton prompts me to restart my computer and says that the 2 viruses are "fully removed" yet the next time I restart my computer, they come back again. Upon looking at the security log for Norton, the Details section indicates:

    Hacktool
    c:\windows\system32\drivers\qh3s.sys
    c:\windows\system32\drivers\jsdpp32.sys

    Hacktool.Rootkit
    c:\windows\system32\drivers\oxauau96.sys

    Does this mean that these are the locations of the viruses? If Norton "removed" them, why do they come back after I restart my computer?

    (Also, I currently have System Restore turned off; I read on some websites that this should be done to prevent the virus from coming back. I hope I didn't make the wrong decision. > <")

    I came across TechSpot yesterday and saw someone else with the similar virus problem. I followed the instructions in that thread and completed the 8 steps. I repeated each step twice. The newest Malware log indicates that no malware is found. The SuperAntiSpyware indicates no infections as well. I have attached both logs as well as the HijackThis log.

    Sorry for the long post. Please help me remove these 2 viruses for good. Thank you for your time and expertise. Your help is greatly appreciated.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    OK Boot to Safe Mode with Networking and do the below.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stop then delete the service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    :: The above reg commands first unload the reg keys then delete these keys.
    ::
    attrib -h -s -r tdss*.* /s
    del /f /q /s tdss*.*
    :: The above two lines first clear protective attributes then
    :: delete all files on the drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s /q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    :: Paths containing spaces must be quoted or the command sees two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del /f /q "c:\program files\xwdxqu.txt"
    del /f /q c:\windows\x
    del /f /q c:\windows\SxsCaPendDel
    
    :: The three drivers named in the Norton log
    attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
    attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
    attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys
    
    del /f /q c:\windows\system32\drivers\qh3s.sys
    del /f /q c:\windows\system32\drivers\jsdpp32.sys
    del /f /q c:\windows\system32\drivers\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: The service is registered as gaopdxserv.sys (see the Services key below)
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    :: Deleting a single value under a key needs /v, otherwise reg deletes the whole Run key
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations again in case anything above re-hooked them
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal ignore.

    Then Run MBAM Quick Scan
    then SAS Quick Scan
    Attach logs!

    Then still in Safe Mode do the below.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: SDFix will reboot to Normal you may run ComboFix from there!
    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
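    The first post asks why the three drivers come back after every reboot. A driver file alone does nothing at startup; it is a kernel-driver service entry with a boot or system start type that reloads it. The PowerShell below, added here as an example and not part of the thread or of any tool it names, checks each driver name from the Norton log for exactly that pairing: a file in the drivers folder plus a service entry that points at it. It assumes the XP-era paths used in the thread and an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): for each driver Norton named, report whether the
# file is still on disk and whether any entry under the Services key would reload it.
$suspects = @('qh3s.sys', 'jsdpp32.sys', 'oxauau96.sys')   # names taken from the Norton log in post 1

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverServiceReferences {
    param([string]$FileName)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # Match a service named after the driver (TDSSserv.sys style) or one whose ImagePath loads it
        if ($_.PSChildName -ieq $base -or $_.PSChildName -ieq $FileName -or
            $image -imatch ('\\' + [regex]::Escape($FileName) + '$')) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $image
                Start     = $props.Start   # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
                Type      = $props.Type    # 1 = kernel driver, 2 = file-system driver
            }
        }
    }
}

foreach ($name in $suspects) {
    $path   = Join-Path $driverDir $name
    $onDisk = Test-Path -LiteralPath $path
    $refs   = @(Get-DriverServiceReferences -FileName $name)

    Write-Host "== $name =="
    Write-Host ("  file present in drivers folder : {0}" -f $onDisk)
    if ($refs.Count -eq 0) {
        Write-Host "  no service entry references it"
    } else {
        foreach ($r in $refs) {
            Write-Host ("  service '{0}'  Start={1}  Type={2}  ImagePath={3}" -f `
                $r.Service, $r.Start, $r.Type, $r.ImagePath)
        }
    }
    # File on disk plus a Start 0/1 service entry is the combination that reloads the driver at boot;
    # deleting the file without the service entry (or the reverse) leaves the other half to be recreated.
    if ($onDisk -and $refs.Count -gt 0) {
        Write-Host "  -> still set to load at startup; removing the file alone is not enough"
    }
}
```

    The thread's advice to work from Safe Mode applies here too: a kernel rootkit can hide its own files and service keys from a running system, so an empty report taken in Normal mode is not proof that the drivers are gone.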
  3. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike~

    Thank you for your detailed response.
    I am not very good with computers so I was wondering if you can further explain these instructions for me. Thank you for your patience in advance. ^_^

    >>Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Do you mean to select all of what's in the box and copy it?

    >>Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    What is an open command prompt? Where on the computer do I go for this?...sorry

    >>This should run and exit!
    After pasting the text, everything will automatically "run and exit"?


    Thanks again for your help!

    Oh, and can I download SDFix now? or do I have to do it in Safe Mode?

    And does it matter what account I log into when I'm restarting to get to Safe Mode?

    Thanks again!


    Sorry...one more question...
    Do you need the new logs done with the computer in Safe Mode or Normal?
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    That is exactly what I meant highlight and copy all in the box!

    Start Run
    type
    cmd click OK

    Command prompt opens

    Left click once anywhere inside the black screen to make it active, then rt click and paste. It will run and close!

    Go to next step.

    You do know how to enter Safe Mode, right?

    Mike
     
  5. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Yes sir~
    I do know how to get to Safe Mode. ^^

    Thank you for your quick reply. Be back with logs as soon as I finish.

    Hi!
    I am currently running in Safe Mode with Networking.
    I just pasted the code in the command window but it didn't close.

    It says

    sc stop TDSSserv.sys
    DOS/32A -- Protected Mode Run-time Version 7.2
    Copyright Supernar Systems Ltd, 1996-2002

    at the bottom of the window. Did something go wrong? Or do I close the window and proceed with the next steps?

    The following message just popped up:

    C:\windows\system32\cmd.exe-sc stop tdssserv.sys
    NTVDM has encountered a system error
    The service did not respond to the start or control request in a timely fashion.
    Choose 'Close' to terminate the application.

    Any idea what went wrong? I will try the command again. > <
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Nope don't try again! Abort out and continue with the other steps.

    Something really has its claws in!

    Start here: This should run and exit!

    Mike
     
  7. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Sorry for the messages...I just wanted to report whatever I see.

    After the message above popped up and "Close" was clicked, the bottom of the command window says the following:

    OCAL_MACHINE\SOFTWARE\tdss"/f
    The system cannot find the path specified.
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.*/s


    Edit:

    Hi Mike, Thank you for your quick response. I didn't see your post before posting the message. I will continue from the step you instructed. Thank you again!
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Cancel close command prompt and continue with the next steps.

    Mike
     
  9. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike~

    I followed your instructions; here are my logs.

    The SDFix Report was too big to upload, so I split the report into two separate files (SD1 and SD2) and will post them in the next reply because I reached the upload limit.


    Thanks again!

    Here are the SD Logs.

    Thanks!
     
  10. Squiggly1

    Squiggly1 TS Rookie Posts: 44

    What do you mean by "come back"? Do you mean that when you run a virus scan, Norton finds it again? Or do you get an error window at start up, such as a missing file error? Sometimes these anti-virus programs don't remove all of the registry files (AKA orphan registry files), but otherwise the computer runs fine. Just making sure.

    You might try typing in the name of the virus on Google and stumble upon a manual removal method.

    Also just curious how you caught this virus? Do you know? LimeWire?
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Good morning Phoenix

    Four steps below all to be done in Safe mode networking.

    Step 1
    ---------------------------------------------------------------------------------------------------------------------------------------------------
    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) at the END of the line ONLY at the end and...

    Step 2
    --------------------------------------------------------------------------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "During cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Step 3

    Another run indicated!
    OK there were found/removed items in ComboFix and SDFix so we need to run again as the first run likely exposed things that were not even seen the first time.

    Run the below in order given below

    ComboFix
    SDFix

    Attach logs first then do the below!

    Step 4
    ----------------------------------------------------------------------------------------------------------------------------------
    Go here Download DrWeb http://www.techspot.com/vb/post724044-3.html

    Boot to Safe Mode only! Not with Networking.

    DrWeb will first do an Express Scan on its own; when it completes, then do a full scan.

    The first Virus it finds select Cure and do the same for all the rest.

    This will take hours but is your best chance at this point!

    Mike
     
  13. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Good morning Mike! Again, thank you for your help. I will start with your instructions right away.


    @Squiggly:

    Yes, every single time I restart my computer and run a Norton scan, the scan detects and "fully removes" the 2 viruses again.

    Hi Mike,

    I have some questions:

    The ATF Cleaner doesn't have a Registry option. I just clicked "Select All" (the options were mainly temporary files). Is this ok?

    And I tried to create a System Restore point in Safe Mode with Networking mode but it said that there was not enough free space and at least 200 MB was needed. However, I have 16GB of free space. Initially, I thought that this had to do with how I turned off System Restore earlier. I checked under System-System Restore and it said C drive was suspended. I rebooted my computer and am now in Normal mode. I checked System Restore and C drive says Monitoring. Do you know what happened? How can I create a restore point as you instructed in the Safe Mode With Networking mode?

    Since I am in normal mode again, do I have to repeat the steps I've already done earlier in Safe Mode with Networking mode again?

    Thank you again!
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    No you do not have to repeat.

    Create SR point in Normal mode.

    No it is CCleaner that has the registry clean option.

    But run all else in Safe mode!

    Mike
     
  15. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike

    Here are my logs. Again, the SD logs are split into 2.

    Also, before seeing your post, I was trying the steps again. When I was in Safe Mode with Networking Mode, I did not receive the same message about System Restore as before. However, when I opened the System Restore Wizard, the option of creating a restore point was not available. I created a Restore Point in Normal mode after the computer rebooted from the SDFix scan finish.

    I am working on your last step right now. Please let me know what to do next.
    Thanks so much!
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    The DrWeb scan has now become critical!

    Will check in in the morning.

    Goodnight,
    Mike
     
  17. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike~

    I ran Dr. Web 3 times since last night and the results indicate that my system is clean. I am going to restart my computer now and run in Normal mode. I will then run a Norton scan to see if it picks up the 2 viruses again. Will let you know what happens asap.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    You mean the results were clean on each run??

    Get me the log..

    DrWeb Log
    Paste the following line to the run command
    Code:
    %USERPROFILE%\DoctorWeb\CureIt.log
    Post it!

    And no need yet to run it in Normal mode!

    Mike
     
  19. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike, I interrupted my last DrWeb scan so I am running a scan in Safe Mode now. I will attach a log as soon as the scan finishes. The first scan picked up on 7 or 8 things including SDFix and ComboFix (archive includes infected objects). I was prompted to move some things. Also, at the end of the scan, I moved the incurables. (Was I supposed to delete them? ><) The scan apparently "moved" ComboFix as it is no longer on my desktop and the folder under Program Files is empty. The 2nd and 3rd scans did not find anything. Btw, I ran Norton under Normal mode (didn't see your post in time) and the 2 viruses were detected, "fully removed" and the computer was prompted to restart again. T.T I am on my phone right now; apologies for my typing. Will keep checking back for your instructions. Thanks!
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, the SDFix and ComboFix are false positives; they only look like malware to DrWeb.

    Move is good you can always put moved items back if they are in fact good.

    Good on the "fully removed".

    Mike
     
  21. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Huh? No Mike, it's not good. That means the problem has not been resolved; it is the same as before... Norton auto-detects Hacktool and Hacktool.Rootkit and automatically scans. The results of the scans are what I indicated in my first post. Norton claims that the viruses have been "fully removed" and prompts me to restart the computer. Yet the same process REPEATS after the computer restarts. This is the problem that needs to be fixed; I need the 2 viruses to be removed permanently and not come back once I restart the computer. The DrWeb scan is almost over. Will post the log asap.
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    No, what I said was that if moved then that was a safe option, "good".

    Depends on where they are; I need to see the log. If they are in a Quarantine folder or System Volume Information then they are isolated and we can clean them. Or they are being found in the Moved files by DrWeb (which is a quarantine folder).

    If they are attached only to an application like say "Wordpad.exe" then we can handle it but if in the Windows system then we have more work to do.

    This is why I need all logs. Get me the Norton.

    Mike
     
  23. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Hi Mike, sorry I misunderstood. What part of the CureIt log do you need? The entire log is around 16 MB; it is way too big to upload.

    I realized why the log file is so big; it is the log of all the scans.
    I have saved the log file onto my desktop and deleted it in the DrWeb location.
    I am going to run a scan again in Safe Mode. Hopefully the log file will only document the newest scan.
     
  24. phoenix115

    phoenix115 TS Rookie Topic Starter Posts: 17

    Mike...the new log is about 14 MB...still too big.

    What should I do? What part of the log do you need to look at?
     
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    OK describe briefly what it did.

    Mostly cured? Moved?

    Then run MBAM SAS quick scan and post logs.

    Followed by a ComboFix log.

    Mike
     
Topic Status:
Not open for further replies.
