Hacktool.Rootkit and Infostealer.Gampass on my company Dell Laptop

By nihongobrit
Jan 13, 2007
  1. Hi, first time poster.. Howard seems to be a born carer, you are an Angel, but can you help me too...

    I have Symantec Antivirus running constantly, but today I got a note that a virus had been detected: Hacktool.Rootkit, located in: C:\Doc&Settings\bmcqueen\Local Settings\Temp file, with the filename: s9domd9.dll. Worried, I performed a manual scan, to find two other files infected with Infostealer.Gampass, with locations as follows:

    Filename: dlyy.dll located: C:\WINDOWS\system 32\ and the other...
    Filename: rundl132.exe located in: C:\WINDOWS\...

    I tried to clean, quarantine and delete these numerous times, but access is denied. I downloaded and ran HijackThis and include the file: naturally worried about how to remove these, and why I got them in the first place if Symantec is constantly running.

    I saw the rundl.exe in the log. Why didn't the other come up? Lastly, and this is perhaps most frightening, I checked the Symantec File System Realtime Scan Statistics, and it tells me since 1/9/07 285077 files had been scanned and 6648 are infected, and both numbers rise each time I look.

    Gulp! Help???!!
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello nihongobrit and welcome to TechSpot.

    You need to read this thread: If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Depending on what you use your computer for, you may want to reformat instead of cleaning it.

    Now, only do the following, if you have read the above thread and decided to clean your system.

    You are apparently infected with the W32/Looked-A virus. I see no sign of anything else, but a rootkit might hide some stuff. I see from your log that you are running HijackThis from a temporary folder and that you have not renamed HijackThis. First of all, go into C:\Program Files, and make a new folder named HijackThis. Take the HijackThis file, cut it from its current location, and paste it into C:\Program Files\HijackThis (the folder you just created). Then rename the HijackThis.exe file to HijackThis1991.exe. That's because some malware can hide from hijackthis.exe.

    Now, have HJT fix the following entry (if there):

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\rundl132.exe

    Go into the Windows Task Manager, go to the "Processes" tab, and end the process for (if there):

    rundl132.exe <-- not to be confused with the legitimate Windows process rundll32.exe

    Search your computer for the following file(s) and delete all instances of them:

    rundl132.exe <-- copy and paste this filename into the search text box so as not to spell it wrongly.

    Now post a fresh HJT log, after following my first instructions on moving and renaming HJT.

    Cheers :)

    This thread is for the use of nihongobrit only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
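The UserInit entry quoted in the post above is the key indicator in this thread: on a clean system that Winlogon value names only userinit.exe, and every extra program listed there starts with each logon. The following script is an added example, not code from any participant in this thread; it parses an HJT-style "F2 - REG:system.ini: UserInit=" line and flags entries that are misplaced copies of real Windows binaries (svchost.exe outside system32) or look-alike names (rundl132.exe imitating rundll32.exe). The expected-path table and the edit-distance threshold are assumptions for the example.

```python
import re

# Assumed clean value of the Winlogon UserInit key on Windows XP (lower-cased for comparison).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Legitimate binaries that malware often imitates, with the folder the real copy lives in.
LEGIT = {
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}

# Constructed sample: the HJT line posted in this thread.
SAMPLE_LINE = (r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
               r"C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\rundl132.exe")


def parse_hjt_f2_userinit(line):
    """Return the comma-separated program paths of an HJT F2 UserInit entry, or None."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line.strip())
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_entry(path):
    """Label one UserInit entry: expected, misplaced, lookalike or unexpected."""
    low = path.lower()
    if low == EXPECTED_USERINIT:
        return "expected"
    directory, _, name = low.rpartition("\\")
    if name in LEGIT and directory != LEGIT[name]:
        return "misplaced"        # real file name, but not in its real folder
    for legit in LEGIT:
        if name != legit and edit_distance(name, legit) <= 2:
            return "lookalike"    # e.g. rundl132.exe vs rundll32.exe
    return "unexpected"           # anything else listed in UserInit deserves a look


def audit_userinit(line):
    """Map each program in the UserInit entry to its classification ({} if not an F2 line)."""
    entries = parse_hjt_f2_userinit(line)
    return {} if entries is None else {e: classify_entry(e) for e in entries}


if __name__ == "__main__":
    for path, verdict in audit_userinit(SAMPLE_LINE).items():
        print(f"{verdict:10s} {path}")
```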
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Do not fix anything with HJT yet. This is because you're running HJT from the wrong location, and also because we need to have you do some other stuff first.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of nihongobrit only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. nihongobrit

    nihongobrit TS Rookie Topic Starter

    Hey guys,

    Thanks for your help. I followed the instructions, renamed the file, ran it, looked at the log, FIXed the file, then searched for the rundl file again, didn't find anything.

    Ran the HJT again and the log is included, how am I doing now?

    Interestingly, overnight I closed down my Laptop, and when I woke up in the morning in sunny Tokyo, Symantec had now Quarantined the rundl132.exe file and the DLYY.DLL file (strangely this time written in CAPS). Is this important?

    Looking forward to a clean PC bill of health!

    Thanks, nihongobrit
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very important: Please rename and place HJT in its proper location as per the instructions HERE.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

    Windows Media Player <-- This is not the genuine WMP.

    Close control panel.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\Program Files\Windows Media Player <-- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of nihongobrit only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.