TechSpot

Hacktool.rootkit!inf

By jthomas
Jun 28, 2009
  1. Hi,

    I have been having trouble with the virus Hacktool.rootkit!inf. My AV is Symantec Endpoint Protection. Every time I start up my computer the AV detects this virus but unfortunately cannot take any action. As suggested by one of your threads, I have run the Aproposfix and HJT software. I will have the logs attached for both these checks. Please suggest if there is anything I can do to completely remove this malware without hurting my system.

    Thanks,
    Jthomas
     
  2. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Hi, please complete the 8 steps so that we may continue.

    From your HJT log, I see some issues with your hosts file. Please do the following:

    Download HostsXpert from the link in my signature.

    1. Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    2. Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
    3. Click “Make Hosts Writable?” in the upper right corner (If available).
    4. Click Restore Microsoft’s Hosts file and then click OK.
    5. Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Aside from that, your HJT log looks clean to me. If you suspect that you have a rootkit, I would download GMER (from the link in my signature), do a scan (you have to actually click scan, ignore the first results it brings up) and then save a log, and upload it like you did with the hijackthis one.

    Thanks. :)
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    An alternate path based on the HijackThis log only-so far:
    As was suggested, it would be best if you used the Steps in the Virus and Malware Removal thread here: http://www.techspot.com/vb/menu6.html

    Before you do the scans, you will need to temporarily disable the Real Time Protection as follows:
    SYMANTEC ENDPOINT PROTECTION
    Right click on the icon in the taskbar notification area & select "Disable Symantec EndPoint Protection".

    When you have finished, attach the three logs. We will review all of them and see if additional programs are needed.

    The Host files are for Internet Data-Center IDC in the Ukraine. This is a rogue site that infects the system with the DNS Changer.

    You will need to reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    1. Shut down your computer, and any other computer connected to your router.
    2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    3. Unplug the router. Wait sixty seconds.
    4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    5. With the router unplugged, start your computer. Run MBAM again.
    6. Connect to the router again. Then turn the router back on.
    7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    Update Java:

    Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 14 ): http://java.com/en/download/manual.jsp
    Please install it and then reboot your computer.

    Remove the older versions of Java:
    1. Click Start, Control Panel, Add/Remove Programs.
    2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 14

    Please do a full system scan with your antivirus program, save the log and attach it to next reply.
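    The reply above attributes the HJT hosts-file findings to a DNS Changer infection. The following script is an added illustration (not from this thread or from HostsXpert) of what such an audit looks like in code: it parses a Windows-style hosts file and flags any hostname that is mapped to a routable address rather than to the local machine. The sample hosts contents, the `.test` domain names and the 203.0.113.7 address are constructed for the example.

```python
"""Audit a Windows-style hosts file for entries that redirect hostnames
away from the local machine (the trace a hosts/DNS hijacker leaves behind).
Added example; not the code of any tool mentioned in the thread."""
import ipaddress
import os
from typing import Dict, List, Tuple

# Constructed sample: the first two entries are the Windows defaults,
# the 203.0.113.7 lines mimic injected redirections, and the 0.0.0.0 line
# is an ordinary ad-blocking entry that must NOT be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- injected entries (constructed for this example) ---
203.0.113.7     www.example-bank.test
203.0.113.7     update.example-av.test  # trailing comment is ignored
0.0.0.0         ads.example.test
"""

# Hostnames that legitimately resolve to the local host.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (address, [hostnames], line_number) for each active entry,
    skipping blank lines, comment lines and trailing '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry; nothing to audit
        entries.append((fields[0], fields[1:], lineno))
    return entries


def is_local_address(addr: str) -> bool:
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets,
    i.e. entries that keep traffic on the box or black-hole it."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not a valid IP; the caller will flag it
    return ip.is_loopback or ip.is_unspecified


def find_redirections(text: str) -> List[dict]:
    """Flag entries that send a non-local hostname to a routable address."""
    findings = []
    for addr, names, lineno in parse_hosts(text):
        if is_local_address(addr):
            continue
        hijacked = [n for n in names if n.lower() not in LOCAL_NAMES]
        if hijacked:
            findings.append({"line": lineno, "address": addr, "names": hijacked})
    return findings


def group_by_target(text: str) -> Dict[str, List[str]]:
    """Collect redirected hostnames per target address; a single address
    owning many unrelated names is the typical hijack signature."""
    grouped: Dict[str, List[str]] = {}
    for f in find_redirections(text):
        grouped.setdefault(f["address"], []).extend(f["names"])
    return grouped


if __name__ == "__main__":
    # Audit the live hosts file when run on Windows, otherwise the sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for target, names in group_by_target(text).items():
        print(f"{target} <- {', '.join(names)}")
```

    Run as-is it reports the two constructed redirections grouped under 203.0.113.7 and stays silent about the localhost and 0.0.0.0 entries; on a Windows machine it reads the real hosts file instead, which is the check to repeat after a restore such as the one described above.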
     
  4. jthomas

    jthomas TS Rookie Topic Starter

    Feedback

    Hi ChrisDown:

    Thanks very much for the help. I had completed the 8 steps and everything else you had asked me to, but as I read more about the virus it occurred to me that the best option is to use a recovery disk and reboot. But thanks very much for your time and effort.

    Jthomas
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    jthomas, you have a choice.
     
  6. jthomas

    jthomas TS Rookie Topic Starter

    Feedback

    Hi Bobbye:

    Thanks for the help, but I have reinstalled the OS using the recovery disk. I have a question though. Do you feel I should still reset the router and follow the steps that you have suggested?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am very big on troubleshooting and very reluctant to advise recovery/repair/reformat/reinstall, unless nothing else will work.

    I suggest you do a new HijackThis scan and attach the log for me to review for the entries.
    Then I'll have you remove any cleaning tools still on the system.

    If you find the redirects happening, reset. Either way, follow the Java instructions. That needs to be kept up to date and the older versions uninstalled.
     
  8. jthomas

    jthomas TS Rookie Topic Starter

    Feedback

    Hi Bobbye:

    I have installed the latest version of Java like you said and have removed the older versions. As of now, there aren't any redirects.

    Attached is the HJT. Please let me know if there is anything I need to do.

    Thanks very much
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wow! Did I miss this?
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

    File sharing programs are a straight road to malware. Many of us suggest an uninstall of these P2P programs.

    There is still an earlier version of Java loading. Please check Add/Remove Programs in the Control Panel and uninstall all but Java v6u14.

    Otherwise the log is clean. If the original problem has been resolved:

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTCleanIt by OldTimer:
    Save it to your Desktop.
    Double click OTCleanIt.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

      NOTE: Empty the Recycle Bin when through.

      A NOTE: Toshiba preloads a lot of processes on the system. Many don't use most of them, many don't even know they're loading. Check out all the Toshiba processes showing in the HijackThis log. Search for what they do if you don't know and if you don't use it, uncheck on startup and uninstall in Add/Remove Programs.

      Let me know if you need more help.
     
  11. jthomas

    jthomas TS Rookie Topic Starter

    Feedback

    Hi Bobbye:

    I have done everything like you said. Everything looks fine now.

    Thanks again for all the help.

    Jthomas
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.
     
Topic Status:
Not open for further replies.
