Hacktool.rootkit / lock1.exe / xz ms-dos batch file (virus/worm?)

By Victor587
Sep 30, 2005
Topic Status:
Not open for further replies.
  1. I also have a Hacktool.Rootkit problem.. I tried following the Hacktool.Rootkit procedure stickied on this forum, but I did not have any of the aliases (javapanel.exe, taskcntr.exe, etc) I do have the file msdirectx.sys (which norton found 2 days after I realized I had a virus) and a ms-dos batch file that I accidentally downloaded (could be a separate virus/worm?) titled "xz"

    Can I have help removing this?

    edit: BTW, the attached doc. is the hijackthis log

    and sorry I didn't make a new thread.. the other forum I went on said to find one with the same topic.

    Attached Files:

  2. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    Myspace actually was my homepage since I use Firefox as my main browser.. Use IE for Symantec support and media applications.

    I wasn't able to find the process (lock1.exe under task manager). I believe it is my new firewall.. Sygate Personal Firewall

    I'll restart my pc now and come back.. thanks.

    edit: I believe lock1.exe is gone.. I have yet to restart (once more.. it had 2 startup items under msconfig and I forgot the other). But there is still the "xy" ms-dos batch file. I used Pocket Killbox to delete it, but it reappeared in a folder titled "!Submit" in my C: drive ( looks like "C:\!Submit")

    No visible problems though... I'll run some scans tonight and see if they find anything other than this xz file/lock1.
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    The lock1.exe is NOT part of Sygate, but some other nasty that will probably crop up under a different name next.

    Your problem is this:
    C:\Program Files\LimeWire\LimeWire.exe

    And copy&paste the contents of that xy.bat file here.
    Just rename that file to xy.old to stop it for the moment.
  4. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    no I meant that I thought Sygate was blocking it.. and I moved the xy file

    I can't get into Sygate anymore. I think that virus is preventing that..
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    victor,

    apart from

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    your log is clean.
  6. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    alright.. there is still that xz file though that you told me to paste in limewire
  7. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    I did what you told MSU ROX to do (for the xz file)

    It says:
    "@echo off
    @title Windows Update
    net stop "Security Center"
    net stop "Windows Firewall/Internet Connection Sharing (ICS)"
    net stop SharedAccess"

    Seems pretty self-explanatory.. the only question is how to fix it? net start/continue? And would I do it in the command prompt (cmd I think)?

    Thanks. :)
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    We have some communication problems here.
    You need to get rid of that crap program Limewire. That brings in all those bad guys!

    The other guy calls the file xy.bat, you call it xz.bat. You using a German keyboard?
    Yes the opposite commands would be net start ... given in a cmd-window.
    Or copy that file to e.g. undo.bat, change stop into start and run it.
    You need to find out what starts that xy.bat or xz.bat in registry or otherwise.
  9. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    I know, I know.. This may sound stupid but I want Limewire. And plus, I like troubleshooting my PC because I know it will help me in the long run/I get to know more, etc. Not like I'm intentionally inviting viruses into my system, just saying that it's good to know some stuff. I know more stuff now, for example, than a week ago. Sorry if this pisses you off, I really appreciate your help though.

    I am using a normal English keyboard to what I know.. It's QWERTY type which I'm sure is the default for English. And the file on my computer is titled "xz" (now xz.old) Is .bat a command prompt file?

    What about the "@echo off"? I think the "@title Security Update" just means to run those commands at security update. Just curious about echo off. And remember that it reinstalls itself if it's deleted.. I could try again using Pocket Killbox, restart, and tell you what happens.

    And Sygate is working now that I let it run at startup under msconfig (I personally turned it off to see some things)


    edit - I don't even have to restart before it pops up again, in the !Submit folder under C: drive (probably the same submit folder because we moved it to Limewire) Is something embedded in the registry?
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You need to check your Registry for any entries with xz.bat and remove them all.
    Note where it comes from, then delete the (sub)directories as well.
    Also click Start/Run and type msconfig and click OK and see if it is in there somewhere.
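The two pieces of advice above (post 8: copy the file to undo.bat and turn the stops into starts; post 10: find what launches xz.bat) put together as one batch file. This is an added example for this thread, not a file either participant posted; it assumes Windows XP SP2, an administrator cmd window, and the service display names exactly as quoted from xz.bat in post 7 (wscsvc and SharedAccess are the short service names behind "Security Center" and the firewall/ICS service).

```batch
@echo off
rem undo.bat - added example, not from the thread.
rem Part 1 reverses the three "net stop" lines quoted from xz.bat.
rem Part 2 lists the autostart locations msconfig reads, plus scheduled
rem tasks and the !Submit folder, filtered for names seen in this thread.

echo === Part 1: restart the services xz.bat stopped ===
net start "Security Center"
net start "Windows Firewall/Internet Connection Sharing (ICS)"
rem SharedAccess is the short name of that same firewall/ICS service, so this
rem line only reports "already been started" once the previous one succeeded.
net start SharedAccess

echo === Service state (STATE should read RUNNING) ===
sc query wscsvc | findstr /i "STATE"
sc query SharedAccess | findstr /i "STATE"

echo === Part 2: where is the batch file started from? ===
call :check "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :check "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
call :check "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :check "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

rem Startup folders (XP paths) and scheduled tasks can relaunch a file
rem without any Run-key entry; anything naming xz, xy, Submit or .bat is suspect.
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" 2>nul | findstr /i /l "xz xy Submit .bat"
dir /b "%USERPROFILE%\Start Menu\Programs\Startup" 2>nul | findstr /i /l "xz xy Submit .bat"
schtasks /query /fo LIST /v 2>nul | findstr /i /l "xz xy Submit .bat"

rem Confirm whether the dropper directory from post 2 is present right now.
if exist "%SystemDrive%\!Submit" (
  echo !Submit folder exists:
  dir /b "%SystemDrive%\!Submit"
) else (
  echo No !Submit folder on %SystemDrive%
)
goto :eof

:check
rem Print only the matching values under one Run key; silent if none match.
echo --- %~1
reg query "%~1" 2>nul | findstr /i /l "xz xy Submit .bat"
goto :eof
```

Rename or delete the file only after the entry that launches it is gone; otherwise it comes back in C:\!Submit, as post 9 describes.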
  11. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    Thanks.. I'm just nervous to go into the registry. That and maybe a little lazy :blush: but I'll do it.

    And how do I create a .bat file? Or do I just edit the original? <-going to try that

    I only have one question I really want you to answer.. what does "@echo off" mean? Thanks for everything. :)
  12. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    OMG I am so relieved. I installed ZoneAlarm, or probably a malicious copy, and Windows would not boot! I fixed the problem by going into safe mode and add/remove programs. I will give the website: http://www.zonelabs.com/store/conte...alm/freeDownload.jsp?dc=12bms&ctry=US&lang=en

    I'm not sure, it might be a legit file but most likely not if I can't even boot Windows. :dead: the file name is "zlsSetup_60_667_000" If you download it, it can be deleted without any problems that I can tell. Just don't install.. and if you do, do what I did. Boot in safe mode (press f8 when you hear the noise from bootup or the boot screen) and then go to Start, Control Panel, Add/Remove Programs, and remove it.

    It was common sense but I was in so much shock it took me an hour :blush:
  13. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Look at all the commands that can be put in an MS-DOS batch file (xxx.bat)
    http://www.computerhope.com/batch.htm

    Don't go experimenting, you obviously have no clue here!

    @echo off is explained there as well.

    And stay away from the resource-hogging Zonealarm firewall.
    go to http://soho.sygate.com instead, much better!
  14. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    you obviously have no clue here! lol true

    I had another scare today... but I just lost internet because my router is so bad. I am getting a D-Link when I can..

    I already have Sygate, but thanks :)

    There is no xz.bat in the registry. Do you recommend something else?

    And I deleted some things, such as Music Match (I downloaded it but didn't want it - couldn't find uninstaller) in the registry, will that harm anything? I also deleted occurrences of Zone Alarm.

    And thanks once more.
  15. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Don't get a D-Link.
    Go here and read up about routers, brands, ISPs etc.
    http://www.dslreports.com/

    And check around in the Networking and Storage forum, to see where and with what brands others have problems!

    Whatever you do, always make a backup of your registry first.
    And you better prepare for a re-install, the way you are blundering through your registry!
  16. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    music match comes up under the !Submit file, what does that mean?

    And I have it backed up through Spybot, is that sufficient?
  17. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  18. Victor587

    Victor587 Newcomer, in training Topic Starter Posts: 52

    these are my ewido scans