TechSpot

Hacktool.rootkit problem!

By Eua
Jul 21, 2005
  1. Hi, I am new to this forum and admittedly am not a technically gifted person but I recently and stupidly unwittingly downloaded hacktool.rootkit virus onto my computer. Now the pop-up ads are unstoppable. I've scanned with ad-aware, spy-bot, panda, and trend micro's house call and I still have problems. Thanks to this forum, I downloaded HJT.

    EDIT : the logfile is attached :) Thanks for the help with that.

    If anyone with more knowledge on this subject could help me out and tell me what I need to get rid of, I'd be much obliged!!! Thanks!
     


  2. Spike

    Spike TS Rookie Posts: 2,371

    Firstly, I'd like to welcome you to Techspot :D

    Secondly however, I'd like to try to politely encourage you to read the stickies relevant to your post at the top of this forum (for your own benefit as well as ours :) ). After you have done so, please edit your original post as appropriate :D

    Spike means: see How to post your Hijackthis log-files as an attachment.

    Then to this post here, and follow the instructions EXACTLY, especially about UPDATING and HJT-location.
    How to remove Begin2Search/Coolwebsearch and Other Nasties

    And post a new log.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You did NOT follow the instructions EXACTLY!
    Download & install each program in its OWN directory, NOT on your Desktop or in Temp!
    C:\Documents and Settings\Adrianne\Desktop\hijackthis\HijackThis.exe

    And this one should also have been gone by now!
    C:\Program Files\AWS\WeatherBug\Weather.exe


    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    xmconfig.exe
    Weather.exe
    palsp.exe
    eliteutj32.exe
    repcale.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\WINDOWS\EliteToolBar\

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINDOWS\system32\xmconfig.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    c:\windows\system32\palsp.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
    O4 - HKLM\..\Run: [stratas] xmconfig.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteutj32.exe
    O4 - HKLM\..\Run: [Boarddata] c:\windows\system32\repcale.exe c:\windows\system32\palsp.exe
    O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [stratas] xmconfig.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109943703937
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
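    As an added example (not from this thread and not part of HijackThis itself), a small Python checker that parses O4 autorun and R0/R1 Internet Explorer entries in the format shown between the dotted lines and flags the patterns the post singles out: a bare executable name in an autorun, the same value name registered in several Run locations, and search/start pages pointing at hosts outside an allowlist. The sample log lines and the TRUSTED_HOSTS allowlist are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, shaped like the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msu.edu/
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKCU\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [Boarddata] c:\windows\system32\repcale.exe c:\windows\system32\palsp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
# Hosts the owner recognises as their own start/search pages (assumed allowlist).
TRUSTED_HOSTS = {"www.msu.edu", "toshibadirect.com", "www.toshiba.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")

def parse_o4(line):
    # Split an O4 autorun line into hive, key, value name and the executable it launches.
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"]
    # A quoted path may contain spaces; otherwise the first token is the executable.
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "exe": exe}

def analyze(log_text):
    # Return findings for the autorun (O4) and IE-setting (R0/R1) entries in an HJT log.
    lines = [l for l in log_text.splitlines() if l.strip()]
    autoruns = [e for e in map(parse_o4, lines) if e]
    findings, locations = [], defaultdict(set)
    for e in autoruns:
        locations[e["name"]].add(f"{e['hive']}\\{e['key']}")
        # A bare file name (no directory) is resolved by PATH search at logon, so the log
        # alone does not reveal where the file lives; the 'stratas' entry above is one.
        if "\\" not in e["exe"] and "/" not in e["exe"]:
            findings.append(f"bare-name autorun: [{e['name']}] {e['exe']} in {e['hive']}\\{e['key']}")
    for name, locs in locations.items():
        if len(locs) > 1:  # same value under Run, RunServices and HKCU: redundant persistence
            findings.append(f"duplicate autorun: [{name}] in {', '.join(sorted(locs))}")
    for line in lines:
        m = R_RE.match(line)
        if m and (host := urlparse(m["data"].strip()).hostname) and host not in TRUSTED_HOSTS:
            findings.append(f"IE {m['value'].strip()} points to untrusted host {host}")
    return findings
```

    Run `analyze(SAMPLE_LOG)` to list the findings; the Boarddata entry's second path is ignored, since only the first token is treated as the launched executable.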
     
  4. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Rootkit is a tough one. Just be sure to follow ALL instructions you get. But an important note is that you need to STAY in safe mode and NOT restart until EVERYTHING says you are clean. Restarting before you are 100% clean will just reinfect you. And you'll have to start all over again.

    Download the program autoruns from www.sysinternals.com and look through that for anything fishy in your startups. They also have a program to help surface rootkits, just do a search on the home page for "rootkit" and it might give you some helpful information.

    good luck!
     
  5. Eua

    Eua TS Rookie Topic Starter

    thanks!

    Hi,

    Thank you both for your advice! It seems to have worked, though I will continue to monitor it. Sorry I didn't follow those directions exactly; I did my best, but as I said in my original post, I'm not good at these technical things.
    I'll post the new logfile from HJT in an attachment should anyone be interested in viewing it.
    thanks a TON,
    eua
     


  6. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Looks okay. You have a bunch of stuff relating to languages and such, that may not be bad to remove. Out of HJT, I notice these:

    (These TOP FOUR entries seem to have to do with various language and character things with MS Word or Office. Do a google search for each file name, such as "imjpmig.exe" to see what it is and whether you want it or not before deleting.)

    (Also note none of these are really "bad", as such, just not needed. Except weather, which has a missing file anyway. Remove as you want to.)

    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    -----------------------------

    You're welcome, and try to keep yourself clean now! Run all your new tools once a week. And if you have XP, install the Microsoft Antispyware Beta tool. Get right off their home page.
     
  7. Eua

    Eua TS Rookie Topic Starter

    thanks!

    Thanks bunches! The language stuff was intentionally added by me.
    Out of curiosity, what's up with WeatherBug? That's a program I intentionally installed and have used for about a year, but I did notice some spyware with weatherbug in its filename when running one of these programs.
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Eua,
    I've told you twice, as did Vigilante, to get rid of this damn Weatherbug!
    If you do not plan on following instructions, don't bother asking for further help!
     
  9. Eua

    Eua TS Rookie Topic Starter

    weatherbug

    Actually, I have deleted at least the main program. If I haven't gotten rid of it entirely, it's because I am still trying to figure out how (read: I need help with this stuff; that's why I posted asking for help in the first place). I greatly appreciate the help and advice you've given me, as it has saved my computer, but I don't understand the need for such a hostile reply to a simple query. I'm trying to understand the problem as well as get rid of it -- thus the questions.
     
  10. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Thus is the Pandora's box of the PC world. NO program but NO program will remove itself "entirely" from your PC using just the built-in remove function. They leave files, folders, settings, registry entries, all kinds of stuff, lying all over the place.

    Weatherbug was all spyware when it first came out, all the tools removed it. They changed the program some and tried to make themselves "not" spyware and fight the antispyware people, but they've had a bad name ever since.

    Simple fact is that computers "can" do a lot of stuff, but do they "have" to? Do you really need a weather program? Or a "clock" program? Or a program to make your icons animated? Or a program to change your mouse cursor to be horses and ducks? The best way to use a computer is to keep it CLEAN with as little extra garbage as possible. Use it for what it is meant to be used for and nothing else. Don't let the kids try to download free music and movies, 'cause there's no such thing. Don't let the wife search for free screensavers. 'Cause 99.99% of them either will load junkware or have viruses attached. Always beware of the term "free", that is rare. If you want free stuff stick to the main places like www.download.com or www.nonags.com.

    This is different from "personalizing" your PC. Change your colors, change your theme, change your screensaver, change your background. But add as few extra programs as possible. It bogs down your system, chews up your Internet connection, sends you popup ads, tracks your online activities. Better be safe than sorry.
    If it's important to have the weather then just open your browser and go to msn or something.

    I would suggest, before downloading any program, to check it out at www.spywareguide.com.

    RealBlackStuff has been around a LONG time, as his post count verifies. He has little patience for hearing the same questions and fixing the same problems for the BILLIONTH time! He just wants to GIT HER DONE!
     
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Amen to that!
    Thx for the support, Vigilante :approve:
     
     
  12. Eua

    Eua TS Rookie Topic Starter

    Thanks for the explanation, Vigilante. That helped a lot, and my compy is now weather-free. :) I understand, RealBlackStuff, that you must get frustrated with computer-illiterate people like me, but I assume you do post on this forum voluntarily and with the knowledge that we aren't all experts. If I thought asking a question would have irked you so much, I might not have asked it. Sorry if I offended you. My computer is happy once again thanks in large part to you. By the way... Guinness definitely happens to be my favorite liquid meal, lol. :)
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    In case you haven't noticed, I am a born dictator. I am not, and have never been, a 'groupie', nor am I willing to be part of any team.
    I spent my working life as an independent contractor for that very reason.
    I am by no means unsocial and have loads of friends.
    I just hate it when people rub me the wrong way by not following my advice or 'orders'.
    Every once in a while I blow up, and you just happened to be at the wrong place at the wrong time. Tough!
     
  14. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

    Indeed. I could not agree more. If necessary, have a dedicated machine for doing all sorts of crap / playing on / letting the kids on, drive image it after it's been clean installed and routinely restore from the image, wiping any crap out.

    For important stuff, like e-mail and online banking, consider buying a cheap laptop to use exclusively for these activities. Use this laptop ONLY to do these activities, never use it for surfing / playing, etc. Never install any crap on it. Sweep it for viruses and so forth more often than on your other systems.
     
  15. Spike

    Spike TS Rookie Posts: 2,371

    I've never needed a translator before :D - well once, but I was far too drunk to speak English.

    I have to agree with the not installing needless programs thing though. Personally, I've found that when you install god-only-knows-what on your machine, Windows has a nasty habit of doing unexpected things over the course of a few months of doing it.

    For example, my remote assistance is inoperable, and so I can't actually give anybody remote assistance any more. This happened not long after I decided that it was time for a re-install anyway and so it didn't really matter what rubbish I installed as long as it wasn't full of adware or the likes.

    I have a strange feeling that my remote assistance problems may be down to one or more of these programs... (see attachment)

    Needless to say, I never did get around to re-installing (I will one day). But when you have this much rubbish on your PC (not accounting for ActiveX controls, plugins, and all other rubbish), it gets kinda hard to decide what's causing a problem - particularly when the problem's somewhat obscure.
     


  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Spike,
    You only need to completely uninstall these (incl. cleaning Registry):
    AOL, KaZaa Lite and Download Accelerator.
    That should give you back remote assistance.
    There's tons of other crap, but they should not interfere...
     
  17. webadi

    webadi TS Rookie

    Hacktool.rootkit problem

    I got this hacktool virus in these files under the system32 folder: "orans.sys" and "et54fg". Norton will block access to these files so I booted to safe mode and deleted them manually, but on restarting normally, it comes back again. It's not even in the quarantine files list in Norton. Can anyone help please?
     
Topic Status:
Not open for further replies.

