Hacktool.Rootkit PROBLEMS

Status
Not open for further replies.
OK good. At least I know I'm making progress.

I tried to open up my Norton, it won't. I don't know why, but it just won't open.
So I went to use the HouseCall that you told me to go to and it told me that I cannot use Mozilla to view it, that I needed to use IE.

So I went to use IE and it said that I am not authorized to view that site.

So confused..... lol, any idea?
 
Did I mention that I downloaded that SpywareBlaster program you suggested in another post? Is that why I can't view the site? Maybe? Just a guess.
 
Scratch that. When I went in to use it with IE, it gave me the same page, that it only works with IE, even though I was running IE.
 
The "not authorized" error means the HouseCall ActiveX control is being blocked. This is normal behavior of IE security. Annoying, but nothing to worry about.

Go to this page: http://www.pcpitstop.com/testax.asp
It should pop up a box for you to accept something. Otherwise, just read the page; it will give you some insight into IE security. If a box never pops up, or the page throws an error, go to this page: http://www.pcpitstop.com/faq/security.asp
which also explains ActiveX controls and will tell you how to enable them.

And Spywareblaster would not have done this. SWB only blocks known bad things.
Norton probably doesn't work because of Safe Mode. Don't worry about that.

Lastly, if you like, and can't get housecall to work, download their offline scanner.

Download these two files into a NEW folder somewhere.
1) The engine: http://www.trendmicro.com/ftp/products/tsc/sysclean.com

2) The pattern file: http://www.trendmicro.com/ftp/products/pattern/lpt843.zip
Unzip into same folder as the engine.
Then run sysclean and let it scan. It is pretty much the same scan as if you ran it online. Same scan engine. But with this you can download and scan offline.

Good luck
 
OK, so I downloaded those two files. My Mozilla just saved them both to my desktop. Does it run the scan automatically when it is saved? Because I got this:

There are [38] new virus detected by the pattern file.
All detailed virus names please refer to the list below.

BKDR_AGENT.ER
BKDR_BEASTDOR.G
BKDR_CUK.A
BKDR_GRAYBIRD.BZ
HTML_STARTPAG.AC
TROJ_BERIUMHY.A
TROJ_DLOADER.ACB
TROJ_DLOADER.ACC
TROJ_DROPPER.LB
TROJ_FANTIBAG.C
TROJ_LOWZONES.DS
TROJ_PAKES.AD
TROJ_PAKES.AE
TROJ_PAKES.AF
TROJ_PAKES.AG
TROJ_PROXY.BX
TROJ_RANKY.FX
TROJ_SMALL.ARB
TROJ_VB.SB
TSPY_AGENT.ZH
TSPY_BANCOS.AVO
TSPY_BANCOS.AVP
TSPY_BANKER.ACJ
TSPY_BANKER.ACK
VBS_PHEL.AB
VBS_SOBER.AA
WORM_AGOBOT.AWJ
WORM_ANTINNY.AJ
WORM_RBOT.CGA
WORM_RBOT.CGB
WORM_RBOT.CGC
WORM_RBOT.CGD
WORM_RBOT.CGE
WORM_REATLE.H
WORM_SDBOT.CGC
WORM_SOBER.AA
WORM_SPYBOT.AIL
WORM_TRAXG.S

No clue what it's talking about.

I'm so sorry if I'm being a pain. I don't mean to be taking so long to get all this worked out.
 
I ran the scan.... I don't know what to write down and look for to delete. There is a very LONG list that begins with "an error occured while scanning file...blah" and "could not set file for reading on .....blah" and then at the end of that long list there are a couple of files under files detected. Do I just copy down the files detected? Or that WHOLE long list... cause that's a LOT.

BTW, the files under files detected look something like this:

It gives the copyright and report date and then the address looks like this.

c:/programfiles/commandfiles/system/mapi/1033/vscantim.bin/nbpm/s/cleanall/lappend/ld/lc/lcf/nm/nb/C:*.*

That doesn't even look familiar to me.
 
What you want to do is look at the log file when it's done scanning, and towards the end is the summary. It'll say something like "Maybe 5 viruses found total" or something to that effect. It'll say how many files were scanned and how many found, how many this and how many that. Should be easy to spot, towards the end. But somewhere there will be a line that says how many viruses were found.

The rest of the log just has notes on various files, mostly ones that couldn't be scanned or opened as you saw. Actual infected ones will be in the log as well, and will have the name of the virus at the end, such as "...infected with [virus name]" or something to that effect.

It sounds like you're about done cleaning house. As long as we confirm your two backdoors are gone, it should be safe once more. Then just decide whether you want to keep Norton and its 17 henchmen who couldn't keep any of it out.
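The log-reading advice above (skip the long run of "could not be scanned" lines, pull out the "infected with" entries, and check the summary counts at the end) as an added example, not code from the thread or from Trend Micro. The exact sysclean report layout is an assumption; the sample report below is constructed, with placeholder paths, and only models the kinds of lines the post describes.

```python
import re
from collections import Counter

# Constructed sample of an offline scanner report. The exact sysclean log
# layout is an assumption here; only the kinds of lines the thread mentions
# (scan errors, "could not set file for reading", infected files, summary
# counts) are modelled.
SAMPLE_LOG = r"""
Trend Micro Sysclean Package (constructed sample report)
Report date: 2005-10-14 21:07:13
An error occurred while scanning file C:\pagefile.sys
Could not set file for reading on C:\WINDOWS\system32\config\SAM
An error occurred while scanning file C:\hiberfil.sys
C:\Documents and Settings\jenni\Local Settings\Temp\svhost32.exe infected with BKDR_AGENT.ER
C:\WINDOWS\system32\msupd.dll infected with TSPY_BANKER.ACJ
Files scanned: 48213
Files detected: 2
Viruses found: 2
"""

# "<path> infected with <NAME>" lines are the only ones that need action.
INFECTED_RE = re.compile(r"^(?P<path>.+?) infected with (?P<virus>[A-Z0-9_.-]+)\s*$")
# Lines the thread describes as the long noisy part of the log.
NOISE_RE = re.compile(
    r"^(An error occurred while scanning file|Could not set file for reading on)\b",
    re.IGNORECASE,
)
# Summary counters near the end of the report ("Files scanned: 48213").
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)\s*$")


def parse_scan_log(text):
    """Split a scanner report into infected files, unscannable-file noise and summary counts."""
    infected = []
    unscannable = 0
    summary = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.append((m.group("path"), m.group("virus")))
            continue
        if NOISE_RE.match(line):
            unscannable += 1
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key")] = int(m.group("value"))
    # The family prefix (BKDR, TSPY, WORM, ...) says what kind of problem each hit is.
    by_family = Counter(virus.split("_", 1)[0] for _, virus in infected)
    return {
        "infected": infected,
        "unscannable": unscannable,
        "summary": summary,
        "by_family": dict(by_family),
    }


def summary_matches_detail(result):
    """True when the 'Viruses found' counter agrees with the number of infected lines parsed."""
    return result["summary"].get("Viruses found") == len(result["infected"])


if __name__ == "__main__":
    r = parse_scan_log(SAMPLE_LOG)
    print(f"{r['unscannable']} files could not be scanned (usually harmless noise)")
    for path, virus in r["infected"]:
        print(f"ACTION NEEDED: {path} -> {virus}")
    print("summary:", r["summary"], "consistent:", summary_matches_detail(r))
```

The point of `summary_matches_detail` is the sanity check a practitioner wants before declaring a machine clean: if the "viruses found" counter and the number of "infected with" lines disagree, the report was truncated or the parser missed a line format, and the log should be read by hand.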
 
From all these tribulations, I gather that Norton/Symantec is the biggest trojan/virus of them all!
Incompetent, crappy, resource-hogging bloatware! Get rid of it ASAP.

Jenni, you couldn't possibly have all those trojans on your system and Windows still running! That list must be a summary of new items the program can detect!
 
OK. So. Norton is a big bad, I got that. I haven't removed it yet because I haven't bought anything to replace it yet. I'm a college student living on a college student budget, so I have to wait. BUT. Something else is going on now too. I ran Norton last night and it found no viruses, but when I look through my files in my Windows folder, there are a handful of files that are suspicious to me with names like $MSI31Uninstall_KB893803v2$..... I know that they all say uninstall... blah blah.... You think they are viruses that maybe Norton just didn't notice cause it sucks?

And also! lol, yes more. I know.... When I start my computer up, or when I start Microsoft Word up (those are the two that I have noticed so far) two small windows pop up. The one in front saying "Norton AV 2005 does not support the repair feature. Please uninstall and reinstall." and the box behind it says, "Please wait while windows configured NAV"
They pop up three times in a row. I need to click out of them before using my computer or MW.

Whatcha think guys? I don't really want to reinstall Norton and get possible doubles of their crappy files on my comp, now! :)
 
Those $MSI31Uninstall files are safe and part of the system.
You can get the free AVG Antivirus from http://free.grisoft.com
and the free Sygate Personal Firewall from http://soho.sygate.com
Download them, disconnect your PC from the internet, UNINSTALL anything to do with Norton/Symantec (also Liveupdate, both from Add/Remove Programs).
Reboot, then first install AVG. When it says 'successfully installed' or something like that, reconnect to the web, and continue with AVG setup.
Then install Sygate.
Your PC will thank you with smoother running.
 
OK! Realblack stuff (where the hell did you think up that name, btw?), I deleted all Norton stuff and downloaded those two things you told me to.

I should be set, but how do I make sure? How do I make sure that my comp is everything-free and how do I make sure that Norton is totally gone? I want to make sure that it didn't keep any sneaky files on my comp just to slow me down and stuff. Any suggestions?

Thank you, btw, for your help.
 
So you installed AVG? Is it up to date? Run a scan with it.
You installed Sygate? Is it up to date? Make sure you allow what you know is good. And do research on the ones you don't know about.

Are Adaware, Spybot, Microsoft Beta up to date? Run a scan with them.

Usually those all give a good sign. If you like, post one last HJT log.
Run the Crap Cleaner for your temps once more.

As for Norton, I'm quite SURE there will always be remnants. But one quick way to see is click Start-Run and type msconfig and <enter>. Once in, go to the Services tab. Click the "Hide Signed Microsoft..." check box. Now take a look at what's left, any Symantec or Norton in there?
Next click the Startups tab, look through that list as well.

Then if you are really industrious, do a search for this term, exactly: symantec;norton;liveupdate;livereg Just type the whole thing in the search box. Then take a look at what it finds.
Note that some other programs may have a "Liveupdate". So just be cautious deleting any of those files. Chances are good you'll find a couple Symantec and Norton folders. And maybe a folder in the Common Files directory.

Glad it's coming to an end!
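The leftover-file search described in this post (the symantec;norton;liveupdate;livereg search, with the caution that a LiveUpdate folder may belong to some other program) as an added example, not code from the thread: a Python script that walks a folder tree for the same four terms and flags a bare LiveUpdate hit for review instead of calling it a Norton remnant. It runs against a constructed temporary tree with placeholder file names; the folder layout and the verdict labels are assumptions, and the msconfig Services/Startup check from the post is not reproduced here.

```python
import os
import shutil
import tempfile
from pathlib import Path

# The thread's exact search string, split into its four terms.
SEARCH_TERMS = "symantec;norton;liveupdate;livereg".split(";")
# As the thread warns, other programs ship their own "LiveUpdate", so a hit on
# that term alone is flagged for review rather than called a remnant.
AMBIGUOUS_TERMS = {"liveupdate"}


def classify(rel_path):
    """Return (term, verdict) for a path matching one of the search terms, else None."""
    lower = rel_path.replace("\\", "/").lower()
    for term in SEARCH_TERMS:
        if term not in AMBIGUOUS_TERMS and term in lower:
            return term, "likely remnant"
    for term in AMBIGUOUS_TERMS:
        if term in lower:
            return term, "review: other products also ship a LiveUpdate"
    return None


def find_remnants(root):
    """Walk root and report matching folders and files as (relative path, term, verdict).

    A matching folder is reported once and not descended into, since removing
    the folder covers everything under it.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            rel = Path(dirpath, d).relative_to(root).as_posix()
            match = classify(rel)
            if match:
                hits.append((rel, *match))
            else:
                keep.append(d)
        dirnames[:] = keep  # prune: os.walk only descends into what is left here
        for f in filenames:
            rel = Path(dirpath, f).relative_to(root).as_posix()
            match = classify(rel)
            if match:
                hits.append((rel, *match))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway directory tree (constructed, placeholder file names) to search."""
    root = Path(tempfile.mkdtemp(prefix="remnant_demo_"))
    for rel in [
        "Program Files/Symantec/LiveUpdate/lu_leftover.exe",
        "Program Files/Common Files/Symantec Shared/cc_leftover.exe",
        "Program Files/Norton AntiVirus/nav_leftover.dll",
        "Program Files/OtherVendor/LiveUpdate/updater.exe",  # a different vendor's updater
        "WINDOWS/system32/kernel32.dll",                      # unrelated system file
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return root


def remove_demo_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for rel, term, verdict in find_remnants(demo):
            print(f"{verdict:45} [{term}] {rel}")
    finally:
        remove_demo_tree(demo)
```

Run it against a real drive by calling `find_remnants("C:/")` and reading the list before deleting anything: the script only reports, and the "review" verdict exists precisely so that another product's updater is not removed by mistake.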
 
Nice suggestion!

Yea there were like three files left. Aside from that, no more.

I haven't downloaded Microsoft beta, and Spybot I think I deleted by mistake so I'll get those ASAP.

Everything else seems to be going well. So far. Phew.

Hope I don't jinx myself. I'll get the HJT log ASAP.

Thanks guys.
 
Well you don't really need all three, I thought you already had all of them. Adaware and Spybot are a good combo. Or maybe just AA and MSbeta. See, MSB runs in the background, so it will actively help block things in the future, so install that. And Adaware you want to manually open it, update it, and run once a week.
Spybot has the extra function of being able to "immunize" your system. So if you reinstall it, update it, click on the immunize function and do that. It will put a stop to hundreds upon hundreds of nasty sites.

And did anyone mention to start using Firefox as your Internet browser? www.mozilla.org. Simply use it for everything, then if a page you really need doesn't work, go to it in Internet Explorer instead. It's small and free and automatically blocks popups and activex controls and other things that allow junk to get on your system.

Rest easy tonight!
 
Well, I do not have Spybot or Microsoft beta-thing. I have Ewido, HJT, and Adaware, I think is what I have, oh and I have SpySweeper.

I just took my first college exam, psych, I am really nervy right now. lol, stressing.

I am going to do the HJT log, now.

I do already have Mozilla, I even got a couple of extensions and skins to personalize it. I love it. It tells me the weather for the next few days, I can control my music in the same Mozilla window and every time I open it it is a different funny name. Like right now my Mozilla says, Mozilla Thunderpanda. (instead of Firefox). Just something that makes me smile whenever I remember to look. :)

But yea, my computer seems to be running smoother than it was. (knock on wood) It's all due to you guys. Thank you so much again.

I am going to go do the hjt now.
 
Microsoft beta will not let me validate?

It said something about my ActiveX controls. It tried for me to validate a different way, it said to click on open from the site instead of downloading it to my comp but I didn't even get that option.

So I have Adaware, Spybot, SpySweeper, HJT, and Ewido. Is that good enough? Oh, not to mention AVG and AVG firewall which I haven't figured out how to enable, and the spyblaster, I think it's called? Doesn't that run without my needing to do anything?
 
You guys.....?

I don't know what to do with my HJT. Is it clean? There were a couple that I thought looked suspicious. So check it out for me please?

Thanks again.
 
So it would seem your ActiveX controls need work? That could be two things: Either they are disabled in your browser, or you need to reregister some DLLs.

Your spysweeper already runs in the background, no need for MSbeta as well. Just make sure SS appears to be working and active.

As for your log, you are clean now. But you can remove these if you like:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

No need for gatewaybiz to be your start page, change it to google or something. And you probably don't need the pcpitstop control anymore.

I suppose you already tried the ActiveX test page from PCpitstop? Maybe that is why you have that control in your HJT log. Try it again: http://www.pcpitstop.com/testax.asp

It will lead you on how to check your browser for ActiveX support in the Security Settings.
If the security settings are right, I'll have to post a batch file I made so you can register the right DLLs automatically.

Lastly, just for the heck of it, if you still want the MSBeta, or any Microsoft software and updates that need validation, do this:

Open Internet Explorer
Go to Tools and Internet Options
Click the "Programs" tab
Click the "Manage Addons" button
When the list populates, find the one called "Windows Genuine Advantage"
Click on it once, and then select the "Disable" radio button down below
Then exit out of the screens

Now you should be able to download things without the annoying validation.
 
Thanks so much. Maybe I can finally get a handle on my computer, instead of the other way around.

I HAVE THE POWER..... lol.

I have actually gotten pretty addicted to these forums, so i will still be around.

:)
 