TechSpot

Hacktool.Rootkit removal

By Prot
Oct 31, 2005
  1. Hi there!

    I have the same problem as many other it seems. Just recently got this very annoying warning coming up every 15 secs on my desktop about that Hacktool.Rootkit...

    I found your forums via Google and saw that you are able to help if I attach the HijackThis log as a txt file to a post...

    I really hope you could help me out of this mess. I've tried everything (even the free scan from Panda Software); I booted in secure mode and ran my Symantec numerous times, actually detecting the Hacktool, but it comes back. My Windows backup sys is disabled...

    This is my last attempt to fix the problem, otherwise i will format the HDD...

    BTW: Symantec AntiVirus Notification gave me 12(!!!!) more warnings about that tool while I wrote this post... :dead:
     

  2. Prot

    Prot TS Rookie Topic Starter

    Sorry for the double post...

    Maybe a short update on the situation prior to the infection to have a clearer picture of the problem: I got my connection set up last Friday. My desktop at that time was not connected to any network or the internet, purely used for entertainment purposes. A very virgin SP1 status OS from probably a year ago... I connected it to the web and before I could get the updates for my OS installed (or even downloaded) there were plenty of various trojans already on my system...

    I ran Ewido and did the scan (as described on this forum) which helped me a lot. It got rid of all nasties except one, the damn Hacktool.Rootkit... :mad:

    My OS is now on the newest updates and SP2, which took me ages to install. The hacktool slows down my system rapidly and even locks down all procedures after about 20 minutes, i.e. IE is not building up after a while and even the Task Manager doesn't pop up when I press the Ctrl+Alt+Del combo... I could not even shut my machine down and had to force it to restart...

    My knowledge of such things is very limited and I try to read myself through every possible piece of information first before I do anything to "fix" the problem. However, I think I managed to shut all open doors on my system now to prevent further infection. But my Symantec still gives me notifications about the Hacktool every 15-20 seconds, which it puts in quarantaine (mind the spelling pls :p )...

    I guess that is the limit of my poor self-educated skills and I fully depend on help from you guys. I would really appreciate your assistance in this. Should I post another HJT log in here, run on the newest OS of my comp? Or is the first one good enough to identify the f**ker?

    Thank you in advance!
    Prot
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    F:\Documents and Settings\Ernest\Desktop\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    Run CWshredder from www.intermute.com/spysubtract/cwshredder_download.html.

    Then Read: Only use these HJT-instructions when asked!
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /P/ F:\WINDOWS\System32\xpjava.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtheworld4you.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchtheworld4you.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchtheworld4you.com/sp2.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
    /P/ O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
    /P/ O4 - HKLM\..\Run: [Win32 USB2 Driver] updatemgr.exe
    /P/ O4 - HKLM\..\Run: [System service79] F:\WINDOWS\\\etb\\pokapoka79.exe
    /S/ O4 - HKLM\..\RunServices: [Win32 USB2 Driver] updatemgr.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130781409406
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Win32 USB2 Driver (bots.warez-net.net) - Unknown owner - F:\WINDOWS\System32\updatemgr.exe" -netsvcs (file missing)
    ...................................................................................................
     
  4. Prot

    Prot TS Rookie Topic Starter

    Fantastic! :grinthumb

    I appreciate your assistance. Will get right on it when I'm home from work!

    I'll keep you posted on the outcome!

    Cheers!
    Prot
     
  5. Prot

    Prot TS Rookie Topic Starter

    Hi Blackie! ;)

    I have followed your instructions step by step and it seems that I finally got rid of that f**ker! :grinthumb

    Thank you very much for your assistance in this very annoying situation. Your advice was clear and easy to follow. I will recommend these forums to all of my friends if they should need help or simply for gaining knowledge on all those topics that to some (like me) are still categorised as "black magic"... :haha:

    I myself will keep lurking the boards, being sure to find many useful tips and ways to master future situations/issues concerning these bloody computers we all love and hate...

    Ok, before I start to get sentimental, I better shut up now... :D

    Cheers again for your help!

    Prot

    P/S: I attached the last HJT log to this post. Hope it looks clean now... :suspiciou
     

  6. Prot

    Prot TS Rookie Topic Starter

    LOL It's me again...

    Just a curiosity which I thought might be worth mentioning/reporting...

    I ran an Ewido scan on my system after all that hassle. It detected 24 further threats. While the first alerts of the GUARD appeared and I started clicking the REMOVAL option, the "old" Symantec notification about detection of the Hacktool.Rootkit appeared on my screen... Just once so far. That was about 30 minutes ago... :suspiciou

    Now, I am not sure what might have caused this. It did not appear since then again. If it will do so, I will post this here. However, I am attaching the EWIDO scan-report to this post for reference...

    I am sure that I need a firewall on my system to complete the security aspect on my machine. Currently I got only the Windows "inbuilt" firewall running/operating... Do you guys have any recommendations in this regard?
    Note: I am doing a bit of online gaming and from experience I know that some firewalls are making problems while I'm online... Therefore a solution "tolerating" this "habit" would be more than welcome. Although the comment probably will be: Just do NOT do online gaming at all... Or something similar... :rolleyes:

    Thanks again in advance and apologies for the trouble this causes... :rolleyes:

    Prot
     

  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    There is still ONE HUGE PEST on your PC. It's called Symantec/Norton puke:
    Up to you if you want to keep it. Most people replace it with the free AVG from http://free.grisoft.com, which does at least as good a job, without all the 'overload' on your system resources!

    Check the firewall posts in this forum (Search this forum). I'm tired of repeating myself...
     
  8. Prot

    Prot TS Rookie Topic Starter

    Aye, will do so...

    Thank you for the comment on this. In fact the licence for my Symantec expires in about a week, so I will look around for something else. I was somehow attracted recently towards trying out Kaspersky...

    Anyway, thanks again for the help, I really appreciate it!

    ;)
     
  9. Prot

    Prot TS Rookie Topic Starter

    Hey there!

    Well, some days have passed now and my machine is running properly. Will get my firewall installed this weekend; time is a DOG at the moment, I simply did not look for one yet...

    But I spoke to some friends and showed them my latest logs of HJT and Ewido (attached above^). They pointed out that this USB2 Driver looks odd and I should get rid of it as well, stating that there is no such thing. There is a USB2.0 Driver, but no USB2 Driver on a normal system...

    Here is the entrance in the HJT log naming the files:
    Further, they recommended a similar piece of software to HJT: StarDreck. I have downloaded it and run a scan. Saved the log and sent it to one of my friends, who apparently knows this scanner well, for review (I attached it to this message).

    He came back with these points:

    So now I have had this USB2 Driver pointed out twice from 2 different sources. And additionally this RemoteRegistry (I disabled it via start--->run--->services.msc).

    Odd thing is, I cannot find the updatemgr.exe on my system! I have "show all hidden folders and files" ticked in the folder options. I checked for it in 2 places:

    1) run regedit (start--->run--->regedit)

    HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
    and
    HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\RunOnce


    It's been pointed out to me that the Driver runs as a service too (according to the StarDreck log).

    2) Run command line (start--->run--->cmd)
    performed following commands:

    sc qc bots.warez-net.net (next to "BINARY_PATH_NAME" is the location of the USB2 Driver); I was not able to find it under the given directory name: F:\WINDOWS\system32\updatemgr.exe


    It is odd not being able to find them physically on my drive and delete them. :suspiciou

    Don't get me wrong, I am not here to criticise anything. Your footer says: post on the forums, so others can benefit from it...
    Just wanted to share the above with others here and also ask for your opinion on this.

    Last thing: I do not know if I should post the download link to this StarDreck scanner for reference or not. Don't want to violate any rules on these boards, so if you want it, please advise...

    All comments, suggestions are highly appreciated!

    Prot

    EDIT: I realised that the first comment on the HJT log, saying these USB2 Drivers look odd, refers to the first HJT log. The one that you analysed, Blackie... Sorry, this is getting a bit complicated for a n00b like me... :haha:

    But the StarDreck log is from today... :suspiciou
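Added example, written for this page and not taken from the thread or from any poster: a read-only PowerShell audit of the start-up places that RealBlackStuff's HJT fix list (post 3) and Prot's manual registry and `sc qc` checks (post 9) cover, namely the Run keys, the Winlogon UserInit value (the HJT F2 line) and the service list (the O23 line). It reports every entry whose executable no longer exists on disk, which is exactly how a leftover "Win32 USB2 Driver" service pointing at a deleted updatemgr.exe shows up. The function names Get-ExePath and Resolve-Exe are my own.

```powershell
# Added example (not from the thread): read-only audit of the start-up
# places the posts inspect (Run keys, Winlogon UserInit, services), flagging
# entries whose executable is no longer on disk, like the "Win32 USB2 Driver"
# service still pointing at a deleted updatemgr.exe. Run from an elevated
# PowerShell prompt; it changes nothing.
function Get-ExePath {
    # Program path from a command line: "C:\a b\x.exe" -f, C:\a b\x.exe -f, x.exe
    param([string]$CommandLine)
    $CommandLine = $CommandLine -replace '^\\\?\?\\', ''   # strip \??\ prefix
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Resolve-Exe {
    # A bare name (updatemgr.exe) is loaded from System32, so look there first.
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) { return $Path }
    return (Join-Path $env:SystemRoot "System32\$Path")
}

$runKeys = 'Run', 'RunOnce', 'RunServices' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $exe = Resolve-Exe (Get-ExePath $p.Value)
        if (-not (Test-Path -LiteralPath $exe)) { "[MISSING] $key\$($p.Name) -> $($p.Value)" }
    }
}

# Winlogon UserInit (the HJT F2 line): normally only userinit.exe; every
# comma-separated entry is started at logon.
$wl = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($entry in ($wl.Userinit -split ',')) {
    if ($entry.Trim()) { "[USERINIT] $($entry.Trim())" }
}

# Services (the HJT O23 line, or 'sc qc <name>' by hand).
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Resolve-Exe (Get-ExePath $svc.PathName)
    if (-not (Test-Path -LiteralPath $exe)) {
        "[MISSING] service $($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName)"
    }
}
```

A [MISSING] service entry is the same condition HJT prints as "(file missing)": the service definition survived while the binary did not, so the entry itself still has to be removed.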
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Yeah, I have no idea what you are going on about.
    I told you right from the start to get rid of that USB2 thingie!
    If you did NOT do so, that's your problem!

    That StartDreck program gives an overload of unnecessary info, with which most people can do nothing or very little.
    I for one am NOT interested in it, nor impressed by it. The program is an ego-trip for some Austrian or German who is really convinced of himself.

    PS: call me RBS or by my full username please...
     
  11. Prot

    Prot TS Rookie Topic Starter

    Roger that RBS...

    I understand. I got rid of the entries in the meantime as well. It was just a bit "spooky" finding traces of the Driver that I deleted before and not being able to find the actual file at the location pointed out...

    I installed Outpost Firewall now on my system, works great, easy to set up and to customise and works quite advanced as well...

    Once again, cheers for the help you gave me. I am glad that I found this place with so much potential and knowledge AND ppl willing to share it with others...

    Prot
     
     