TechSpot

Hacktool.Rootkit rofl.sys I can't get rid of it

By scooksey
Oct 16, 2005
Topic Status:
Not open for further replies.
  1. I've spent the week surfing various forums trying to get rid of Hacktool.Rootkit. I've had no luck. I came across your forum tonight and hope someone here can help me.

    NAV finds rofl.sys every time I boot. It quarantines the file; however, an endless loop of quarantining takes place. It appears rofl.sys keeps recreating itself.

    I've attached my hijackthis log. I would appreciate any help someone can give.

    Thanks.
     


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /S/ Service needs to be stopped
    /U/ UNinstall anything to do with this
    /R/ unRegister the xxx.DLL in that line
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /R/U/ R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    /S/ O4 - HKLM\..\Run: [Windows Logon Events] winlogons.exe
    /P/ O4 - HKLM\..\RunServices: [Windows Logon Events] winlogons.exe
    O4 - HKCU\..\Run: [Windows Logon Events] winlogons.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    Fix ALL your O16 - DPF: entries
    O23 - Service: EVTDES - Unknown owner - C:\DOCUME~1\ADMINI~1.STE\LOCALS~1\Temp\EVTDES.exe (file missing)
    O23 - Service: GDTPJEH - Unknown owner - C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\GDTPJEH.exe (file missing)
    ...................................................................................................
     
  3. scooksey

    scooksey TS Rookie Topic Starter

    it worked

    Thanks for your help. That seemed to take care of the problem. After getting a clean boot and clean scan, I did find that apparently several "group policies" had been set up on the computer firewall. It looked like some manipulation had taken place to allow access to the computer by a hacker. To be completely safe, I went ahead and did a "recovery" on the computer, which re-established it as it was when it was purchased. A real pain to reload programs, but at least I know it's clean.

    Thanks again for your help.
     
  4. drake_x

    drake_x TS Rookie

    Ahh, I'm having the same problem... please help!

    I am having the same problem and do not know what to do...

    I attached what I get when running HJT.

    My NAV keeps notifying me about Hacktool.Rootkit in C:\WINDOWS\system32\rofl.sys and looping.

    I would greatly appreciate your help! Thank you in advance.
     

  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /U/ UNinstall anything to do with this
    /R/ unRegister the xxx.DLL in that line
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    /R/ O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\ahfohumn.dll
    /R/ O2 - BHO: Bho - {D50BE162-D9B6-4008-B2FC-881326EC06EA} - C:\WINDOWS\system32\chsbwlxg.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    /P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    /P/U/ O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    Fix ALL your O16 - DPF: entries
    Unless these IP-numbers are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E103702-22FD-498A-8E70-A19A6DC01635}: NameServer = 68.94.156.1 206.13.30.12
    O20 - Winlogon Notify: msrun - C:\WINDOWS\AppPatch\msrun.dll (file missing)
    ...................................................................................................
     
  6. drake_x

    drake_x TS Rookie

    thanks!

    Thank you very much. That seemed to do the trick! :)
     
  7. =met=Badger

    =met=Badger TS Rookie Posts: 37

    OK, same problem and I can't get rid of it. Did a spyware scan; it came up empty. Did 2 separate virus scans with AVG and Trend Micro's, and I can't delete it or quarantine it. Also there's a blip process running, lol.exe, which seems to ghost around: only active for a short time and then gone completely, in the Windows folders. I also ran HijackThis and nothing :mad:
    And I couldn't find anything similar between the three other than the rofl.sys, so I went into Services and BAM! There it was.

    Service description:
    Change me go to hell :evil:

    Linked to the rofl.sys.

    I disabled it and it hasn't popped up since.
    I'm looking right now at how to delete services so it won't re-enable.

    *edit*
    http://forums.infoprosjoint.net/showthread.php?t=5492
    for info on deleting services :blackeye::knock:
    :dead:
    It's gone from my system :angel:
    Also, most files or programs have install directories similar to their file path; anything in the Windows folder will be found in HKLM (HKEY_LOCAL_MACHINE) or HKCU (HKEY_CURRENT_USER). Use HijackThis to find the whole path of the key to manually delete it.
     
  8. jimgroening

    jimgroening TS Rookie

    Help me with Hacktool.Rootkit in rofl.sys file

    Hello RealBlackStuff,

    My Norton AntiVirus 2003 detected that the file c:\windows\system32\rofl.sys is infected by Hacktool.Rootkit...

    I already read the answer you gave the other people, and then I downloaded and executed HijackThis and attached the log file.

    I hope you can help me, and I thank you.

    P.S.: Sorry for my English, but I'm Italian.
     


  9. =met=Badger

    =met=Badger TS Rookie Posts: 37

    The solution is pretty clear if you have the same virus. Just:

    Start menu\Run: services.msc
    Find the entry linked to the virus and disable it.
    Run your antivirus and delete the file.
    Then run through the steps of the link to eliminate the service and registry key.
     
  10. jimgroening

    jimgroening TS Rookie

    Sorry, but how can I find the process linked to the virus?
    If I delete the file in safe mode (by pressing F8 at the Windows boot), is it the same thing?

    I already tried to delete this file, but it recreates itself at the next boot.

    I have to delete the service and the registry key, but I don't understand what service and what key:

    > then run through the steps of the link to eliminate the serivce & and registry
    > key.

    What does it mean? What steps of what link?

    Thank you very much for the help
     
  11. jimgroening

    jimgroening TS Rookie

    Sorry

    Ahhhh OK =met=Badger,

    Sorry, but now I have read your previous message with more attention and I have understood; I've found the link to the other forum with the instructions... now I'll try....

    Thank you very very very much, sei gentilissimo (= you are very nice)
     
     
  12. jimgroening

    jimgroening TS Rookie

    OK, I need just one more bit of help...

    I can't find what process is linked to the infected file (rofl.sys)...

    How can I find it... by the process manager, by services.msc...????

    Help me, thanks
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Your HiJackThis program is an antique! Get the latest version please.

    From the (old-version) log, these are the evildoers:
    O4 - HKLM\..\Run: [Windows service] files.exe
    O4 - HKLM\..\Run: [SVCH Service] svch32.pif
    O4 - HKLM\..\RunServices: [Windows service] files.exe
    O4 - HKLM\..\RunServices: [SVCH Service] svch32.pif
    O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
     
  14. jimgroening

    jimgroening TS Rookie

    I've downloaded HijackThis v1.99.1

    I hope this is useful... this is the log file
     
  15. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  16. =met=Badger

    =met=Badger TS Rookie Posts: 37

    Exactly. You must have a knowledge of what services your computer needs and the programs that your computer needs in order to run. Mainly, when a program runs you can see it in the Task Manager (Ctrl+Alt+Del). Second, HJT gives limited info and the UI isn't for the inexperienced.

    I've looked at your HJT file and this is what I'd remove.
    ***Remember, I'm not a computer tech or Windows pro; I just know what I know to run my PC without any useless crap***

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dariodellamonica.tk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.type2find.com/sp2.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cds.unina.it:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

    These two here are most likely your bug.
    O4 - HKLM\..\Run: [Windows service] files.exe
    O4 - HKLM\..\RunServices: [Windows service] files.exe

    Use HJT to "fix" these two and your virus should be eliminated. If not,
    Run: regedit.exe, go through the steps in that other forum link I posted up there, and eliminate these 2 manually.
    Remember, I am not an expert, just another Windows user.

    FYI, in Services, any service that you think is suspicious, Google it. If nothing comes up, disable it.

    PS to raise your spirits about Windows check this song out.
    http://www.crusadingotter.co.uk/Windows_Experience.mp3
     
  17. scribbles1015

    scribbles1015 TS Rookie

    I guess I'm late to the party, but I too am having this problem. Searching through the computer won't find rofl.sys either.
     
  18. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    Read the other thread on how to remove this.
     
  19. jimgroening

    jimgroening TS Rookie

    Solution for scribbles1015 and thank you to RealBlackStuff and =met=Badger

    Dear scribbles1015, I've solved the problem following step by step the instructions in the last message of RealBlackStuff. You have to click the link and follow all the instructions with great attention:
    1) download all the programs
    2) update the virus definitions of all programs
    3) run the programs in the indicated order
    4) follow the other instructions

    I want to say thank you to RealBlackStuff and =met=Badger for the help given to me, and I'm sorry if RealBlackStuff was angry, but I always followed the instructions with attention; maybe I didn't understand all you wrote very well because I'm Italian. I didn't want to make you angry... Sorry and thank you to RealBlackStuff and =met=Badger.

    Good luck scribbles1015
     
  20. =met=Badger

    =met=Badger TS Rookie Posts: 37

    There's more than enough info in this thread to help anyone who has this similar virus. Just use a little knowledge and basic computer know-how and you will be able to fix it. My first post was based on those preceding it and contains enough info on how to get rid of it.
     
  21. adias

    adias TS Rookie

    Needing help URGENT!!!!!

    All the way from Portugal, I'm having the same problem.
    I have AVG and every time I reboot a message about a virus (rofl.sys) appears. I need to unplug AVG so I can work!
    I read all the other posts and I did it, but I can't manage to get rid of it.
    Please help me!
     
  22. =met=Badger

    =met=Badger TS Rookie Posts: 37

    You can't get rid of it because the registry key and/or service entry is still there.
     
  23. adias

    adias TS Rookie

    But how can I get rid of it? Which are the registry keys to delete? Can you help me?
     
  24. =met=Badger

    =met=Badger TS Rookie Posts: 37

    For all those who don't know: USE GOOGLE to search what you may think is a virus; if you don't recognize it, search it. HijackThis will give you a good start. Use the Regedit and service links provided in the earlier posts by me to delete all related material. Read, observe, learn, and know your computer and what you put on it and what is Windows. That will make it easier for everyone in the fight against bugs.

    hloader_exe.exe is a worm
    O4 - HKCU\..\Run: [auto__hloader__key] C:\WINDOWS\System32\hloader_exe.exe

    win32ssr.exe
    O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

    Those are what I found in your log. Delete these with HijackThis; also find the original files and delete them. Look through Services to see if any are linked to these files, and double-check the registry to make sure they were deleted.

    ****Not an expert and resulting damage is not my fault; just a recommendation. I am not a certified tech****
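The helpers in posts 2, 13 and 24 read each HijackThis log by eye and picked out the O4/O23/O17 lines with bare file names, Temp paths, "(file missing)", odd extensions, unknown owners or overridden name servers. As an added example that is not from this thread or from HijackThis itself, this Python script applies those same checks to lines copied from the logs quoted above (the heuristics are mine, not the helpers'):

```python
"""Added HijackThis-log triage example (not from the thread or from HijackThis).
It applies the checks the helpers above made by eye on O4/O23/O17 lines.
Sample lines are copied from the logs quoted in this thread."""
import re

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # e.g. ...\LOCALS~1\Temp\x.exe

def _target(line):
    """File/command part of an O4 ([name] command) or O23 (... - path) line."""
    if line.startswith("O4"):
        m = re.search(r"\]\s*(.+)$", line)
        return m.group(1).strip() if m else ""
    return line.split(" - ")[-1].strip() if line.startswith("O23") else ""

def triage_line(line):
    """Return the reasons a line deserves a look; an empty list means none."""
    line, reasons = line.strip(), []
    if line.startswith("O17"):
        return ["O17 NameServer override: confirm the IPs belong to your ISP"]
    if not line.startswith(("O4", "O23")):
        return reasons                      # other sections are out of scope here
    target = _target(line)
    exe = target.replace("(file missing)", "").strip().split(" ")[0]
    if "(file missing)" in target:
        reasons.append("registered file is missing (dead or hidden entry)")
    if exe and "\\" not in exe:
        reasons.append("bare file name, no path: found by path search at logon")
    if TEMP_DIR.search(target):
        reasons.append("runs from a Temp directory")
    if exe.lower().endswith((".pif", ".scr", ".com")):
        reasons.append("unusual autostart extension " + exe[exe.rfind("."):])
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with unknown owner")
    return reasons

def triage(lines):
    """Map each flagged line to its reasons (unflagged lines are dropped)."""
    return {ln: triage_line(ln) for ln in lines if triage_line(ln)}

# Constructed sample: six lines taken from the HJT logs quoted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Windows Logon Events] winlogons.exe",
    r"O4 - HKLM\..\RunServices: [SVCH Service] svch32.pif",
    r"O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe",
    r"O4 - HKCU\..\Run: [auto__hloader__key] C:\WINDOWS\System32\hloader_exe.exe",
    r"O23 - Service: EVTDES - Unknown owner - C:\DOCUME~1\ADMINI~1.STE\LOCALS~1\Temp\EVTDES.exe (file missing)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1E103702-22FD-498A-8E70-A19A6DC01635}: NameServer = 68.94.156.1 206.13.30.12",
]
```

Note that hloader_exe.exe passes every path check, which is why the advice above to Google any name you do not recognise still matters: a flagged line is a lead to verify in Services and the registry, not a verdict.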
     
  25. XAxis06

    XAxis06 TS Rookie

    Same ol'

    So I guess I won't sugar coat it. I read this whole forum and tried the steps along the way to no avail on my own. I have the rofl.sys thing in the same place like everyone else. My HJT log is attached; I'd appreciate any help I could get. It's bothersome because I just got done re-formatting my comp 2 days ago. Sorry to beat you guys up with the same problem. Thanks for the help. I'm usually a little more savvy and can fix these myself.

    ~Matt
     