Hacktool.Rootkit rofl.sys I can't get rid of it

Status
Not open for further replies.
I've spent the week surfing various forums trying to get rid of Hacktool.Rootkit. I've had no luck. I came across your forum tonight and hope someone here can help me.

NAV finds rofl.sys every time I boot. It quarantines the file; however, an endless loop of quarantining takes place. It appears rofl.sys keeps recreating itself.

I've attached my hijackthis log. I would appreciate any help someone can give.

Thanks.
 

Attachment: hijackthis.txt (7.4 KB)
First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/S/ Service needs to be stopped
/U/ UNinstall anything to do with this
/R/ unRegister the xxx.DLL in that line
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
/R/U/ R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
/S/ O4 - HKLM\..\Run: [Windows Logon Events] winlogons.exe
/P/ O4 - HKLM\..\RunServices: [Windows Logon Events] winlogons.exe
O4 - HKCU\..\Run: [Windows Logon Events] winlogons.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
Fix ALL your O16 - DPF: entries
O23 - Service: EVTDES - Unknown owner - C:\DOCUME~1\ADMINI~1.STE\LOCALS~1\Temp\EVTDES.exe (file missing)
O23 - Service: GDTPJEH - Unknown owner - C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\GDTPJEH.exe (file missing)
...................................................................................................
 
it worked

Thanks for you help. That seemed to take care of the problem. After getting a clean boot and clean scan, I did find that apparently several "group policies" had been set up on the computer firewall. It looked like some manipulation had taken place to allow access to the computer by a hacker. To be completely safe, I went ahead and did a "recovery" on the computer which re-established it as it was when it was purchased. A real pain to reload programs, but at least I know it's clean.

Thanks again for your help.
 
Ahh, I'm having the same problem... please help!

I am having the same problem and do not know what to do...

I attached what I get when running hjt

my NAV keeps notifying me about Hacktool.Rootkit in C:\WINDOWS\system32\rofl.sys and looping.

I would greatly appreciate your help! Thank you in advance
 

Attachment: log.txt (7.2 KB)
First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/U/ UNinstall anything to do with this
/R/ unRegister the xxx.DLL in that line
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
/R/ O2 - BHO: Bho - {BFFA51A0-0B64-4aa3-AAC4-325F9338D0BE} - C:\WINDOWS\system32\ahfohumn.dll
/R/ O2 - BHO: Bho - {D50BE162-D9B6-4008-B2FC-881326EC06EA} - C:\WINDOWS\system32\chsbwlxg.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
/P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
/P/U/ O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
Fix ALL your O16 - DPF: entries
Unless these IP-numbers are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E103702-22FD-498A-8E70-A19A6DC01635}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: msrun - C:\WINDOWS\AppPatch\msrun.dll (file missing)
...................................................................................................
 
OK, same problem and I can't get rid of it. I did a spyware scan and it came up empty. Did 2 separate virus scans with AVG and Trend Micro's, and I can't delete it or quarantine it. Also there's a blip process running, lol.exe, which seems to ghost around: only active for a short time and then gone completely, in the Windows folders. I also ran HijackThis and nothing :mad:
And I couldn't find anything similar between the three other than the rofl.sys, so I went into Services and BAM! there it was

service description
Change me go to hell :evil:

linked to the rofl.sys

I disabled it and it hasn't popped up since.
I'm looking right now at how to delete services so it won't get re-enabled.

*edit*
http://forums.infoprosjoint.net/showthread.php?t=5492
for info on deleting services :blackeye::knock:
:dead:
it's gone from my system :angel:
Also, most files or programs have install directories similar to their file path; anything in the Windows folder will be found in HKLM (HKEY_LOCAL_MACHINE) or HKCU (HKEY_CURRENT_USER). Use HijackThis to find the whole path of the key to manually delete it.
 
Help me with Hacktool.Rootkit in rofl.sys file

hello RealBlackStuff,

my Norton Antivirus 2003 detected that the file c:\windows\system32\rofl.sys is infected by Hacktool.Rootkit...

I already read the answer you gave the other people, and then I downloaded and executed HijackThis and attached the log file

I hope you can help me, and I thank you

P.S.: Sorry for my English but I'm Italian
 

Attachment: hijackthis.txt (3.5 KB)
The solution is pretty clear if you have the same virus. Just:

Start menu\Run: services.msc
find the entry linked to the virus and disable it
run your antivirus and delete the file
then run through the steps in the link to eliminate the service and the registry key.
 
sorry, but how can I find the process linked to the virus?
If I delete the file in Safe Mode (by pressing F8 at Windows boot), is it the same thing?

I already tried to delete this file but it recreates itself at the next boot.

I have to delete the service and the registry key, but I don't understand what service and what key:

> then run through the steps of the link to eliminate the serivce & and registry
> key.

what does that mean? what steps of what link?

Thank you very much for the help
 
sorry

ahhhh OK =met=Badger,

sorry, but now I have read your previous message with more attention and I have understood; I've found the link to the other forum with the instructions... now I'll try....

Thank you very very very much, sei gentilissimo (= you are very nice)
 
OK, I need only one more bit of help...

I can't find what process is linked to the infected file (rofl.sys)...

how can I find it... by the process manager, by services.msc...????

help me, thanks
 
Your HiJackThis program is an antique! Get the latest version please.

From the (old-version) log, these are the evildoers:
O4 - HKLM\..\Run: [Windows service] files.exe
O4 - HKLM\..\Run: [SVCH Service] svch32.pif
O4 - HKLM\..\RunServices: [Windows service] files.exe
O4 - HKLM\..\RunServices: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
 
Exactly. You must have a knowledge of what services your computer needs and the programs that your computer needs in order to run. Mainly, when a program runs you can see it in the Task Manager (Ctrl+Alt+Del). Second, HJT gives limited info and the UI isn't for the inexperienced.

I've looked at your HJT file and this is what I'd remove
***remember I'm not a computer tech or Windows pro, I just know what I know to run my PC without any useless crap***

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dariodellamonica.tk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cds.unina.it:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

These two here are most likely your bug.
O4 - HKLM\..\Run: [Windows service] files.exe
O4 - HKLM\..\RunServices: [Windows service] files.exe

Use HJT to "fix" these two and your virus should be eliminated. If not,
run regedit.exe, go through the steps in that other forum link I posted up there, and eliminate these 2 manually.
Remember I am not an expert, just another Windows user

FYI: in Services, any service that you think is suspicious, Google it. If nothing comes up, disable it.

PS to raise your spirits about Windows check this song out.
http://www.crusadingotter.co.uk/Windows_Experience.mp3
 
Solution for scribbles1015, and thank you to RealBlackStuff and =met=Badger

dear scribbles1015, I've solved the problem by following step by step the instructions in the last message of RealBlackStuff. You have to click the link and follow all the instructions with great attention:
1) download all the programs
2) update the virus definitions of all the programs
3) run the programs in the indicated order
4) follow the other instructions

I want to say thank you to RealBlackStuff and =met=Badger for the help given to me, and I'm sorry if RealBlackStuff was angry, but I always followed the instructions with attention; maybe I didn't understand all you wrote very well because I'm Italian. I didn't want to make you angry... Sorry and thank you to RealBlackStuff and =met=Badger

Good luck scribbles1015
 
There's more than enough info in this thread to help anyone who has this same virus. Just use a little knowledge and basic computer know-how and you will be able to fix it. My first post was based on those preceding it and contains enough info on how to get rid of it.
 
Needing help URGENT!!!!!

All the way from Portugal, I'm having the same problem.
I have AVG and every time I reboot a message about a virus (rofl.sys) appears. I need to unplug AVG so I can work!
I read all the other posts and did it, but I can't manage to get rid of it.
Please help me!
 
For all those who don't know: USE GOOGLE to search for what you may think is a virus; if you don't recognize it, search it. HijackThis will give you a good start. Use the regedit and Services links provided in the earlier posts by me to delete all related material. Read, observe, learn, and know your computer, what you put on it and what is Windows. That will make it easier for everyone in the fight against bugs.

hloader_exe.exe is a worm
O4 - HKCU\..\Run: [auto__hloader__key] C:\WINDOWS\System32\hloader_exe.exe

win32ssr.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

Those are what I found in your log. Delete these with HijackThis; also find the origin files and delete them. Look through Services to see if any are linked to these files, and double-check the registry to make sure they were deleted.

****not an expert and resulting damage is not my fault. Just a recommendation. I am not a certified tech****
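The two pieces of advice that recur in this thread (=met=Badger's "services.msc, find the entry linked to the file, then the Run keys" procedure, and the later post's point that the O4 and O23 lines of a HijackThis log are exactly the Run/RunServices values and the service list) can be checked in one pass from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from HijackThis: it is a read-only audit that lists the HKLM/HKCU Run and RunServices values, Win32 services and kernel drivers, and flags any entry whose command references a name you supply, runs out of a Temp folder (as the EVTDES/GDTPJEH O23 lines above did), has no full path, or points at a file that is not on disk. The function names and the flagging rules are this example's own; the suspect file names passed at the bottom are taken from the logs quoted in the thread.

```powershell
# Added example (not from this thread): read-only audit of the autostart locations
# the posts above point at. It changes nothing; act on the output with the
# services.msc / HijackThis / regedit steps the thread describes.

# Registry autostart locations HijackThis reports as O4 lines
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-AutorunEntries {
    # One object per registry value under the Run/RunServices keys
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value; Description = '' }
        }
    }
}

function Get-ServiceEntries {
    # Services (what services.msc and the O23 lines show) and kernel drivers such as
    # a .sys file; both expose their image path in PathName and their text in Description
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class | ForEach-Object {
            [pscustomobject]@{
                Source      = "$class ($($_.StartMode))"
                Name        = $_.Name
                Command     = [string]$_.PathName
                Description = [string]$_.Description
            }
        }
    }
}

function Resolve-ImagePath {
    # Pull the executable out of a command line and turn NT-style driver paths into
    # something Test-Path understands
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c -match '^"([^"]+)"') { $path = $Matches[1] }                                  # "C:\Program Files\x.exe" args
    elseif ($c -match '^(.+?\.(exe|sys|dll|pif|com|bat))(\s|$)') { $path = $Matches[1] }  # C:\dir\x.exe args
    else { $path = ($c -split '\s+')[0] }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-SuspiciousAutostarts {
    param([string[]]$SuspectName = @())
    $entries = @(Get-AutorunEntries) + @(Get-ServiceEntries)
    foreach ($entry in $entries) {
        $reasons = @()
        foreach ($name in $SuspectName) {
            if ($entry.Command -like "*$name*") { $reasons += "references '$name'" }
        }
        if ($entry.Command -match '\\Temp\\') { $reasons += 'launches from a Temp folder' }
        $image = Resolve-ImagePath -Command $entry.Command
        if ($image) {
            if (-not [IO.Path]::IsPathRooted($image)) { $reasons += 'bare file name, resolved via PATH' }
            elseif (-not (Test-Path -LiteralPath $image)) { $reasons += "image not found: $image" }
        }
        if ($reasons.Count -gt 0) {
            $entry | Add-Member -NotePropertyName Why -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Suspect names taken from the logs quoted in this thread; add your own as needed
Get-SuspiciousAutostarts -SuspectName 'rofl.sys', 'winlogons.exe', 'files.exe', 'svch32.pif' |
    Format-Table Source, Name, Description, Command, Why -AutoSize -Wrap
```

Two things to keep in mind when reading the output. A registered driver or service whose image "is not found" is a signal in itself: either a stale registration (the "(file missing)" O23 lines above) or a file that is being hidden from the file system while it runs, which is why the thread ends up recommending Safe Mode and a full recovery. And "bare file name" entries such as `winlogons.exe` with no directory are resolved through the PATH at logon, so the file can sit in any directory on the search path; the Description column is where the "Change me go to hell" text one poster noticed would show up.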
 
Same ol'

So I guess I won't sugar coat it. I read this whole forum and tried the steps along the way to no avail on my own. I have the rofl.sys thing in the same place like everyone else. My HJT log is attached; I'd appreciate any help I could get. It's bothersome because I just got done re-formatting my comp 2 days ago. Sorry to beat you guys up with the same problem. Thanks for the help. I'm usually a little more savvy and can fix these myself.

~Matt
 