TechSpot

Hacktool.rootkit what am I doing wrong?

By redsand209
Mar 30, 2009
  1. I followed the 8 step removal of viruses to get rid of this virus I could not kill--it's immortal--it's like the Highlander.
    I'm not sure if it's gone or not at this point.

    I'm attaching the 3 logs in the next reply for HijackThis, Malwarebytes, and SuperAntiSpyware Free.

    The old HijackThis log was attached earlier, but may be irrelevant at this point. The new one is
    called hijackthis2.log

    Am I in the clear or are there persistent files needing my attention?

    Here they are
     
  2. touch

    touch TS Rookie Posts: 978

    Hello redsand209

    According to the (removed) infections in the Malwarebytes log, it looks like you have more infections, I'll therefore suggest you post a ComboFix log ->

    Please download combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.

    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
    scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt,
    please attach it to your next post
     
  3. redsand209

    redsand209 TS Rookie Topic Starter

    combofix log

    Here's the requested combofix log.
    I also renamed the program as requested, and posted that log as well (named combolog2.txt)

    thanks
     

  4. touch

    touch TS Rookie Posts: 978

    Unfortunately, one of the system files is infected, and we'll need to replace it with a clean file.

    So will you please check these files:
    Upload and have these files scanned:

    d:\windows\ServicePackFiles\i386\user32.dll
    d:\windows\system32\dllcache\user32.dll

    Here
    http://virusscan.jotti.org/ or: http://www.virustotal.com/en/indexf.html


    Post back the results
     
  5. redsand209

    redsand209 TS Rookie Topic Starter

    For the first file nothing was found.


    For the second file:

    ArcaVir found W32.Patched.Bb
    Avast found Win32:SysPatch
    Dr. Web found BackDoor.Zapinit
    F-Secure Anti-Virus found Trojan.Win32.Patched.dr
    Kaspersky Anti-Virus found Trojan.Win32.Patched.dr
    NOD32 found Win32/Pinit
    Panda Antivirus found W32/Patched.D
    Quick Heal found Trojan.Patched.AP
    Sophos Antivirus found Troj/User32Hk-A
    VirusBuster found Trojan.Patched.AP
     
  6. touch

    touch TS Rookie Posts: 978

    Copy the entire contents of the Quote Box below to Notepad.
    Name the file as CFScript
    and Save it on the desktop

    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
     
  7. redsand209

    redsand209 TS Rookie Topic Starter

    response

    alllllllllright


    Here's the next file requested.

    PS. I hate whoever creates viruses. May they burn in hell.
     
  8. touch

    touch TS Rookie Posts: 978

    They probably will :D


    Please download http://jpshortstuff.247fixes.com/FileLook.exe
    by jpshortstuff and save to your Desktop.
    Double-click FileLook.exe to run it.
    Important! If using Windows Vista, be sure to Run As Administrator.
    Ensure that BBCode Output is checked. Copy and paste everything in the code box below into the empty text field under FileLook by...

    Code:
    d:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    Click the FileLook button to start the scan.
    When finished, Notepad will open with the results of the scan in a text file named fl_log.txt which will automatically be saved to the root of your system drive. (Typically C:\fl_log.txt)

    It looks like you have missed the Java update part; update it from here: -

    8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Please attach the contents of Filelook log in your next reply, along with fresh Hijackthis log.
     
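The checks in posts 4, 5 and 8 (scanning two copies of user32.dll, then inspecting a third with FileLook) all ask the same question: does a protected system file still match what Microsoft shipped? The PowerShell below is an added example, not code from the thread or from any of the tools it names. It hashes each copy of user32.dll at the paths the thread mentions, checks each copy's Authenticode status, and warns where copies disagree or a signature does not verify. The third path (the live system32 copy) and the use of Get-FileHash, which needs PowerShell 4 or later, are assumptions made for this example.

```powershell
# Added example (not from the thread): compare the copies of a protected
# system file that Windows keeps in several locations and check each copy's
# Authenticode signature. The first two paths are the ones named in the
# thread; the third is an assumption (the live copy is worth checking too).
# Adjust the drive letter for the machine being examined.
$candidates = @(
    'd:\windows\ServicePackFiles\i386\user32.dll',
    'd:\windows\system32\dllcache\user32.dll',
    'd:\windows\system32\user32.dll'
)

$results = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Exists = $false; Size = $null; SHA256 = $null; Signature = 'n/a'; Signer = $null }
        continue
    }
    # Get-FileHash needs PowerShell 4+; Get-AuthenticodeSignature also consults
    # the system catalogs, which is how most Windows binaries are signed.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        Size      = (Get-Item -LiteralPath $path).Length
        SHA256    = $hash
        Signature = $sig.Status            # 'Valid' for an unmodified, signed Microsoft binary
        Signer    = $sig.SignerCertificate.Subject
    }
}

$results | Format-Table -AutoSize

# Warn when the copies that exist do not all share one hash.
$present  = $results | Where-Object Exists
$distinct = @($present | Select-Object -ExpandProperty SHA256 -Unique).Count
if ($distinct -gt 1) {
    Write-Warning 'Copies of user32.dll differ from one another; one of them may have been patched.'
}

# Warn for every copy whose signature does not verify.
$present | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning "Signature check failed for $($_.Path): $($_.Signature)"
}
```

A hash difference between the ServicePackFiles baseline and the dllcache copy is not proof of tampering by itself, because a hotfix can legitimately update the dllcache copy; a file that should be Microsoft-signed but reports anything other than Valid is the stronger signal, and the multi-engine scan used in post 4 remains the decisive check. A kernel-mode rootkit can also hide or misreport a patched file to tools running on the infected system, which is why the offline-style scan that ComboFix performs still matters even when this check comes back clean.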
  9. redsand209

    redsand209 TS Rookie Topic Starter

    All right touch,

    here's the next 2.

    About the Java--when I first posted the query I did not update because the viruses were effin with my internet connection. Either yesterday or the day before I updated. So it shooouuuuld be ok.
     
  10. touch

    touch TS Rookie Posts: 978

    Ok. The file is a legal Microsoft file, and the HijackThis log looks ok.

    Now that your computer problems are solved, it is time for the clean-up procedure ->

    Please note: it will NOT remove MBAM, CCleaner and SuperAntiSpyware.


    I also suggest you read Tony Klein's article:
    So how did I get infected in the first place?
    http://www.spywareinfoforum.com/index.php?showtopic=60955
     
  11. redsand209

    redsand209 TS Rookie Topic Starter

    That didn't work!

    That link for OTCleanIt is not valid.

    Also, as of yesterday, the lower right-hand corner of my desktop, the taskbar I guess, where the clock goes, isn't showing as many icons as it usually does. My Symantec antivirus is running, but won't show that it is. It was scheduled for a system check last night, ran fine, and deleted some things that it shouldn't have. I forget exactly what, unfortunately, but namely apoint.exe, which is the program for my touchpad that gives it extra functionality.

    Now I can certainly reinstall that program, but any idea why this happened?
    If you send me the right link for OTCleanIt, I will see if that works and all, but should I try a System Restore before that? (Like to a couple of days ago, after deleting viruses but before yesterday when this new problem presented itself.)
     
  12. redsand209

    redsand209 TS Rookie Topic Starter

  13. touch

    touch TS Rookie Posts: 978

    This link should work - Please download OTCleanIt

    Right-click on the file (a box will pop up) and choose Rename
     