Help me get rid of HACKTOOL.ROOTKIT Please!

By djbosch
Oct 8, 2005
  1. I am trying to fix my friend's mom's laptop. I have no idea what she has downloaded but I have uninstalled most of what I think is bad. I have been reading some other threads and downloaded Hijacker - I have attached the log, could someone give me some advice as to what I should do from here?

    Norton keeps finding the virus in c:\windows\system32\kbdrv64.sys. I can delete it in safe mode but it keeps coming back. I can't seem to find what program is creating it.

    I know that I need to get the SP2, but I think I should install that after I get rid of this?

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Run HJT and let it fix:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)

    Read: How to remove Hacktool.Rootkit
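As an added example (not from this thread, from HijackThis, or from the poster), here is a small Python script that applies the same triage the reply above does by hand: it parses HijackThis-style log lines, pulls out the section code, any CLSID and any file path, and flags the patterns that make an entry safe to fix or worth a closer look ("(file missing)" orphans, O23 services with an unknown owner, a ProxyOverride in Internet Settings, O16 DPF objects with no recorded URL, and empty R0 settings). The sample lines are the ones quoted in the reply; the O16 URLs were already elided on the page and are left blank. The triage rules are this example's own reading of the entries, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in the reply above.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =",
    r"O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)",
    r"O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -",
    r"O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)",
    r"O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\USBSubsystem (file missing)",
]

_LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A drive-letter path, lazily matched up to "(file missing)" or end of line.
_PATH_RE = re.compile(r"([A-Za-z]:\\.*?)\s*(?:\(file missing\)|$)")


@dataclass
class HjtEntry:
    code: str                       # HijackThis section code: R0, R1, O2, O16, O23, ...
    body: str                       # everything after "<code> - "
    path: Optional[str] = None      # filesystem path named by the entry, if any
    clsid: Optional[str] = None     # {GUID} carried by the entry, if any
    reasons: List[str] = field(default_factory=list)  # why the entry was flagged


def triage(entry: HjtEntry) -> List[str]:
    """Return the reasons an entry deserves attention (empty list = nothing notable)."""
    reasons = []
    body = entry.body.rstrip()
    if "(file missing)" in body:
        reasons.append("orphaned reference: the target file no longer exists")
    if entry.code == "O23" and "Unknown owner" in body:
        reasons.append("service with no identifiable owner")
    if entry.code == "R1" and "ProxyOverride" in body:
        reasons.append("proxy override set in Internet Settings")
    if entry.code == "O16" and body.endswith("-"):
        reasons.append("DPF object with no download URL recorded")
    if entry.code == "R0" and body.endswith("="):
        reasons.append("empty IE setting (cosmetic)")
    return reasons


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    clsid_m = _CLSID_RE.search(body)
    path_m = _PATH_RE.search(body)
    entry = HjtEntry(
        code=code,
        body=body,
        path=path_m.group(1) if path_m else None,
        clsid=clsid_m.group(0) if clsid_m else None,
    )
    entry.reasons = triage(entry)
    return entry


def triage_log(lines) -> List[HjtEntry]:
    """Parse every entry line in a log and attach triage reasons."""
    entries = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LINES):
        status = "; ".join(e.reasons) if e.reasons else "no flags"
        print(f"{e.code:<4} path={e.path!r} clsid={e.clsid!r}\n     -> {status}")
```

Entries that come back with "orphaned reference" point at files that are already gone, so fixing them with HJT only removes the dangling registry record; the value of running this over a fresh log (as the later posts in the thread do) is seeing whether an entry such as the kbdrv64.sys driver reference reappears after a reboot, which means something still on the machine is recreating it.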
  3. djbosch

    djbosch TS Rookie Topic Starter

    Anything else?

    I've followed all the steps, but still have the hacktool.rootkit in kbdrv64.sys. The only step I couldn't complete was the scan from Trend Micro; it wouldn't load for me. I've attached a copy of the most recent HijackThis results. Do you have any other advice? Thanks so much!
  4. djbosch

    djbosch TS Rookie Topic Starter

    I think it's fixed.

    I went through the HijackThis list again and fixed some more items. I believe the system might be clean. I connected to the internet and pulled up several web sites for about an hour last night, then ran Norton and Ewido again. Everything came up clean. I'm just afraid I am going to plug it in at her house and the virus is going to pop up again. Anything you think I should check or run to make sure it is really gone? Thanks again!
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    This is cosmetic; fix it with HJT:
    O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\USBSubsystem (file missing)

    Other than the Read: How to.. I have no other help, I'm afraid.
    Try Google