IE issues, hacktool, pwdump, etc

By cbrummell
Oct 26, 2008
  1. Hi All,

    I've had numerous problems but can't seem to shift them all. Have followed all of the steps in the 'before posting' section but still can't move them - Norton said that if I ran a scan in safe mode it would be able to delete the infections, but it wouldn't let me...

    IE is now not working properly, locking up, opening additional windows, generally being weird...especially when using the address bar...

    Firefox is ok for now but machine is generally not in a happy place...

    Attached all the logs (HJT, MWbytes and SASpyware)...

    Any help much appreciated! :)


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm checking the logs. Mbam is clean, SuperAntispyware shows malware in the restore points. DO NOT use System Restore! We will drop those points when the system is clean. Your log is long and it will take me a while. Just wanted to send this caution your way.
  3. cbrummell

    cbrummell TS Rookie Topic Starter

    No problem - I can be patient!!

    Thank you so much for looking at this, it's really appreciated. I did try to use System Restore when it first happened, but it actually wouldn't let me (no valid restore periods) so I gave up on that approach.

    Will await further instruction before doing anything else.

    Thanks :)
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your Java is out of date. Please download the latest version, which is v6u10, from here:

    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> UNCHECK everything EXCEPT the Symantec/Norton antivirus and firewall> Apply> OK.

    Open Internet Options> Security tab> Trusted Zone> Sites> remove IP62.73.186.39> Apply> OK.

    Control Panel> Add/Remove Programs> Uninstall all Java EXCEPT v6u10.
    Uninstall ANY other programs that you do not use. If you find one you don't recognize, include its name with the next log.

    Start> Run> service.msc> right click on JavaQuickStarterService> Properties> Change Startup type to Disabled

    Reboot into Normal Mode.
    Clear your existing System Restore points and establish a new clean restore point:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
    This will remove all restore points except the new one you just created.

    Scan with HijackThis again and attach new log.

    NOTE: If speed is an issue, you have numerous processes starting at boot that don't need to. This does not mean you will be unable to use the program. These can easily be started manually when needed, instead of at boot, then running in the background. Some are:
  5. cbrummell

    cbrummell TS Rookie Topic Starter

    Have tried to complete the below -

    Java, HJT instructions, msconfig instructions, restore points
    - done
    - Tried to do this - site was not in the list- in fact no sites were listed.
    - Wouldn't let me remove any progs in safe mode - restarted in normal mode then did it.
    - Machine wont find 'service.msc'

    Look forward to hearing your response.

    Thanks again x
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job! I need a performance assessment. How is the system running? Are previous problems resolved? If not, what remains? How is your speed? Better? Still a few unneeded startups to play with.

    Please go to the Control Panel> Add/Remove Programs> Java>>> Verify that you now have v6u7 and that no other Java programs show installed- the entries are just showing v6.

    Let's turn off the Java auto-update:
    Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> answer YES when asked if you're sure> Close.

    The entry that was in the Trusted Zone doesn't appear now- good. I am extra conservative about anything being out in Trusted Zone. It is something that can backfire on a user easily.

    Services can also be accessed using this path:
    Control Panel> Administrative Tools> Services.

    Question: Have you intentionally set Restriction:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Please check the information here about Restrictions. If you set, okay. Make sure the setting is correct. If you did not set, we need to remove the restriction, but you should check to see what the Restriction is first:

    If the performance is good and the problems are resolved
    tools it finds and then delete itself (requiring a reboot).

    The Restore Points have been cleaned.

    Note: It appears that you did an online scan using Housecall. This continues to run in the background unless you remove the program- you may want to do that:
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -

    Easiest way to do this is to download and run this file:

    Let us know if you need more help. It was a pleasure helping you.
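The HijackThis entries discussed in this thread (the Trusted Zone address, the O6 Restrictions policy, the O16 DPF control left behind by the online scanner, and the Java Quick Starter service) are all things a helper reads off the log by section prefix. The script below is an added example, not code from the thread or from the HijackThis project: it parses the O-section lines of a log and lists the entries a reviewer would want to look at first. The sample log is constructed for this example; the O6 line, the 62.73.186.39 address and the O16 CLSID come from the thread, while the file paths, the DPF control name and the download URL are stand-ins.

```python
import re
from dataclasses import dataclass


@dataclass
class HjtEntry:
    section: str   # e.g. "O6", "O15", "O16"
    detail: str    # everything after the "O6 - " prefix


@dataclass
class Finding:
    section: str
    severity: str  # "review" = confirm with the user; "info" = worth knowing
    reason: str
    detail: str


# Constructed sample in HijackThis log layout. Only the O6 line, the IP address
# and the O16 CLSID are taken from the thread; the rest are placeholder values.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted IP range: 62.73.186.39
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Example Online Scan Control) - http://scanner.example.invalid/scan.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# HijackThis O-sections look like "O15 - <detail>". R- and F-sections are ignored here.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.+)$")

# Both spellings appear in O15 lines, for host names and for IP ranges.
TRUSTED_PREFIXES = ("Trusted Zone:", "Trusted IP range:")


def parse_hjt(text):
    """Return the O-section entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Pick out the entry types the thread discusses and say why each matters."""
    findings = []
    for e in entries:
        if e.section == "O6" and "Restrictions" in e.detail:
            findings.append(Finding("O6", "review",
                "IE policy restrictions are in effect; confirm the user set them on purpose",
                e.detail))
        elif e.section == "O15" and e.detail.startswith(TRUSTED_PREFIXES):
            findings.append(Finding("O15", "review",
                "host or IP range in the Trusted zone gets relaxed IE security settings",
                e.detail))
        elif e.section == "O16":
            findings.append(Finding("O16", "info",
                "downloaded ActiveX control (DPF); online scanners leave these behind after use",
                e.detail))
        elif e.section == "O23" and "JavaQuickStarterService" in e.detail:
            findings.append(Finding("O23", "info",
                "Java Quick Starter service runs at boot and is not needed for Java to work",
                e.detail))
    return findings


def summarize(text):
    """Parse a log and return its triage findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.detail}")
```

Run it against the sample and it prints four findings; to use it on a real log, read the file into `summarize()` instead of `SAMPLE_LOG`. The rules deliberately stop at "review this with the user": whether an O6 restriction or a Trusted-zone entry is legitimate is exactly the question the helper asks above, and a script cannot answer it from the log alone.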
  7. cbrummell

    cbrummell TS Rookie Topic Starter

    OK, So I've done the same again - put my comments on how I'm doing below in CAPS.

    - Main problem is that Norton is still picking up hacktool and pwdump when scanning and it cannot get rid of them - so still need some help on that front.

    Trusted Zone, Java instructions - DONE
    - I stopped it accessing the internet as I kept accidentally opening it, and it was freezing up my system!
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you Blind Dragon. That is very helpful:
    cbrummell, please access this site on TechSpot:

    It is a well-written, detailed instruction for: How to remove Hacktool.Rootkit
    Please follow each instruction carefully, use the links that are supplied and, when through, attach the appropriate logs, which will include a new HijackThis log.

    We will go from there.

    You may enjoy this comment on site: "As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!"
  10. momok

    momok TS Rookie Posts: 2,265

    Actually, it's services.msc
    Note to cbrummell: try not to copy and paste everything our volunteers say. Just quote a few relevant sections if needed, or better still, no need to quote at all and just reply normally instead of using caps. This ensures a shorter post as well as easy reading for us to help you. =)
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good catch momok. I left the last letter out. Thanks.
  12. cbrummell

    cbrummell TS Rookie Topic Starter

    No worries - apologies, I'll try and do this going forward (see I've started already!) :)

    I'll try working through the hacktool repair tonight, will let you know how I get on!
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks momok. I left that 's' off twice! Hopefully I've learned it by now!
  14. cbrummell

    cbrummell TS Rookie Topic Starter

    I've followed the steps in that other thread, but Norton is still detecting hacktool and pwdump... :(

    HJT Log attached.
  15. momok

    momok TS Rookie Posts: 2,265

    I would recommend using an anti-rootkit here as conventional tools may prove to be useless against this variant of infections (rootkits). Either Panda or F-Secure BlackLight is a good choice.

    Also, the log shows "Windows XP SP2". SP3 is already out, so updating is recommended.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36
