TechSpot

Possible Hacktool.rootkit ++ attacks

By Rolfen31
Jan 23, 2008
  1. I've just run a program called "Norton Security Scan", which I was presented with after I did an Adobe Shockwave update.

    This program states that I've got several problems:

    Tracking Cookie
    Hacktool.rootkit
    Downloader
    and
    Trojan.Perfcoo

    It says none of these can be removed by this program.
    I run AVAST antivirus and have Windows Defender running (I think).

    Can you please help me to resolve this?
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Viruses/Spyware/Malware, preliminary removal instructions
    http://www.techspot.com/vb/topic58138.html

    Also download / update and full scan with SuperAntiSpyware:
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    You will need to re-submit a HijackThis Log afterwards info here:
    http://www.techspot.com/vb/topic19133.html

    Although I myself am not a malware specialist, after doing the above and posting back your logs, hopefully someone will reply to you then.

    Also, this process will take some time before you are able to post back.
     
  3. Rolfen31

    Rolfen31 TS Rookie Topic Starter

    Reports from prelim virus scans

    My Panda anti-rootkit scan found nothing.
    By the way, I couldn't open the webpage with the tool called VundoFix!
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Done well.
    Although I myself am not a malware specialist,
    I have found two files in your log that are trojans.
    You may follow the procedure below, or wait for a specialist to advise you.

    KernelDrv.exe Trojan on your system
    pr2ah4nc.exe Trojan on your system

    C:\windows\system32\KernelDrv.exe
    C:\windows\system32\pr2ah4nc.exe

    Use Ctrl + Alt + Del and kill the processes KernelDrv.exe and pr2ah4nc.exe if they are running.
    Then go to C:\windows\system32 and delete the files KernelDrv.exe and pr2ah4nc.exe.
    Then go to [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    and if KernelDrv.exe and pr2ah4nc.exe are in the list, delete them.
    Then go to System Restore (right click My Computer) and turn it off.
    Then update Ad-Aware and do a full scan
    http://www.lavasoft.com/single/trialpay.php

    Once you have finished removing anything found,
    go back to System Restore and put it back on.
     
  5. Rolfen31

    Rolfen31 TS Rookie Topic Starter

    New report from HijackThis

    This is the new report after I did the new scan with Ad-Aware.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    KernelDrv.exe

    Still exists in c:\windows\system32

    Did you follow the steps in full above ?
     
  7. Rolfen31

    Rolfen31 TS Rookie Topic Starter

    Answer

    Yes I did. But I couldn't find kerneldrv.exe in C:\WINDOWS\System32 folder.
    So I couldn't delete it.

    By the way, I searched the registry and there I found some entries of kerneldrv and kerneldrv.exe in:
    HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\000 & \001 (type REG_SZ)

    Is this where the "culprit" could be buried?

    PS: Thanks for helping me!!!
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'd remove it (the key in the registry).

    Also, are you viewing all files and folders when doing a search for c:\windows\system32\KernelDrv.exe?
    Tools - Folder Options - View - All files and folders - Show hidden/system files
     
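The manual steps in this thread (kill the process, find the file in system32 with hidden and system files visible, check the Run key for an autostart entry, delete) can be done from one PowerShell script. The following is an added example, not code from the thread or from any of the tools mentioned in it. It assumes PowerShell 2.0 or later on an elevated (administrator) prompt; the file names are the two posted above, and the HKLM Run key is checked in addition to the HKCU key the thread names. The script also reads the ACMru\5603 key: that key holds the Search Assistant's history of strings typed into the Windows XP "All or part of the file name" search box, so a "kerneldrv" entry there records the search the poster ran, not an autostart location. Turning System Restore off and on remains a GUI step as described in the thread and is not automated here.

```powershell
# Added example (not from the TechSpot thread): read-only triage of the indicators
# named in the thread, with an opt-in removal step.
# Assumptions: PowerShell 2.0+, elevated prompt, Windows with the system32 layout
# used in the thread. Run with -Remove to actually delete what was found.
param([switch]$Remove)

$Targets   = @('KernelDrv.exe', 'pr2ah4nc.exe')        # file names from the thread
$SystemDir = Join-Path $env:SystemRoot 'system32'

# 1. Processes whose image name matches a target (Get-Process omits the extension).
$running = @(Get-Process | Where-Object { $Targets -contains ($_.ProcessName + '.exe') })

# 2. Files on disk. -Force includes hidden and system files, which the default
#    Explorer view skips; this is the "Show hidden/system files" step in the thread.
$onDisk = @(Get-ChildItem -Path $SystemDir -Force -ErrorAction SilentlyContinue |
    Where-Object { $Targets -contains $_.Name })

# 3. Autostart entries. The thread checks HKCU; HKLM has the same key (added here).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$autostarts = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        foreach ($t in $Targets) {
            if ("$($prop.Value)" -match [regex]::Escape($t)) {
                New-Object PSObject -Property @{ Key = $key; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
})

# 4. Search Assistant history. ACMru\5603 stores the strings typed into the XP
#    file-name search box, so an entry here shows the name was searched for;
#    it does not start anything at boot.
$acmru = 'HKCU:\Software\Microsoft\Search Assistant\ACMru\5603'
$searchHistory = @()
if (Test-Path $acmru) {
    $searchHistory = @((Get-ItemProperty -Path $acmru).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object Name, Value)
}

"Running processes  : $($running.Count)"
"Files in system32  : $($onDisk.Count)"
"Run-key entries    : $($autostarts.Count)"
"ACMru\5603 history : $($searchHistory.Count) entries"
$searchHistory | Format-Table -AutoSize

# 5. Removal only on request. Order matters: stop the process first, then delete
#    the file, then the autostart value that points at it.
if ($Remove) {
    $running    | Stop-Process -Force
    $onDisk     | Remove-Item -Force
    foreach ($a in $autostarts) { Remove-ItemProperty -Path $a.Key -Name $a.Name }
}
```

Run it once without -Remove and keep the output with the HijackThis log: a file that is present on disk but not in any Run key is started some other way (a service, a driver, or another autostart location), which is worth knowing before it is deleted.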