Resolved: Hacktool.rootkit et al.

By Kavaril
Feb 24, 2010
  1. Had some serious problems over the last few days! Foolishly believed my computer to be safe boasting a fully updated version of Norton 360....soon learned my mistake!

    One evening came back to find Norton flashing away like crazy about Trojans and hacktool.rootkit. I followed the Symantec advice and booted into safe mode to complete removal etc. The computer never booted up again properly and became unusable! After a complete format I started again...all my work was backed up onto USB however and the virus remains on these it seems....

    The virus and problems are now back on my fully updated but empty PC and I can't wipe the USB sticks and start again as my Uni thesis data is on there!

    Been trying to fix it in various stages but I thought it best to admit defeat and ask some professionals!

    I am running AVG and Norton both as AVG appeared to find the problem on the USB sticks that Norton didn't... I am enclosing all requested logs and can provide any details about other symptoms or Virus warnings if necessary.

    Suspicious.MH690.A ------> Is the only persistent but new problem appearing at the moment, appears in AVG folder - is this a quarantined virus/software conflict?

    Hacktool.rootkit ---------> All old viruses that have appeared a couple of times in Norton since rebooting.

    As mentioned there was a Trojan removed off the USB drives via AVG. I am worried that the hacktool has just compromised my system so much that it is just not picking up the viruses anymore? If anyone can help me they will get an acknowledgement in my thesis hehe :)


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Malwarebytes shows a file in the Qoobox. That is the folder that Combofix puts quarantined files in. Meaning you have run Combofix.

    The other 2 files are in the restore points. They are out of your system, but don't use the System Restore feature now.

    This can make the system more vulnerable as well as slow it down. Please uninstall one of them: It is more likely that you have backed up infected files. I am not sure just how you used the USB drive when the system was infected, but it's likely there may be malware on the flash drive, then using the flash drive reinfects the system.

    Use either of these tools:
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    Norton Removal Tool

    Please disable TeaTimer before doing any more scans:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)

    See if there are any active infections: Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Eset log and a new log for HJT after you remove one of the AV programs and have disabled TeaTimer.
  3. Kavaril


    Firstly thank you for taking the time to reply and work on the problem!

    Just to clarify about the USB flash drives - I believe these were the source of the original infection. I had to backup my data when I first started to get problems so it is possible a new virus or the original one still remains on there...After I formatted the problems reappeared when I restored files from the drives. I would wipe them and reformat but I can't afford to lose the data.

    Also I had already run combofix following a thread referring to fixing hacktool.rootkit and before reading the warning on the forums, sorry if this creates any more problems!

    Regarding your solution - AVG uninstalled and all instructions followed - logs as attached. Just to confirm. Nod32 found 2 issues, one on a flash drive, as requested neither were removed.


  4. Bobbye


    Let's see if this will resolve the malware problem: But before starting, please temporarily disable the Real Time Protection, Tea Timer (from Spybot S&D) as previously requested- it can interfere with the scans:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
    What I'm seeing: Win32/Peerfrag.GA worm in autorun.inf
    Description: The autorun.inf file is a worm which spreads all over your partitions by creating a copy of itself and usually comes from USB flash drives. It is frequently gotten from P2P file sharing or social networking sites. It won't let you access your drives by giving you an autorun menu when double clicking on your C: or your USB flash drive.

    How to remove autorun.inf from your flash drive: Hopefully this solution will work for you:
    • Click on "Start"> Then "Run"> Type CMD
    • Type your flash drive path letter: Type: F:> then press Enter
    • Then type:
      ATTRIB -H -S -R Autorun.inf
    • HIT Enter
      You will notice the autorun file will appear in your pen drive
    • Do a right click> Delete

    Repeat the same procedure to remove the autorun.inf file from your C: and D: partitions.
    Restart your computer when finished

    The other entry in the Eset log shows the file is in the Qoobox folder which is the quarantine folder for Combofix.

    Rescan with Eset online and repeat HijackThis. Attach the new logs.

    FYI: About the Commands: You need to change the attributes of the file:
    ATTRIB = attributes
    The ATTRIB Options:
    -H - Use the -H option to turn off the HIDDEN attribute.
    This will change the setting so that hidden files and folders will show.
    -S - Use the -S option to turn off the SYSTEM attribute.
    -R - Use the -R option to change the file protection attribute back to normal (so it can be read, changed, or deleted).
    (If you try to delete a file set to 'read-only', you will get an "Access Denied" message)
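    An added offline helper in Python (not from the thread, and not part of ATTRIB, Eset or any other tool named here) for the autorun.inf removal steps and the ATTRIB notes above: it lists the commands an autorun.inf would launch, so a drive can be judged before anything on it is opened, and renders the H/S/R attribute bits the way ATTRIB displays them. The sample autorun.inf is constructed for the example.

```python
import configparser
import os
import stat

# ATTRIB letters mapped to the Windows attribute bits that os.stat() exposes
# as st_file_attributes; ATTRIB -H -S -R clears exactly these three bits.
ATTR_LETTERS = {
    "H": stat.FILE_ATTRIBUTE_HIDDEN,    # 0x2
    "S": stat.FILE_ATTRIBUTE_SYSTEM,    # 0x4
    "R": stat.FILE_ATTRIBUTE_READONLY,  # 0x1
}
# Constructed sample modelled on a typical USB worm autorun.inf (not a real one).
SAMPLE_INF = """\
[AutoRun]
open=RECYCLER\\x.exe
shellexecute=RECYCLER\\x.exe
shell\\open\\Command=RECYCLER\\x.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Disk
"""


def launched_targets(inf_text: str) -> dict:
    """Return every command an autorun.inf would launch, keyed by directive.

    Flags open= and shellexecute= (run via AutoPlay) and shell\\<verb>\\command=
    (hijacks the drive's Open/Explore menu). icon= and label= are harmless.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case and backslashes exactly as written
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    targets = {}
    for key, value in cp.items(section):
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets[key] = value.strip()
    return targets


def letters_from_bits(attrs: int) -> str:
    """Render attribute bits the way ATTRIB displays them, e.g. 0x7 -> 'HSR'."""
    return "".join(l for l, bit in ATTR_LETTERS.items() if attrs & bit)


def attrib_letters(path: str) -> str:
    """H/S/R letters set on a file; st_file_attributes is Windows-only, so '' elsewhere."""
    return letters_from_bits(getattr(os.stat(path), "st_file_attributes", 0))
```

    Point `launched_targets` at the text of `F:\autorun.inf` (read from the drive letter used in the steps above) and `attrib_letters` at the file itself; a result of `HSR` is the state the `ATTRIB -H -S -R` command undoes.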
  5. Kavaril


    Thanks again, could only find the file on the USB drive to remove. ESET log and HJT log enclosed.


  6. Bobbye


    Again, you did not disable Tea Timer. Your HijackThis now has an entry:
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\ which is for AVG Free 8.5.

    It's important you get the most accurate information available. IF you're running Real Time Protection like Tea Timer, it could affect the scans. So please disable it before you do the last HijackThis scan.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Use Windows Explorer: Windows key + E> click on My Computer> Local Drive (C)> Windows> scroll down to avgrsstarte and do a Right click> Delete.

    Now double click the C Drive to open and click on Programs. If there is any program folder for AVG> do a right click> Delete.

    Boot back into Normal Mode and do a new HijackThis scan. Attach new log.
    Please advise if there are any of the original malware problems.
  7. Kavaril


    I swear I disabled teatimer last time - sorry if this was not the case. AVG Free 8.5 was installed and removed as you requested in first post...followed the instructions but could not find the above file in location or at all. All other AVG folders (empty) were deleted. Did a search for the file in safe mode as well with no results. Hidden folders are viewable so is it possible that is just a dud reference in the HJT log? Including a new log anyway but the

    O20 - Winlogon Notify: avgrsstarter

    still there...

    No virus reported by Norton since 27th of Feb. No obvious symptoms of infection, only thing detected by Norton is teatimer trying to create a registry key on startup.


  8. Bobbye


    Ha! Norton doesn't play well with anybody! I don't see any other entries that need removal. You can try reopening HJT, check the O20 AVG entry, click on Fix checked and maybe it will go away! Then you can clean up:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    You have Active X processes running for both Panda and Eset Online scans already on the system. After the above cleanup has been completed, run one of them just to be sure we haven't missed anything. I won't close the thread until after checking that.
  9. Kavaril


    Brilliant, all looks clear! Combofix deleted, restore points wiped and new created, other software removed!

    ESET log enclosed. Are there any scanning programs/real time protection I should keep a hold of or install to stay secure?

    Attached Files: log.txt (2.6 KB)
  10. Bobbye


    Very good! I'm including some tips for you- all or some can be used according to your needs:

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide

    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Download Foxit Reader. It is free and does the same thing as Adobe without the bloat.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
  11. Kavaril


    Thanks for all the help with this you have been brilliant, problem looks fixed...I did however make a tiny screwup 2 weeks ago and put the same USB stick in my girlfriend's laptop. Similar problems are appearing on hers as well...I assume it will not be an identical fix so would it be okay to hijack this thread and some more of your time or should I start a new thread?

    Again thank you,
  12. Bobbye


    You're welcome. Glad to help.

    Yes, please start a new thread for the other system. We may do some of the same things, but each system is unique. The tips I left though can also be applied to the other machine.

    I'll close this thread.