Hacktool and Hacktool.Rootkit (8 Steps Completed)


phoenix115

Hi everyone,

My computer has been infected with the "Hacktool" virus as well as the "Hacktool.Rootkit" virus. I have been doing some research online about the removal of the two viruses and came across this site. Experts, I need your help! These 2 viruses are driving me crazy. Here is my description of the situation:

I use Norton Antivirus. The results of the Norton scan indicate:

Hacktool
Affected Area:
2 Files
2 Services
1 Browser Cache

Hacktool.Rootkit
Affected Area:
1 File
1 Service
1 Browser Cache

Every single time I restart my computer and run a Norton scan, the 2 viruses are detected again. Norton prompts me to restart my computer and says that the 2 viruses are "fully removed" yet the next time I restart my computer, they come back again. Upon looking at the security log for Norton, the Details section indicates:

Hacktool
c:\windows\system32\drivers\qh3s.sys
c:\windows\system32\drivers\jsdpp32.sys

Hacktool.Rootkit
c:\windows\system32\drivers\oxauau96.sys

Does this mean that these are the locations of the viruses? If Norton "removed" them, why do they come back after I restart my computer?

(Also, I currently have System Restore turned off; I read on some websites that this should be done to prevent the virus from coming back. I hope I didn't make the wrong decision. > <")

I came across TechSpot yesterday and saw someone else with a similar virus problem. I followed the instructions in that thread and completed the 8 steps. I repeated each step twice. The newest Malware log indicates that no malware is found. SuperAntiSpyware indicates no infections as well. I have attached both logs as well as the HijackThis log.

Sorry for the long post. Please help me remove these 2 viruses for good. Thank you for your time and expertise. Your help is greatly appreciated.
 
OK. Boot to Safe Mode with Networking and do the below.

Left-drag the mouse and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del /f /q /s tdss*.*
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del /f /q c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\winsrc.dll

:: paths containing spaces must be quoted or the command sees two arguments
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del /f /q "c:\program files\xwdxqu.txt"
del /f /q c:\windows\x
del /f /q c:\windows\SxsCaPendDel

:: the three drivers Norton reported as Hacktool / Hacktool.Rootkit
attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys

del /f /q c:\windows\system32\drivers\qh3s.sys
del /f /q c:\windows\system32\drivers\jsdpp32.sys
del /f /q c:\windows\system32\drivers\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: service name is gaopdxserv.sys, matching the Services key removed further down
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a cover-all and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Then Run MBAM Quick Scan
then SAS Quick Scan
Attach logs!

Then still in Safe Mode do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop, double-click My Computer, then the C: drive, to open it.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: SDFix will reboot to Normal; you may run ComboFix from there!
Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
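The removal script deletes the driver files and services by name, but the original question is why they return after every reboot. The batch file below is an added check written for this thread, not part of Mike's script: it reports whether each driver file and service named in the Norton log and the script above is still present, with the file's last-write time, so a run in Safe Mode and another after a normal boot show whether something is re-dropping them. A rootkit can hide files from `if exist` and `dir` in Normal mode, so an "absent" result there is not proof on its own.

```batch
@echo off
rem persist-check.cmd - added example for this thread, not part of the removal script.
rem Run once in Safe Mode and again after a normal boot. A file or service that
rem was deleted and is PRESENT again means something still on the machine
rem re-creates it on startup, or the deletion never reached it.
setlocal
set "DRV=%SystemRoot%\system32\drivers"

echo === Driver files named in the Norton log and the removal script ===
for %%F in (qh3s.sys jsdpp32.sys oxauau96.sys gaopdxqfotrruc.sys gaopdxuigiphwm.sys ntndis.sys) do (
    if exist "%DRV%\%%F" (
        rem /a lists the file even when hidden+system; the timestamp shows when it was last written
        echo PRESENT: %DRV%\%%F
        dir /a "%DRV%\%%F" | find /i "%%F"
    ) else (
        echo absent : %%F
    )
)

echo.
echo === Services the removal script stops and deletes ===
for %%S in (TDSSserv.sys gaopdxserv.sys WinSvchostManager ntndis u_lehj) do (
    sc query "%%S" >nul 2>&1 && (
        echo REGISTERED: %%S
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%S" /v ImagePath 2>nul | find /i "ImagePath"
    ) || echo no service : %%S
)

echo.
echo === Shell associations the script resets; expect exefile and "%%1" %%* ===
assoc .exe
ftype exefile
endlocal
```

Save it as a .cmd file and run it from a command prompt; compare the two runs line by line rather than relying on either alone.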
 
Hi Mike~

Thank you for your detailed response.
I am not very good with computers so I was wondering if you can further explain these instructions for me. Thank you for your patience in advance. ^_^

>>Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Do you mean to select all of what's in the box and copy it?

>>Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

What is an open command prompt? Where on the computer do I go for this?...sorry

>>This should run and exit!
After pasting the text, everything will automatically "run and exit"?


Thanks again for your help!

Oh, and can I download SDFix now? or do I have to do it in Safe Mode?

And does it matter what account I log into when I'm restarting to get to Safe Mode?

Thanks again!


Sorry...one more question...
Do you need the new logs done with the computer in Safe Mode or Normal?
 
That is exactly what I meant: highlight and copy all in the box!

Start-Run, type cmd, click OK.

Command prompt opens.

Left-click once anywhere inside the black screen to make it active, then right-click and Paste. It will run and close!

Go to next step.

You do know how to enter Safe Mode, right?

Mike
 
Yes sir~
I do know how to get to Safe Mode. ^^

Thank you for your quick reply. Be back with logs as soon as I finish.

Hi!
I am currently running in Safe Mode with Networking.
I just pasted the code in the command window but it didn't close.

It says

sc stop TDSSserv.sys
DOS/32A -- Protected Mode Run-time Version 7.2
Copyright Supernar Systems Ltd, 1996-2002

at the bottom of the window. Did something go wrong? Or do I close the window and proceed with the next steps?

The following message just popped up:

C:\windows\system32\cmd.exe-sc stop tdssserv.sys
NTVDM has encountered a system error
The service did not respond to the start or control request in a timely fashion.
Choose 'Close' to terminate the application.

Any idea what went wrong? I will try the command again. > <
 
Nope, don't try again! Abort out and continue with the other steps.

Something really has its claws in!

Start here: This should run and exit!

Mike
 
Sorry for the messages...I just wanted to report whatever I see.

After the message above popped up and "Close" was clicked, the bottom of the command window says the following:

OCAL_MACHINE\SOFTWARE\tdss"/f
The system cannot find the path specified.
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.*/s


Edit:

Hi Mike, Thank you for your quick response. I didn't see your post before posting the message. I will continue from the step you instructed. Thank you again!
 
Hi Mike~

I followed your instructions; here are my logs.

The SDFix Report was too big to upload so I split the report into two separate files, SD1 and SD2, and will post them in the next reply because I reached the upload limit.


Thanks again!

Here are the SD Logs.

Thanks!
 
yet the next time I restart my computer, they come back again
What do you mean by "come back"? Do you mean that when you run a virus scan, Norton finds it again? Or do you get an error window at start up, such as a missing file error? Sometimes these anti-virus programs don't remove all of the registry files (AKA orphan registry files), but otherwise the computer runs fine. Just making sure.

You might try typing in the name of the virus on Google and stumble upon a manual removal method.

Also, just curious, how did you catch this virus? Do you know? LimeWire?
 
Good morning Phoenix

Four steps below, all to be done in Safe Mode with Networking.

Step 1
----------------------------------------
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) at the END of the line ONLY at the end and...

Step 2
----------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at the bottom; no Yahoo toolbar)
Run it twice or more to clean up temps, then on the left click Registry, then Scan for Issues; repeat that too till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
----------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "During cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore, OK to "Are you sure?", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it also clears one other thing that can contain infected files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have Volume Shadow Copy running, which is the default.
----------------------------------------
Step 3

Another run indicated!
OK, there were found/removed items in ComboFix and SDFix, so we need to run again as the first run likely exposed things that were not even seen the first time.

Run the below in the order given:

ComboFix
SDFix

Attach logs first then do the below!

Step 4
----------------------------------------
Go here to download DrWeb: https://www.techspot.com/vb/post724044-3.html

Boot to Safe Mode only! Not with Networking.

DrWeb will first do an Express Scan on its own; when it completes, then do a full scan.

For the first virus it finds, select Cure, and do the same for all the rest.

This will take hours but is your best chance at this point!

Mike
 
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) at the END of the line ONLY at the end and...

Good morning Mike! Again, thank you for your help. I will start with your instructions right away.


@Squiggly:

Yes, every single time I restart my computer and run a Norton scan, the scan detects and "fully removes" the 2 viruses again.

Hi Mike,

I have some questions:

The ATF Cleaner doesn't have a Registry option. I just clicked "Select All" (the options were mainly temporary files). Is this ok?

And I tried to create a System Restore point in Safe Mode with Networking mode but it said that there was not enough free space and at least 200 MB was needed. However, I have 16GB of free space. Initially, I thought that this had to do with how I turned off System Restore earlier. I checked under System-System Restore and it said C drive was suspended. I rebooted my computer and am now in Normal mode. I checked System Restore and C drive says Monitoring. Do you know what happened? How can I create a restore point as you instructed in the Safe Mode With Networking mode?

Since I am in normal mode again, do I have to repeat the steps I've already done earlier in Safe Mode with Networking mode again?

Thank you again!
 
No you do not have to repeat.

Create SR point in Normal mode.

No it is CCleaner that has the registry clean option.

But run all else in Safe mode!

Mike
 
Hi Mike

Here are my logs. Again, the SD logs are split into 2.

Also, before seeing your post, I was trying the steps again. When I was in Safe Mode with Networking Mode, I did not receive the same message about System Restore as before. However, when I opened the System Restore Wizard, the option of creating a restore point was not available. I created a Restore Point in Normal mode after the computer rebooted when the SDFix scan finished.

I am working on your last step right now. Please let me know what to do next.
Thanks so much!
 
Hi Mike~

I ran Dr. Web 3 times since last night and the results indicate that my system is clean. I am going to restart my computer now and run in Normal mode. I will then run a Norton scan to see if it picks up the 2 viruses again. Will let you know what happens asap.
 
You mean the results were clean on each run??

Get me the log..

DrWeb Log
Paste the following line to the run command
Code:
%USERPROFILE%\DoctorWeb\CureIt.log
Post it!

And no need yet to run it in Normal mode!

Mike
 
Hi Mike, I interrupted my last DrWeb scan so I am running a scan in Safe Mode now. I will attach a log as soon as the scan finishes. The first scan picked up on 7 or 8 things including SD Fix and ComboFix (archive includes infected objects). I was prompted to move some things. Also, at the end of the scan, I moved the incurables. (Was I supposed to delete them? ><) The scan apparently "moved" ComboFix as it is no longer on my desktop and the folder under Program Files is empty. The 2nd and 3rd scans did not find anything. Btw, I ran Norton under Normal mode (didn't see your post in time) and the 2 viruses were detected, "fully removed" and the computer was prompted to restart again. T.T I am on my phone right now; apologies for my typing. Will keep checking back for your instructions. Thanks!
 
OK, the SDFix and ComboFix are false positives; they only look like malware to DrWeb.

Move is good; you can always put moved items back if they are in fact good.

Good on the "fully removed".

Mike
 
Good on the "fully removed".

Huh? No Mike, it's not good. That means the problem has not been resolved; it is the same as before... Norton auto-detects Hacktool and Hacktool.Rootkit and automatically scans. The results of the scans are what I indicated in my first post. Norton claims that the viruses have been "fully removed" and prompts me to restart the computer. Yet the same process REPEATS after the computer restarts. This is the problem that needs to be fixed; I need the 2 viruses to be removed permanently and not come back once I restart the computer. The DrWeb scan is almost over. Will post the log ASAP.
 
No, what I said was that if they were moved, then that was a safe option: "good".

It depends on where they are; I need to see the log. If they are in a Quarantine folder or System Volume Information then they are isolated and we can clean them. Or they are being found in the Moved files by DrWeb (which is a quarantine folder).

If they are attached only to an application like, say, "Wordpad.exe" then we can handle it, but if in the Windows system then we have more work to do.

This is why I need all logs. Get me the Norton log.

Mike
 
Hi Mike, sorry I misunderstood. What part of the CureIt log do you need? The entire log is around 16 MB; it is way too big to upload.

I realized why the log file is so big; it is the log of all the scans.
I have saved the log file onto my desktop and deleted it in the DrWeb location.
I am going to run a scan again in Safe Mode. Hopefully the log file will only document the newest scan.
 
Mike...the new log is about 14 MB...still too big.

What should I do? What part of the log do you need to look at?
 
OK, describe briefly what it did.

Mostly Cured? Moved?

Then run MBAM SAS quick scan and post logs.

Followed by a ComboFix log.

Mike
 