Hacktool.rootkit / lock1.exe / xz ms-dos batch file (virus/worm?)

Status
Not open for further replies.

Victor587

I also have a Hacktool.Rootkit problem. I tried following the Hacktool.Rootkit procedure stickied on this forum, but I did not have any of the aliases (javapanel.exe, taskcntr.exe, etc). I do have the file msdirectx.sys (which Norton found 2 days after I realized I had a virus) and an MS-DOS batch file that I accidentally downloaded (could be a separate virus/worm?) titled "xz".

Can I have help removing this?

edit: BTW, the attached doc. is the hijackthis log

and sorry I didn't make a new thread.. the other forum I went on said to find one with the same topic.
 

Attachments

  • New Text Document-1.txt
    8.1 KB · Views: 35
Myspace actually was my homepage since I use Firefox as my main browser.. Use IE for Symantec support and media applications.

I wasn't able to find the process (lock1.exe under task manager). I believe it is my new firewall.. Sygate Personal Firewall

I'll restart my pc now and come back.. thanks.

edit: I believe lock1.exe is gone.. I have yet to restart (once more.. it had 2 startup items under msconfig and I forgot the other). But there is still the "xy" ms-dos batch file. I used Pocket Killbox to delete it, but it reappeared in a folder titled "!Submit" in my C: drive ( looks like "C:\!Submit")

No visible problems though... I'll run some scans tonight and see if they find anything other than this xz file/lock1.
 
The lock1.exe is NOT part of Sygate, but some other nasty that will probably crop up under a different name next.

Your problem is this:
C:\Program Files\LimeWire\LimeWire.exe

And copy&paste the contents of that xy.bat file here.
Just rename that file to xy.old to stop it for the moment.
 
no I meant that I thought Sygate was blocking it.. and I moved the xy file

I can't get into Sygate anymore. I think that virus is preventing that..
 
victor,

apart from

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

your log is clean.
 
I did what you told MSU ROX to do (for the xz file)

It says:

@echo off
@title Windows Update
net stop "Security Center"
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
net stop SharedAccess

Seems pretty self-explanatory. The only question is how to fix it? net start/continue? And would I do it in the command prompt (cmd, I think)?

Thanks. :)
 
We have some communication problems here.
You need to get rid of that crap program Limewire. That brings in all those bad guys!

The other guy calls the file xy.bat, you call it xz.bat. You using a German keyboard?
Yes the opposite commands would be net start ... given in a cmd-window.
Or copy that file to e.g. undo.bat, change stop into start and run it.
You need to find out what starts that xy.bat or xz.bat in registry or otherwise.
 
I know, I know.. This may sound stupid but I want Limewire. And plus, I like troubleshooting my PC because I know it will help me in the long run/I get to know more, etc. Not like I'm intentionally inviting viruses into my system, just saying that it's good to know some stuff. I know more stuff now, for example, than a week ago. Sorry if this pisses you off, I really appreciate your help though.

I am using a normal English keyboard to what I know.. It's QWERTY type which I'm sure is the default for English. And the file on my computer is titled "xz" (now xz.old) Is .bat a command prompt file?

What about the "@echo off"? I think the "@title Security Update" just means to run those commands at security update. Just curious about echo off. And remember that it reinstalls itself if it's deleted.. I could try again using Pocket Killbox, restart, and tell you what happens.

And Sygate is working now that I switched let it run at startup under msconfig (I personally turned it off to see some things)


edit - I don't even have to restart before it pops up again, in the !Submit folder under C: drive (probably the same submit folder because we moved it to Limewire) Is something embedded in the registry?
 
You need to check your Registry for any entries with xz.bat and remove them all.
Note where it comes from, then delete the (sub)directories as well.
Also click Start/Run and type msconfig and click OK and see if it is in there somewhere.
 
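The two replies above describe one procedure: undo the batch file (turn its `net stop` lines into `net start`) and then find whatever re-launches it from the registry, msconfig or a startup folder. Below is an added worked example of both steps, written here for this thread and not posted by anyone in it. It assumes the Windows XP SP2 service names behind the display names the batch file stops (wscsvc is "Security Center", SharedAccess is "Windows Firewall/Internet Connection Sharing (ICS)"), that the file is referenced as xz, xy or the C:\!Submit folder (an assumed search pattern), and that the box has PowerShell and an administrator prompt. For the questions left open in the thread: `@echo off` only stops cmd from printing each command as it runs, and `@title` only changes the text in the console window's title bar; neither line schedules anything.

```powershell
# Added example for this thread, not original code from any poster.
# Assumed XP SP2 service names for the display names the batch file stopped:
#   wscsvc       = "Security Center"
#   SharedAccess = "Windows Firewall/Internet Connection Sharing (ICS)"
# Run from an Administrator PowerShell prompt.

$services = @('wscsvc', 'SharedAccess')

# Step 1: the reverse of the batch file. net stop does not change the startup
# type, but a reinfection may, so reset it to Automatic and start the service.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name not found"; continue }
    Set-Service -Name $name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    Write-Host ("{0,-14} {1}" -f $name, (Get-Service -Name $name).Status)
}

# Step 2: find what re-creates / re-launches the file. The pattern is an
# assumption based on the names mentioned in the thread.
$pattern = 'xz|xy|!Submit'

# Common autostart keys (the ones msconfig's Startup tab reads, plus Winlogon).
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match $pattern) {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value   # note it, then delete it with Remove-ItemProperty
        }
    }
}

# Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir | Where-Object { $_.Name -match $pattern } |
            Select-Object -ExpandProperty FullName
    }
}

# Scheduled tasks are another place a deleted file can be re-created from.
schtasks /query /fo LIST /v 2>$null | Select-String -Pattern $pattern
```

Anything the second half prints is a persistence point: note it, then remove the registry value (Remove-ItemProperty), the shortcut or the task, and only then delete the batch file and the !Submit folder, otherwise the file will just come back as the thread describes.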
Thanks.. I'm just nervous to go into the registry. That and maybe a little lazy :blush: but I'll do it.

And how do I create a .bat file? Or do I just edit the original? <-going to try that

I only have one question I really want you to answer.. what does "@echo off" mean? Thanks for everything. :)
 
OMG I am so relieved. I installed ZoneAlarm, or probably a malicious copy, and Windows would not boot! I fixed the problem by going into safe mode and Add/Remove Programs. I will give the website: http://www.zonelabs.com/store/conte...alm/freeDownload.jsp?dc=12bms&ctry=US&lang=en

I'm not sure, it might be a legit file but most likely not if I can't even boot Windows. :dead: the file name is "zlsSetup_60_667_000" If you download it, it can be deleted without any problems that I can tell. Just don't install.. and if you do, do what I did. Boot in safe mode (press f8 when you hear the noise from bootup or the boot screen) and then go to Start, Control Panel, Add/Remove Programs, and remove it.

It was common sense but I was in so much shock it took me an hour :blush:
 
you obviously have no clue here! lol true

I had another scare today... but I just lost internet because my router is so bad. I am getting a D-Link when I can..

I already have Sygate, but thanks :)

There is no xz.bat in the registry. Do you recommend something else?

And I deleted some things, such as Music Match (I downloaded it but didn't want it - couldn't find an uninstaller), in the registry. Will that harm anything? I also deleted occurrences of Zone Alarm.

And thanks once more.
 
Don't get a D-Link.
Go here and read up about routers, brands, ISPs etc.
http://www.dslreports.com/

And check around in the Networking and Storage forum, to see where and with what brands others have problems!

Whatever you do, always make a backup of your registry first.
And you better prepare for a re-install, the way you are blundering through your registry!
 
music match comes up under the !Submit file, what does that mean?

And I have it backed through Spybot, is that sufficient?
 