Hacktool Rootkit Nightmare...please Help!


klauskinky

Hi everybody,

I got infected by Hacktool Rootkit yesterday, and after spending hours coming to terms with my stupidity and the fact that I fell into the trap like a kid, I am giving up the fight to get rid of the nasty thing via the usual means...you guys are my only hope! The problems are all the same: I run Symantec and the only thing it does is quarantine msdirectx.sys, which keeps reproducing over and over again...I followed Microsoft's instructions, trying the manual delete, but no luck...

I attach my HJT log...
 

Attachment: hijackthis.txt (9 KB)
Firstly, I would like to welcome you to techspot :)

However, it would be greatly appreciated if you would read the stickies at the top of this forum, and then return here and use the 'edit' button to amend your post.
 
Post modified

Dear Spike,

Sorry for overlooking that note at first...I have changed my post, and I hope you'll see something in it that might help to get rid of this hacktool burden!

thanx

K
 
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

msreged32.exe
WebRebates0.exe
PowerReg SchedulerV2.exe OR SchedulerV2.exe

Next, UNinstall (not delete yet) anything to do with:
C:\Program Files\Web_Rebates\WebRebates0.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINDOWS\system32\msreged32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abbonati.libero.it;www.libero.it;*.libero.;*.;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe msreged32.exe
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O2 - BHO: Factiva - {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} - C:\WINDOWS\DOWNLO~1\fcombar.dll
O3 - Toolbar: Factiva - {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} - C:\WINDOWS\DOWNLO~1\fcombar.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: PCSuiteperPanasonicX701 Detect.lnk = ?
O4 - Global Startup: PCSuiteperPanasonicX701 TS.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.it
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} (Factiva) - http://global.factiva.com/toolbar/fcombar.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
 
Thank you my saviour!

Here is what I did:

In Taskmanager/Processes I could NOT find any of the following:
msreged32.exe
WebRebates0.exe
PowerReg SchedulerV2.exe OR SchedulerV2.exe

There was no web_rebates folder in C:\Program Files, though it did show it in the HJT log...so I couldn't delete it

but I DID find traces of all of webrebates, msreged32, fcombar and schedulerV2 in HJT, which I fix-checked and deleted

I deleted all the content of the temp folder

I ran HJT again, and the only thing left was a trace of C:\Program Files\Web_Rebates\ which I still couldn't find in the Program Files folder

I performed an overall search, and the only trace of webrebates was in the Spybot - Search & Destroy folder...there were two zipped files called webrebates, which I removed...

I performed another HJT, which I attach, where no trace of webrebates can be found...

DOES THIS MEAN I AM FINALLY CLEAN???

I owe you big time!

Klaus
 
You are not clean by any means! You either did not follow my instructions, or only a few, or your infection causes an UNDO of whatever you DO.

In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Then repeat my previous instructions. Look for the mentioned files and/or directories again and delete if found.
Then post another log.
 
Dear Realblackstuff,

I have followed again your instructions accurately:

1) Boot in Safe Mode - DONE

2) Switch System restore OFF - DONE

3) Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
msreged32.exe
WebRebates0.exe
PowerReg SchedulerV2.exe OR SchedulerV2.exe
DONE (NONE OF THE ABOVE FOUND)

4) Next, UNinstall (not delete yet) anything to do with:
C:\Program Files\Web_Rebates\WebRebates0.exe
DONE (UNINSTALLED BY USING ADD/REMOVE PROGRAMS)

5) Next, run a HJT scan and place a tick-mark in the little square before (if still there) - DONE (I FIXED AND DELETED 7 ITEMS)


6) Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp - DONE

7) I have turned on "show all files and folders, including hidden and system", but still no sign of Webrebates in Program Files...


After I had done all the above, Symantec stopped popping up the note saying it found and put in quarantine Hacktool Rootkit, which is why I thought I was finally clean. Moreover, I did go through HJT and couldn't find any more traces of the nasty items you mentioned...is there something still there that I can't see?

Also, I have performed a wide search for either webrebates, schedulerv2 or msregedit and I found:

POWERREG SCHEDULERV2.exe in C:\WINDOWS\Prefetch

MSREGED32.exe-1B3D9F38.Pf in C:\WINDOWS\Prefetch

msreged32.exe in C:\WINDOWS\system32 (dated 2002)

Should I delete all of the above? And what else do you think I should do?

I enclose the latest HJT log and startup log....

Thx again,

KK
 
KlausKinky
Yes, delete everything from the prefetch-area.
And your latest HJT log looks remarkably like the first one, with still nearly all the baddies in there. Webrebates was the least of your worries.

Follow IronDuke's advice and run that program.

Try this as well (make sure you can still see all files, system and hidden):
Check for C:\WINDOWS\SYSTEM32\setup32.exe.
Check in Task Manager for the file, end the process, then delete it manually from the SYSTEM32 folder. Empty your recycle bin.
Reboot in safe mode and run another HJT as described in my first procedure. Look if the HJT log looks different.

Also have your PC scanned online by TrendMicro:
http://be.trendmicro-europe.com/consumer/housecall/housecall_launch.php

Best of luck.
 
Trying hard...

Dear RealBlackstuff...

I have downloaded the two programs and will give you an output asap...in the meantime, how safe is it to do internet banking or sensitive stuff like that when infected with these baddies?

Thanx again,

KK
 
Not sure how safe you are unless the "baddies" you have are data-miners. But I would avoid that stuff for now.

If you are on XP, be sure to run in Safe Mode with Networking. Anytime you go back into Normal mode and open a web browser, you could potentially be infecting yourself again!

Follow all RBS's instructions from Safe Mode and don't go back to normal mode until ALL the scans turn up clean!
Run, and update, your ad-aware, spybot search and destroy, hijackthis, and antivirus. You might also look for a program called "BHOCaptor" and run that. You can get all this stuff online AND in Safe Mode if you started Safe Mode with Networking.

Once you run all those scans, and still in Safe Mode, try going to "housecall.trendmicro.com" and do a virus scan from their site, delete whatever it finds.
You may also have bad startups that HJT isn't finding, download "autoruns" from www.sysinternals.com and look through ALL the tabs for suspicious entries.

Lastly, if this infection still remains, even in Safe Mode, it could very well be a service. Pay special attention in autoruns to the services and explorer tabs.

good luck
 
Dear Vigilante,

Thank you for the tips...just one question: how do I understand when a scan is clean, and how do I recognize the baddies in the log??
 
New status...

So here is the latest of the klauskinky saga!

1) Spybot found and deleted:

- DSO Exploit
- BPS spyware remover (which I believe was my other adaware program...nevermind)

2) Norton Antivirus found nothing

3) Trend Micro Housecall found:

VIRUS:

- C:\program files\kazaa\perfectNavUninstaller.exe TROJ KEENVALE
- C:\mibmarccolvn.exe TROJ FEMAD.D
- C:\Q230903.exe TROJ WINSHOW.A
(all deleted)

SPYWARE:

- ADW BADBITOR.A
- ADW PWRSEARCH.A
(all deleted)

4 VULNERABILITIES WERE ALSO FOUND, and they require MS patches

BHO CAPTOR found:

AcroIEHelpObj Class C:\program files\adobe\acrobat6\acrobat\activex\AcrolEHelper.dll

C:\Program Files\Spybot-Search & Destroy\SDHlper.dll

Google toolbar c:\Program Files\googletoolbar1.dll

AcroIEtoolbarhelper.class C:\Program Files\Acrobat\Acrobat6\Acrobat6\Acrobat\AcrobIEFavClient.dll

Also, I attach my latest HJT log and the autoruns log...

Thanx to both of you...here is some material to work on!! :)

KK
 
From Autoruns, I don't recognize this one:

c:\program files\biblioteca microsoft\diziorom\qs96i.exe

Is that some sort of bookshelf or library app? Can't find any info on it.

Sorry, the autoruns logfile is just too dang hard to read. Did you set the option to "hide signed microsoft entries"?

Just follow a few rules here:
Look for any entries that have wacky names. Pay special attention to files in the system and system32 folders. Delete ANY entries that are in a temp folder.
If an item is suspicious to you, just type it into Google and search, you'll quickly find out.
Cause the log is so hard to read, if you're industrious enough, post all the file names :)

As for HJT, remove:
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abbonati.libero.it;www.libero.it;*.libero.;*.;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: PCSuiteperPanasonicX701 Detect.lnk = ?
O4 - Global Startup: PCSuiteperPanasonicX701 TS.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?

This one is a tough one: if you remove it, it could "break" your network and you won't be able to go online; however, if you are having Internet issues, this could be the problem:
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
I would suggest NOT deleting it until you download an LSP repair program such as "WinSockXPFix.exe" which you can download from the link on http://www.iup.edu/house/resnet/winfix.shtm
Once you have this file, then fix this LSP entry. Just in case HJT can't repair the Winsock itself.

Now keep cleaning:
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.it
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: CR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\CR.exe

Once these are removed, scan again and look through them. Almost everything that is GOOD is pretty easy to tell by the path and file name. You can tell if something belongs to one of your programs etc...

When you fix the LSP entry, HJT will do a quick restart, scan again as soon as it does. I don't know why there are entries for "sysinternals" with file names in the temp folder. Could be they are going to remove something on startup? But doesn't matter just remove them.
Then post here again. And post the names from autoruns.
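The rules of thumb in the post above (entries running from a Temp folder, hosts-file overrides, LSP and NameServer entries to verify rather than blindly fix, and the file names named earlier in this thread) can be applied mechanically to an HJT log. The script below is an added illustration, not a tool from this thread or from HijackThis; the sample log is constructed from lines quoted in the thread with a couple of benign entries mixed in, and the "Sysinternals service in Temp" reason reflects the later post explaining that RootkitRevealer creates such a service.

```python
import re

# Constructed sample, modelled on the HJT lines posted in this thread
# (not a real log file; a couple of benign entries are mixed in).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
O1 - Hosts: 198.65.164.168 00hq.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18
O23 - Service: CR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\CR.exe
"""

# "Section - body" shape of every HijackThis line (R0, O4, O23, ...).
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Paths under a user or system Temp directory, in long or 8.3 form.
TEMP_DIR = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\Temp)\\", re.IGNORECASE)
# File names the helpers in this thread told the poster to remove.
NAMED_IN_THREAD = ("msreged32.exe", "webrebates0.exe", "schedulerv2.exe", "setup32.exe")


def parse_hjt(text):
    """Split an HJT log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Apply the thread's rules of thumb; return the entries worth a second look.

    Each finding is a dict with the section, the original body and the reasons.
    """
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        lower = body.lower()
        if section in ("R0", "R1") and "http://" in lower:
            reasons.append("browser search/start page points at an external URL")
        if section == "O1":
            reasons.append("hosts-file entry redirects a domain")
        if section == "O10":
            reasons.append("Winsock LSP: have an LSP repair tool ready before fixing")
        if section == "O17":
            reasons.append("NameServer override: confirm it matches your ISP or dial-up")
        if section == "O23" and "sysinternals" in lower and TEMP_DIR.search(body):
            # Per the thread, RootkitRevealer registers a random-named service
            # in Temp to protect itself; verify before treating it as malware.
            reasons.append("random-named Sysinternals service in Temp: likely RootkitRevealer, verify")
        elif TEMP_DIR.search(body):
            reasons.append("runs from a Temp folder")
        if any(name in lower for name in NAMED_IN_THREAD):
            reasons.append("file name identified as unwanted earlier in this thread")
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['section']}: {'; '.join(f['reasons'])}\n    {f['body']}")
```

Entries with an obviously legitimate path (the QuickTime one here) are left alone; everything flagged still needs the Google check the post recommends before being fixed.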
 
Disaster!! Call 911!!

Dear Vigilantes,

I have followed your instructions and deleted all the baddies, and downloaded WinSockXPFix.exe before deleting asdns.dll...as you mentioned, the internet stopped working, but instead of fixing anything, winsockxpfix simply says..."Nothing to repair!"...not only the internet doesn't work, but the bottom bar where START and the shortcuts usually are is gone!!! so I need to move around using My Computer...when I turned it back on in normal mode, the following message appeared:"Open SnyUtils.dll error, Pls log on Again"...and there seems to be an error with HKServ.exe too!! basically, I'm stuck!! Is there any solution to this????

Thx again...
 
Certainly, don't panic!

By the way, I'm guessing you have another PC that you are posting here from? Anyway, maybe that is not the right winsock fixer. Try http://www.softpedia.com/get/System/System-Miscellaneous/LSPFix.shtml
But look at the warning towards the bottom first about Adaware! (note I never used this one, this is just a quick google for an LSP fix).

If not, cause the one I use is so hard to find, I'll try to get a link to it. Try this: http://www.zacksdomain.com/Software/Utilities/WinsockXPFix.exe

With this one you just click "fix" and it will repair and then restart automatically. This one I use mostly, it works.
---

Next be sure to write down any file names and paths from those errors so you can remember them.
SnyUtils.dll appears to be something with a Sony driver of some kind? Not sure what, maybe a modem or video?
And HKServ.exe is part of a "special buttons" support thing. I gather by these that you have a Sony Laptop. This process enables some of the fancy functions of the special Sony buttons on the keyboard.

Because it's hard to tell what those are part of. My first suggestion would be to download the LSP fixer and get your Internet up first (in safe mode with networking). Then visit Sonys web site and look for new drivers. Particularly for video and keyboard stuff. This should fix the HKServ and SnyUtils errors.

Also, if/when you get Internet back, see if you can do another virus scan from "housecall.trendmicro.com". And see if it's clean.

If you get into Safe Mode but don't have a Start Bar, try pressing ctrl-alt-del and go into Task Manager. Click File-New Task and run "explorer". See what happens.

If all else fails and it looks pretty bad, you may have to just re-install Windows, backup your data. Or even attempt a repair install.

c ya
 
I see the light at the end of the tunnel...

Dear Vigilantes...

After an initial sense of defeat (Internet not working, start bar not appearing etc...) I have managed to find a way around it...I have re-instated the start bar by activating all the services from Autoruns, which were all disabled for some reason...so now all the basic functions are finally back. The Internet is back up, luckily, so all I have to do is find out if the bloody intruder is still there!! I have followed your suggestion and have written down all the services I found on Autoruns, which I attach, along with the latest HJT scan...Let's hope I am now as clean as a baby!! (I doubt it, but at this point hope is all I have left!!) :)

Looking forward to your reply

KK
 
When are you finally going to remove those O15s? You don't trust ANYbody!

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

GUOERCIH.exe
QYVGMSA.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
GUOERCIH.exe
QYVGMSA.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
R3 - Default URLSearchHook is missing
O4 - Global Startup: PowerPanel.lnk = ?
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: GUOERCIH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\GUOERCIH.exe
O23 - Service: QYVGMSA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\QYVGMSA.exe
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].

Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

Boot normal. When all OK, switch System Restore back on.
 
Dear RealBlackStuff (by the way, you make me thirsty every time I look at your pix :) )

Thank you again, and again, and again, for wasting so much time to fix me up.

I did all of the above, and when it got to fixing the global startup item (O4 - Global Startup: PowerPanel.lnk = ?) a window popped up saying: "Error #52 (Bad file name or number) in SubGetLongPath (?.exe)"

...apart from this, it all went pretty smoothly. I deleted all the temp files in Local. One detail: in Documents and Settings/Claudio/Locals (not temp) I found a file called trav_svc.exe dated 2004, with a nasty looking logo...no idea what that thing is...I left it there for now...

Also, when I rebooted the system, I noticed that the google toolbar is gone (I have uninstalled now, since it's not there anymore)...

I have run a new HJT AFTER I rebooted in normal mode and AFTER I turned back on system restore, and it looks pretty ok apart from the following line:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18

which looks pretty nasty to me?!

Let me know if I need to kill this too...

Thx,

KK
 

Attachment: hijackthis.txt (4.5 KB)
You DO want to get rid of name servers. UNLESS you have/need static IP information set. So get rid of:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18

Unless you need it.
A reverse DNS lookup for 154.32.107.18 turned up "res2.dns.uk.psi.net". Doesn't say much. Unless you are "on" psi.net, I would remove this entry.
---------

Also everybody, ROOTKITREVEALER is NOT a bad prog. It is a legitimate program from sysinternals that tries to find virus and spyware behavior in rootkits. Ya, I'm confused too. But basically, in order to NOT be killed by spyware and viruses, the sysinternals tool uses a service and a random filename to avoid being killed. Read about the program at this URL:
http://www.sysinternals.com/Utilities/RootkitRevealer.html

And here was my post on the sysinternals forum about these entries:
http://www.sysinternals.com/Forum/forum_posts.asp?TID=336&PN=1&TPN=1

cheers
 
Will I ever be clean?

Dear Vigilante,

I am not sure I am using that server...I usually connect via a dial-up to something called Fiberlink, a program that connects you wherever you are in the world...but I don't think it has anything to do with psi...how can I be sure it's something I don't need? I wouldn't want to delete my only chance to connect to the internet...
 
Mystery solved...

When I connect to the Internet and run HJT the item is not there anymore...and it only comes back as soon as I connect...so I believe that is my connection.

Apart from that...how does my scan look? Can I consider myself clean?

KK
 