Hacktool.rootkit virus

By nhelp1 · 15 replies
Oct 3, 2009
  1. My antivirus detected a rootkit virus. I tried using the AVG software to remove it. I've lost my desktop and start menu after rebooting. I am running Win XP with SP3. I've booted to safe mode and I still can't see my desktop and start menu. I am able to navigate through ctrl+alt+del task manager - new task. I can't run explorer from task manager, it gives me an error. Can someone please help me?
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  3. nhelp1

    nhelp1 TS Rookie Topic Starter Posts: 42

    Updated posting with attachments. After a reboot, the start menu and desktop reappeared.
  4. nhelp1

    nhelp1 TS Rookie Topic Starter Posts: 42

    Hi, Can you please review the log files and let me know if my system is clean. Thank you.
  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    First of all you need to take action with the mbam log, and you have a lot of crap in the Hijackthis log
  6. nhelp1

    nhelp1 TS Rookie Topic Starter Posts: 42

    I am not knowledgeable about computers - can you please walk me through. Sorry, I'm going to need step by step instructions. Please help me get rid off the virus on my machine.
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Download, install and run free Avast antivirus and Advanced SystemCare free. After running these, run Malwarebytes and delete anything found. Rerun Superantispyware and Hijackthis and repost the 3 logs
  8. momok

    momok TS Rookie Posts: 2,265

    The key thing to note would be to ensure mbam has its actions for detected items set to "quarantine and delete".

    I do not recommend having two antivirus programs on your system due to the possible conflicts that may arise on your system as well as the crazy resources hogged. Since AVG did not do the right job, you may choose to uninstall it before you install any of our recommended antivirus programs.
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Yes Momok, I neglected to say "delete your existing antivirus program" before installing another...
  10. nhelp1

    nhelp1 TS Rookie Topic Starter Posts: 42

    Thank you again for your support. I deleted AVG and am running the Avast Free. No viruses were found by Avast. I installed the Advanced SystemCare Free (log file attached).

    I looked at mbam quarantine from 10/4/09 shows the following:
    Trojan.Agent from folder c:\Program Files\Microsoft Common
    Security.Hijack from registry value HKEY_LOCAL_Machine\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\Explorer.exe\debugger (Data: C:\Program Files\Microsoft Common\Svchost.exe)
    Should I delete the two quarantined items?

    Reran 1. CCleaner, 2. mbam, 3. SuperAntiSpyware (identified and deleted 19 tracking cookies), 4. Hijackthis
    Log files attached. Please guide me on how to remove the baddies from my machine. Thank you again for your time.
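The quarantined registry value in the post above is an Image File Execution Options (IFEO) Debugger hijack: when Windows starts the named image (here Explorer.exe), it launches the Debugger command instead, so the rogue Svchost.exe under Program Files ran in place of the shell. The following is an added example, not code from the thread: it parses a constructed .reg export of the IFEO key and flags Debugger entries that deserve an analyst's attention. The sample entries, the list of core processes and the heuristics are my assumptions.

```python
import re
# Constructed sample .reg export of the IFEO key (not from the thread's machine). Explorer.exe
# mirrors the value MBAM quarantined; notepad.exe is a legitimate WinDbg hook; cmd.exe is odd.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\Svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x86)\\windbg.exe\" -p"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="C:\\Temp\\lsass.exe"
"""

KEY_RE = re.compile(r"^\[.+?\\Image File Execution Options\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)
# Processes the OS starts at logon; a Debugger on these is almost never legitimate.
CORE_PROCESSES = {"explorer.exe", "winlogon.exe", "userinit.exe"}
# Names malware borrows; the genuine binaries live under the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

def parse_ifeo_debuggers(reg_text):
    """Map each IFEO target (lower-cased) to its Debugger command, undoing .reg escaping."""
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        val = VAL_RE.match(line)
        if val and current:
            found[current] = re.sub(r'\\(["\\])', r"\1", val.group(1))
    return found

def debugger_exe(cmd):
    """Return the executable path from a Debugger command (quoted or bare, spaces allowed)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def suspicious_debuggers(debuggers):
    """Heuristic triage: {target: reason} for Debugger entries an analyst should inspect."""
    hits = {}
    for target, cmd in debuggers.items():
        path = debugger_exe(cmd)
        name = path.rsplit("\\", 1)[-1].lower()
        if target in CORE_PROCESSES:
            hits[target] = f"Debugger set on core OS process: {cmd}"
        elif name in SYSTEM_BINARY_NAMES and "\\windows\\" not in path.lower():
            hits[target] = f"system-binary name outside the Windows directory: {path}"
    return hits
```

On a live system the same check can be run against the output of `reg export` for the IFEO key; any hit on explorer.exe should be removed and the referenced binary submitted for analysis rather than simply deleted.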
  11. momok

    momok TS Rookie Posts: 2,265

    You can fix this in Hijackthis.

    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    Apart from that, all your logs turn up clean.

    Yes, you may (in fact you should) proceed to clear all quarantine folders and files from your system.

    Next, run system restore:
    Turn it off then turn it back on again. < this clears any bad stuff still residing in your old restore points.

    After that, I would say you're good to go =)
  12. nhelp1

    nhelp1 TS Rookie Topic Starter Posts: 42

    Momok, Tmagic650,

    Excellent! thank you for sticking with me.
    1. In Hijackthis, I will delete the "O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)"
    2. I will delete the 2 files found in the mbam quarantine
    3. How do I run system restore? Is that through the Advanced System Care Free program?
    4. How do I turn it off then turn it back on again?
  13. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    To turn off System Restore go to Control Panel, System, Advanced, System Restore and uncheck the checked drive(s). This will delete all old restore points. Just recheck the box for the hard drive to restart System Restore...

    Bobbye always got on me for suggesting turning off System Restore, and saying to delete "no name" and "file missing" notations in a Hijack log. Is Bobbye right or wrong?
  14. momok

    momok TS Rookie Posts: 2,265

    Hm.. good question. The recommended action to take with system restore is to leave it until last; after we are more or less pretty sure the user is clean, before we clear the restore points.

    The rationale for this is because in rare situations, we may encounter a case so difficult to handle it may even prove a problem just doing simple tasks in windows. Then we still have the option of trying a system restore to an earlier point. Even if that point was infected, it would still most likely be an easier situation to handle.

    I guess the issue on the (file missing) entries is pretty subjective depending on experience. If the entry is legit, I usually don't try to fix it more than once if it returns. A common example would be the O2 Windows Live Messenger entry. It is always nameless, and always returns even when fixed in HJT. A good source to check O2 entries would be http://www.downloads.subratam.org/startuplist.html

    Some places where legit entries persist in HJT are O2, O9 and O23. I can't recall if there are others though.
  15. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Thanks so much Momok... The Startup List, a good resource!
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Bobbye told you that you do NOT drop the System Restore points at the beginning of the cleaning, but rather at the end. Bobbye also told you that not all files that say "file missing" are actually really missing: for instance, the Yahoo Toolbar always shows up as 'file missing' - it isn't.

    Feel free to send me a PM if there is anything else you would like to ask.