Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

rheographics

3 Posts

697

September 9th, 2007 04:00

hacktool.rootkit and logfile from Hijackthis

Hi there,
I have been having this problem for 2-3 days now.
 
Recently something happened to my computer. I have Norton Internet Security installed on my computer.
 
 
There was a change in my computer setting which i found weird. Whenever i click on my computer and i enter one of the drives(example D: or E:) , i nstead of opening it in the same window a new window will open. I tried changing the setting to open in the same window, but it does not help.
 
Right after that happens, a pop up notification is give from Norton that they have blocked Hacktool.rootkit.
 
I scanned my computer updated my virus list and i also have spybot installed updated and scanned using that too.
 
the problem is still there... I installed HJT alr3eady and this is my log.
Thanks
 
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:44 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\cisvc.exe
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\tcpsvcs.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
E:\WINDOWS\system32\cidaemon.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rheographics.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - E:\WINDOWS\IECodecPl.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] E:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] E:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R250 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHP.EXE /P30 "EPSON Stylus Photo R250 Series" /O6 "USB001" /M "Stylus Photo R250"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [avpa] E:\WINDOWS\system32\avpo.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10727 bytes


Message Edited by rheographics on 09-09-2007 01:19 PM

1972vet

3.3K Posts

September 9th, 2007 09:00

Copy the data below in Bold text to Notepad and save it to your Desktop as "findthese.bat" but without those quote marks. 

@ECHO Searching ...
@ECHO off
dir "%SYSTEMDRIVE%"\bdldr.dll /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "%SYSTEMDRIVE%"\fx3_s.exe /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "C:\Windows\System32\drivers\bypass.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "C:\Windows\System32\drivers\m11j.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "C:\Windows\System32\drivers\r!3.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "C:\Windows\System32\drivers\kdjhsg.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt


Now double click on the .bat file on your Desktop and allow the batch to run. When it completes the command prompt window will disappear. At this point, navigate to:
C:\found.txt and Double-Click the text file. Copy the contents and paste it back here in this thread. Thanks!

rheographics

3 Posts

September 9th, 2007 11:00

Hi,
 
i did the following and nothing happened. The found.txt was empty. I kind of guessed it was because i installed windows on E drive. Anyway i changed the c:/ to e:/  and did the search again.
 
@ECHO Searching ...
@ECHO off
dir "%SYSTEMDRIVE%"\bdldr.dll /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir"%SYSTEMDRIVE%"\fx3_s.exe /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\bypass.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\m11j.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\r!3.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\kdjhsg.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
 
 
Found.txt came up with this
 
" Volume in drive E has no label.
 Volume Serial Number is 48DC-DEF4"
 
 
thats all. .

1972vet

3.3K Posts

September 9th, 2007 19:00

Quote: i did the following and nothing happened. The found.txt was empty. I kind of guessed it was because i installed windows on E drive.
Good move. After attending a funeral for a friend yesterday who lost their 20 year old son, and having gone about 28 hours with no sleep and still resolving more than 20 different user's log requests for assistance, I would say the oversight is understandable...I apologize nonetheless.

Anyway i changed the c:/ to e:/ and did the search again.
Well, you changed more than the drive letter I can see...regardless, as it appears the search didn't find a single one of those files because you don't have the malware hacktool.rootkit on your system.

Norton is well known for reporting a false positive regarding that particular malware...when did you last update your application?

Please perform a scan with F-Secure Online Scanner
Follow the directions in the F-Secure page for proper Installation.
1. Scroll down and click the" Start scanning" button.
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click " Install ActiveX component".
4. Read the license agreement and click " Accept".
5. Click " Custom Scan" and be sure the following are checked:
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics
6. When the scan completes, click the " I want to decide item by item" button.
7. For each item found, Select " Disinfect" and click " Next".
8. When done, click the " Show Report" button, then copy and paste the entire report into your next reply.

rheographics

3 Posts

September 19th, 2007 14:00

hello, i am back. . .
 
I tried downloading the scanner a few times but failed.
I did manage to after quite a number of times. but the scan was too long. I was doing it right after finished my work to get ready for bed, the wait was too long!
 
Anyway a few times, it managed to detect tracking cookies. But that was about all it managed to find.
 
I gave up in the end. I just transfered my important documents, reformatted the pc and installed everything again.
Now i am using AVG.
 
 
Originally was i using an expired version of Norton Antivirus 2004, and it worked great. My computer was so fast.
Then just recently i bought 2007 Norton Security and right after that, my computer speed dropped tremendously. Along with the hacktool problem. .
 
 
Anyway I have only one last problem nwo which i cannot seem to solve.
The "My computer" Icon is on my desktop. I double click to open it and now when i open any drive, it asks me wat program i want to use to open. And i cannot check the box that says "always use this program".   However If i use the folder tree, it works fine. I have never had such problems in all my years of using windows till now. . i wonder if it has to do with the virus. .


Message Edited by rheographics on 09-19-2007 11:56 PM

1972vet

3.3K Posts

September 19th, 2007 15:00

Since you reformatted, the hjt issue should be cleared. Any virus should have been wiped as well with the reformat.

You should post your issue in the windows xp forum now since it's not a hjt issue. Thanks!

Was this post helpful?

View All

0 events found

No Events found!

Top