hacktool.rootkit and logfile from Hijackthis

Question

Hi there, I have been having this problem for 2-3 days now.   Recently something happened to my computer. I have Norton Internet Security installed on my computer.     There was a change in my computer setting which i found weird. Whenever i click on my computer and i enter one of the drives(example D: or E:) , i nstead of opening it in the same window a new window will open. I tried changing the setting to open in the same window, but it does not help.   Right after that happens, a pop up notification is give from Norton that they have blocked Hacktool.rootkit.   I scanned my computer updated my virus list and i also have spybot installed updated and scanned using that too.   the problem is still there... I installed HJT alr3eady and this is my log. Thanks       Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:08:44 PM, on 9/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe E:\WINDOWS\system32\spoolsv.exe E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe E:\Program Files\Bonjour\mDNSResponder.exe E:\WINDOWS\system32\cisvc.exe E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe E:\Program Files\Common Files\LightScribe\LSSrvc.exe E:\WINDOWS\system32
vsvc32.exe E:\WINDOWS\system32	cpsvcs.exe E:\WINDOWS\Explorer.EXE E:\WINDOWS\System32\snmp.exe E:\WINDOWS\system32\svchost.exe E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe E:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe E:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe E:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe E:\WINDOWS\system32\cidaemon.exe E:\Program Files\MSN Messenger\msnmsgr.exe E:\Program Files\Internet Explorer\IEXPLORE.EXE E:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rheographics.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - E:\WINDOWS\IECodecPl.dll (file missing) O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SW20] E:\WINDOWS\system32\sw20.exe O4 - HKLM\..\Run: [SW24] E:\WINDOWS\system32\sw24.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe O4 - HKLM\..\Run: [EPSON Stylus Photo R250 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHP.EXE /P30 'EPSON Stylus Photo R250 Series' /O6 'USB001' /M 'Stylus Photo R250' O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray O4 - HKLM\..\Run: [QuickTime Task] 'E:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [Acrobat Assistant 8.0] 'D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe' O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE O4 - HKLM\..\Run: [ccApp] 'E:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [osCheck] 'E:\Program Files\Norton Internet Security\osCheck.exe' O4 - HKLM\..\Run: [Symantec PIF AlertEng] 'E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe' /a /m 'E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll' O4 - HKCU\..\Run: [Skype] 'E:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [avpa] E:\WINDOWS\system32\avpo.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - E:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satelliteaysat_3dsmax9_32server.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32
vsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 10727 bytes Message Edited by rheographics on 09-09-2007 01:19 PM

1972vet · Answer

Copy the data below in Bold text to Notepad and save it to your Desktop as 'findthese.bat' but without those quote marks. @ECHO Searching ...@ECHO offdir '%SYSTEMDRIVE%'\bdldr.dll /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txtdir '%SYSTEMDRIVE%'\fx3_s.exe /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txtdir 'C:\Windows\System32\drivers\bypass.sys' /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txtdir 'C:\Windows\System32\drivers\m11j.sys' /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txtdir 'C:\Windows\System32\drivers\r!3.sys' /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txtdir 'C:\Windows\System32\drivers\kdjhsg.sys' /q/a/o:gn/s/x > '%SYSTEMDRIVE%'\found.txt Now double click on the .bat file on your Desktop and allow the batch to run. When it completes the command prompt window will disappear. At this point, navigate to: C:\found.txt and Double-Click the text file. Copy the contents and paste it back here in this thread. Thanks!

rheographics · Answer

Hi,

i did the following and nothing happened. The found.txt was empty. I kind of guessed it was because i installed windows on E drive. Anyway i changed the c:/ to e:/ and did the search again.

@ECHO Searching ...
@ECHO off
dir "%SYSTEMDRIVE%"\bdldr.dll /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir"%SYSTEMDRIVE%"\fx3_s.exe /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\bypass.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\m11j.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\r!3.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt
dir "E:\Windows\System32\drivers\kdjhsg.sys" /q/a/o:gn/s/x > "%SYSTEMDRIVE%"\found.txt

Found.txt came up with this

" Volume in drive E has no label.
Volume Serial Number is 48DC-DEF4"

thats all. .

1972vet · Answer

Quote: i did the following and nothing happened. The found.txt was empty. I kind of guessed it was because i installed windows on E drive. Good move. After attending a funeral for a friend yesterday who lost their 20 year old son, and having gone about 28 hours with no sleep and still resolving more than 20 different user's log requests for assistance, I would say the oversight is understandable...I apologize nonetheless. Anyway i changed the c:/ to e:/ and did the search again. Well, you changed more than the drive letter I can see...regardless, as it appears the search didn't find a single one of those files because you don't have the malware hacktool.rootkit on your system. Norton is well known for reporting a false positive regarding that particular malware...when did you last update your application? Please perform a scan with F-Secure Online Scanner Follow the directions in the F-Secure page for proper Installation. 1. Scroll down and click the' Start scanning' button. 2. You may receive an alert on the address bar at this point to install the ActiveX control. 3. Click on that alert and then click ' Install ActiveX component'. 4. Read the license agreement and click ' Accept'. 5. Click ' Custom Scan' and be sure the following are checked: Scan whole System Scan all files Scan whole system for rootkits Scan whole system for spyware Scan inside archives Use advanced heuristics 6. When the scan completes, click the ' I want to decide item by item' button. 7. For each item found, Select ' Disinfect' and click ' Next'. 8. When done, click the ' Show Report' button, then copy and paste the entire report into your next reply.

rheographics · Answer

hello, i am back. . .

I tried downloading the scanner a few times but failed.

I did manage to after quite a number of times. but the scan was too long. I was doing it right after finished my work to get ready for bed, the wait was too long!

Anyway a few times, it managed to detect tracking cookies. But that was about all it managed to find.

I gave up in the end. I just transfered my important documents, reformatted the pc and installed everything again.

Now i am using AVG.

Originally was i using an expired version of Norton Antivirus 2004, and it worked great. My computer was so fast.

Then just recently i bought 2007 Norton Security and right after that, my computer speed dropped tremendously. Along with the hacktool problem. .

Anyway I have only one last problem nwo which i cannot seem to solve.

The "My computer" Icon is on my desktop. I double click to open it and now when i open any drive, it asks me wat program i want to use to open. And i cannot check the box that says "always use this program". However If i use the folder tree, it works fine. I have never had such problems in all my years of using windows till now. . i wonder if it has to do with the virus. .

Message Edited by rheographics on 09-19-2007 11:56 PM

1972vet · Answer

Since you reformatted, the hjt issue should be cleared. Any virus should have been wiped as well with the reformat.

You should post your issue in the windows xp forum now since it's not a hjt issue. Thanks!

Virus & Spyware

Was this post helpful?