TheTechGuide Forum
General Category => Tech Clinic => Topic started by: electroguy on November 05, 2005, 07:21:34 AM
-
Hi there again,
Last time I had a great help by removing a virus. Now a friend of mine got a big problem.
He formatted his computer. Norton recovered the Hacktool.root kit virus. He can't remove it. His connection with the internet isn't established. Can anybody give me some instructions or tools to remove this virus?
Thanx in advance
-
His connection with the internet isn't established
So he never went online but he got an infection anyways
Or do you mean he can't get online since the infection ?
I think I'll need to see a Hijackthis log, remember to save it to a permanent folder on the drive
You can transfer it from one computer to the other
It's very small in size
-
Here's the hjt log file:
Logfile of HijackThis v1.99.1
Scan saved at 21:18:25, on 6-11-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\pa\Mijn documenten\hijackthis.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Norton Antivirus gives a msdirectx file on C:\ as being infected. Deleting this file makes no difference. After rebooting it's there again.
-
Did you already try some fixes with Hijackthis?????
I don't see any O4 entries in this log
If this is the case
Open Hijackthis>>View a list of backups
RESTORE all backups
Are you disabling any entries from running on startup
If this is the case, run msconfig and enable everything on startup
If any of the above is true, Please restart the computer and post a fresh hijackthis log
We need to get this computer online, or it will be tough for you to get it back to normal
It has no Windows updates on it and that leaves it open for security risks
If you didn't disable anything on startup or haven't used Hijackthis yet
You may have to Uninstall all of Norton's and see if you can get online
It looks as it has been compromised anyways
Can you try something for me please
Restart the computer in safe mode with networking
Do this for minimal time
Can you get online with the machine???
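
The check described in the reply above (a log with no O4 autostart entries, and nothing that explains the file Norton keeps finding), as an added example that is not part of the original thread. The sample log is constructed in the layout quoted here, and `parse_hjt`, `review_hints` and `flagged_name` are hypothetical names used for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 layout quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:18:25, on 6-11-2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# HijackThis entry lines start with a section code such as R1, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry, ...]})."""
    processes, entries, in_processes = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].append(match.group(2))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.append(line)
    return processes, dict(entries)

def review_hints(text, flagged_name=None):
    """Hints for a helper; flagged_name is a file the AV reported (optional)."""
    processes, entries = parse_hjt(text)
    hints = []
    # O4 lists Run-key and Startup-folder autostarts. The helper in this thread
    # reads their absence as a sign that items were already fixed or disabled.
    if "O4" not in entries:
        hints.append("no O4 entries: restore HijackThis backups, "
                     "re-enable startup items, then rescan")
    if flagged_name:
        lines = processes + [e for group in entries.values() for e in group]
        if not any(flagged_name.lower() in item.lower() for item in lines):
            hints.append(f"nothing in the log references '{flagged_name}': "
                         "whatever recreates it is not shown in this log")
    return hints

if __name__ == "__main__":
    for hint in review_hints(SAMPLE_LOG, flagged_name="msdirectx"):
        print(hint)
```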
-
Thanx for all the help.
The computer has been formatted and reinstalled. We did a complete fix with hjt.
We're now trying to update windows and fix the whole computer and see if we will get it online. Then we check if it has any viruses. If so we will contact again.
Thanx again
-
We did a complete fix with hjt
In the future, if you need a hand with a Hijackthis log, don't fix anything until I get a chance to look it over
If you don't mind
Hiding the bad guys doesn't help me out at all.......
I'll lock this up
Take care