Author Topic: Hachtool.root kit

Offline electroguy

Hachtool.root kit
« on: November 05, 2005, 07:21:34 AM »
Hi there again,

Last time I had great help removing a virus. Now a friend of mine has a big problem.

He formatted his computer. Norton recovered the Hacktool.root kit virus. He can't remove it. His connection with the internet isn't established. Can anybody give me some instructions or tools to remove this virus?

Thanks in advance

Offline guestolo

Hachtool.root kit
« Reply #1 on: November 06, 2005, 01:30:02 AM »
Quote
His connection with the internet isn't established

So he never went online but he got an infection anyway :blink:
Or do you mean he can't get online since the infection?

I think I'll need to see a HijackThis log; remember to save it to a permanent folder on the drive.
You can transfer it from one computer to the other; it's very small in size.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline electroguy

Hachtool.root kit
« Reply #2 on: November 06, 2005, 04:22:37 PM »
Here's the hjt log file:
Logfile of HijackThis v1.99.1
Scan saved at 21:18:25, on 6-11-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\pa\Mijn documenten\hijackthis.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Norton AntiVirus flags an msdirectx file on C:\ as infected. Deleting this file makes no difference; after rebooting it's there again.

Offline guestolo

Hachtool.root kit
« Reply #3 on: November 06, 2005, 04:41:52 PM »
Did you already try some fixes with HijackThis?

I don't see any O4 entries in this log.

If this is the case:
Open HijackThis >> View a list of backups
RESTORE all backups

Are you disabling any entries from running on startup?
If this is the case, run msconfig and enable everything on startup.

If any of the above is true, please restart the computer and post a fresh HijackThis log.

We need to get this computer online, or it will be tough for you to get it back to normal.

It has no Windows updates on it, and that leaves it open to security risks.

If you didn't disable anything on startup or haven't used HijackThis yet:

You may have to uninstall all of Norton's and see if you can get online.
It looks as if it has been compromised anyway.

Can you try something for me please?
Restart the computer in safe mode with networking.
Do this for a minimal time.
Can you get online with the machine?

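As an added example (not code from this thread, from HijackThis, or from thetechguide.com), the Python script below runs the checks the reply above makes over the log posted in Reply #2: it tallies entries per section, flags a log with no O4 startup entries, flags a Platform line that carries no service-pack tag, and parses the O23 service entries so that a service binary living outside the Windows or Program Files directories stands out. The sample log is constructed from the lines quoted in the thread; the trusted-directory list, the regular expressions and the finding texts are the example's own assumptions.

```python
"""Triage checks for a HijackThis v1.99 log (added example, not HijackThis code).
SAMPLE_LOG is constructed from the lines quoted in the thread."""
import re

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:18:25, on 6-11-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\pa\Mijn documenten\hijackthis.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (.+?) \((.+?)\)\s+-\s+(.+?)\s+-\s+(.+)$")
# Assumed: where a legitimately installed service binary is expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return (Platform line, running processes, {section: [entry bodies]})."""
    platform, processes, entries, in_procs = "", [], {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Platform:"):
            platform = line
        elif line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line closes the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)  # O4, O23 and similar section entries
            if m:
                entries.setdefault(m.group(1), []).append(m.group(2))
    return platform, processes, entries


def section_counts(entries):
    """Entries per section; an absent O4 key is the tell the reply picks up on."""
    return {section: len(bodies) for section, bodies in entries.items()}


def services(entries):
    """O23 bodies as (display name, short name, company, binary path) tuples."""
    return [m.groups() for m in map(SERVICE_RE.match, entries.get("O23", [])) if m]


def triage(text):
    """Findings a helper would raise before suggesting any fixes."""
    platform, _processes, entries = parse_hjt(text)
    findings = []
    if "O4" not in entries:
        findings.append("no O4 startup entries: items were fixed in HijackThis or "
                        "disabled in msconfig; restore the backups and post a fresh log")
    if platform and " SP" not in platform:   # HJT prints e.g. 'Windows XP SP2'
        findings.append("no service pack in Platform line: unpatched install")
    for _name, short, _company, path in services(entries):
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"service {short} runs from an unusual path: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("!", finding)
    for svc in services(parse_hjt(SAMPLE_LOG)[2]):
        print(*svc, sep=" | ")
```

Run against the log from Reply #2 it reports exactly the two things the reply raises (no O4 entries, no service pack); the eight O23 services all resolve to Windows or Program Files paths, so none is flagged. Feeding it a log that carries an O23 entry pointing at the root of C:\ would add a third finding, which is the kind of thing to look for when a file keeps reappearing after reboot.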
Offline electroguy

Hachtool.root kit
« Reply #4 on: November 07, 2005, 01:39:13 PM »
Thanks for all the help.

The computer has been formatted and reinstalled. We did a complete fix with HJT.

We're now trying to update Windows and fix the whole computer and see if we can get it online. Then we'll check if it has any viruses. If so, we will contact you again.

Thanks again

Offline guestolo

Hachtool.root kit
« Reply #5 on: November 07, 2005, 09:33:16 PM »
Quote
We did a complete fix with hjt

In the future, if you need a hand with a HijackThis log, don't fix anything until I get a chance to look it over,
if you don't mind.

Hiding the bad guys doesn't help me out at all.

I'll lock this up.
Take care :)
