[JimS34]

Hi, first time using this site and I'm hoping you will be able to assist me. One week ago my system did a scheduled full system scan (Norton Anti-Virus 2006, updated and current) and discovered the Hacktool.Rootkit virus but would not quarantine or remove it, stated it needed to be removed manually. My system is a Pentium 4 2.0 Ghz, with Windows XP. I searched the registry but did not find any reference to this. Any assistance would be greatly appreciated. JimS34

[Advertisements]

Hi there,

Welcome to GeeksToGo.

According to your description, I need to give you the following warning before proceeding to see if we can clean your machine:

Important information: You have signs of a backdoor trojan and/or rootkit on your system (more info). These have the potential to harvest confidential data, and require special attention. Although rare, identity theft, or other fraudulent financial activity is a possibility. We generally have good success removing all signs of these infections. However, if you have adequate backups, required media (CDs), and the ability, at this point it would be wise to consider reformatting and reinstalling your operating system and applications. We can provide you with some helpful links if needed.

If you used the infected system for online banking, any online financial transactions (including eBay and Paypal), or access any sensitive information online, please use a known clean computer, and change your passwords as soon as possible. It would also be wise to contact those same financial institutions to let them know your account information and passwords may have been compromised. Closely monitor all bank and credit card statements. In the event you do notice suspicious activity, it's important you act quickly. Follow these steps recommended by the FTC: Defend: Recover From Identity Theft

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you have word wrap turned off in Notepad. To do this, open Notepad, choose Format, then ensure Word Wrap is Un-checked. (Word Wrap makes reading your logs difficult).

Next, I would like to make sure that you can view hidden files and folders;

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading SELECT Show hidden files and folders.
• UNCHECK the Hide protected operating system files (recommended) option.
• UNCHECK the Hide extensions for known file types option.
• Click Yes to confirm.
• Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DDS and save it to your desktop. Disable any script blocking protection programs. If you are unsure of how to disable these programs, please refer to this page for details.

• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

Please include the contents of the following in your next reply:

• DDS.txt
• Attach.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:

• The contents of both DDS.txt and Attach.txt
• The contents of GMER.txt

Please make a separate post for each log.

Regards,
RatHat

[RatHat]

Hi there,

Welcome to GeeksToGo.

According to your description, I need to give you the following warning before proceeding to see if we can clean your machine:

Important information: You have signs of a backdoor trojan and/or rootkit on your system (more info). These have the potential to harvest confidential data, and require special attention. Although rare, identity theft, or other fraudulent financial activity is a possibility. We generally have good success removing all signs of these infections. However, if you have adequate backups, required media (CDs), and the ability, at this point it would be wise to consider reformatting and reinstalling your operating system and applications. We can provide you with some helpful links if needed.

If you used the infected system for online banking, any online financial transactions (including eBay and Paypal), or access any sensitive information online, please use a known clean computer, and change your passwords as soon as possible. It would also be wise to contact those same financial institutions to let them know your account information and passwords may have been compromised. Closely monitor all bank and credit card statements. In the event you do notice suspicious activity, it's important you act quickly. Follow these steps recommended by the FTC: Defend: Recover From Identity Theft

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you have word wrap turned off in Notepad. To do this, open Notepad, choose Format, then ensure Word Wrap is Un-checked. (Word Wrap makes reading your logs difficult).

Next, I would like to make sure that you can view hidden files and folders;

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading SELECT Show hidden files and folders.
• UNCHECK the Hide protected operating system files (recommended) option.
• UNCHECK the Hide extensions for known file types option.
• Click Yes to confirm.
• Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DDS and save it to your desktop. Disable any script blocking protection programs. If you are unsure of how to disable these programs, please refer to this page for details.

• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

Please include the contents of the following in your next reply:

• DDS.txt
• Attach.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:

• The contents of both DDS.txt and Attach.txt
• The contents of GMER.txt

Please make a separate post for each log.

Regards,
RatHat

[RatHat]

Do you still require assistance with this log?

Regards,
RatHat

[RatHat]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.