Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 12306

Jun 17th, 2005

Hacktool.rootkit virus in WinXP

Expand Post »

Hi,
My Norton Antivirus detects the Hacktool.rootkit virus but is unable to delete it as it says that the msdirect.sys file cannot be accessed.
This is an annoying problem as the error window from Norton keeps popping up, and I need to disable Autoprotect to proceed. Hope someone can help me out with this.

See below my Hijackthis log:
---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:01:37 PM, on 6/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\navupdts.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
D:\Rahul\dload\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe changeme.exe
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} -

C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670}

- C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} -

C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec

Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE

/STARTUP
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

-quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program

Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Download with &DAP -

C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP -

C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} -

C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O17 -

HKLM\System\CCS\Services\Tcpip\..\{97532E07-3B59-4A1A-B520-5FF023D3B626

}: NameServer = 202.54.10.2 202.54.1.30
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation

- C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner -

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) -

Symantec Corporation - C:\Program Files\Norton Internet

Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe

Regards,
Rahul.

Similar Threads

HackTool.Rootkit virus - Help Needed in Viruses, Spyware and other Nasties
Unable to completely remove HackTool.Rootkit virus in Viruses, Spyware and other Nasties
Hacktool.Rootkit virus, round 2! in Viruses, Spyware and other Nasties
Unable to completely remove HackTool.Rootkit virus in Viruses, Spyware and other Nasties
Another HijackThis Log for hacktool.rootkit virus in Viruses, Spyware and other Nasties

rahulgbe

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Jun 2005

Permalink

Jun 18th, 2005

Re: Hacktool.rootkit virus in WinXP

Hi Rahul, welcome to DaniWeb

First, you should go to Windows Update and get SP1a for both XP and IE.

Then go here and follow the instructions:
http://securityresponse.symantec.com...l.rootkit.html

After you've done that, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213

Team Colleague

Reputation Points: 63

Solved Threads: 213

Posting Maven

Offline

2,962 posts
since Jul 2004

Permalink

Jun 21st, 2005

Re: Hacktool.rootkit virus in WinXP

Quote originally posted by dlh6213 ...

Hi Rahul, welcome to DaniWeb

First, you should go to Windows Update and get SP1a for both XP and IE.

Then go here and follow the instructions:
http://securityresponse.symantec.com...l.rootkit.html

After you've done that, close any open browser windows, scan with hijackthis, and post a new log please.

Hey dlh,
Thanks. I am currently in the process of downloading SP2 for WinXP, as
Windows update allows me to download SP2, bypassing the SP1a install.
Hope SP2 would have these security issues rectified.
As SP2 is a few 100MB, its taking me some time to download. Let me know
if I'll be able to get rid of the hacktool.rootkit virus with this new ServicePack
of XP.

Rahul.

rahulgbe

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Jun 2005

Permalink

Jun 21st, 2005

Re: Hacktool.rootkit virus in WinXP

It's best to wait until your system is clean before getting SP2.

SP2 won't fix the hacktool problem, you need to follow the instructions from Symantec to remove it.

After you've finished the updates and the hacktool removal procedure, please post a new log.

dlh6213

Team Colleague

Reputation Points: 63

Solved Threads: 213

Posting Maven

Offline

2,962 posts
since Jul 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Spyware and Adware won't go away!

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: homepage hijack please help!

DaniWeb Message

Cancel Changes

User Name
Password