I booted my machine this morning to find Norton reporting that I had the Hacktool.Rootkit trojan. It reported that it had delted the file successfully and I rebooted without any problem. A subsequent Full system scan didn't detect any further infections, and I reboted again without any problem. I'm currently running another full system scan just to be sure :)

My main question is how could I have contracted this virus? I run XPsp2 and Norton Internet Security & keep it up to date. I run a scan weekly. I have both Norton's firewall and my router's firewall running. I haven't downloaded and installed any new software recently (as in not for 6 months) and generally only use download.com if I do. I'm cautious about running any email attachments unless I've scanned them myself (and I haven't done this for months on this machine anyway). Given all this I'm concerned that I still managed to get this nasty virus and if possible I'd like to know how I got it so I can avoid making the same mistake twice! I've tried searching these forums and google but couldn't find any information about how this particular virus spreads.

I've not detected any unusual activity on this computer, but would also like to know, if possible, how worried I need to be about any security breach and whether Norton will have properly removed it.

Thanks for your help.

Recommended Answers

All 3 Replies

Do a google for AVG AntiRootkit Free Edition by Grisoft. Download + run it.

Sometimes norton derects false positives. What apears to be rootkits can sometimes be legitimate activities by the windoew O/S as most rootkits use a hidden layer of the NTFS filesystem to hide themselces in.

Its possiblt you got it from a web addon , activex control or something like that though. The one currently going around is this one:


Thanks for the reply - that was very helpful.
AVG didn't turn anything up after a deep scan, which is a relief.
The file Norton identified and deleted was c:\documents and settings ... \local settings\temp\imspqmn.sys if that helps anyone work out where I picked this up (I use Firefox instead of IE).

If you haven't done this, reboot in Safe Mode and run the full scan again... we just had to deal w/ this at work. My guess is that this came from a web site you visited.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.