As a new poster I am not certain of the normal procedure on here, so please bear with me. In short, my Norton security has told me of a hacktool.rootkit infection but is unable to delete the file. This results in a continual Norton warning pop-up referring to the infection, which is driving me crazy. Middle age was never meant to be so annoying. Many thanks in anticipation.


Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Try this scan at Panda as well.

The scan here does not require an active X install, but uses java instead.
http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Thanks for the advice, I will get through all of the suggestions and repost as soon as I can.

Many thanks

The online scans which you suggested seem to have done the trick. Thanks for your help. I now have my sanity back - well, almost!

You are welcome :).

Logfile of HijackThis v1.99.1
Scan saved at 0:15:02, on 2005-7-2
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
E:\Downloads\PowerDVD 5.0\PDVDServ.exe
C:\WINDOWS\VM_STI.EXE
E:\Applications\Adobe Acrobat 7.0 Pro\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\APPLIC~1\WINFAX~1.02\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
e:\Applications\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
e:\Applications\flexlm\i486_nt\obj\ptc_d.exe
E:\Applications\Norton Utilities\NPROTECT.EXE
E:\APPLIC~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\!WNM\wnb2.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\金山霸2003医学版\xdict.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Applications\Adobe Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B49DEB0-7E18-4792-BDDF-25C60C09D7EE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\DOWNLO~1\SPYBOT~1.3\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\DOWNLO~1\FLASHG~1.62\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\DOWNLO~1\FLASHG~1.62\fgiebar.dll
O3 - Toolbar: 电(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\dllcache\tintsetp.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\dllcache\tintsetp.exe /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ScRunCdRomSetupExe] H:\USBDRV\..\setup.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [RemoteControl] E:\Downloads\PowerDVD 5.0\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "E:\Downloads\CloneCD5.1\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Anyvision USB PC Camera
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Applications\Adobe Acrobat 7.0 Pro\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "e:\downloads\quicktime 6.5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QD FastAndSafe] E:\Applications\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [WFXSwtch] e:\APPLIC~1\WINFAX~1.02\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Downloads\MS Antispyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [menu12] C:\WINDOWS\_DlrApps\menu12.exe /astart
O4 - HKCU\..\Run: [Skype] "E:\Downloads\Skype\Skype.exe" /nosplash /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Applications\Adobe Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用网际快车下载 - E:\Downloads\FlashGet1.62\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - E:\Downloads\FlashGet1.62\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义 - E:\Downloads\腾讯QQ 2005 Beta 1 瑚虫版 V3.1.2\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\Downloads\腾讯QQ 2005 Beta 1 瑚虫版 V3.1.2\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信该图片 - E:\Downloads\腾讯QQ 2005 Beta 1 瑚虫版 V3.1.2\qq\SendMMS.htm
O9 - Extra button: 信检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\APPLIC~1\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - D:\金山霸2003医学版\XDictExB.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\Downloads\QQ2004II\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\Downloads\QQ2004II\QQ.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\DOWNLO~1\FLASHG~1.62\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\DOWNLO~1\FLASHG~1.62\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall 在线扫毒) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F2EB8999-766E-4BF6-AAAD-188D398C0D0B} - http://www4.cmbchina.com/download/pb42.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F61A7BF-01C2-41E0-8127-BAD0A1B8558B}: NameServer = 202.96.134.133 202.96.128.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC06D7C-D8B1-442A-BBBD-B0371A32F03A}: NameServer = 202.96.134.133
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\金山霸2003医学版\XDictExB.dll (file missing)
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: FLEXlm server for PTC - GLOBEtrotter Software Inc. - e:\Applications\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Norton AntiVirus 自动防护务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Applications\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\APPLIC~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I CAN NOT GET RID OF IT USING ON-LINE SCAN, THE SCAN DOES NOT WORK AT ALL.
ABOVE IS MY LOG FILE. HOW TO KILL Hacktool.Rootkit ???????
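
A HijackThis log like the one posted above is usually read section by section. The following is an added example, not part of the thread and not HijackThis's own code, that parses entry lines and lists the ones a helper would typically review first; the function names and the three review rules are assumptions chosen for illustration, and the sample is a few lines copied from that log.

```python
import re

# Constructed sample: six entry lines copied from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: (no name) - {1B49DEB0-7E18-4792-BDDF-25C60C09D7EE} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\Downloads\QQ2004II\QQ.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# HijackThis entry lines start with a section code such as F2, O4 or O23.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section_code, body) for every entry line; headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(log_text):
    """Return (code, reason, body) for entries worth reviewing first."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2" and "userinit=" in body.lower():
            # Everything listed in UserInit runs at logon; list what is there besides userinit.exe.
            programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
            extras = [p for p in programs if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extras:
                findings.append((code, "UserInit also starts: " + ", ".join(extras), body))
        elif body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "entry reports no file or a missing file", body))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service listed with unknown owner", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

A flagged line is a prompt to look the file up, not a verdict; legitimate drivers and leftover registry entries match these rules too.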

Hi cxcworldwide.

First of all, welcome to Daniweb.

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.
