Hacktool.Rookit

Question

TheGu3st 0 Newbie Poster

18 Years Ago

:cry:
My Sysmantec Antivirus has been continuously popping up with a message every 10 seconds or so telling me that I have a virus named hacktool.rookit on my computer. I currently have a whooping 493 items of this same virus in my quarantine and it doesnt seem like it will ever stop.

The folder it says is infected is:
C:\WINDOWS\system32\hpdriver.sys

Im running on windows XP. Please help me.

Also, I feel like I should note that w32.spybot was detected after a friend sent me a link via AIM to "See her new pictures". Then, after removing that virus hacktool.rookit began to come up over and over again.

Please someone help me :)

windows-virus

3 Contributors
25 Replies
359 Views
3 Weeks Discussion Span
Latest Post 18 Years Ago Latest Post by jaishankar

All 25 Replies

jaishankar 0 Posting Whiz

18 Years Ago

:cry:
My Sysmantec Antivirus has been continuously popping up with a message every 10 seconds or so telling me that I have a virus named hacktool.rookit on my computer. I currently have a whooping 493 items of this same virus in my quarantine and it doesnt seem like it will ever stop.
The folder it says is infected is:
C:\WINDOWS\system32\hpdriver.sys
Im running on windows XP. Please help me.
Also, I feel like I should note that w32.spybot was detected after a friend sent me a link via AIM to "See her new pictures". Then, after removing that virus hacktool.rookit began to come up over and over again.
Please someone help me :)

Hey similar problem was posted, try this link, it may help u and let us know did it solve the problem

http://www.daniweb.com/techtalkforums/thread36290.html

DMR 152 Wombat At Large

18 Years Ago

Hi TheGu3st, welcome to DaniWeb :)

Before we start to remove the infection, there is one thing you have to take care of first:

C:\DOCUME~1\SADHWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Spy Sweeper and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.

2. Download and install the CCleaner utility, but don't run it yet.

3. Run HijackTHis again, put a check mark next to the following entry, and then click the "Fix checked" button. Close HJT once it has finished performing the fix:

O20 - Winlogon Notify: Quests - Quests.dll (file missing)

4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

5. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

6. Run Norton, SpyBot, ewido, AdAware, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

7. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search your entire C: drive for the Quests.dll file and delete it if it still exists

8. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.

DMR 152 Wombat At Large

18 Years Ago

Your HJT log is clean, but not all of the components of the particular infection that Norton is finding are reported in a HijackThis scan. Do a manual check to make sure the infected files have been deleted:

1. Reboot into Safe Mode again.

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

3. Delete the C:\WINDOWS\system32\hpdriver.sys file if it still exists.

4. Search for the following file; delete it if it exists: C:\WINDOWS\Ntfsprotect.exe

5. Empty your Recycle Bin and reboot normally.

6. Once rebooted, run another scan with Norton and see if it still detects the infection.

jaishankar 0 Posting Whiz

18 Years Ago

I was not able to find either of those 2 files in my system.

Even search the registry manually

jaishankar 0 Posting Whiz

18 Years Ago

Umm... how? And what do I do when I get there?

Start-Run and type "regedit" without quotes
Press Ctrl+F or go to edit menu and click on find and type the word which u wanna find

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

TheGu3st 0 Newbie Poster · Answer 1 · 2005-12-17T06:15:53+00:00

Hi, thanks for your help but I still havent been able to remove it. I followed suit with that other guy and downloaded hijack this. Here is my logfile...

Logfile of HijackThis v1.99.1
Scan saved at 7:13:59 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\SADHWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Quests - Quests.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Any suggestions?

TheGu3st 0 Newbie Poster · Answer 2 · 2005-12-19T03:29:38+00:00

Thanks for the quick reply, I did as you asked and here are the following logs.

Ewido Log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           4:24:43 PM, 12/18/2005
+ Report-Checksum:      21DEF065


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
C:\Documents and Settings\Sadhwani Family\Desktop\Internet Downloads\52113.scr -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINDOWS\SYSTEM32\clsass32.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\Quests.exe -> Logger.SCKeyLog.ac : Cleaned with backup



::Report End



And here is the second Hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 4:29:12 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sadhwani Family\Desktop\Spyware Tools\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Spyware Tools\security suite\ewidoctrl.exe (file missing)
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\Spyware Tools\security suite\ewidoguard.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

So, am I all clear?

TheGu3st 0 Newbie Poster · Answer 3 · 2005-12-19T22:44:27+00:00

I was not able to find either of those 2 files in my system.

TheGu3st 0 Newbie Poster · Answer 4 · 2005-12-20T15:46:43+00:00

TheGu3st 0 Newbie Poster

18 Years Ago

Umm... how? And what do I do when I get there?

TheGu3st 0 Newbie Poster · Answer 5 · 2005-12-21T02:58:55+00:00

I searced for

C:\WINDOWS\Ntfsprotect.exe

and

C:\WINDOWS\system32\hpdriver.sys

and there was nothing found. So, I'm all clear?

jaishankar 0 Posting Whiz · Answer 6 · 2005-12-21T09:39:09+00:00

I searced for
C:\WINDOWS\Ntfsprotect.exe
and
C:\WINDOWS\system32\hpdriver.sys
and there was nothing found. So, I'm all clear?

Plz dont include the path(C:\windows) and the extensions(.exe, .sys) while searching the registry

Go to find and type Ntfsprotect in the search box

DMR 152 Wombat At Large Team Colleague · Answer 7 · 2005-12-21T10:18:15+00:00

Plz dont include the path(C:\windows) and the extensions(.exe, .sys) while searching the registry

Right; if you search the Registry for "hpdriver" or "ntfsprotect", you may find a a few leftover entries.
In terms of the actual files, if you searched for the filenames in the way I described in my last post but didn't find them, that means that your utilities found and deleted them.

TheGu3st 0 Newbie Poster · Answer 8 · 2005-12-22T00:47:52+00:00

Ok, I searched the registry as I was instructed to do, without the C:\ or the extensions (only hpdriver and ntfsprotect) and hpdriver turned up 2 results. I'm not going to modify it until you tell me which one, I'll post a screenshot:

[IMG]http://img407.imageshack.us/img407/299/virushelp4qs.png[/IMG]

I'll do whatever you tell me to do with it.

DMR 152 Wombat At Large Team Colleague · Answer 9 · 2005-12-22T03:56:40+00:00

That sounds right- hpdriver.sys does have two or three related Registry entries, but I'm pretty sure ntfsprotect.exe doesn't.

Please post the full and exact path of the Registry entries. For example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDRIVER

TheGu3st 0 Newbie Poster · Answer 10 · 2005-12-22T11:03:05+00:00

The full registry entry for hpdriver-

HKEY_LOCAL_MACHINE/SYSTEM/ENUM/ROOT/LEGACY_HPDRIVER

:-( I just noticed that was a waste of time... you hit it right on target besides the "CurrentControlSet" part.

DMR 152 Wombat At Large Team Colleague · Answer 11 · 2005-12-22T13:05:59+00:00

The full registry entry for hpdriver-
HKEY_LOCAL_MACHINE/SYSTEM/ENUM/ROOT/LEGACY_HPDRIVER
:-( I just noticed that was a waste of time... you hit it right on target besides the "CurrentControlSet" part.

Can you check that path again, please? There is no (valid, at least) ENUM subkey directly under the HKLM\SYSTEM key; the ENUM subkeys should only appear under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys.

jaishankar 0 Posting Whiz · Answer 12 · 2005-12-22T20:16:36+00:00

That sounds right- hpdriver.sys does have two or three related Registry entries, but I'm pretty sure ntfsprotect.exe doesn't.
Please post the full and exact path of the Registry entries. For example:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDRIVER

Yes

TheGu3st 0 Newbie Poster · Answer 13 · 2005-12-23T04:02:04+00:00

Eh, you're right... Sorry.

Its actually:

HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/ENUM/ROOT/LEGACY_HPDRIVER

DMR 152 Wombat At Large Team Colleague · Answer 14 · 2005-12-23T10:40:34+00:00

OK- that looks right.
If you're comfortable editing the Registry you can just delete the LEGACY_HPDRIVER subkey yourself.

Otherwise:

* Open a new file in Windows Notepad
* Copy-n-paste the text in the Code box below into that document
* Save the file to your desktop as hpdriver.reg
* Double-click on the file to run it
* Click "Yes" when prompted to add the information to the Registry
* Reboot

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]

TheGu3st 0 Newbie Poster · Answer 15 · 2005-12-25T22:07:17+00:00

Ok, I did what you asked me to do and added that to the registry but do I also have to delete the other registry? Or was it replaced? I have only done the second part of what you said by adding

Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]

to the registry.

DMR 152 Wombat At Large Team Colleague · Answer 16 · 2005-12-26T21:27:57+00:00

do I also have to delete the other registry?

The "other" registry? I don't understand what you're asking. If you made the hpdriver.reg file and merged it with the registry, it will have deleted the LEGACY_HPDRIVER registry key, which is the only registry entry you mentioned.

The confirmation prompt you received when you merged the .reg file I had you create does ask if you want to "add this information to the Registry", but in this case the .reg file actually performs a deletion, not an addition. Notice the hyphen at the beginning of the HKEY_LOCAL_MACHINE\... line in the .reg file; it is interpreted as a "minus" sign, telling the system to remove the key following it.

TheGu3st 0 Newbie Poster · Answer 17 · 2005-12-29T11:28:54+00:00

Oh ok, thank you so much for all your help! I love you Daniweb and DMR! :D

jaishankar 0 Posting Whiz · Answer 18 · 2005-12-29T18:35:01+00:00

jaishankar 0 Posting Whiz

18 Years Ago

me too :cheesy:

DMR 152 Wombat At Large Team Colleague · Answer 19 · 2005-12-29T18:51:48+00:00

Glad we could help, TheGu3st. Have a happy and virus-free New Year. :)

jaishankar 0 Posting Whiz · Answer 20 · 2005-12-30T10:07:23+00:00

Glad we could help, TheGu3st. Have a happy and virus-free New Year. :)

Happy New Year to all of u Guys :D

Hacktool.Rookit

Recommended Answers Collapse Answers

All 25 Replies

Recommended Answers