It would appear that one lapse in my usually good pc protection has led to me getting the hacktool.rootkit.

Norton kept on spamming me messages about it continuously so I did a full scan and it found it but couldn't remove it.

I have re-booted into safe mode and tried again, but still no joy.

I have since noticed that on reboot, the svchost.exe process is now taking up 80-90% of the cpu for about 6-8 minutes, then it closes itself (the process not the pc).

I have run norton, ad-aware and spybot and nothing has changed.

It picked up a file called nkit.dll which I have deleted but it hasn't done any good.

I have also noticed that norton's autoprotect is now disabled and I am unable to re-instate this. If I try manually it just gives me an error.

I have completed a scan via the norton website as well,

I have run HJT and included the report below.

If anyone has any ideas I would be grateful as I have tried all the things I can think of.


HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:47, on 07/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\Virus Busting\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dm2launcher.exe] "C:\PROGRA~1\DESKTO~1.0\dm2launcher.exe" -start
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C8E4A8-FCAE-4E3A-BC96-F5DDD6D38C4D}: NameServer =
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JTWPBZA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Andy\LOCALS~1\Temp\JTWPBZA.exe
O23 - Service: KService - Unknown owner - C:\Program Files\KService\KService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

10 Years
Discussion Span
Last Post by Colin Mac


DownLoad http://www.downloads.subratam.org/KillBox.zip

Download Brute Force Uninstaller to your desktop.

* Right click the BFU folder on your desktop, and choose Extract All
* Click "Next"
* In the box to choose where to extract the files to,
* Click "Browse"
* Click on the + sign next to "My Computer"
* Click on "Local Disk (C or whatever your primary drive is
* Click "Make New Folder"
* Type in BFU
* Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK on this link http://metallica.geekstogo.com/alcanshorty.bfu
and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Run a a system scan only with Hijackthis and place a check beside

02 - REG:system.ini: Shell=Explorer.exe scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
20 - Winlogon Notify: ckpNotify - C:\WINDOWS\

Make sure all other windows are closed and click Fix checked

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste the following line, then click on the X button after you enter the file. It will ask for confimation to delete the file. Click Yes.


Reboot into normal mode

Download AVG Anti-Spyware http://www.ewido.net/en/download/
· Install and run
· Click Scanner
· select the "Settings" tab.
· Once in the Settings screen click on "Recommended actions" and then select "Delete".
· Select "Automatically generate report after every scan"
· UnSelect "Only if threats were found"
· Click Complete System Scan and the scan will begin.
· When the scan is finished, Set all items to delete
· Click Apply all actions
· Click the Save report button.
· Save the report to your C: Drive
Post that log and a new HiJack log

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.