# Download and save Gmer
http://www.gmer.net/gmer.zip

1) Extract the archive into its own directory

2) Right click the gmer file and rename it to something with random name like andkjn.exe

3) Start the renamed Gmer

4) When you first start the program it might warn you of a presence of a rootkit

5) Don't change the settings and press the SCAN button to beging scanning for rootkits

Scanning will take some time , be patient.

6) When it is ready , you'll notice it won't be "doing anything" - you know changing the scanning object at the bottom

7) Do not attemp to remove anything on your own . Be informed that not everything show is malicious and needs fixing.

8) When the scan is ready use the Save button to save a log file on your computer .

9) Attach the log file to this thread in your next reply

# In addition to Gmer's scan log , let us know what exactly Norton fixed (what file/object , its path...) .

You might also perform the following :

# Download and run Malwarebytes' AntiMalware (MBAM) from http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

1. When the download has finished , double click the file to start installation .
2. Follow the instructions to install the program with default options
3. At the end , make sure you leave it update itself
4. It should start automatically . If not , run it by yourself . If there is a problem , notify the forum
5. Perform Quick scan and remove anything MBAM finds

At the end , it will generate a log file , which you could save and attach here.

6. Restart the computer.

"hacktool.rootkit!inf."

Norton is not allowed to remove the file detected as the above, this is by design.

Quads

I attached the files requested, but have not tried the other software you suggested.

I noticed that in the Norton log it shows wuaucldt.exe and hacktool.rootkit!inf were quarantined, (that may explain why I don't see wuaucldt.exe running in my processes anymore and my computer is not acting up thankfully.

To my knowledge Norton should not have removed the Hacktool.Rootkit!inf (cdrom.sys) 

Quads

Hi again!

From the logs you show , it seems that wuaucldt.exe you worried about is gone thanks to Norton , as well as the rootkit . Norton might have removed/quarantined the cdrom.sys driver but it is important for Windows and needs fixing by being replaced with a new clean genuine one.

ComboFix is utility which will check this driver (and other stuff , too) and restore the original one from a back-up copy Windows may have kept.

# Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe

1) Save the file on your Desktop

2) Right click ComboFix and rename the file to something random like ggg.exe

3) Right click Norton's icon (on the system tray) and temporary disable the protection - for 15 minutes

4) Start Combofix and follow the prompts

Scanning make take some time , be patient . At the end , it may reboot your computer . At the end , when ComboFix is finished , it will producte a log file . Please , save it and post it here.

N.B.! Prior to using ComboFix , you should remove Windows Defender (WD). I noticed your Norton application has created firewall rules for it . Since you use Windows XP , uninstall Windows Defender from Control Panel -> Add or remove programs . Norton can keep you safe and it is not recommened to have WD running , too.

# Download and scan with Malwarebytes' Anti-Malware using the intructions I posted earlier.

In order to give us more information about your computer :

# Please , download HiJackThis (the executable) from http://www.bleepingcomputer.com/files/hijackthis.php

1. When the download has finished , right click the file and rename it to something random like Baloon.exe
2. Run the renamed HijackThis
3. Press the button "Do a system scan and save a logfile"
4. In a few seconds a pop-up from Notepad will appear . Please , save this log file and use the attachment option of the forum to post it in your next reply.

Warning from bleeping computer about the use of ComboFix:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

I got this too.  And as you said, it was sometime around a couple months ago that it started.  I had t get ne of the IT guys from my office to help me remove and replace the infected cdrom.sys file.  But I still get action alerts everyday from Norton saying that it partally cleans hacktool.rootkit files.  Today I noticed the wuaucldt.exe in msconfig.  How do I get rid of it??

Hello JRMints

Welcome to the Norton Users Discussion Forum

I would suggest a visit to bleeping computer to get this rootkit cleaned up. Please put hacktool into the subject line. Here are some instructions for Bleeping computers.

When Bleeping Computer Aid is Needed

http://www.bleepingcomputer.com/forums/forum22.html

Please follow their directions ( I think link is from Quads)

Please come back and let us know if this has helped you. Thanks