
Hacktool.Rootkit - Transferring files from infected computer to new computer

Just bought a new computer (running Windows Vista home premium).

My old computer (running Windows XP professional) is infected with Hacktool.Rootkit.  I've tried the Norton fix but to no avail.  Rather than dance around it or do "brain surgery" on the computer, I plan to wipe the old computer clean by reformatting the hard drive, and reinstalling operating system and necessary software - I figure I'll have a local computer repair shop do that for me so it gets done right.

However, before that, I'd like to transfer some files (pictures, iTunes music library, various documents - MS Word, Excel, Publisher, Adobe PDF, etc.) from the old computer to the new one using my external hard drive.  Of course, I want to be sure that I don't end up infecting my new computer by doing this.

Any advice on what files to avoid transferring just to be safe?  Any advice on how to handle peripherals that may or may not be compromised?

I scanned my external hard drive (WD Sync) and Norton didn't find any infected files on it.  My other peripherals include an iPod and 3 flash drives.

Replies


Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Considering the fact that a new computer is a valuable investment, I can only recommend that you take the appropriate steps to protect it.  Rootkits are comprised of many different files.  Because you see one does not mean that is all there are.  There are several people on this forum that can help you, if you wish to proceed.

Once it is fully identified, it doesn't take too long to remove it.  You will be asked to follow the instructions given precisely, because those who didn't compromised their operating system.

Once the main computer is clean, you will be able to use it to ensure that the peripherals are secure.  Only then would I suggest transferring files.

Your call.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

chasethedog -

Right now I would not transfer anything from the old system or any files from the peripherals to the new system until ALL the rootkits are removed from the old system and the peripherals.  When Norton scanned the WD Sync files did it uncompress the files to the original format (a Word document file say) or just look at the uncompressed encrypted file itself?  (WD Sync does encrypt the files also.)  If you are not sure, don't transfer any of them.

Unfortunately, the time to backup files is not after you find your system compromised.

If you want help in cleaning your old system so you can safely move the files, there are those here that are very knowledgeable about this and more than willing to help.  If you are worried about the "surgery" aspect of this, the only times I have seen this not go smoothly is where the users became impatient and did things on their own.

Win10 x64; Proud graduate of GeeksToGo

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.

Rootkits first appeared on the UNIX operating system. Administrator/Superuser accounts on UNIX systems are called root. Rootkits are kits of programs that are designed to gain root access on a system. The term rootkit now refers to any set of tools that can be used to gain unauthorized access to a system.

Occasionally a rootkit may use legitimate programs or operating system files to carry out part of an attack. These files are not detected as Hacktool.Rootkit.

______________________________________________________________

Have you followed the Removal Instructions (below)?

Removal Instructions for Hacktool.Rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=3.


Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi chasethedog,

Welcome to Norton Community!

First of all, let us know which Norton program (name and version) you have on your new computer. Run LiveUpdate repeatedly until you see the message "No more updates..." and then run a full system scan. This is to make sure that your new computer is free from viruses.

Now, go ahead and transfer the files from your old computer to the external hard drive (to a specific folder if possible). Attach the external drive to your new computer. When this removable drive appears under the My Computer section, right-click on it and select the option to run a Norton scan. Check the scan results and if it detects any threats, fix/remove those threats.

For your old computer, if you have created any system restore points in it using Windows, better try restoring it than going for a complete clean wipe.

Yogesh

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi Chasethedog

I would suggest that, on your old PC, you run RootRepeal and GMER scans (SCANS ONLY, NO FIXING) and attach the logs here ("Add Attachments" below the "Post" button). That way we can see what rootkits and other little buggers you have on your PC, and then we will be able to give you the best possible advice. Personally, I would take the old PC's HDD, put it in the new one, and boot in safe mode, then transfer the files over and do a manual scan with Norton (or whatever AV you have on the new one) by going Start - Run - type: nav32.exe /L (my memory is failing me here, that command might be wrong) and let it do a full scan. Problem = I can't guarantee that those rootkits you have won't be active in safe mode. I just don't know. But, in my opinion, what I have said would be the safest way of doing it. I would also suggest scanning your ext. HDD in safe mode (also NAV32.exe /L; I can't remember the commands for specific drives etc.).

Good luck

Matt

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot." - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Ok, I remember the command! navw32.exe /L

Matt

PS space between .exe and /L

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot." - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Please, folks:

The user only wanted to know whether or not to transfer files.  That has been answered and assistance offered.  Since the user has already stated that the repair advice by Symantec did not work, we can assume that the same scans will not work either.  Should he require further assistance, he will ask.

Realistically speaking, the only scan really required is the GMER.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Thanks for the replies everyone!  Sounds like I'm right to be concerned about transferring any files from my old computer to my new one, until I get the Hacktool.Rootkit issue fully taken care of.  I am interested in getting help.  Anyone willing to walk me through it step by step?  I did begin an on-line chat on the problem with the Norton techs in India.  Apparently, they have the ability to take control of the computer remotely to help with this as well.  What would you folks recommend?  Info & instructions from the forum community members (like yourselves), or trying to work with the Norton techs?

 

Here are some of the details from the infected computer:

 

  • Dell Dimension 2400
  • Windows XP Professional
  • running low on hard drive space (only 1.7GB free of 40GB total)
  • Norton Internet Security 2009 installed and running
  • Full scans flag the Hacktool.Rootkit virus and various tracking cookies.
  • I select the "fix" option for the tracking cookies, and it eliminates those
  • There's no fix option for the Hacktool.Rootkit - I clicked "Get Help" and followed the instructions on the Norton website, but to no avail - these steps included turning off Windows System Restore, rebooting the computer in Safe Mode, running a full scan, and reversing the steps on System Restore.  This didn't resolve the issue, and from what forum members have said, I'm guessing I have to run some other kind of scan to find and delete specific files.

 

Advice on next steps?

 

P.S. - My new computer is clean, and is also running Norton Internet Security 2009.  Any chance I can use my new computer to check and clean my peripherals (WD Sync external hard drive, 3 small flash drives, iPod, Sony Walkman MP3 player) - or should I be 100% careful, and not even plug these into my new computer - i.e., clean the old computer and then use it to check/clean these peripherals.

 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Chasethedog:

Please provide a GMER log so we can see exactly what we are dealing with.

http://www.gmer.net/ 

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Here's what I got when I ran the gmer software.  Let me know if I should attach any of my peripherals and run gmer again to diagnose them.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 23:58:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code            F7648F92                                 ZwCreateDirectoryObject
Code            F7648D47                                 ZwCreateFile
Code            F76490E2                                 ZwCreateKey
Code            F764924A                                 ZwCreateSection
Code            F7649D62                                 ZwEnumerateKey
Code            F76499FB                                 ZwEnumerateValueKey
Code            F764A5D5                                 ZwLoadDriver
Code            F764903A                                 ZwOpenDirectoryObject
Code            F7648ED8                                 ZwOpenFile
Code            F76491A2                                 ZwOpenKey
Code            F764930A                                 ZwOpenSection
Code            F76493B2                                 ZwOpenSymbolicLinkObject
Code            F764A6B8                                 ZwQueryDirectoryFile
Code            F7649680                                 ZwQueryDirectoryObject
Code            F764A091                                 ZwQueryValueKey
Code            F7648E12                                 IoCreateFile
Code            F7648E88                                 IoCreateStreamFileObject
Code            F7648D46                                 NtCreateFile
Code            F7649249                                 NtCreateSection
Code            F7648ED7                                 NtOpenFile
Code            F764A6B7                                 NtQueryDirectoryFile
Code            F7648FE4                                 ZwCreateDirectoryObject
Code            F7648DA5                                 ZwCreateFile
Code            F7649140                                 ZwCreateKey
Code            F76492A8                                 ZwCreateSection
Code            F7649EF6                                 ZwEnumerateKey
Code            F7649BA9                                 ZwEnumerateValueKey
Code            F764A643                                 ZwLoadDriver
Code            F764908C                                 ZwOpenDirectoryObject
Code            F7648F33                                 ZwOpenFile
Code            F76491F4                                 ZwOpenKey
Code            F764935C                                 ZwOpenSection
Code            F7649404                                 ZwOpenSymbolicLinkObject
Code            F764A764                                 ZwQueryDirectoryFile
Code            F764983A                                 ZwQueryDirectoryObject
Code            F764A212                                 ZwQueryValueKey

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp              SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

---- EOF - GMER 1.0.15 ----

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Chasethedog:

Did you run the GMER with all of the boxes checked?  There isn't enough of it there to show a rootkit infection. Are you still getting the warning?  NIS2009 has the definitions now to remove this infection. 

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Sorry...  I didn't scan it properly the first time with GMER.  I just did it again the right way and here's what I got. GMER said it did find rootkits.  Are the red lines of text the problem areas?  I'll wait for your instructions on next step, but should I also attach my peripherals (iPod, Sony MP3 player, 3 flash drives, WD Sync external hard drive), and run GMER on them somehow?

**ACTUALLY - what is below is just a portion of the GMER log - the Norton forum text editor said my posting was over 20,000 characters long, so I deleted some lines of the log that didn't seem to indicate anything unusual.

---- System - GMER 1.0.15 ----

SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteKey [0xB10142C0]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteValueKey [0xB1014820]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwSetValueKey [0xB1014A70]
SSDT            8A1A3978                                                                                    ZwSuspendProcess
SSDT            8A459630                                                                                    ZwSuspendThread
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys                                          ZwTerminateProcess [0xB0E9F660]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!_abnormal_termination + 450                                                    804E2AAC 8 Bytes  JMP AF0C3B61
PAGE            ntoskrnl.exe!ZwOpenKey + 7                                                                  80568D60 1 Byte  [F5]
PAGE            ntoskrnl.exe!ZwCreateKey + 7                                                                80570664 1 Byte  [57]
?               SYMEFA.SYS                                                                                  The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                     ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                     ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device          \Driver\ujypmcpx \Device\SAMPLEDEV35                                                        F7648416

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device                                                                                                      mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device                                                                                                      AF052D20

AttachedDevice                                                                                              fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device                                                                                                      Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module          wpsxbayy.sys (*** hidden *** )                                                              F7647000-F7650000 (36864 bytes)                                         

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start                                       1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type                                        1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath                                   \systemroot\system32\drivers\TDSSmqlt.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group                                       file system
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules                                    
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv                            \systemroot\system32\drivers\TDSSmqlt.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl                               \systemroot\system32\TDSSofxh.dll
Reg             HKLM\SYSTEM\ControlSet002\Control\Lsa@Authentication Packages                               msv1_0?C:\WINDOWS\system32\cbXQgGwv?
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Lsa@Authentication Packages                           msv1_0?C:\WINDOWS\system32\cbXQgGwv?

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys                                                    25088 bytes executable                                                    <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\drivers\wpsxbayy.sys                                                    [BOOT] ujypmcpx                                                           <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
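
The helpers in this thread read the two GMER logs above by hand. As an added example (not code from the thread, from GMER or from Norton), the Python script below parses the GMER log format, attributes bare hook addresses to a hidden module's load range, and collects the driver, file and registry-key names a removal script would have to target. It assumes GMER's Registry section lists only entries hidden from the Windows API, and it runs on a constructed, trimmed copy of the posted log lines.

```python
"""Triage a GMER rootkit-scan log of the kind posted in this thread (added example). Assumption: GMER's
Registry section lists only keys hidden from the normal Windows API, so every Reg entry is treated as suspect."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
RANGE_RE = re.compile(r"([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\@\s]+)", re.IGNORECASE)
IMAGE_PATH_RE = re.compile(r"(?:[A-Za-z]:|\\systemroot)\\\S+?\.(?:sys|dll|dat|exe)", re.IGNORECASE)
SERVICE_LINE_RE = re.compile(r"\[\w+\]\s+(\S+)")  # "[BOOT] ujypmcpx" -> service name
ROOTKIT_TAG = "<-- ROOTKIT !!!"
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only LSA authentication package a stock Windows XP lists

@dataclass
class Triage:
    flagged: list = field(default_factory=list)         # entries GMER itself tagged ROOTKIT
    hidden_modules: dict = field(default_factory=dict)  # module name -> (start, end) load range
    hooks: list = field(default_factory=list)           # (hooked function, target address, owning hidden module or None)
    services: set = field(default_factory=set)          # driver/service names to disable and delete
    files: set = field(default_factory=set)             # lower-cased image paths referenced by suspect entries
    registry_keys: set = field(default_factory=set)     # hidden service keys to remove
    extra_auth_packages: list = field(default_factory=list)  # LSA packages beyond the default (a persistence spot)

def parse_gmer(text):
    """Yield (section, kind, rest) per entry line; banner, section headers, blanks and EOF are skipped."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if header := SECTION_RE.match(line):
            section = header.group("name")
        elif line and section and section != "EOF":
            kind, _, rest = line.partition(" ")
            yield section, kind, rest.strip()

def _owner(addr_hex, modules):
    addr = int(addr_hex, 16)  # name the hidden module whose load range contains the address, else None
    return next((name for name, (lo, hi) in modules.items() if lo <= addr < hi), None)

def triage(text):
    t = Triage()
    entries = list(parse_gmer(text))
    for _, kind, rest in entries:  # pass 1: hidden modules, so hook addresses below can be attributed to them
        if kind == "Module" and "*** hidden ***" in rest and (m := RANGE_RE.search(rest)):
            t.hidden_modules[rest.split(" (", 1)[0]] = (int(m.group(1), 16), int(m.group(2), 16))
    for _, kind, rest in entries:
        tokens = rest.split()
        if rest.endswith(ROOTKIT_TAG):
            t.flagged.append(f"{kind} {rest}")
            t.files.update(p.lower() for p in IMAGE_PATH_RE.findall(rest))
            if kind == "Service" and (m := SERVICE_LINE_RE.search(rest)):
                t.services.add(m.group(1))
        if kind in ("SSDT", "Code") and HEX_ADDR_RE.match(tokens[0]):
            # Hook whose target is a bare address rather than a named driver: attribute it if it lands
            # inside a hidden module's range (the Symantec SSDT entries carry a driver path and are skipped).
            t.hooks.append((tokens[-1], tokens[0].upper(), _owner(tokens[0], t.hidden_modules)))
        if kind == "Reg":
            if m := SERVICE_KEY_RE.search(rest):
                t.services.add(m.group(1))
                t.registry_keys.add(rest[:m.end()])
            t.files.update(p.lower() for p in IMAGE_PATH_RE.findall(rest))
            if "Lsa@Authentication Packages" in rest:  # GMER prints REG_MULTI_SZ entries separated by '?'
                data = rest.split("Authentication Packages", 1)[1].strip()
                t.extra_auth_packages += [p for p in data.split("?") if p and p not in DEFAULT_AUTH_PACKAGES]
    return t

def removal_targets(t):
    """Group findings the way the removal script in this thread lists them: drivers, files, registry keys."""
    return {"drivers": sorted(t.services), "files": sorted(t.files), "registry_keys": sorted(t.registry_keys)}

# Constructed sample: a trimmed copy of lines from the two logs posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteKey [0xB10142C0]
SSDT            8A1A3978      ZwSuspendProcess
Code            F7648F92      ZwCreateDirectoryObject
---- Modules - GMER 1.0.15 ----
Module          wpsxbayy.sys (*** hidden *** )      F7647000-F7650000 (36864 bytes)
---- Registry - GMER 1.0.15 ----
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath      \systemroot\system32\drivers\TDSSmqlt.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl      \systemroot\system32\TDSSofxh.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Lsa@Authentication Packages      msv1_0?C:\WINDOWS\system32\cbXQgGwv?
---- Files - GMER 1.0.15 ----
File            C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys      25088 bytes executable      <-- ROOTKIT !!!
---- Services - GMER 1.0.15 ----
Service         C:\WINDOWS\system32\drivers\wpsxbayy.sys      [BOOT] ujypmcpx      <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""
```

Running `triage(SAMPLE_LOG)` attributes the ZwCreateDirectoryObject hook to the hidden wpsxbayy.sys module and leaves the 8A1A3978 SSDT hook unattributed, while `removal_targets` yields the same TDSSserv.sys / ujypmcpx driver names and service keys that the Avenger script later in the thread targets.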

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

chasethedog -

Please run GMER again and this time save the log file as ctd.log.  Attach this file to a post here by using the Add Attachments link just below the orange Post button.  Please do not edit out any of the log file(s).

Win10 x64; Proud graduate of GeeksToGo

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Thanks for your patience.  The log file is attached.
File Attachment: 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi Chasethedog:

Now we have something to work with.  Quads will be along later due to time zone differences, and he will help you remove the rootkit.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi

I am working on yours; your registry entries and files don't seem to match, but that's OK, a bit more of a challenge.

Quads 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi 

Now (read carefully): if you have Spybot S&D, uninstall it.

Also, during the restarts with Avenger, if your PC has a startup repair center (like HP and Toshiba PCs have), tell it to start normally if it kicks in.

1. Download Avenger to your desktop.

Unzipped version: http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website: http://swandog46.geekstogo.com/avenger2/avenger2.html (zipped version, to be unzipped to the desktop)

2. Click to run "Avenger.exe" (right-click, "Run as Administrator" if using Vista)

3. In the "Input script here:" box, copy and paste the script between the lines:


Drivers to disable:

TDSSserv.sys

ujypmcpx 

Drivers to delete:

TDSSserv.sys

ujypmcpx 

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\TDSSserv.sys 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\TDSSserv.sys


Here is a screenshot (script updated since shot)

Make sure the "Automatically disable any rootkits found" option is NOT selected.

4. Click "Execute".

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes.

Quads 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Quads et al.,

Sorry for the delay in responding.  Summer vacation interrupted my follow up.  I just followed your instructions - downloaded and ran Avenger with the script from your message.  Attached is the Avenger log that resulted.  First couple lines says no rootkits found??  Looks like it successfully disabled 1 driver and deleted 1 driver, 1 file, and 1 registry key, but it failed to disable or delete a bunch of others that were in your script.

After the computer restarted fully, Norton's autoprotect warning came up saying that a Hacktool.rootkit virus was still detected.  Should I run a full Norton virus scan to confirm that the Hacktool.rootkit is still there? 

What should my next step be?  Re-run GMER and send you the new log file?

File Attachment: 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi Chasethedog:

The next instruction to follow is to download, install, update and do a full system scan with Malwarebytes.  The rootkit is broken, but the pieces must be removed.  There are always extra files in the scripts to cover all the bases.  Many of them will show failed if the file does not exist.  It does get the ones we want.

Disable system restore.

http://www.malwarebytes.org 

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Delphinium et al.,

I downloaded, installed, and updated malwarebytes.  I turned off the system restore, then I ran a full malwarebytes scan.  It found a bunch of malware, and I told it to delete all of this.  Attached is the log file.

Feels like progress - THANKS!  Is that the last step?  Can I turn on my system restore, run a full Norton scan just to be sure, and if clean - declare victory?

If yes, then one last question.  Any suggestions on how to proceed in scanning my peripheral devices to make sure they are not infected - i.e., WD Sync external hard drive, 3 flash drives, iPod, Sony Walkman MP3 player.

THANK YOU!

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Good morning Chasethedog:

Now that your computer is cleaned out, you want to make sure that auto run is turned off in your Windows settings.  Make sure Norton is fully updated, turn early load on, set heuristic detection to aggressive, and reboot to get the settings in place. Plug in your peripherals one at a time and run a custom scan on each one.  If there are any issues, Norton should be able to handle it.

Then you will be good to go.  Let us know if you have any issues with it.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Hi ChasetheDog

I noticed these entries, and ones in the registry, belonging to the Seneka rootkit:

c:\WINDOWS\SYSTEM32\DRIVERS\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\DRIVERS\senekapqipxtny.sys (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\DRIVERS\senekatqvvdltf.sys (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\senekamuiyqogq.dat (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\senekaqwykmtxa.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Please update Malwarebytes and run a full scan again. Why? With some of the rootkits, and likewise Vundo, Malwarebytes and SUPERAntiSpyware say deleted but with another scan it is still there.

I did the Avenger scan for 2 different Rootkit names, Not Seneka, If it still shows up I will have to create a new script.

Removable Flash Drives

http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

Quads 

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Gotcha.  I'll update Malwarebytes and re-run.  If that detects anything I'll delete it and forward the new log file.  If it says my computer is clean, I'll follow Delphinium's instructions on scanning my peripherals.  I'll use the flash disinfector if I have access issues with my peripherals.

Question - how do I turn off the autorun feature in Windows?  I assume I should do this, so that any viruses on the peripherals don't have a chance to jump back to my computer when I plug them in.  Makes sense, but I don't know how to turn off/on the autorun feature in Windows XP.

Re: Hacktool.Rootkit - Transferring files from infected computer to new computer

Chasethedog:

How To Enable/Disable Autorun (Windows XP)
  1. Open Windows Explorer by pressing the Windows + "e" key.
  2. Right-click the desired CD-ROM and select Properties from the menu.
  3. Select the AutoPlay tab.
  4. Select each item from the pulldown list and for the Action to perform, select "Take no action" to disable autorun, or pick the appropriate action to take if enabling autorun.
  5. Select OK.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain
