Hacktool.Rootkit - Transferring files from infected computer to new computer

Just bought a new computer (running Windows Vista home premium).

 

My old computer (running Windows XP professional) is infected with Hacktool.Rootkit.  I've tried the Norton fix but to no avail.  Rather than dance around it or do "brain surgery" on the computer, I plan to wipe the old computer clean by reformatting the hard drive, and reinstalling operating system and necessary software - I figure I'll have a local computer repair shop do that for me so it gets done right.

 

However, before that, I'd like to transfer some files (pictures, iTunes music library, various documents - MS Word, Excel, Publisher, Adobe PDF, etc.) from the old computer to the new one using my external hard drive.  Of course, I want to be sure that I don't end up infecting my new computer by doing this.

 

Any advice on what files to avoid transferring just to be safe?  Any advice on how to handle peripherals that may or may not be compromised?

 

I scanned my external hard drive (WD Sync) and Norton didn't find any infected files on it.  My other peripherals include an iPod and 3 flash drives.

chasethedog -

 

Right now I would not transfer anything from the old system or any files from the peripherals to the new system until ALL the rootkits are removed from the old system and the peripherals.  When Norton scanned the WD Sync files did it uncompress the files to the original format (a Word document file say) or just look at the uncompressed encrypted file itself?  (WD Sync does encrypt the files also.)  If you are not sure, don't transfer any of them.

 

Unfortunately, the time to backup files is not after you find your system compromised.

 

If you want help in cleaning your old system so you can safely move the files, there are those here that are very knowledgeable about this and more than willing to help.  If you are worried about the "surgery" aspect of this, the only times I have seen this not go smoothly is where the users became impatient and did things on their own.

Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.

Rootkits first appeared on the UNIX operating system. Administrator/Superuser accounts on UNIX systems are called root. Rootkits are kits of programs that are designed to gain root access on a system. The term rootkit now refers to any set of tools that can be used to gain unauthorized access to a system.

 

 

Occasionally a rootkit may use legitimate programs or operating system files to carry out part of an attack. These files are not detected as Hacktool.Rootkit.

______________________________________________________________

 

Have you followed the Removal Instructions (below)?

 

 

Removal Instructions for Hacktool.Rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=3.

 

Hi chasethedog,

 

Welcome to Norton Community!

 

First of all, let us know which Norton program (name and version) you have on your new computer. Run LiveUpdate repeatedly until you see the message "No more updates..." and then run a full system scan. This is to make sure that your new computer is free from viruses.

 

Now, go ahead and transfer the files from your old computer to the external hard drive (to a specific folder if possible). Attach the external drive to your new computer. When this removable drive appears under the My Computer section, right-click on it and select the option to run a Norton scan. Check the scan results and if it detects any threats, fix/remove those threats.

 

For your old computer, if you have created any system restore points in it using Windows, better try restoring it than going for a complete clean wipe. 

 

Yogesh

Hi Chasethedog

 

I would suggest that, on your old PC, you run RootRepeal and GMER scans (SCANS ONLY, NO FIXING) and attach the logs here ("Add Attachments" below the "Post" button). That way we can see what rootkits and other little buggers you have on your PC, and then we will be able to give you the best possible advice. Personally, I would take the old PC's HDD, put it in the new one, and boot in safe mode, then transfer the files over and do a manual scan with Norton (or whatever AV you have on the new one) by going Start - Run - type: nav32.exe /L (my memory is failing me here, that command might be wrong) and let it do a full scan. Problem = I can't guarantee that those rootkits you have won't be active in safe mode. I just don't know. But, in my opinion, what I have said would be the safest way of doing it. I would also suggest scanning your ext. HDD in safe mode (also NAV32.exe /L; can't remember the commands for specific drives etc.).

 

Good luck

 

Matt

Ok, I remember the command! navw32.exe /L

 

Matt

 

PS space between .exe and /L

Please, folks:

 

The user only wanted to know whether or not to transfer files.  That has been answered and assistance offered.  Since the user has already stated that the repair advice by Symantec did not work, we can assume that the same scans will not work either.  Should he require further assistance, he will ask.

 

Realistically speaking, the only scan really required is the GMER.

Thanks for the replies everyone!  Sounds like I'm right to be concerned about transferring any files from my old computer to my new one, until I get the Hacktool.Rootkit issue fully taken care of.  I am interested in getting help.  Anyone willing to walk me through it step by step?  I did begin an on-line chat on the problem with the Norton techs in India.  Apparently, they have the ability to take control of the computer remotely to help with this as well.  What would you folks recommend?  Info & instructions from the forum community members (like yourselves), or trying to work with the Norton techs?

 

Here are some of the details from the infected computer:

 

  • Dell Dimension 2400
  • Windows XP Professional
  • running low on hard drive space (only 1.7GB free of 40GB total)
  • Norton Internet Security 2009 installed and running
  • Full scans flag the Hacktool.Rootkit virus and various tracking cookies.
  • I select the "fix" option for the tracking cookies, and it eliminates those
  • There's no fix option for the Hacktool.Rootkit - I clicked "Get Help" and followed the instructions on the Norton website, but to no avail. These steps included turning off Windows System Restore, rebooting the computer in Safe Mode, running a full scan, and reversing the steps on System Restore. This didn't resolve the issue, and from what forum members have said, I'm guessing I have to run some other kind of scan to find and delete specific files.

 

Advice on next steps?

 

P.S. - My new computer is clean, and is also running Norton Internet Security 2009.  Any chance I can use my new computer to check and clean my peripherals (WD Sync external hard drive, 3 small flash drives, iPod, Sony Walkman MP3 player) - or should I be 100% careful, and not even plug these into my new computer - i.e., clean the old computer and then use it to check/clean these peripherals.

 

[edit: Changed font for better viewing.]

Message Edited by shannons on 07-04-2009 01:46 PM

Chasethedog:

 

Please provide a GMER log so we can see exactly what we are dealing with.

 

http://www.gmer.net/ 

Here's what I got when I ran the gmer software.  Let me know if I should attach any of my peripherals and run gmer again to diagnose them.

 

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 23:58:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code            F7648F92                                 ZwCreateDirectoryObject
Code            F7648D47                                 ZwCreateFile
Code            F76490E2                                 ZwCreateKey
Code            F764924A                                 ZwCreateSection
Code            F7649D62                                 ZwEnumerateKey
Code            F76499FB                                 ZwEnumerateValueKey
Code            F764A5D5                                 ZwLoadDriver
Code            F764903A                                 ZwOpenDirectoryObject
Code            F7648ED8                                 ZwOpenFile
Code            F76491A2                                 ZwOpenKey
Code            F764930A                                 ZwOpenSection
Code            F76493B2                                 ZwOpenSymbolicLinkObject
Code            F764A6B8                                 ZwQueryDirectoryFile
Code            F7649680                                 ZwQueryDirectoryObject
Code            F764A091                                 ZwQueryValueKey
Code            F7648E12                                 IoCreateFile
Code            F7648E88                                 IoCreateStreamFileObject
Code            F7648D46                                 NtCreateFile
Code            F7649249                                 NtCreateSection
Code            F7648ED7                                 NtOpenFile
Code            F764A6B7                                 NtQueryDirectoryFile
Code            F7648FE4                                 ZwCreateDirectoryObject
Code            F7648DA5                                 ZwCreateFile
Code            F7649140                                 ZwCreateKey
Code            F76492A8                                 ZwCreateSection
Code            F7649EF6                                 ZwEnumerateKey
Code            F7649BA9                                 ZwEnumerateValueKey
Code            F764A643                                 ZwLoadDriver
Code            F764908C                                 ZwOpenDirectoryObject
Code            F7648F33                                 ZwOpenFile
Code            F76491F4                                 ZwOpenKey
Code            F764935C                                 ZwOpenSection
Code            F7649404                                 ZwOpenSymbolicLinkObject
Code            F764A764                                 ZwQueryDirectoryFile
Code            F764983A                                 ZwQueryDirectoryObject
Code            F764A212                                 ZwQueryValueKey

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp              SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

---- EOF - GMER 1.0.15 ----

Chasethedog:

 

Did you run the GMER with all of the boxes checked?  There isn't enough of it there to show a rootkit infection. Are you still getting the warning?  NIS2009 has the definitions now to remove this infection. 

Sorry...  I didn't scan it properly the first time with GMER.  I just did it again the right way and here's what I got. GMER said it did find rootkits.  Are the red lines of text the problem areas?  I'll wait for your instructions on next step, but should I also attach my peripherals (iPod, Sony MP3 player, 3 flash drives, WD Sync external hard drive), and run GMER on them somehow?

 

**ACTUALLY - what is below is just a portion of the GMER log - the Norton forum text editor said my posting was over 20,000 characters long, so I deleted some lines of the log that didn't seem to indicate anything unusual.

 

---- System - GMER 1.0.15 ----

SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteKey [0xB10142C0]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteValueKey [0xB1014820]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwSetValueKey [0xB1014A70]
SSDT            8A1A3978                                                                                    ZwSuspendProcess
SSDT            8A459630                                                                                    ZwSuspendThread
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys                                          ZwTerminateProcess [0xB0E9F660]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!_abnormal_termination + 450                                                    804E2AAC 8 Bytes  JMP AF0C3B61
PAGE            ntoskrnl.exe!ZwOpenKey + 7                                                                  80568D60 1 Byte  [F5]
PAGE            ntoskrnl.exe!ZwCreateKey + 7                                                                80570664 1 Byte  [57]
?               SYMEFA.SYS                                                                                  The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                     ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                     ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device          \Driver\ujypmcpx \Device\SAMPLEDEV35                                                        F7648416

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device                                                                                                      mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device                                                                                                      AF052D20

AttachedDevice                                                                                              fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device                                                                                                      Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module          wpsxbayy.sys (*** hidden *** )                                                              F7647000-F7650000 (36864 bytes)                                         

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start                                       1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type                                        1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath                                   \systemroot\system32\drivers\TDSSmqlt.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group                                       file system
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules                                    
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv                            \systemroot\system32\drivers\TDSSmqlt.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl                               \systemroot\system32\TDSSofxh.dll
Reg             HKLM\SYSTEM\ControlSet002\Control\Lsa@Authentication Packages                               msv1_0?C:\WINDOWS\system32\cbXQgGwv?
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Lsa@Authentication Packages                           msv1_0?C:\WINDOWS\system32\cbXQgGwv?

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys                                                    25088 bytes executable                                                    <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\drivers\wpsxbayy.sys                                                    [BOOT] ujypmcpx                                                           <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
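Reading a GMER log by hand means scanning for the lines GMER labels itself (`<-- ROOTKIT !!!`, `*** hidden ***`) and then working out whether the unlabelled entries (SSDT slots or devices that resolve to a bare address instead of a named driver, patched kernel code) belong to a known product or to the same unknown driver. The script below is an added example, not part of this thread and not GMER's own tooling: it parses the log layout shown above, flags those indicator types, and cross-references every flagged driver or service name against the other sections. The sample input is copied from the second log in this thread with the column padding shortened. The flagging heuristics are my own assumptions about what deserves a second look, not GMER's verdicts; an SSDT entry that shows only an address needs attributing, it is not by itself proof of infection.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the second GMER log posted in this thread,
# with the column padding shortened. GMER separates columns with runs of spaces.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteKey [0xB10142C0]
SSDT  8A1A3978  ZwSuspendProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + 450  804E2AAC 8 Bytes  JMP AF0C3B61
PAGE   ntoskrnl.exe!ZwOpenKey + 7  80568D60 1 Byte  [F5]
?      SYMEFA.SYS  The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device          \Driver\ujypmcpx \Device\SAMPLEDEV35  F7648416

---- Modules - GMER 1.0.15 ----

Module  wpsxbayy.sys (*** hidden *** )  F7647000-F7650000 (36864 bytes)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath  \systemroot\system32\drivers\TDSSmqlt.sys

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys  25088 bytes executable  <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\drivers\wpsxbayy.sys  [BOOT] ujypmcpx  <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HEX8 = re.compile(r"[0-9A-F]{8}")  # a bare kernel address instead of a driver file


@dataclass
class Finding:
    section: str
    kind: str
    detail: str
    names: tuple  # driver/service names (no extension) to cross-reference


def parse_sections(text):
    """Group the non-empty log lines under their '---- X - GMER ... ----' header."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def _name(token):
    """Basename of a path or object name, lower-cased, without a .sys suffix."""
    base = token.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".sys") else base


def analyse(text):
    """Return one Finding per line that matches an indicator heuristic (assumed, not GMER's)."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            cols = line.split()
            if len(cols) < 2:
                continue
            kind = cols[0]
            if "<-- ROOTKIT" in line:
                # GMER's own marker on a file or service; for services also keep the service name
                names = (_name(cols[1]),)
                if kind == "Service":
                    names += (cols[cols.index("<--") - 1].lower(),)
                findings.append(Finding(section, "explicit", cols[1], names))
            elif "*** hidden ***" in line:
                # a loaded kernel module that hides itself from the normal module list
                findings.append(Finding(section, "hidden_module", cols[1], (_name(cols[1]),)))
            elif kind == "SSDT" and HEX8.fullmatch(cols[1]):
                # SSDT slot owned by code GMER could not map to a driver file on disk
                findings.append(Finding(section, "unattributed_ssdt_hook", cols[-1], ()))
            elif kind == "Device" and HEX8.fullmatch(cols[-1]):
                # device object whose driver has no resolvable image, only an address
                findings.append(Finding(section, "unattributed_device", cols[1], (_name(cols[1]),)))
            elif section == "Kernel code sections" and kind in (".text", "PAGE"):
                # in-memory modification of kernel code (inline JMP or byte patch)
                findings.append(Finding(section, "kernel_patch", cols[1], ()))
    return findings


def correlate(text, findings):
    """Map each flagged name to the sorted list of sections whose lines mention it."""
    sections = parse_sections(text)
    names = {n for f in findings for n in f.names}
    return {n: sorted(s for s, lines in sections.items()
                      if any(n in l.lower() for l in lines)) for n in names}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:22} {f.kind:24} {f.detail}")
    for name, where in correlate(SAMPLE_LOG, found).items():
        print(f"{name}: referenced in {', '.join(where)}")
```

On the sample the cross-reference shows `wpsxbayy` in Files, Modules and Services and `ujypmcpx` in Devices and Services, while the Registry section only carries the TDSSserv entries: the same mismatch between registry keys and on-disk files that the helper remarks on later in the thread.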

chasethedog -

 

Please run GMER again and this time save the log file as ctd.log.  Attach this file to a post here by using the Add Attachments link just below the orange Post button.  Please do not edit out any of the log file(s).

 

Posting.png

Thanks for your patience.  The log file is attached.

Hi Chasethedog:

 

Now we have something to work with.  Quads will be along later due to time zone differences, and he will help you remove the rootkit.

 

 

Hi

 

I am working on yours; your registry entries and files don't seem to match, but that's OK, a bit more of a challenge.

 

Quads 

Hi 

 

Now (read carefully): if you have Spybot S&D, uninstall it.

 

Also, during the restarts with Avenger, if your PC has a startup repair center like those on HP and Toshiba machines, tell it to start normally if it kicks in.

 

1. Download Avenger to your desktop,

 

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version to unzip to the desktop

 

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

 

3. In the "Input script here:" copy and paste the script between the lines


Drivers to disable:

TDSSserv.sys

ujypmcpx 

 

Drivers to delete:

TDSSserv.sys

ujypmcpx 

 

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\SYSTEM32\DRIVERS\wpsxbayy.sys

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\TDSSserv.sys 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\TDSSserv.sys


Here is a screenshot (script updated since shot)

 

Avenger.jpg

 

Make sure the "Automatically disable any rootkits found" is NOT selected

 

4. Click "Execute"

 

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

 

5. Restart the PC again, then see if you can install, update and run Malwarebytes

 

Quads 

Quads et al.,

Sorry for the delay in responding.  Summer vacation interrupted my follow-up.  I just followed your instructions - downloaded and ran Avenger with the script from your message.  Attached is the Avenger log that resulted.  The first couple of lines say no rootkits found??  It looks like it successfully disabled 1 driver and deleted 1 driver, 1 file, and 1 registry key, but it failed to disable or delete a bunch of others that were in your script.

 

After the computer restarted fully, Norton's autoprotect warning came up saying that a Hacktool.rootkit virus was still detected.  Should I run a full Norton virus scan to confirm that the Hacktool.rootkit is still there? 

 

What should my next step be?  Re-run GMER and send you the new log file?

Hi Chasethedog:

 

The next instruction to follow is to download, install, update and do a full system scan with Malwarebytes.  The rootkit is broken, but the pieces must be removed.  There are always extra files in the scripts to cover all the bases.  Many of them will show failed if the file does not exist.  It does get the ones we want.

 

Disable system restore.

 

http://www.malwarebytes.org 

Message Edited by delphinium on 07-28-2009 04:46 PM