Remove HackTool.Rootkit

ehess (asker):

HackTool.Rootkit has infected a computer on the network I manage. I ran Symantec EndPoint Protection and set up the scan to delete the infected file, which is...

C:\Windows\System32\Drivers\dumtc.sys

I can delete it and in no less than 1 second it's back. I have a hijack log, please help. I already use AntiMalware's Malware Bytes - the best free software in this world! It's not finding anything and SEP only finds the dumtc.sys but can't seem to remove it.

Hope to have this solved ASAP!  

I have the hijackthis log attached.  Also, I've already tried following this article, no success.
http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=3



Attachment: hijackthis-1-.log

ICaldwell:

Have you tried booting into safe mode and scanning for the virus from there?  That should prevent a lot of the services & startup events from running..  It should allow you to fix the issue...

To run safe mode just keep clicking F8 when the computer loads until the menu pops up, scroll down to safe mode and hit Enter....
You need to disable Automated System Restore and boot into safe mode, then try to delete it.  If that doesn't work, I would drop a new hard drive in the system and reload.  Oftentimes there are companion viruses that check to see if a service that is launched by a virus is running, and if it isn't, it copies the virus back.
You will also want to run an anti-rootkit prior to your Windows-based AV.  Sophos makes a good free one:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
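Before (or alongside) the safe-mode attempt it helps to record what is bringing the file back, rather than eyeballing it. The PowerShell script below is an added example, not code from this thread or from any tool it names; it assumes Windows PowerShell 5.1 run as Administrator, uses the driver path the asker reported, and writes to a constructed log location under $env:TEMP (the function names are mine). It lists every entry under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath names the file (the "companion" pattern ICaldwell describes usually shows up as a second service entry), checks whether each is allowed to load in Safe Mode, then logs any re-creation of the file with timestamps so the "back within a second" behaviour is documented.

```powershell
# Added example (not from the thread): triage a driver file that reappears
# right after deletion.  Assumptions: Windows PowerShell 5.1 run as
# Administrator; $Target is the path the asker reported; $LogFile is a
# constructed location chosen for this example.
$Target  = 'C:\Windows\System32\Drivers\dumtc.sys'
$LogFile = Join-Path $env:TEMP 'driver-watch.log'

function Test-SafeBootEntry {
    # Safe Mode only loads services and drivers listed under SafeBoot\Minimal
    # (or \Network); an entry here explains why a "safe mode" scan still
    # finds the driver active.
    param([Parameter(Mandatory)][string]$ServiceName)
    foreach ($mode in 'Minimal', 'Network') {
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName") { $mode }
    }
}

function Get-ServicesReferencingFile {
    # Every service or kernel driver is a subkey under ...\Services; the
    # ImagePath value names its binary.  Matching on the file name catches
    # both the driver's own entry and any companion service that reloads it.
    param([Parameter(Mandatory)][string]$Path)
    $leaf = [System.IO.Path]::GetFileName($Path)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ImagePath -and $p.ImagePath -like "*$leaf*") {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $p.ImagePath
                    Start     = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                    Type      = $p.Type    # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
                    SafeBoot  = (Test-SafeBootEntry -ServiceName $_.PSChildName) -join ','
                }
            }
        }
}

# 1. Snapshot: which entries reference the file, and what is on disk right now.
Get-ServicesReferencingFile -Path $Target | Format-Table -AutoSize
if (Test-Path -LiteralPath $Target) {
    Get-Item -LiteralPath $Target | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-FileHash -LiteralPath $Target -Algorithm SHA256 | Select-Object Hash
}

# 2. Watch the Drivers folder for the file being recreated and log each event
#    with a timestamp, so the "back within a second" behaviour is recorded.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = Split-Path -Path $Target -Parent
$watcher.Filter = Split-Path -Path $Target -Leaf
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

foreach ($ev in 'Created', 'Changed', 'Deleted') {
    $null = Register-ObjectEvent -InputObject $watcher -EventName $ev `
        -SourceIdentifier "DriverWatch$ev" -MessageData $LogFile -Action {
            $e = $Event.SourceEventArgs
            $line = '{0:o} {1} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
            Add-Content -Path $Event.MessageData -Value $line
        }
}

# 3. Repeat the asker's test under observation: attempt the delete, wait,
#    then read back what the watcher recorded.
try   { Remove-Item -LiteralPath $Target -Force -ErrorAction Stop }
catch { "Delete failed: $($_.Exception.Message)" | Add-Content -Path $LogFile }
Start-Sleep -Seconds 10
Get-Content -Path $LogFile

# 4. Release the event subscriptions and the watcher when done.
foreach ($ev in 'Created', 'Changed', 'Deleted') { Unregister-Event -SourceIdentifier "DriverWatch$ev" }
$watcher.Dispose()
```

Two things to read from the output: a Created event that follows the Deleted event within milliseconds points at something event-driven (a second service or driver watching the file) rather than a scheduled job, and a non-empty SafeBoot column means the entry will load in Safe Mode too, so a safe-mode scan alone will not stop it. A kernel-mode rootkit can also hide the file and its service key from user-mode enumeration entirely, in which case this script sees nothing at all; that is the case the rootkit scanners discussed later in the thread (RootkitRevealer, GMER) are for.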
rpggamergirl:

You can fix these lines below in HijackThis; a lot of nasties can now hide from the HijackThis scan.
O4 - HKLM\..\Run: [Ijomatumoyesi] rundll32.exe "C:\WINDOWS\avasarevegub.dll",Startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 

Or just run ComboFix and show us the log to make sure no bad files are left behind after CF's first run.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

AnilKumarSharma,
Excuse me if I missed something... but where on earth did you get those Hijackthis entries that you want the asker to fix?

I don't see them in his log?
By the way CWShredder hasn't been updated for a long time.
Hi,

Please use the following attached tool: Rootkit Revealer from sysinternals:

Attachment: RootkitRevealer.exe
Sorry for the misunderstanding, this was just a sample to show how to use and find, catch and fix the particular problem. This is not the one that the author had attached with this.
This is a peculiar example of fixing the problem due to this virus that is demonstrated with some help that may lead the author to fix and try the similar strategy. As rightly commented, each and every infection is different in each system, but this particular rootkit is the same, which is HackTool.Rootkit, for which a sample removal is explained.

Vee_Mod and rpggamergirl

The disabling of safe mode is recommended by Symantec for this rootkit. Please see the details for this from Symantec:

Please note that these are part of the removal instructions. If we hide it from the author, maybe he gets the same from Symantec for the removal-specific instructions.  This is important as the author is using Symantec and an XP system (check the tags - Tags:  Windows XP Pro SP3, Symantec EndPoint Protection 11 Build 5).

http://securityresponse1.symantec.com/sarc/sarc.nsf/html/hacktool.rootkit.html

removal instructions

The presence of Hacktool.Rootkit implies that the security of the system has been compromised. The system should be restored from known clean backup copies or patched to restore security.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected.

For specific details on each of these steps, read the following instructions.....(so on)
AnilKumarSharma,
Your cut and paste information from Symantec does nothing to convince me the advice should be followed.

If you will take the time to actually read the article linked above, you will learn why they make that recommendation - if you are using one of THEIR products - THEIR product renders System Restore unusable.

The advice offered to you above seems pretty reasonable. If you don't have a solid personal knowledge of anti-malware processes and procedures, you really shouldn't be posting in the anti-malware Zones.
Yes, rpggamergirl , read your article and your comment that
"
You might say, "but Symantec suggests to turn it off before running a scan?"  Well they are wrong to suggest that!... but let's be fair and look at it from their own perspective.
"
Still there are a lot of things that are not looked at, especially your doubt wrt the PC user. It is expected to have a backup for critical data in the first place, and there are a lot of things in parallel to this. With this I am with Symantec.

younghv,
 It is not about me or you. It is about the author who posted this question. He has Symantec antivirus installed and I think it is not a good idea to go against the suggestions of Symantec when one is using their product.
AnilKumarSharma,
It is very obvious that you have very little experience in this kind of situation, so I encourage you to do what I do ... pay attention to those who know what they're talking about.

The recommendation to run ComboFix is exactly right for two reasons.
First and foremost, it is known to correct this exact problem.
Second, ComboFix will create a new "Restore Point" that will at least allow the Asker to re-boot the system in case something goes wrong.

I have been following the advice of "rpggamergirl" in this and many other Forums for a lot of years and she gives some of the best advice to be found anywhere. As a multiple MS MVP nominee, she has earned the respect and gratitude of thousands of people all over the world.

Looking at your profile, I see that you have only just started trying to answer questions here on EE. Please take my comments in the manner intended and improve upon the advice you are offering.
AnilKumarSharma,

Symantec always advises disabling System Restore when the system is infected with hacktool.rootkit or with other viruses.
Symantec's advice to disable System Restore before the scan also makes sense (for them), but from the user's perspective it doesn't.
There are two sides here (antivirus side and user side) and both sides have valid reasons.

I will try and explain it to you as simply as I can.


From the antivirus viewpoint:

If an antivirus finds any infected files in the System Volume Information folder it CANNOT delete them.
The scan obviously takes longer than scanning without that folder; there's also the chance that the scan will hang while scanning that folder.

So for Symantec, there is really no reason to keep those restore points. They have no reason to scan that folder; it is a waste of effort and resources, because if they find viruses in there they can't do anything to delete them, can't disinfect them, so why bother scanning that folder?
They feel right to advise the user to disable it right away; it's a job to be done just in case the user later on decides to use those restore points and reinfects the system.

Can you see why it makes more sense for Symantec to suggest disabling System Restore?



BUT... from the users' viewpoint:

Viruses in System Restore are dormant (that's a fact); they are harmless and not a threat while in that folder, so it's okay to leave them there until after the cleanup.
When the system is clean (except for the restore points) then you can flush those restore points and create a new clean one, quick and easy.

So, for the user, it won't make sense to get rid of the restore points prior to cleanup because, as I've stated in the article, while removing viruses some things could go wrong.
If the cleanup doesn't go smoothly the situation can change from bad to worse; the system can get so unstable that you may need to go back and use one of those restore points and START all over again with the cleanup and a better strategy.
Hence, it's better to have a possibly infected restore point than none. You see, with restore points you can start from square one and start cleaning again, but if you have no restore point you have no choice but to reformat.

It is really a plain and simple logic.

If it is not clear and you want to discuss it further, please ask a Mod to open a private thread so we can continue it there.
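The order described above (leave the restore points alone during cleanup, then flush them and create one fresh, known-clean point) can be scripted so it is done in exactly that sequence and not by accident. The script below is an added example, not code from this thread, from Symantec or from ComboFix; it assumes Windows PowerShell 5.1 run as Administrator with system protection enabled on C:\ (the *-ComputerRestore and Checkpoint-Computer cmdlets are not available in PowerShell 7), and the function names and the "Post-cleanup baseline" description are my own.

```powershell
# Added example (not from the thread): inspect restore points before cleanup,
# and only after the system is verified clean flush them and create a new one.
# Assumptions: Windows PowerShell 5.1 run as Administrator; system protection
# is on for C:\.  Nothing is deleted until Reset-RestorePoints is called.

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns SystemRestore WMI objects whose
    # CreationTime is a DMTF datetime string; convert it for readability.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
            Type        = $_.RestorePointType
        }
    }
}

function Reset-RestorePoints {
    # Disabling System Restore on a drive discards every restore point on it
    # (the possibly infected ones included); re-enabling and then creating a
    # checkpoint leaves exactly one point, taken from the cleaned system.
    param(
        [string]$Drive       = 'C:\',
        [string]$Description = 'Post-cleanup baseline'   # constructed label
    )
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    Get-RestorePointSummary
}

# Before cleanup: look, but keep everything (the user-side argument above).
Get-RestorePointSummary | Format-Table -AutoSize

# After the cleanup has been verified: flush the old points and create a
# fresh one.  Left commented out so running the script is read-only by default.
# Reset-RestorePoints -Drive 'C:\'
```

Two caveats from the cmdlets themselves: the restore points are only discarded by the Disable/Enable pair, so keep that inside the "after cleanup" step, and from Windows 8 onward Checkpoint-Computer refuses to create more than one restore point per 24 hours, so the fresh baseline may need to wait if another point was created that day.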


younghv,
   Thanks for recalling my VERY little experience of around 20 years in this IT field and as a registered member of Experts Exchange for around 7 years. It keeps me on my feet to learn more and more, as I am always a student when it comes to learning and eager to learn. I appreciate your comments.

rpggamergirl,
   Thanks for the reply. Your explanation and article are simple and clear (as you correctly said, plain and simple logic) and I understand your point. I am feeling proud to have a discussion with a Sage.
My comments are not against your thought but another view.  I am expecting that all facts should be presented to the reader with pros and cons along with EE advice (like you are a Sage in EE, so naturally your comments will help the EE community and its members a great deal) and then let users decide what they think is best. As it is another question till when it ("When the system is clean (except for the restore points)") will hold true.
I do not think there is any point in further discussion as I clearly understand your explanation and the Mods are in no mood to get my point for whatsoever reason.



ehess (asker):

Wow, all these posts going back and forth make it extremely hard to see what is actually recommended.  I have the computer in my office now and set the user up with a spare.  I'll post an update as soon as I've had a chance to try something new.
ehess:
Please look at the advice here: http:#a26281618
ehess (asker):

I booted into Safe mode to try to run an SEP scan and I can't.  The services aren't started.  I also have already run through the entire article from Symantec and it DID not remove the virus.  

I have had combofix running now for almost 30 minutes and all I have is a blue command prompt looking window that is 100% blank.  I did see a message that ComboFix was disabling dcomshare.dll (C:\Windows\dcomshare.dll) but that's all the activity I've seen.  I will let it run now for the rest of the day if that's what it takes.

Not much for news, but I hope ComboFix generates the logs as intended so I can post them here.
Two days have passed and the bug still hasn't been fixed.  I understand that this is a technical forum and that offering accurate technical advice is the primary goal.  I would like to also think that offering advice based on past experience is also a goal.  If the infected computer is a business computer and two days of unsuccessful troubleshooting takes it out of production for that period of time, I refer to my first post.  Hunting and eliminating bugs successfully can be very time consuming.  Oftentimes it is faster and safer to drop in a new drive and reload.  Take the infected drive to a sandbox PC and get the data that you need off of it and sneakernet the data back to the reloaded PC.
ehess (asker):

I am at that point.  I still have had no results from combofix, just sits there with the blank blue screen.  I will order a replacement drive, wipe & rebuild.  
SOLUTION by younghv (post content only available to members)

>>>>I still have had no results from combofix, just sits there with the blank blue screen.  

ehess:  try what younghv recommends and hope that it will solve your problem instead of going to order a replacement drive, wipe & rebuild.  

younghv :-
            It is not always that all locks can be opened with one key.

If still problem is not resolved and if you still like to gear up to resolve the issue then I am sure you can do this :)
Sounds like the ComboFix scan hangs... the scan doesn't take that long, so something is wrong there somehow.
Was that a fresh download of ComboFix?
ehess:
You're in good hands and I'll /unsubscribe to let these fine folks finish up.
Fingers crossed that this works out w/o a reinstall.
ehess (asker):

After looking at the latest responses, I decided the virus was likely blocking ComboFix from running.  I booted into safe mode and have had it running now for 10 minutes or so with activity that I can see.  It's creating the logs now and I did see the infected file was deleted by ComboFix.  This is progress, but until it's done I can't completely say it's all good.  
ehess (asker):

I restarted the ComboFix scan in Safe Mode after the first time it ran; it hung after restarting (installed the recovery console).  I do have the log and attached it to this post.  
Attachment: ComboFix-Log.txt
ASKER CERTIFIED SOLUTION (post content only available to members)
ehess (asker):

I ran the instructions rpggamergirl left in the last post and have the logs from all three scans.  I didn't find any action items after running the scans.  I did create the script and drag it to the ComboFix before it ran.  Here are the logs.  I did see the RootKit Revealer say a rootkit was found and the same with GMER.  I fought disabling SEP as a scan was enabled and it wouldn't disable even after waiting for it to complete. I couldn't see it running, nor could I find the process to kill it.  I had disabled all of the SEP services, killed the shield process, with still no change when I started the ComboFix scan.  You will see it was enabled in the log.  
Attachments: ComboFix-Log-afterScriptUsed.txt, GMER-Log.log, RootkitReveal-log.txt
SOLUTION (post content only available to members)
ehess (asker):

I have been working on this issue.  
Starting tomorrow I don't have internet access for 4 days..... other Experts are still here to continue on.
ehess (asker):

I am not satisfied the OS is not damaged and believe the system is better off completely wiped and reloaded.  Thanks for the responses and advice on tools to remove it, but at this point I will not put it back on my network without completely wiping and starting over.