

hacktool.rootkit removal - boot.sys

Posted on 2008-11-11
Medium Priority
Last Modified: 2013-11-22
I've got a laptop that was infested with spyware and trojans. I've managed to clean up a good bit of it to where I can actually work on it. SAV 10.1 picks up HACKTOOL.ROOTKIT in file boot.sys. I can't seem to get rid of it. I've found several solutions on this site, but I'm having issues carrying them out as for whatever reason the internet does not function properly and I am not allowed to get to certain sites like Trend Micro, etc.

Are the browsing issues related to the spyware infections and if so how can I fix it? When I try to go to certain sites (like Trend Micro) IE will automatically redirect me to some b/s site that's in no way related. It's even affected my ability to update tools like Adaware with the latest def files.

Furthermore, I took the recommendation of another post and downloaded\ran RootkitRevealer from Sysinternals\Microsoft - It picks up a few registry keys, but errors out before it can scan the system drive ("error mounting volume").

So what's the best way to proceed - and please don't just recommend a reinstall of Windows - that's a last resort.

Question by:Haze0830
LVL 20

Expert Comment

ID: 22934691
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.


Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
LVL 27

Expert Comment

ID: 22935130
Have you tried to log in under Safe Mode? If not you may try that and then run your antimalware tools.
You may have some luck logging in under a different profile. That may allow you to get to the necessary web sites for malware/virus removal tools.
Malwarebytes is a good utility and free.
The initial download is only about 2.5M. Perhaps you could copy it to a thumb drive, etc. and then install and run that (Safe Mode).

Author Comment

ID: 22935267
Already tried Safe Mode - no dice.

I'll post the HJT log.


LVL 47

Expert Comment

ID: 22937058

It's possible that the nasties are adding entries in the Hosts file to block security sites.
Check the Hosts file; if it is, then delete the corresponding entries to unblock them.
You can find the Hosts file in this location: (Hosts is hidden, so show hidden files and folders first)

Then try and download the scanners that have been suggested already.
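The Hosts-file check suggested above can be scripted. This is an added example, not part of the original thread: it parses Hosts-file text and reports every mapping that overrides DNS for a security vendor's domain, whether the name is sinkholed to a loopback address or pointed at some other server. The watch-list domains and the sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: Trend Micro and Symantec are named in the thread;
# the exact domains below are illustrative, not taken from the page.
SECURITY_DOMAINS = ("trendmicro.com", "symantec.com", "malwarebytes.org", "lavasoft.com")

# Constructed sample Hosts file content (not from the poster's machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com housecall.trendmicro.com
203.0.113.7     liveupdate.symantec.com   # points at an unrelated server
192.168.1.10    fileserver
0.0.0.0 download.lavasoft.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in Hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        for name in fields[1:]:                  # one address may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def classify(address):
    """Loopback/unspecified addresses block a site; anything else redirects it."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed-address"
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"

def suspicious_entries(text, watched=SECURITY_DOMAINS):
    """Return every mapping that overrides DNS for a watched security domain."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((line_no, address, name, classify(address)))
    return findings

if __name__ == "__main__":
    for line_no, address, name, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({verdict})")
```

Run it against a copy of the Hosts file taken from the affected machine. An empty result, as the author later reports, means the redirection is happening somewhere other than the Hosts file.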

Author Comment

ID: 22939420
I thought of the hosts file too, but when I checked it out everything was fine.

Here is the log from HJT.


Author Comment

ID: 22939572
Alright...so I went here:  http://hijackthis.de/index.php?langselect=english#anl

...to analyze the log but it doesn't return any results. wth?
LVL 20

Expert Comment

ID: 22939698
The analyzer does not pick everything up, and HJT does not "see" everything.

These 2 items are bad...

O21 - SSODL: Artaksap - {C3AB9FF1-26C8-491C-9E06-F5D5D8D398D5} - C:\WINDOWS\system32\biociole.dll
O21 - SSODL: Cpyamnet - {393E68BC-7090-4A44-B51E-C7AD85178075} - C:\WINDOWS\system32\conefurl.dll

Can't find much on them yet, probably new variants.

They can be fixed with HJT, and the files should be deleted.

Reboot and see if that helps.

I would advise MBAM as David Howard had suggested also.
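Because an online analyzer may not recognise new variants, O21 entries can also be compared against a log from a known-clean machine. This is an added example, not part of the original thread: it parses the O21 (ShellServiceObjectDelayLoad) lines of a HijackThis log and lists every CLSID/DLL pair missing from a baseline. The baseline log and the filler lines are constructed; only the two flagged O21 lines come from the post above.

```python
import ntpath   # parses Windows paths correctly on any OS
import re

O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Constructed baseline: O21 section as exported from a clean machine of the same build.
CLEAN_LOG = r"""
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
"""

# Constructed log: the two O21 lines quoted in the post plus constructed filler lines.
SUSPECT_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O21 - SSODL: WebCheck - {e6fb5e20-de35-11cf-9c87-00aa005127ed} - C:\WINDOWS\System32\webcheck.dll
O21 - SSODL: Artaksap - {C3AB9FF1-26C8-491C-9E06-F5D5D8D398D5} - C:\WINDOWS\system32\biociole.dll
O21 - SSODL: Cpyamnet - {393E68BC-7090-4A44-B51E-C7AD85178075} - C:\WINDOWS\system32\conefurl.dll
"""

def parse_o21(log_text):
    """Return the ShellServiceObjectDelayLoad (O21) entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O21_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "clsid": m["clsid"].upper(),
                            "path": m["path"].strip()})
    return entries

def unexpected_ssodl(log_text, baseline_text):
    """Entries whose (CLSID, DLL path) pair is absent from the clean baseline."""
    # Windows paths and CLSIDs are case-insensitive, so normalise before comparing.
    known = {(e["clsid"], e["path"].lower()) for e in parse_o21(baseline_text)}
    return [e for e in parse_o21(log_text)
            if (e["clsid"], e["path"].lower()) not in known]

if __name__ == "__main__":
    for e in unexpected_ssodl(SUSPECT_LOG, CLEAN_LOG):
        print(f'{e["name"]}: {ntpath.basename(e["path"])} {e["clsid"]}')
```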

Author Comment

ID: 22940024
No, I mean like the analyzer wouldn't return ANYTHING.
LVL 20

Expert Comment

ID: 22940388
Oh, NOTHING? Weird....I don't use it so don't know much about it.

Author Comment

ID: 22940598

Well, I fixed those two entries...still not working properly. Won't even let me install the tools I need to clean it or that have been recommended. I can't get to sites (like Trend Micro) to use the online scan engines. I can't even get it to do anything in safe mode. Symantec keeps finding viruses at startup even after I've run full system scans 3x and removed whatever has been found.

I think I'm about ready to call this one.
LVL 20

Accepted Solution

IndiGenus earned 2000 total points
ID: 22940901
Probably has tdssserv rootkit present, and/or Bagle.

This is what I would try next before giving up. Follow the instructions below to run combofix, but when you download combofix, rename it BEFORE downloading it. This is important. If you cannot download it on this PC you may have to on another and copy it over on a flash drive.

Download ComboFix from either of these links to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


Author Closing Comment

ID: 31515730
LVL 20

Expert Comment

ID: 22990223
You're welcome. Sometimes combofix leaves entries that may still need to be dealt with. Post the cf log and I'll take a look. If not then you should uninstall cf and its associated files/folders.

Click START then Run...
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

