hacktool.rootkit removal - boot.sys

I've got a laptop that was infested with spyware and trojans. I've managed to clean up a good bit of it to where I can actually work on it. SAV 10.1 picks up HACKTOOL.ROOTKIT in file boot.sys. I can't seem to get rid of it. I've found several solutions on this site, but I'm having issues carrying them out as for whatever reason the internet does not function properly and I am not allowed to get to certain sites like Trend Micro, etc.

Are the browsing issues related to the spyware infections and if so how can I fix it? When I try to go to certain sites (like Trend Micro) IE will automatically redirect me to some b/s site that's in no way related. It's even affected my ability to update tools like Adaware with the latest def files.

Furthermore, I took the recommendation of another post and downloaded\ran RootkitRevealer from Sysinternals\Microsoft - It picks up a few registry keys, but errors out before it can scan the system drive ("error mounting volume").

So what's the best way to proceed - and please don't just recommend a reinstall of Windows - that's a last resort.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.


Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
Have you tried to log in under Safe Mode? If not you may try that and then run your antimalware tools.
You may have some luck logging in under a different profile. That may allow you to get to the necessary web sites for malware/virus removal tools.
malwarebytes is a good utility and free.
The initial download is only about 2.5M. Perhaps you could copy it to a thumb drive, etc. and then install and run that (Safe Mode).
Haze0830Author Commented:
Already tried Safe Mode - no dice.

I'll post the HJT log.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!


It's possible that the nasties are adding entries in the Hosts file to block security sites.
Check the Hosts file, if it is, then delete the corresponding entries to unblock them.
You can find the Hosts file in this locations:(Hosts is hidden so show hidden files and folders first)

Then try and download the scanners that has been suggested already.
Haze0830Author Commented:
I thought of the hosts file too, but when I checked it out everything was fine.

Here is the log from HJT.

Haze0830Author Commented:
Alright...so I went here:  http://hijackthis.de/index.php?langselect=english#anl

...to analyze the log but it doesn't return any results. wth?
The analyzer does not pick everything up, and HJT does not "see" everything.

These 2 items are bad...

O21 - SSODL: Artaksap - {C3AB9FF1-26C8-491C-9E06-F5D5D8D398D5} - C:\WINDOWS\system32\biociole.dll
O21 - SSODL: Cpyamnet - {393E68BC-7090-4A44-B51E-C7AD85178075} - C:\WINDOWS\system32\conefurl.dll

Can't find much on them yet, probably new variants.

They can be fixed with HJT, and the files should be deleted.

Reboot and see if that helps.

I would advise MBAM as David Howard had suggested also.
Haze0830Author Commented:
No, I mean like the analyzer wouldn't return ANYTHING.
Oh, NOTHING? Weird....I don't use it so don't know much about it.
Haze0830Author Commented:

Well, I fix those two entries...still not working properly. Won't even let me install the tools I need to clean it or that have been recommended. I can't get to sites (like Trend Micro) to use the online scan engines. I can't even get it to do anything in safe mode. Symantec keeps finding viruses at startup even after I've run full system scans 3x and removed whatever has been found.

I think I'm about ready to call this one.
Probably has tdssserv rootkit present, and/or Bagle.

This is what I would try next before giving up. Follow the instructions below to run combofix, but when you download combofix, rename it BEFORE downloading it. This is important. If you cannot download it on this PC you may have to on another and copy it over on a flash drive.

Download ComboFix from either of these links to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Haze0830Author Commented:
You're welcome. Sometimes combofix leaves entries that may still need to be dealt with. Post the cf log and I'll take a look. If not then you should uninstall cf and it's associated files/folders.

Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.