Solved

Remove HackTool.Rootkit

Posted on 2010-01-10
Last Modified: 2013-11-22
HackTool.Rootkit has infected a computer on the network I manage. I ran Symantec Endpoint Protection and set up the scan to delete the infected file, which is...

C:\Windows\System32\Drivers\dumtc.sys

I can delete it and in no less than 1 second it's back. I have a HijackThis log, please help. I already use Malwarebytes Anti-Malware - the best free software in this world! It's not finding anything and SEP only finds the dumtc.sys but can't seem to remove it.

Hope to have this solved ASAP!  

I have the hijackthis log attached.  Also, I've already tried following this article, no success.
http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=3



hijackthis-1-.log
Question by:ehess
32 Comments
 
LVL 11

Expert Comment

by:ICaldwell
ID: 26280167
Have you tried booting into Safe Mode and scanning for the virus from there?  That should prevent a lot of the services & startup events from running.  It should allow you to fix the issue...

To run Safe Mode, just keep pressing F8 when the computer loads until the menu pops up, scroll down to Safe Mode and hit Enter....
0
 
LVL 5

Expert Comment

by:drawlin
ID: 26280175
You need to disable Automated System Restore and boot into Safe Mode, then try to delete it.  If that doesn't work, I would drop a new hard drive in the system and reload.  Oftentimes there are companion viruses that check to see if a service that is launched by a virus is running, and if it isn't, it copies the virus back.
0
 
LVL 8

Expert Comment

by:MagicFarmer
ID: 26280769
You will also want to run an anti-rootkit tool prior to your Windows-based AV.  Sophos makes a good free one:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26281618

You can fix these lines below in HijackThis; a lot of nasties can now hide from the HijackThis scan.
O4 - HKLM\..\Run: [Ijomatumoyesi] rundll32.exe "C:\WINDOWS\avasarevegub.dll",Startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 

Or just run ComboFix and show us the log to make sure no bad files are left behind after CF's first run.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26281630
AnilKumarSharma,
Excuse me if I missed something... but where on earth did you get those Hijackthis entries that you want the asker to fix?

I don't see them in his log?
By the way CWShredder hasn't been updated for a long time.
0
 
LVL 7

Expert Comment

by:jhalapradeep
ID: 26281814
Hi,

Please use the following attached tool: Rootkit Revealer from sysinternals:

RootkitRevealer.exe
0
 
LVL 9

Expert Comment

by:AnilKumarSharma
ID: 26283246
Sorry for the misunderstanding, this was just a sample to show how to use it and find, catch and fix the particular problem. This is not the one that the author had attached with this.
This is a peculiar example of fixing the problem due to this virus, demonstrated with some help that may lead the author to fix it and try a similar strategy. As rightly commented, each and every infection is different on each system, but this particular rootkit is the same, which is HackTool.Rootkit, for which a sample removal is explained.

Vee_Mod and rpggamergirl

The disabling of System Restore is recommended by Symantec for this rootkit. Please see the details for this from Symantec:

Please note that these are part of the removal instructions. If we hide it from the author, maybe he gets the same from Symantec for the removal-specific instructions.  This is important as the author is using Symantec and an XP system (check the tags - Tags:  Windows XP Pro SP3, Symantec EndPoint Protection 11 Build 5)

http://securityresponse1.symantec.com/sarc/sarc.nsf/html/hacktool.rootkit.html

removal instructions

The presence of Hacktool.Rootkit implies that the security of the system has been compromised. The system should be restored from known clean backup copies or patched to restore security.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected.

For specific details on each of these steps, read the following instructions.....(so on)
0
 
LVL 38

Expert Comment

by:younghv
ID: 26283362
AnilKumarSharma,
Your cut and paste information from Symantec does nothing to convince me the advice should be followed.

If you will take the time to actually read the article linked above, you will learn why they make that recommendation - if you are using one of THEIR products - THEIR product renders System Restore unusable.

The advice offered to you above seems pretty reasonable. If you don't have a solid personal knowledge of anti-malware processes and procedures, you really shouldn't be posting in the anti-malware Zones.
0
 
LVL 9

Expert Comment

by:AnilKumarSharma
ID: 26283363
Yes, rpggamergirl , read your article and your comment that
"
You might say, "but Symantec suggests to turn it off before running a scan?"  Well they are wrong to suggest that!... but let's be fair and look at it from their own perspective.
"
Still there are a lot of things that are not looked upon, especially your doubt w.r.t. the PC user. It is expected to have a backup for critical data in the first place, and there are a lot of things in parallel to this. With this I am with Symantec.

0
 
LVL 9

Expert Comment

by:AnilKumarSharma
ID: 26283528
younghv,
 It is not about me or you. It is about the author who posted this question. He has Symantec antivirus installed and I think it is not a good idea to go against the suggestions of Symantec when one is using their product.
0
 
LVL 38

Expert Comment

by:younghv
ID: 26283625
AnilKumarSharma,
It is very obvious that you have very little experience in this kind of situation, so I encourage you to do what I do ... pay attention to those who know what they're talking about.

The recommendation to run ComboFix is exactly right for two reasons.
First and foremost, it is known to correct this exact problem.
Second, ComboFix will create a new "Restore Point" that will at least allow the Asker to re-boot the system in case something goes wrong.

I have been following the advice of "rpggamergirl" in this and many other Forums for a lot of years and she gives some of the best advice to be found anywhere. As a multiple MS MVP nominee, she has earned the respect and gratitude of thousands of people all over the world.

Looking at your profile, I see that you have only just started trying to answer questions here on EE. Please take my comments in the manner intended and improve upon the advice you are offering.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26289903
AnilKumarSharma,

Symantec always advises disabling System Restore when the system is infected with hacktool.rootkit or with other viruses.
Symantec's advice to disable System Restore before the scan also makes sense (for them), but from the user's perspective it doesn't.
There are two sides here (antivirus side and user side) and both sides have valid reasons.

I will try and explain it to you as simply as I can.


From the antivirus viewpoint:

If an antivirus finds any infected files in the System volume Information folder they CAN NOT delete them.
The scan obviously takes longer than scanning without that folder, there's also that chance that the scan will hang while scanning that folder.

So for Symantec, there is really no reason to keep those restore points, they have no reason to scan that folder, it is a waste of effort and resources because if they find viruses in there they can't do anything to delete them, can't disinfect them, so why bother scanning that folder?
They feel it is right to advise the user to disable it right away; it's a job to be done just in case the user later decides to use those restore points and reinfects the system.

Can you see why it makes more sense for Symantec to suggest disabling System Restore?



BUT... from the users' viewpoint:

Viruses in System Restore are dormant (that's a fact); they are harmless and not a threat while in that folder, so it's okay to leave them there until after the cleanup.
When the system is clean(except for the restore points) then you can flush those restore points and create a new clean one quick and easy.

So, for the user, it won't make sense to get rid of the restore points prior to cleanup because as I've stated in the article while removing viruses, some things could go wrong.
If the cleanup won't go smoothly the situation can change from bad to worse, the system can get very unstable that you may need to go back and use one of those restore points and START all over again with the cleanup and a better strategy.
Hence, it's better to have a possibly infected restore point than none, you see, with restore points, you can start from square one and start cleaning again but if you have no restore point you have no choice but to reformat.

It is really plain and simple logic.

If it is not clear and want to discuss it further please ask a Mod to open a private thread so we can continue it there.


0
 
LVL 9

Expert Comment

by:AnilKumarSharma
ID: 26290627
younghv,
   Thanks for recalling my VERY little experience of around 20 years in this IT field and as a registered member of Experts Exchange for around 7 years. It keeps me on my feet to learn more and more, as I am always a student when it comes to learning and eager to learn. I appreciate your comments.

rpggamergirl,
   Thanks for the reply. Your explanation and article are simple and clear (as you correctly said, plain and simple logic) and I understand your point. I am feeling proud to have a discussion with a Sage.
My comments are not against your thought but another view.  I am expecting that all facts should be presented to the reader with pros and cons along with EE advice (like you are a Sage in EE, so naturally your comments will help the EE community and its members greatly) and then let the user decide what they think is best. As it is another question until when it ("When the system is clean (except for the restore points)") will hold true.
I do not think there is any point of further discussion as I clearly understand your explanation and the Mods are in no mood to get my point for whatsoever reason.



0
 
LVL 1

Author Comment

by:ehess
ID: 26293567
Wow, all these posts going back and forth make it extremely hard to see what is actually recommended.  I have the computer in my office now and set up the user with a spare.  I'll post an update as soon as I've had a chance to try something new.
0
 
LVL 38

Expert Comment

by:younghv
ID: 26293890
ehess:
Please look at the advice here: http:#a26281618
0
 
LVL 1

Author Comment

by:ehess
ID: 26297807
I booted into Safe Mode to try to run an SEP scan and I can't.  The services aren't started.  I also have already run through the entire article from Symantec and it DID not remove the virus.  

I have had combofix running now for almost 30 minutes and all I have is a blue command prompt looking window that is 100% blank.  I did see a message that ComboFix was disabling dcomshare.dll (C:\Windows\dcomshare.dll) but that's all the activity I've seen.  I will let it run now for the rest of the day if that's what it takes.

Not much for news, but I hope ComboFix generates the logs as intended so I can post them here.
0
 
LVL 5

Expert Comment

by:drawlin
ID: 26299218
Two days have passed and the bug still hasn't been fixed.  I understand that this is a technical forum and that offering accurate technical advice is the primary goal.  I would like to also think that offering advice based on past experience is also a goal.  If the infected computer is a business computer and two days of unsuccessful troubleshooting takes it out of production for that period of time, I refer to my first post.  Hunting and eliminating bugs successfully can be very time consuming.  Oftentimes it is faster and safer to drop in a new drive and reload.  Take the infected drive to a sandbox PC, get the data that you need off of it and sneakernet the data back to the reloaded PC.
0
 
LVL 1

Author Comment

by:ehess
ID: 26299333
I am at that point.  I still have had no results from combofix, just sits there with the blank blue screen.  I will order a replacement drive, wipe & rebuild.  
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 300 total points
ID: 26299488
ehess -
I am not the ComboFix Wizard that rpg is, but I do use it almost every day - and have never known it to run for more than 15-25 minutes ... with the sequential 'Steps' ticking off every few seconds/minutes.

Before giving up entirely, please try to download it again (from the  http://download.bleepingcomputer.com/sUBs/ComboFix.exe link).

This time do a "Save As" before you download it (to your desktop) as something like "CF.exe".

Then try to run it again.

This process will only take a few seconds and might be what works. Remember, there should be only minimal pauses (a few seconds) as ComboFix steps through its processes.  

On very rare occasions, I have had to admit defeat and do the whole format/reinstall process, but I don't think this is one of them (but I've been wrong before).
0
 
LVL 9

Expert Comment

by:AnilKumarSharma
ID: 26299605

>>>>I still have had no results from combofix, just sits there with the blank blue screen.  

ehess:  try what younghv recommends and hope that it will solve your problem instead of going to order a replacement drive, wipe & rebuild.  

younghv :-
            It is not always that all locks can be open through one key.

If the problem is still not resolved and you still feel like gearing up to resolve the issue, then I am sure you can do this :)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26299629
Sounds like the ComboFix scan hangs... the scan doesn't take that long, so something is wrong there somehow.
Was that a fresh download of ComboFix?
0
 
LVL 38

Expert Comment

by:younghv
ID: 26299648
ehess:
You're in good hands and I'll /unsubscribe to let these fine folks finish up.
Fingers crossed that this works out w/o a reinstall.
0
 
LVL 1

Author Comment

by:ehess
ID: 26304124
After looking at the latest responses, I decided the virus was likely blocking ComboFix from running.  I booted into Safe Mode and have had it running now for 10 minutes or so with activity that I can see.  It's creating the logs now and I did see the infected file was deleted by ComboFix.  This is progress, but until it's done I can't completely say it's all good.  
0
 
LVL 1

Author Comment

by:ehess
ID: 26304938
I restarted the ComboFix scan in Safe Mode after the first time it ran, it hung after restarting (installed the recovery console).  I do have the log and attached it to this post.  
ComboFix-Log.txt
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1200 total points
ID: 26310466
Run ComboFix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\Cforujufuxuzede.bin
c:\windows\Ffejitozo.dat
c:\windows\dcomhare.dll.vir
c:\windows\system32\fjhdyfhsn.bat
c:\windows\system32\dcomhare.dll
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe (inside the folder c:\virus ts)
4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again.





Also run GMER in case CF missed something (or Rootkit Revealer as already suggested, or BlackLight).
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
0
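As an added example (not part of this thread, and not ComboFix's or GMER's own tooling), the script below is a read-only PowerShell triage pass over the files named in this thread: the dumtc.sys driver from the question and the paths listed in the CFScript above. For each path it reports whether the file is present, its attributes and SHA-256 hash, and any entry under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath refers to that file name. A driver that reappears within a second of being deleted is being put back by something that is still registered and running, and listing the service or driver entries that reference it tells you what to look at before deleting anything again. The path list and the ".vir" suffix come from the thread; the function names, the use of .NET hashing instead of Get-FileHash (so it runs on the PowerShell 2.0 available for XP), and the output layout are the example's own assumptions.

```powershell
# Added triage example, not from the thread. Read-only: it deletes and changes nothing.
# Paths taken from the question (dumtc.sys) and the CFScript in the accepted answer.
$suspects = @(
    'C:\Windows\System32\Drivers\dumtc.sys',
    'C:\Windows\Cforujufuxuzede.bin',
    'C:\Windows\Ffejitozo.dat',
    'C:\Windows\dcomhare.dll.vir',          # ComboFix's renamed copy, per the thread
    'C:\Windows\System32\fjhdyfhsn.bat',
    'C:\Windows\System32\dcomhare.dll'
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing so this also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
    # FileShare ReadWrite lets us read a file another process still has open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try   { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Get-ServicesReferencing {
    param([string]$FileName)
    # Walk every service and driver key. ImagePath may be relative
    # ("system32\drivers\x.sys") or prefixed ("\??\C:\..."), so match on the bare name.
    $hits = @()
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.ImagePath -and ($p.ImagePath -imatch [regex]::Escape($FileName))) {
            $hits += New-Object PSObject -Property @{
                Service   = $k.PSChildName
                ImagePath = $p.ImagePath
                Start     = $p.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled
                Type      = $p.Type    # 1=kernel driver 2=file-system driver 16/32=Win32 service
            }
        }
    }
    return $hits
}

foreach ($path in $suspects) {
    $name = [System.IO.Path]::GetFileName($path)
    Write-Host "== $path"
    if (Test-Path -LiteralPath $path) {
        # -Force so hidden/system files are returned too
        $item = Get-Item -LiteralPath $path -Force
        Write-Host ("   present: {0} bytes, attributes={1}, modified={2}" -f `
            $item.Length, $item.Attributes, $item.LastWriteTime)
        try   { Write-Host ("   sha256:  {0}" -f (Get-Sha256Hex $path)) }
        catch { Write-Host "   sha256:  unreadable (locked or access denied): $_" }
    } else {
        Write-Host "   not present"
    }
    # @() forces an array so .Count is reliable even for zero or one result
    $svcs = @(Get-ServicesReferencing $name)
    if ($svcs.Count -eq 0) { Write-Host "   no service or driver entry references $name" }
    foreach ($s in $svcs) {
        Write-Host ("   service {0}: Type={1} Start={2} ImagePath={3}" -f `
            $s.Service, $s.Type, $s.Start, $s.ImagePath)
    }
}
```

Run it from an elevated prompt; the Services hive and the Drivers folder are not fully readable otherwise. A kernel driver that is currently loaded may hold its file open in a way that blocks even a shared read, so "unreadable" on the hash line is itself a useful signal. If the script finds a driver entry whose ImagePath points at dumtc.sys, that entry is what a boot-time scan or an offline (Safe Mode or second-disk) cleanup has to deal with together with the file, which is the same reason the thread's advice converges on Safe Mode, ComboFix and a rootkit scanner rather than on deleting the file in place.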
 
LVL 1

Author Comment

by:ehess
ID: 26323427
I ran the instructions rpggamergirl left in the last post and have the logs from all three scans.  I didn't find any action items after running the scans.  I did create the script and drag it onto ComboFix before it ran.  Here are the logs.  I did see the RootkitRevealer say a rootkit was found and same with GMER.  I fought disabling SEP as a scan was enabled and it wouldn't disable even after waiting for it to complete. I couldn't see it running, nor could I find the process to kill it.  I had disabled all of the SEP services, killed the shield process, with still no change when I started the ComboFix scan.  You will see it was enabled in the log.  
ComboFix-Log-afterScriptUsed.txt
GMER-Log.log
RootkitReveal-log.txt
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1200 total points
ID: 26334421
ComboFix did delete those files.

The GMER and RKR logs didn't flag any entries as rootkit apart from detecting them as being hidden...

Did you check the Rootkit/Malware tab also, if there were any suspicious files?


C:\WINDOWS\dcomhare.dll <-- this file was already renamed in Combofix but it's still there it seems. I don't have much info on this file and what other files/driver that comes with it.

After running Gmer, when you click on the "Process" tab you can then try and kill that process... then on the "Files" tab you can see if you can delete it.
0
 
LVL 1

Author Comment

by:ehess
ID: 26362542
I have been working on this issue.  
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26367620
Starting tomorrow I don't have internet access for 4 days..... other Experts are still here to continue on.
0
 
LVL 1

Author Closing Comment

by:ehess
ID: 31675311
I am not satisfied the OS is not damaged and believe the system is better off completely wiped and reloaded.  Thanks for the responses and advice on tools to remove it, but at this point I will not put it back on my network without completely wiping and starting over.  
0
