
Author Topic: Hacktool.Rootkit Strikes Back  (Read 11887 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Hacktool.Rootkit Strikes Back
« Reply #15 on: January 09, 2008, 01:23:25 AM »
It sounds like the updates did their job.

It is suggested to submit a fresh Hijackthis log so someone can go over it and make sure all of the entries are actually gone.


wissamyoussif

    Topic Starter


    Beginner

    Re: Hacktool.Rootkit Strikes Back
    « Reply #16 on: January 13, 2008, 03:08:11 AM »
    Yes, evilfantasy, I agree and I'm real sorry but up till now I couldn't get the HJT report because I have no electricity these days (it's Baghdad, another story) and I'll post these reports as soon as I can, but do I still need the Autorun.inf folder in my flash drive, and will it do me good every time I plug it in an affected pc?
    Thanks

    evilfantasy

    Re: Hacktool.Rootkit Strikes Back
    « Reply #17 on: January 13, 2008, 10:39:03 AM »
    No, the autorun can be deleted. You will either need to disinfect the flash drive or reinfect every computer you plug it into.

    Or reformat it.

    wissamyoussif


      Re: Hacktool.Rootkit Strikes Back
      « Reply #18 on: January 15, 2008, 01:47:25 AM »
      At last, electricity is back and my machines are alive again, and here are the HJT reports for both of them, and sorry again for being so late. I hope they're as good as they look. Thanks Broni, evilfantasy, CBMatt, patio, and everyone who's helped me recover my machines as well as those who just viewed my post.
      But, again, are you recommending me to reformat my thumb drive just to get rid of the dummy Autorun.inf folder? And would you advise me to any place where I can learn more of Flash_Disinfector?

      [file cleanup - saving space - attachment deleted by admin]

      evilfantasy

      Re: Hacktool.Rootkit Strikes Back
      « Reply #19 on: January 15, 2008, 01:52:20 AM »
      Quote
      you recommending me to reformat my thumb drive just to get rid of the dummy  Autorun.inf folder?

      No, it sounded as if you didn't want to use the flash disinfector. So I mentioned that a reformat would be the next alternative. Without doing one or the other you will be infecting everything you plug it into. Maybe I misunderstood what you had said.

      Welcome back :)
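Added example, not part of the original posts and not how Flash_Disinfector itself works: a small Python check that tells a dummy Autorun.inf folder apart from a real autorun.inf file at the root of a flash drive, and lists the programs a real file would start. The function names and the sample file contents are made up for illustration.

```python
import os
import tempfile

# Constructed sample of an autorun.inf file (not taken from this thread).
SAMPLE = ("[AutoRun]\n;comment\nopen=example.exe\n"
          "shell\\open\\Command=example.exe /s\nicon=drive.ico\n")

def launch_targets(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= are the keys that run something
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def triage_drive(root):
    """Classify the autorun.inf entry at the root of a mounted drive."""
    path = None
    for name in os.listdir(root):      # compare case-insensitively, as Windows does
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
    if path is None:
        return ("absent", [])
    if os.path.isdir(path):
        return ("dummy-folder", [])    # the name is taken by a folder: nothing to launch
    with open(path, "r", errors="replace") as fh:
        return ("file", launch_targets(fh.read()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:   # constructed stand-in for a flash drive
        with open(os.path.join(drive, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        print(triage_drive(drive))
```

A result of "file" with launch targets means the listed programs deserve a scan before the drive is plugged into another machine; "dummy-folder" means only the placeholder is present.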

      wissamyoussif


        Re: Hacktool.Rootkit Strikes Back
        « Reply #20 on: January 15, 2008, 02:04:06 AM »
        ...and welcome to you, evilfantasy, since you're online now I want to use Flash_Disinfector if it protects my thumb drive and pc's from being really infected, and as I understand it's the job that the program is doing, am I right and are there any more details that I can get of it?

        evilfantasy

        Re: Hacktool.Rootkit Strikes Back
        « Reply #21 on: January 15, 2008, 02:32:24 AM »
        You can Google Flash Disinfector, but the information I gave in the instructions is probably more than you will easily find in a search. Most of the time the directions are for a link to download it and to plug it in when prompted. The author of the tool, sUBs, is one of the most respected members of the malware fighting community. He doesn't release much information on his tools. If he did then the bad guys would quickly figure out a way to exploit their use in removal and they would not be as effective.

        Do you know what these are?
        That One.exe
        xstart.exe
        RealClip.exe

        If so then the logs look fine. Although the 1.99 version of HijackThis is the old version and the use of the new 2.02 version is suggested.

        Both machines' Java is out of date.

        Your Java is out of date leaving your system vulnerable.
        Older versions of Java have vulnerabilities that malware can use to infect your system.

        Go to >> http://java.sun.com/javase/downloads/index.jsp

        On the Sun Java page scroll to the 4th download Java Runtime Environment (JRE) 6 Update 4 to install the new version.

        Next go to add/remove programs and remove all older versions.

        Then go to C:\Program Files\Java and delete the old folders.

        Be sure to keep jre1.6.0_04



        Cleanup:

        • Click START then RUN
        • Now type Combofix /u in the runbox
        • Make sure there's a space between Combofix and /u

        then hit Enter.


        The above procedure will:
        • Delete the following:
          • ComboFix and its associated files and folders.
        • Reset the clock settings.
        • Hide file extensions, if required.
        • Hide System/Hidden files, if required.
        • Set a new, clean Restore Point.

          This is a good time to clear your infected system restore points and establish a new clean restore point:
          • Go to Start > All Programs > Accessories > System Tools > System Restore
          • Select Create a restore point, and click Next.
          • Next, go to Start > Run and type in cleanmgr
          • Select the More options tab
          • Next to System Restore click Clean up...
          This will remove all restore points except the new one you just created.


          Let us know how everything went.

          wissamyoussif


            Re: Hacktool.Rootkit Strikes Back
            « Reply #22 on: January 17, 2008, 01:32:06 AM »
            Thanks, again, evilfantasy. That One.exe is a code name for Hijack This (said that before: someone tipped that rootkits may hide themselves from HJT and suggested renaming it; and I'm considering downloading a fresh copy of it); xstart looks familiar but forgot what it was (I think it was a system tray manager, it's uninstalled, but the registry value seems still hiding so I've manually deleted it using Regseeker and everything went just fine); and RealClip is a clipboard enhancer that works for me.
            I've done all fixes suggested by you, and it all went as planned, and here's the HJT reports.

            [file cleanup - saving space - attachment deleted by admin]

            evilfantasy

            Re: Hacktool.Rootkit Strikes Back
            « Reply #23 on: January 17, 2008, 09:22:45 AM »
            Everything looks fine now.


            This is a good time to clear your infected system restore points and establish a new clean restore point:
            • Go to Start > All Programs > Accessories > System Tools > System Restore
            • Select Create a restore point, and click Next.
            • Next, go to Start > Run and type in cleanmgr
            • Select the More options tab
            • Next to System Restore click Clean up...
            This will remove all restore points except the new one you just created.

            Here are some great tools to help you keep from getting infected again.

            Spybot Search & Destroy - A safe and effective spyware scanner.
            * Official Spybot Tutorial
            * Spybot FAQ

            AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
            * AVG Anti-Spyware User Manual

            SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * SpywareBlaster Tutorial

            Comodo BOClean - Stops trojans and many more malicious attacks.

            Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
            * Click here for a list of free firewalls.
            * Why would I consider a third party firewall?

            UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
            * Help with Windows updates

            To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

            Let us know if anything else comes up.