[Solved] HACKERTOOL?

Discussion in 'adware, spyware & hijack cleaning' started by eljay376, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi all,
    I wonder if anyone can help with this one?
    Whilst surfing using the Google search engine, I downloaded a "trial" version of a disk clean-up utility.
    I didn't record the name of the web-site.
    After disconnecting my dial-up modem, my Trend Internet Security program told me that it had denied access to something called HKTL_RDMIN.A and I realised I had obviously had a close encounter with some scumware.
    I've used the Trend virus encyclopaedia without specific success (unless I am searching incorrectly - I'm not exactly on top of this kind of thing!).
    I have located and deleted the Windows file that Trend listed, but am concerned as to whether I am entirely free of this?
    I sort of worked out that it was a HacKTooL, but have not been able to find anything more about checking out the disinfections required to ensure that I am completely free of it.
    Any assistance that anyone can offer would be very much appreciated.
    Regards, eljay
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: HACKERTOOL?

    Hi eljay376, and welcome to Wilders.

    We would have to see a hijackthis log before we can tell if your system is clean or not.

    Please follow ALL the instructions, and each step in this link, carefully:
    HOW TO? Read here about how to post your log!!

    Once you have downloaded HijackThis, create a permanent folder for it on your C: (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

    Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log and copy and paste the entire contents of the log here in this thread.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi Snap,
    My apologies for the delay, we have a wedding in the family and at the moment it's "all hands to the pumps"!
    Thanks for your interest - here is my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 21:39:07, on 28/06/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SM56HLPR.EXE
    C:\PROGRAM FILES\INVERSE IP INSIGHT\CWCOM\ARMON32.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
    O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\Inverse IP InSight\CWCOM\ARMon32.exe"
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: SwTray.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37867.607349537

    Hope this is OK for you, eljay.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi eljay,

    No apologies necessary. Hope you had a good time at the wedding! :D

    We just have a few items left to clean up now.

    Place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click *Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - (no file)

    (this is optional but recommended to fix as it is a resource hog and not needed when you startup your computer)
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    (if you did not set these yourself, then fix them too)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    (same with this one, if you did not set it yourself fix it too)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

    Reboot your computer.

    Empty your Temp folders, IE's Temporary Internet Files, and your Recycle Bin, and read here for steps to follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Regards,

    snap
     
  5. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hello again Snap,

    Here I am again still chasing my tail! The wedding is 2 weeks off yet, the problem has been that the bride (my daughter) and groom have had some building work done on their new home, which reduced the garden to a bomb site!

    The after-wedding party is scheduled to be held at their home and the number of invited guests requires that the garden is replaced as they will not all fit comfortably inside.

    That's where I come in . . .

    Anyway thanks for your help - I will apply your recommendations tonight.

    I have my IE settings locked under both SpyBot S&D and SpywareBlaster, which accounts for some of the entries.

    Will post anything of note for others.

    Very much obliged to you, eljay.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi eljay,

    If your IE settings are locked under both SpyBot S&D and SpywareBlaster, then that would explain the O6 lines, and you don't need to fix those.

    Have fun eljay, it sounds like a good time! (can I come too!?)
    :D

    Congratulations to your family, and to the Bride & Groom! :D

    See you when you get back.

    Best regards,

    snap
     
  7. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi Snap,

    All done, as suggested - no issues, all is working OK.

    Many thanks once again for taking the time to help me out.

    Regards, eljay.
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi eljay,

    I'm glad everything is working well! :)

    I did go back over your first post and realized I may have missed something (or maybe not) but thought I'd check with you about it just to be sure.

    Where you said:
    You wouldn't be referring to the PC Doctor program would you? If it is the PC Doctor that you downloaded a trial version of, and have decided not to use the service, you can try and remove it through the Add/Remove Programs in the Control Panel first, or remove it with Hijackthis as follows:

    Place a check beside the following item in Hijackthis,
    Close all browsers, and click *Fix checked:

    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

    Then reboot into safe mode and delete the 'realtime.exe' file in the Windows folder, then reboot normally.

    Regards,

    snap
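The triage reasoning snap applies in posts 4 and 8 above (orphaned O2 BHOs marked "(no file)" and blank R0 values are safe to fix; O6 policy and O14 IERESET entries are only a problem if the user did not set them; O4 autostart values the helper does not recognise, such as PCDRealtime, need a human look) can be written down as a small script. This is an added example, not code from the thread or from HijackThis itself; the sample entries are copied from eljay's log, and the allowlist of known Run value names is a constructed assumption.

```python
import re
from collections import defaultdict

# Constructed sample: twelve entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
"""

# Every HijackThis entry line starts with a section code (R0, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entries carry the registry value name in square brackets.
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


def parse_log(text):
    """Return (kind, body, raw) tuples for each entry line; headers, the
    'Running processes' list and blank lines carry no section code and are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def classify(kind, body, known_run_items):
    """Sort one entry into a triage bucket using the reasoning from the thread."""
    if kind == "O2" and body.endswith("(no file)"):
        # BHO CLSID is still registered but its DLL is gone: dead registration, safe to fix.
        return "fix"
    if kind in ("R0", "R1") and body.rstrip().endswith("="):
        # Blank Start Page / Local Page value; fixing lets HijackThis reset it.
        return "fix"
    if kind in ("O6", "O14"):
        # IE policy restrictions or IERESET.INF start page: legitimate when the user
        # set them (e.g. SpyBot S&D / SpywareBlaster locks), otherwise a hijack sign.
        return "confirm"
    if kind == "O4":
        m = RUN_NAME_RE.search(body)
        name = m.group("name") if m else None
        if name in known_run_items:
            return "ok"
        # Unrecognised autostart (Run value or Startup .lnk) needs a human look.
        return "review"
    return "ok"


def triage(text, known_run_items=frozenset()):
    """Group the raw line of every entry by triage bucket."""
    buckets = defaultdict(list)
    for kind, body, raw in parse_log(text):
        buckets[classify(kind, body, known_run_items)].append(raw)
    return dict(buckets)


if __name__ == "__main__":
    # Constructed allowlist: Run value names the reviewer has already identified.
    KNOWN = frozenset({"ScanRegistry", "SmcService"})
    for bucket, lines in triage(SAMPLE_LOG, KNOWN).items():
        print(f"== {bucket} ({len(lines)})")
        for line in lines:
            print("  ", line)
```

The allowlist is the important design choice: anything in O4 that the reviewer has not positively identified lands in "review" rather than "ok", which is how the PCDRealtime entry gets surfaced even though nothing about the line itself looks wrong.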
     
  9. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi Snap,

    Still been hard at it I'm afraid and hadn't come back to the forum until now, when I was quite surprised to hear further from you.

    Thanks for spotting the sitting plant from PC Doctor. I did buy a 7 day stint from there, in the hope of sorting out any orphans, broken links and in fact anything that slows my boot-up down.

    For something like £15.00GBP, it found 44 issues which I asked it to sort out, but none of them provided me with any extra boot speed.

    I wouldn't have spotted that either, as I do run Real Alternative, the version without the "phone home" set-up and would have assumed it to be something to do with that.

    I wish I could recall the name of the site that sent me the HacKerTooL, but I can't.

    I had had a problem with Aladdins Internet CleanUp 3, which had become corrupted and had managed to delete the downloaded program.

    I had version 4 on order from Amazon, but delivery was constantly being put back.

    So I sought to perhaps have a 30-day trial download of something else, just to tide me over.

    I punched in something like "disk clean up" into my browser and downloaded the first one that appealed to me for a look.

    It would appear that this was a "sting" put there for the very purpose of catching folk out.

    All I can remember is that its format looked very much like that of "Evidence Eliminator" (What a name! Sounds to me that it would suggest to all and sundry that you had something to hide on your computer, just by installing it).

    It appeared to be a "set-and-forget" thing that once set up could be sorted to run at shut-down or boot up.

    I'm certainly not going looking for it again, whatever it was.

    Your help is much appreciated and congratulations once again for one of the friendliest forums around.

    PS: Only 6 days to the wedding - then some peace and quiet for us all with some holiday away in prospect.

    All the best, eljay.
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi eljay,

    No, we don't want you looking for it again. ;) When you get back from a well-earned vacation, you could look through our Software & Services forum. There are quite a few threads there where members have discussed the various programs for disk & registry cleaning. Or you can start a new thread there with a description of what you are looking for in such a program, and I am sure you will get helpful replies (and safe links) to several.

    Since everything is working well now with your computer, I will mark this thread solved.

    Have a wonderful time at the wedding, and enjoy your vacation. :)

    Regards,

    snap
     
  11. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi Snap,

    Thank you very kindly. Over . . . and out - for now.

    Regards, eljay
     