Yesterday my Norton Antivirus displayed a message on startup saying that it has detected a file called 27611.sys in the Windows\system32 folder that contains a Hacktool.Rootkit which it cannot repair or quarantine. I tried to do a full system scan but Norton didn't find anything. Deleting the file also didn't help.

I emptied all the temp folders as suggested on this forum, as well as installed the Ewido and asquared Anti-Trojan programs but their scans either in normal or safe mode didn't come up with anything.

Since I never used HijackThis before I just scanned the system and saved the log which I am posting here. I would be very grateful if someone would help me with my problem. The Virus alert always shows up on system startup.

asquared Guard reported funny behaviour of the Windows messenger exe file. Alhtough I read on some other forums that this is probably a false alert they recommended renaming the folder and file until the problem is resolved. That is why the file is missing in the Log.

Attached Files

hijackthis2.txt (7.1 KB, 2 views)

Hi there Vulic , welcome to PCHF.

I see a couple of things wrong in youre log but could you first let F-Secure BlackLight Beta scan youre pc?

Its pretty good against rootkits and because its a beta (but stable) its free for now , after that report if it found anything and post a new hjt log please.

Thank you very much for your very fast answer and your welcome.

I used the Blacklight program but it didn't find anything on my system. I guess that the HJT log probably didn't change but I am posting a new one just in case.

Once again thank you very much for your quick response.

Attached Files

hijackthis3.txt (7.0 KB, 1 views)

First download Ccleaner

Before using Hijack This Can you please do this for me:


Show hidden files and folders:


For XP:

1.On the Tools menu in Windows Explorer, click Folder Options.
2.Click the View tab.
3.Under Hidden files and folders, click Show hidden files and folders.
4.If you see a warning message, click Yes.
5.Click Apply.
6.Click OK.


Then disable system restore to prevent re-infection.
(if you have/use it.)
(you can turn it back on when youre pc is clean).


How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.



Then click Start>Run and type in: services.msc
Click OK
In the Services window find: (one by one)

ISDSMM
Local Security Authority Server
MSGSERVICE
Sound Sservice Driver


Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK


Then boot in safemode (hit f8 when booting up)

Open HJT and click config > misc tools > ?delete an NT service?
Copy and past: (one by one)

Sysinternals
LSA Server
MSGSERVICE
Sound Service

Click OK.



and then fix these with Hijackthis:


And delete the files/folders in bold , after that run Ccleaner.

Reboot and post a new HJT log please.

Well I did everything until the part "boot in safe mode".

However, when I started HJT in safe mode there were no entries of the four you told me to delete. I tried booting in normal mode again and tried a scan, and there were still no trace of them. Also, Norton does not give out any more Virus Alerts and everything seems stable and OK. *prepares to jump for joy* :-)

Do I need to go through the other steps as well and run Ccleaner and try and find and delete the files/folders you mentioned, or is there something else I should do. I have attached the safe-mode HJT log to this post, and will attach the "normal mode" log with the next post.

Once again I greatly appreciate your help!!!

The normal mode log.

Do you mean that when you where doing this part:


that you got an error that they werent present in the registry? Thats normal and sort of means it worked.

Please follow the rest of the fix also and ofcourse minus the entry's/files that are already gone. Not much left though , only these: