hacktool.rootkit


Castar
10-27-2008, 10:27 PM
All this damn downloading finally caught up with me.

Downloaded and ran a file; the computer made weird noises, then gave me the BSOD.
Can't use IE: it starts a program called winfilse.exe, then Norton spams me with inbound attack warnings with *.jpg files. Used all the scanners I can find. The only way the system is usable is if I keep terminating winfilse.exe. Deleting it doesn't help, it comes right back, and I must do it at a command prompt. Can't view it in Explorer even with the Show hidden files option turned on. I must manually change the attribute at a command prompt to even see the system32/drivers directory.
Anyone wanna help?

John

Draco
10-27-2008, 10:48 PM
Did you try searching for and deleting the file in Safe Mode?

~Johnny Jones

Draco
10-27-2008, 11:11 PM
I've been reading up on this. This little SOB is sticky! It won't even let you reformat to do a fresh install. There are several ways to go about removing it, but it's extremely tedious and uncertain at this point. I'll keep checking into it and see if there is a fix.

~Johnny Jones

Fortress
10-27-2008, 11:14 PM
hang in there man. I'll ask some computer savvy friends from school.

Ghost
10-28-2008, 03:54 AM
Try Ultimate Boot Disk, here's a link.

http://www.brothersoft.com/ultimate-boot-disk-11418.html

You should be able to then do some testing, or at the very least FDISK your partition so you're able to do a fresh install of your OS.

Castar
10-28-2008, 06:40 AM
Where are you guys finding out this info? I have looked high and low. I actually have the virus that I pulled out of the files that I downloaded. Not sure if any of you guys are able to look at it closer. BTW, did I mention I'm on RAID with very little hard disk space left :( I think maybe it changed something in the boot sector, which is why I heard the weird noises; plus on the first reboot it took forever for the BIOS to see the RAID.

Just wondering......... after Linux, is there ever a need for Microsoft? I have seriously debated moving over, and after years of searching for hacked, cracked, and pirated software plus all the workarounds, I gave up. I finally actually purchased XP Pro and Office Pro. I think that's the only software I've ever actually bought. Regardless, I have spent years getting this box just the way I want it, and it was very time consuming and not cheap by any means.
6 Raptor 150 GB HD's in RAID 5
2 Raptor 75 GB HD's in RAID 0
2 GeForce 8800 GTX video cards (1 is still brand new in the box, anyone wanna buy 1?)
Intel Core 2 Quad QX9650 CPU
4 GB Corsair Dominator DDR3 memory
Striker Extreme mobo by Asus
2 Samsung Syncmaster 244T 24" monitors
lol did I mention how many nights I spent on the couch after buying all this crap...
Point is, even though I've tried hard for years to keep this box stable, it still runs a Microsoft product. This time may indeed mean reformatting. Maybe this is the straw that broke the camel's back.

Maybe this will help me decide.....


Delivery estimate: November 3, 2008

1 "Beginning Ubuntu Linux, Second Edition (Beginning from Novice to Professional)"
Keir Thomas; Paperback; $26.39
Sold by: Amazon.com, LLC

1 "Ubuntu Linux Bible"
William von Hagen; Paperback; $26.39
Sold by: Amazon.com, LLC


John

RISK
10-28-2008, 07:47 AM
Don't know if you have checked out Symantec's site, but they have a fix for it, buddy (I think).
http://securityresponse1.symantec.com/sarc/sarc.nsf/html/hacktool.rootkit.html

Castar
10-28-2008, 08:02 AM
Yup.......

removal instructions

The presence of Hacktool.Rootkit implies that the security of the system has been compromised. The system should be restored from known clean backup copies or patched to restore security.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.

It might as well just say "reformat"
Norton only blocks the attacks, which originate from myself. It won't do anything to remove any of it.
Hacktool isn't a specific virus. It is a generic term which means that several files have been installed giving someone else total control, and it does a very good job of hiding itself. There aren't any specific files it installs; the term just implies that the system has been deeply compromised.

Draco
10-28-2008, 10:21 AM
I recently switched to Ubuntu and absolutely love it. The only problem is that Linux is still not real good for gaming. Right now, I have most of my hard disk used for Linux and a little 40 gig partition for Windows just for my gaming.

The problem with this winfilse.exe is that it has made multiple entries in your registry, and every time you think you found it, the next reboot brings more. Ghost has a good idea with the boot CD, but that will only allow you to delete the files. Then you will have multiple registry errors, and that could mean the biggest headache of all.

I've been searching and found this (http://greatis.com/unhackme/download.htm) little item. There is a fully functional eval version of UnHackMe at the bottom of that page. From my reading of it, it will delete the files, remove them from startup items, and delete the registry keys. This infection isn't really that bad; it's just that the rootkit is actually hiding the files from you. Make sure that you RUN regedit and save a copy of the registry before trying this or anything else. Have a good one.

~Johnny Jones

Castar
10-28-2008, 05:59 PM
Used it. It did not fix the problem, but it did lead me to a TON of entries that shouldn't be there. I fix 1, 5 more pop up. What I'm searching for is what is calling for all the entries. Whatever it is hides very well and changes a ton of attributes every second, so it's hard to see them. Man, someone sure put a lotta thought into this..........

jazzechos
10-28-2008, 07:21 PM
Quoting Castar's first post above (10-27-2008, 10:27 PM).

John, try NOD32: http://www.eset.com/products/ If it doesn't find that little stealthy root virus I will be greatly surprised.

Two years ago, when the stealth rootkit viruses were just coming out, my company's servers and many of the laptops got hit, and hit bad. Because I own my laptop I had all my personal software installed, and we had to use my laptop's scanner to find and remove the rootkit virus for all the machines.

jazzechos
10-28-2008, 07:41 PM
http://www.virusbtn.com/index Also, if you register on this site you can then look up the test results for just about all scanners, by platform or whatever. What is really cool about this site is that they also maintain the full past history of test results for all of the scanners. http://www.virusbtn.com/vb100/archive/results?display=vendors

They are a third-party testing outfit and thus are not biased by any affiliations or advertising dollars. If you look at and compare testing results you should get a huge eye-opener.

dh_hoxley
10-29-2008, 02:12 AM
Hello Castar.

Hope you are fine.

OK, let's see. I read your first post and you say that you have a file called "winfilse.exe", right?

And located, I think, here:

C:\WINDOWS\system32\drivers\winfilse.exe

Didn't you notice, or didn't your antivirus software find and quarantine, this file?:

Trojan-Downloader.Win32.Bagle.adx

Anyway, I don't use Norton and I don't know if this antivirus quarantines and only prevents or stops the infection but can't eliminate the virus. But I think that's the case, because with NOD32 it is the same problem.

I had some issues with some PCs with a similar problem, so I'm going to share the steps I take to clean and erase this, and I hope that this solves your problem too.

First download these apps:

I uploaded all the apps needed in one zip file.

Download from here:

http://rapidshare.com/files/158572909/filesneeded.zip.html

You will find these .exe files:

CCleaner.exe (CCleaner, for the registry)
SUPERantispyware.exe (antispyware free edition, very useful)
mbam-setup.exe (another kind of malware remover)

I read that Norton is still working, so I think you don't have problems like the virus disabling your antivirus and redirecting your browser's home page, right?
If so, and your PC doesn't want to install the files, just change the names of the apps.

Example: CCleaner.exe to CCCkleaaneer.exe
You need to do this from the beginning, and when you finish installing the apps, you have to rename the .exe files in the root directory (C:\Program Files).

Note: only if you can't run or install the apps.

If everything installs clean, just don't do these steps.

Now, first clean the registry with CCleaner.exe in Cleaner (limpiador) mode, and second with the "Registry" option.

The first one looks for cookies and temp files that your system isn't using anymore.

The second searches for registry changes.

Restart your PC when CCleaner ends.

Now install the SUPERAntiSpyware app.
Update the database (this is a free version, but a very, very good one).
When the update finishes, run the app. "Scan Computer": select the drive letter that you want to clean in "Complete Scan" mode. When it finishes searching and finding malware, you can delete all the malware that the app finds.

And finally the same steps with the Malwarebytes app; this is the file with the name mbam-setup.exe.

Restart your PC again.

And run a complete scan with your antivirus software.

If I could recommend you some "good" antivirus:
BitDefender
Kaspersky
NOD32

In that order.


Big note:

CCleaner manages the registry, so it's a little bit, mmm, not dangerous, but it can do annoying things to your PC if it isn't run correctly. So if you don't want to take the risk, I recommend you turn off the "System Restore" option.

You can do this via this route:

Right-click on "My Computer"
View System Information
Select the "System Restore" tab
Select the box "Turn off System Restore on all drives" and click OK.
The system is going to ask you if you really want to do this. Confirm, and that's it.

After cleaning everything with the apps, you can restore this option again.

Well, I think that is all.

I really trust that with these steps you will solve your problem.

Try it. And if it doesn't work, write again and I can give you some other recommendations.

Take care.

See you soon.

I will be alert to your post.

Have a great day.


:)
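
Several of the steps in this thread are done by hand at the command prompt: Castar clears attributes to see the drivers directory and keeps killing the respawning process, Draco advises saving a copy of the registry before running any cleaner, and Castar is looking for whatever is calling the entries back. The script below is an added example (mine, not code from any poster or from the tools they link) that strings those steps together for XP-era cmd.exe. It assumes the file lives at %SystemRoot%\system32\drivers\winfilse.exe, which is dh_hoxley's guess, and the output folder C:\triage is my own choice. Run it from an Administrator prompt.

```batch
@echo off
rem Added example, not from any poster in this thread: an XP-era cmd.exe script
rem that scripts the manual steps discussed above. Assumptions: the file lives at
rem %SystemRoot%\system32\drivers\winfilse.exe (dh_hoxley's guess), and the
rem output folder name (C:\triage) is my own choice. Run from an Administrator prompt.
setlocal
set "TARGET=winfilse.exe"
set "DRV=%SystemRoot%\system32\drivers"
set "OUT=%SystemDrive%\triage"
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Back up the autostart keys before running any registry cleaner (Draco's advice).
rem    XP's reg.exe has no /y switch, so remove old copies first.
for %%K in (hklm_run hkcu_run winlogon services) do if exist "%OUT%\%%K.reg" del "%OUT%\%%K.reg"
reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "%OUT%\hklm_run.reg"
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "%OUT%\hkcu_run.reg"
reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "%OUT%\winlogon.reg"
reg export "HKLM\SYSTEM\CurrentControlSet\Services" "%OUT%\services.reg"

rem 2. Clear the system/hidden/read-only attributes that keep Explorer from showing
rem    the drivers directory and the file, list the directory newest-first including
rem    hidden entries, and keep a copy of the sample for later analysis.
attrib -s -h -r "%DRV%"
attrib -s -h -r "%DRV%\%TARGET%"
dir /a /o-d "%DRV%" > "%OUT%\drivers_listing.txt"
if exist "%DRV%\%TARGET%" copy /y "%DRV%\%TARGET%" "%OUT%\%TARGET%.sample"

rem 3. Stop the respawning process and record every process with the services it hosts.
tasklist /fi "imagename eq %TARGET%"
taskkill /f /im "%TARGET%"
tasklist /svc > "%OUT%\tasklist.txt"

rem 4. Find what keeps starting it: dump the usual autostart locations and grep for the name.
(
  reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s
) > "%OUT%\autostart.txt" 2>&1
echo Entries referencing %TARGET%:
findstr /i /c:"%TARGET%" "%OUT%\autostart.txt"
endlocal
```

One caveat a practitioner would add: attrib, dir, tasklist and reg query all ask the running kernel for their answers, so a kernel-mode rootkit of the kind this thread is about can filter what they return. A clean result from this script on the infected system proves little; a listing taken after booting from known-clean media (Ghost's boot disk suggestion) is the one to compare against, and a mismatch between the two views is exactly the kind of discrepancy RootkitRevealer reports.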

Castar
10-29-2008, 09:07 AM
Yes, I found winfilse.exe and deleted it. It only started when IE was run. I looked in the BHOs and didn't see anything. Once the file was deleted IE just hangs........ dunno 'bout that one. I'll read up on what you posted and check that out when I get home.
Norton NEVER saw that file. I still have the original .exe which contains the virus, and nothing that has scanned it picks up anything. The only thing any scanner has done is to block the hacktool or the outside attack in the form of a *.jpg.

If I could recommend you some "good" antivirus:
BitDefender
Kaspersky
NOD32
Used all of these; none of them saw anything wrong.

So far the only things that have noticed any trouble are RootkitRevealer and UnHackMe. They see some problems but aren't able to fix them.


Thanks

Draco
10-29-2008, 10:40 AM
That new Google Chrome is pretty kickass. It's quick and secure. Mozilla, of course, quick and secure. IE? Neither quick nor secure. Just to think this whole rootkit headache began with a damn record company trying to protect its profits. Rootkits weren't created in this instance, but they were definitely made public over it.

~Johnny Jones

Castar
10-29-2008, 04:38 PM
Hate Windows, always have. It always seems to come down to that almighty dollar. Besides, think about it: you have 20 guys working on coding something for a paycheck so someone else can make a buck, or you have thousands working on coding something because they can and they love it. The product will work and is feasible and is free... Which product would you rather have?

dh_hoxley
10-29-2008, 04:45 PM
Hi Again Castar.

Yes, like you say, it started when IE is started; that's the problem with IE, a lot of problems. And I agree with Draco about using other browsers. My personal favorite is Firefox. It's not 100% secure, I think no such thing exists, but it is the best choice, because the new Chrome, I think, still has a lot of bugs and issues, and they need more time to deliver a trustworthy browser.

And about Norton never seeing the file, that's what I mean. Actually, NOD32 just detects and blocks, but doesn't delete the file, and it is annoying because every 2 seconds a notice balloon on the NOD icon pops up warning about the file, but NOD32 never deletes it. So that's why I have to use SUPERAntiSpyware and CCleaner, and they find the file and delete it. Amazing... but true. So I hope that you can erase the malware completely.

Anyway, I hope you can, and if not, we can check some other choices.

Fencing

jazzechos
10-29-2008, 05:44 PM
Quoting Castar's post above (10-29-2008, 09:07 AM).

Norton never saw that file, "Winfilse.exe", because it is a legitimate Windows file management tool; it is a remnant of Windows 95 and NT.

Castar
10-29-2008, 10:21 PM
Quoting jazzechos: "Norton never saw that file "Winfilse.exe" because it is a legitimate windows file management tool, it is a remnant of Windows 95 and NT."

Actually I can manually scan the actual virus.exe and nothing picks it up

jazzechos
10-30-2008, 08:23 AM
And they won't, because it isn't a virus. As I had mentioned, Microsoft developed it for use in their operating systems. But then hackers found that they could use that file, which is located within MS-based platforms, as a way in, a "backdoor", to the MS-based operating systems. Many security sites in the past told folks to delete it because it was extremely vulnerable to being exploited by many different hacks... such as what has happened to your system.