Can't remove Hacktool.Rootkit

By Jesper Skoglund
Aug 28, 2005
Topic Status:
Not open for further replies.
  1. Hi, my computer is infected by Hacktool.Rootkit and Norton can't remove or quarantine it, so I would like some help. I'm Swedish and not very good at English, so I would like simple help.
    I also attach my HJT log file.

  2. Jesper Skoglund

    Jesper Skoglund Newcomer, in training Topic Starter

    Can't anyone help me? I have read other instructions but don't understand. Please help!
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    STOP using Internet Explorer! Get Firefox instead!

    C:\Documents and Settings\Jesper\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


    Next, click Start/Run and type services.msc and click OK. Look for the service:
    coderxt.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, open Windows Task Manager.
    On Windows 95/98/ME, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
    Click the Processes tab, select the process (if there), click End Process for:
    coderxt.exe
    BHR3.5.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [System Service] coderxt.exe
    O4 - HKLM\..\Run: [BHR3.5] C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe
    O4 - HKLM\..\RunServices: [System Service] coderxt.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
  6. Jesper Skoglund

    Jesper Skoglund Newcomer, in training Topic Starter

    Hi again! Here is my log after deleting. I didn't do as you told me; I think I solved it before you answered. Is it clear now? Please be so.
    Thanks for all the help.

  7. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    If you know it better, why do you still ask?
    Everything bad I told you is still there.
    Not MY problem, YOUR problem!
  8. magui_2310

    magui_2310 Newcomer, in training

    Can't remove Hacktool.Rootkit PLEASE HELP ME

    Hi, I have the same problem with Remon.sys...
    Please help me.
    I attach the file... what should I do?
    Thanks!

  9. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You run AVG and Avast Antivirus together, not a good idea. Uninstall the one you like least (they are equally good, but I suggest you keep AVG).

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    sysmanager.exe
    E.exe
    SXDRRNN.exe
    YDBKFYPZGZ.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    sysmanager.exe
    E.exe
    SXDRRNN.exe
    YDBKFYPZGZ.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    Fix ALL your O16 - DPF: entries
    Unless New Skies Satellites N.V., 8000 Gainsford Ct, Bristow, VA 20136, USA is your ISP, FIX this O17:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: E - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\E.exe
    O23 - Service: SXDRRNN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\SXDRRNN.exe
    O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
    O23 - Service: YDBKFYPZGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\YDBKFYPZGZ.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    Rootkit:
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
  10. morpeous03

    morpeous03 Newcomer, in training

    I have the same problem with Remon.sys... Need help! Thanks in advance.
    I cannot attach the file,
    but anyway, here it is....

    Logfile of HijackThis v1.99.1

    Double posting is not really appreciated, see answer to your other post.
  11. nicolekwt

    nicolekwt Newcomer, in training

    A little help

    My computer has been infected by Hacktool.Rootkit too. I've been reading the previous entries here but I haven't started doing anything.
    Where should I start? I read in a URL sent by a friend that an infected computer needs to find "xpjava.exe" and delete it. Many later gave feedback to the entry that they found the file, deleted it and now the virus is gone.
    What are the HJT files for?
    I'm confused about where I should start cleaning.
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  13. nicolekwt

    nicolekwt Newcomer, in training

    Thanks for the two links. I've done the TrendMicro and Ewido scans.
    Both detected infected files. I deleted all the files in Ewido quarantine but Norton still pops up the Hacktool.Rootkit notification.

    I'm looking at this now...
    How to remove Begin2Search/Coolwebsearch and Other Nasties

    Is there any attachment I should attach here for further help?
  14. nicolekwt

    nicolekwt Newcomer, in training

    I've been looking at the replies here and noticed that a HJT log file is provided to check whether it's clean. The problem is I've no idea what program HijackThis is, and so I didn't know how to get a HJT log file in .TXT for further comments.

    Hacktool.Rootkit seems to still be around, as Norton still pops up with the notification even though TrendMicro and Ewido have done the scanning. I hope it's not so serious.
  15. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  16. mj4y

    mj4y Newcomer, in training

    RealBlackStuff, can you help me out here? NAV keeps showing me the Hacktool.Rootkit virus on C:\Windows\system32\remon.sys; I could not get rid of it!!

    Here is my HiJackThis Log:
  17. SquarePegs

    SquarePegs Newcomer, in training

    Hi RealBlackStuff

    Like the others above, Hacktool.Rootkit has infected my PC under system32\remon.sys and I cannot remove it. Please help me remove it.

    thanks a lot for your help

    Here's my log file:
  18. indu

    indu Newcomer, in training

    Thank you RealBlackStuff... I was able to remove the Hacktool.Rootkit virus successfully from my PC after quite a hard time... Thanks again.
  19. nicolekwt

    nicolekwt Newcomer, in training

    it came back

    I ran TrendMicro and Ewido several times, and for 3 hours before I shut down my computer yesterday I didn't get any Norton notification on Hacktool.Rootkit anymore.
    But it came back again this morning. Previously I got one notification per minute; now I get 2 notifications per minute. I ran TrendMicro and Ewido but found no infected files.
    I enclose my HijackThis log file. Thanks for all the help.
  20. nicolekwt

    nicolekwt Newcomer, in training

    As an addition, I'm using Spy Sweeper, but I noticed that the infected files are mostly from the Spy Sweeper folder. Should I delete this program? If yes, what program should I download as a replacement?
    Besides, I found 180searchassistant and Folder Guard Pro XP in Program Files; I've got no idea where they came from. Infected files were also found mostly in Folder Guard Pro XP. What should I do with these two... delete?
  21. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  22. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    SquarePegs

    Follow these instructions EXACTLY
    How to remove Begin2Search/Coolwebsearch and Other Nasties

    Stop the Process (ctrl-alt-del) and the Service (services.msc) for
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe

    Delete that taskcntr.exe

    Install XP/SP2.

    Then post a new log.
  23. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    nicolekwt

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    ALL the xxx.exe entries under Running Processes
    ALL the xxx.exe entries in the O4 - HKLM group (that were not already under Running Processes)

    Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\ISTbar\istbarcm.dll
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\Program Files\SurfAccuracy\SAcc.exe
    C:\Program Files\SideFind\sidefind.dll
    C:\Program Files\Folder Guard Pro XP\FGuard32.dll

    Next, click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\nem220.dll
    regsvr32 /u C:\Program Files\SideFind\sidefind.dll
    regsvr32 /u C:\Program Files\SideFind\sfbho.dll
    regsvr32 /u C:\WINDOWS\System32\msbe.dll
    regsvr32 /u C:\Program Files\Folder Guard Pro XP\FGuard32.dll

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    Running processes:
    C:\WINDOWS\System32\xpjava.exe
    C:\WINDOWS\TEMP\fGCdZb6.exe
    C:\WINDOWS\TEMP\sais.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hq1.permanis.com.my:8383/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sisoftware.net/?location=licence_pro_use&dir=licence
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll (file missing)
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [N1damP4iD] C:\WINDOWS\vkuobbq.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://hq1.permanis.com.my:8383/tx.cab
    Unless your ISP is NETBLK-JARING in Kuala Lumpur, fix these O17s:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5763A405-D23E-49D5-9A17-A45506547171}: NameServer = 192.228.128.20 192.228.128.18
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5763A405-D23E-49D5-9A17-A45506547171}: NameServer = 192.228.128.20 192.228.128.18
    O20 - Winlogon Notify: FolderGuard - C:\Program Files\Folder Guard Pro XP\FGuard32.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    Stop using that crappy Internet Explorer except for Windows updates. Go to www.getfirefox.com

    And now go and install XP/SP2.

    And be more selective where you surf!
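    As an added example (not code from this thread, from HijackThis, or from any poster): a small Python triage that applies the checks RealBlackStuff makes by hand in posts 5, 9 and 23 to HijackThis log lines. The sample lines are constructed from entries quoted in the thread; the rule set and function names are this example's own.

```python
import re

# Constructed sample lines in HijackThis v1.99 log format, modelled on the
# entries quoted in this thread; not an actual log from any poster.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
O4 - HKLM\..\Run: [System Service] coderxt.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O15 - Trusted Zone: *.popuppers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
O23 - Service: SXDRRNN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\SXDRRNN.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

SECTION_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# Directories a legitimate Windows service binary should never live in.
TEMP_DIRS = ("\\temp\\", "\\local settings\\", "\\prefetch\\")


def triage(log_text):
    """Return [(section, reason, line)] for lines that deserve a second look:
    proxy/DNS settings the user did not choose, Trusted Zone additions,
    autoruns naming a bare executable (resolved via the search path, so it
    can point at a dropped file), services running from Temp, and entries
    whose file is already gone."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()
        if section == "R1" and "proxyserver" in lower:
            findings.append((section, "proxy server configured", line))
        elif section == "O4":
            target = body.split("] ", 1)[-1].strip('"')
            if "\\" not in target:
                findings.append((section, "autorun with bare filename", line))
        elif section == "O15":
            findings.append((section, "site added to Trusted Zone", line))
        elif section == "O17" and "nameserver" in lower:
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)
            findings.append((section, "DNS servers set: " + ", ".join(ips), line))
        elif section == "O23" and any(d in lower for d in TEMP_DIRS):
            findings.append((section, "service binary in a Temp directory", line))
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append((section, "orphaned entry, file missing", line))
    return findings
```

The O17 finding is only a prompt to verify the addresses against your ISP's DNS servers, as the thread does; the O4 rule deliberately ignores entries with a full path.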
  24. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048
