TechSpot

Hacktool.rootkit problem!

By Plaw
Aug 26, 2005
  1. Hacktool.rootkit problem

    I've tried to follow the instructions already posted. I must not be too competent or something. Any help/patience is appreciated. It keeps getting put into Norton quarantine; I just can't find the file to delete.
     


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  3. Plaw

    Plaw TS Rookie Topic Starter

    Still broke

    I tried the Trend scan and it came back clean. I get about 2 items in quarantine a second. Here is what's going on.

    Norton's AV is giving me this notification:

    Scan Type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Hacktool.Rootkit
    File: C:\WINNT\system32\et54fg.sys
    Location: Quarantine
    Computer: Mine
    User: System
    Action Taken: Quarantine succeeded: Access denied
    Date found: Tuesday, August 30, 2005

    I deleted everything in my quarantine at the start of this message and now I have 1071 items in quarantine.

    I have run Norton's, Ewido, Ad-Aware SE Personal, and Trend Micro online scan. All came back saying a clean system. Please help. Attached is another HijackThis log.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Go here, read it, then click on the Solution tab
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N

    Then do this, just in case something is still there:
    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Next, open Windows Task Manager.

    On Windows 95/98/ME, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
    Click the Processes tab, select the process (if there), click End Process for:
    system.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    system.exe
    Double-click it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O23 - Service: systemboot - Unknown owner - C:\WINNT\system.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, delete:
    C:\WINNT\system.exe
    C:\WINNT\system32\et54fg.sys (or similar name if it changed)

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
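As an added example illustrating the removal procedure above (this is not code from the thread, from HijackThis, or from Norton): a small Python script that parses HijackThis O23 service lines and Norton Auto-Protect notifications of the kind quoted earlier, flags a service whose binary sits directly in the Windows directory instead of system32, and counts how often the same driver file was quarantined. The heuristic, the function names, and every sample line other than the one O23 entry and the one Norton block quoted in the thread are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample HijackThis excerpt. The "systemboot" O23 line is the one
# quoted in the thread; the other lines are made up for illustration.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O23 - Service: systemboot - Unknown owner - C:\\WINNT\\system.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\navapsvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINNT\\system32\\spoolsv.exe
"""

# Template of a Norton Auto-Protect notification as quoted in the thread; the
# sample log below is constructed by repeating it with different file paths.
NORTON_BLOCK = """\
Scan Type: Auto-Protect Scan
Event: Threat Found!
Threat: Hacktool.Rootkit
File: {path}
Location: Quarantine
Computer: Mine
User: System
Action Taken: Quarantine succeeded: Access denied
Date found: Tuesday, August 30, 2005
"""
SAMPLE_NORTON_LOG = "\n".join(NORTON_BLOCK.format(path=p) for p in (
    "C:\\WINNT\\system32\\et54fg.sys",
    "C:\\WINNT\\system32\\et54fg.sys",
    "C:\\WINNT\\system32\\kq31ab.sys",   # constructed "similar name"
    "C:\\WINNT\\system32\\et54fg.sys",
))

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)
WINDOWS_ROOTS = ("c:\\winnt\\", "c:\\windows\\")


def parse_o23(log_text):
    """Return the O23 (service) entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_services(log_text):
    """List (service name, reasons) for O23 entries that deserve a closer look.

    Heuristic (an assumption for this example): a service binary sitting
    directly in the Windows directory instead of system32 or a program folder
    is unusual; a missing publisher on top of that makes it worse. "Unknown
    owner" alone is not reported, since HJT shows it for legitimate services.
    """
    findings = []
    for entry in parse_o23(log_text):
        path = entry["path"].lower()
        reasons = []
        for root in WINDOWS_ROOTS:
            if path.startswith(root) and "\\" not in path[len(root):]:
                reasons.append("binary placed directly in the Windows directory")
        if reasons and entry["owner"].lower() == "unknown owner":
            reasons.append("no publisher recorded for the service")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


def parse_norton_alerts(text):
    """Split blank-line separated Norton notifications into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            alerts.append(fields)
    return alerts


def detections_per_file(alerts):
    """Count quarantine events per file path (case-insensitive)."""
    return Counter(a["File"].lower() for a in alerts if "File" in a)


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_HJT_LOG):
        print(f"check service '{name}': {'; '.join(reasons)}")
    counts = detections_per_file(parse_norton_alerts(SAMPLE_NORTON_LOG))
    for path, n in counts.most_common():
        print(f"{n}x quarantined: {path}")
```

The same driver path being quarantined over and over is the signal that something still running keeps re-creating it, which is why the steps above stop the system.exe process and service before any files are deleted; deleting the .sys file on its own would only produce the next copy.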
     
  5. Plaw

    Plaw TS Rookie Topic Starter

    Many appreciations

    Hey, thanks a lot. It was that system.exe file. Seems to have done the trick. Now just to keep the kid off the computer. Might be a tougher one.

    Thanks again for your help
     
Topic Status:
Not open for further replies.
