How to remove Hacktool.Rootkit

Status
Not open for further replies.

RealBlackStuff

Posts: 6,450   +3
Go here first and download and run the sysclean package.
http://www.trendmicro.com/download/dcs.asp You will also need the latest pattern file for the Sysclean programme. You can get it HERE. Read the instructions carefully in the .txt file HERE.

There is a program available that can show if you have a Rootkit problem.
It can be downloaded here: Rootkit Revealer. Important: Rename RootKitRevealer.exe to nailsetter.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.

Please download AproposFix from HERE and save it to your desktop. Extract it but don't run it yet.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Open the aproposfix folder on your desktop, double-click RunThis.bat and follow the prompts.

When the tool is finished, please reboot back into normal mode and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

There is also this tool available, known as the Gromozon removal tool, that can help to eliminate certain types of rootkit known as the Gromozon rootkit.

Run the Gromozon tool.

It may not run at all and if it does run, it may tell the user that the infection is not present on the machine.

At this point the user must choose to continue with the scan.

Prevx tool will reboot the machine and run its cleaning process.




As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!



To set things straight:
HiJackThis does NOTHING for or against a Hacktool.Rootkit infection! It can ONLY reveal SOME of the symptoms!
HJT does NOT show: remon.sys, orans.sys, msdirectx.sys and whatever else these files might be called.

If you DO run a HijackThis scan however,
first put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop! Important: Rename HijackThis.exe to HijackThis1991.exe; this is because some new malware can hide from HijackThis.exe.

Look for any or all of these files:
They can be in either \WINDOWS\ or \WINNT\.

Running processes:
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe

To get rid of them:

Boot in Safe Mode, see how here.
(ME/XP only) Switch System Restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
(XP only) Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal.
(ME/XP only) When all OK, switch System Restore back on.
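The manual checks in the post above (look for the listed files, end the processes in Task Manager, stop and disable the O23 services) can be done in one pass from PowerShell. The script below is an added example and is not from RealBlackStuff's post or from any of the tools it names; it is report-only unless `-Remediate` is given. Assumptions not stated in the post: the service names are read from the HJT O23 lines as display name followed by short name in parentheses (ECA/cpanel, TASKESV/TESV, SystemManager), and the three .sys driver names are looked for under System32\drivers, a location the post does not give. Deleting the files and cleaning Temp/Prefetch stays a manual step, as the post describes.

```powershell
<#
  Added triage script (example, not code from the original post).
  Checks a Windows machine for the indicators quoted above and reports them.
  With -Remediate it also performs the post's stop/disable steps.
  Run from an elevated PowerShell prompt, ideally in Safe Mode as the post says.
#>
param(
    # Default is report-only; -Remediate stops the processes and disables the services.
    [switch]$Remediate
)

$sysRoot = $env:SystemRoot   # covers both \WINDOWS\ and \WINNT\ installs

# File indicators named in the post
$suspectFiles = @(
    "$sysRoot\javapanel.exe",
    "$sysRoot\taskcntr.exe",
    "$sysRoot\System32\xpjava.exe",
    "$sysRoot\sysmanager.exe",
    # Driver names from the post; the drivers folder is my assumption, not the post's
    "$sysRoot\System32\drivers\remon.sys",
    "$sysRoot\System32\drivers\orans.sys",
    "$sysRoot\System32\drivers\msdirectx.sys"
)

# Image names from the "Running processes" section (Get-Process takes them without .exe)
$suspectProcesses = @('javapanel', 'taskcntr', 'xpjava', 'sysmanager')

# Service identifiers from the O23 lines; both display name and short name are checked
$suspectServices = @('ECA', 'cpanel', 'TASKESV', 'TESV', 'SystemManager')

$findings = @()

foreach ($path in $suspectFiles) {
    # -Force so files marked hidden or system are still seen
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
        $findings += "FILE    present: $path"
    }
}

foreach ($name in $suspectProcesses) {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "PROCESS running: $($p.ProcessName) (PID $($p.Id))"
        if ($Remediate) { Stop-Process -Id $p.Id -Force }
    }
}

foreach ($name in $suspectServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue }
    foreach ($s in $svc) {
        $findings += "SERVICE found: $($s.Name) [$($s.DisplayName)] status=$($s.Status)"
        if ($Remediate) {
            # Same two steps the post does by hand in services.msc: Stop, then Startup type = Disabled
            if ($s.Status -eq 'Running') { Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue }
            Set-Service -Name $s.Name -StartupType Disabled
        }
    }
}

if ($findings.Count -eq 0) {
    "No indicators from the post were found."
} else {
    $findings
    if (-not $Remediate) { "Re-run with -Remediate to stop the processes and disable the services." }
}
```

Save it under any name (e.g. rootkit-triage.ps1, my choice) and run it once without switches to get the list of what is present; a rootkit that hides its files from the Windows API will not show up here any more than it does in HijackThis, which is why the post points to Rootkit Revealer for that part. Only after reviewing the report run it again with `-Remediate`, then finish the file and Temp cleanup by hand as described above.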