Unable to remove hacktool.rootkit. Please help...

By sumanbolar
Sep 8, 2005
Topic Status:
Not open for further replies.
  1. OK, I seem to be in virus hell.

    NAV says it found Hacktool.rootkit in the following location:
    E:\WINDOWS\system32\orans.sys

    Since then, I've been bombarded with all kinds of junk. It seems to have allowed something called WinFixer 2005 to paste itself on my desktop, as well as stuff like sidefind and 180search assistant and all kinds of other junk. I can't seem to be able to remove or quarantine or uninstall ANY of these. HELP :eek:

    Downloaded and ran spysweeper, and it removed a bunch of stuff. Here's my HJT log. Please help. Also, I'd like to know how I can prevent this from happening again.

    Many thanks in advance.
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  3. sumanbolar

    sumanbolar Newcomer, in training Topic Starter

    Oops

    So sorry, I did read all the posts you mentioned before posting my query.

    Not sure why the log didn't upload...

    I scanned with Housecall too.. doesn't seem to have helped though.

    Thanks.

    Attached Files:

    • HJT.txt (9.4 KB)
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Not only are you supposed to READ all those posts,
    You are also supposed to FOLLOW and DO what it says in those posts!
    When you have done that, post a new log.
  5. sumanbolar

    sumanbolar Newcomer, in training Topic Starter

    Again...

    Hey RealBlack...

    Thanks for your patience. I'm sure you'll need another pint of guinness before you're done with me :)

    Ok. So here's what I did:

    1. Ran the sysclean thing from trendmicro.
    2. Downloaded and ran ewido as per instructions. Scan report attached.
    3. Downloaded spybot, adaware, vx2 plug-in, cw shredder, smartkiller, and about buster.
    4. Rebooted in safe mode and ran in this order: aboutbuster, smartkiller, cwshredder, adaware, vx2 plug-in, spybot.
    5. Rebooted in safe mode and ran HJT. Followed "fix" instructions as given on the "how to remove begin2search/coolwebsearch and other nasties" page.
    6. Rebooted in safe mode and ran HJT again. Log attached.

    The computer already "feels" better in terms of speed etc. However, I still seem to have this thing called WinFixer on my desktop and in my programs file. It won't uninstall.

    What now???

    Thanks again for your help and patience.

    S
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  7. sumanbolar

    sumanbolar Newcomer, in training Topic Starter

    I did... but it doesn't appear there.

    I have a shortcut on my desktop. When I right-click on the shortcut and look at properties, it says "E:\Program Files\WinFixer 2005\WFX5.exe"

    But I can't find that file in the programs folder, either when I access it using explorer or when I access it using the control panel. However, it appears on my start menu -- and no, I can't find it in the "taskbar and start menu" folder in the control panel.

    It tried launching itself automatically, and a window popped up that said: "the item WFX5.exe that this shortcut refers to has been changed or moved. Do you want to delete the shortcut?" I clicked on yes, and off went the shortcut. It's still in the programs list on my start menu though.

    It's possible that one of the earlier "cleaning" sessions deleted it, but how do I get it off from my start menu?? I did run the counterspy software, and it found and fixed a few other things, none of them WinFixer... I couldn't believe that there was still gunk on the system after all the anti-spyware/adware stuff I downloaded and ran. How can I prevent this happening? Will something like ZoneAlarm help? Also, I'm wondering why the @$** I have a paid subscription to Norton AV if it can find stuff but not quarantine or delete it???

    I'm horrified.
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Click Start/Run and type in regedit and click OK.
    Click on Edit/Find and type in runonce and click on Find next.
    When found, check the keys Run and/or RunOnce; if winfixer is found, right-click/delete it.
    Press F3 for the next Find. Repeat until you come to the end of Registry, then exit Regedit.

    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Click on Start/Search/FileFinder and search for that winfixer, if found delete it.
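The same check done as a script rather than by hand in regedit: this is an added example, not something posted in the thread. It walks the Run and RunOnce keys under HKLM and HKCU, flags any value whose name or command line matches a pattern (the default "WinFixer" is only the name from this thread), and then lists Start Menu shortcuts that either match the pattern or point at a target that no longer exists, which is exactly the "has been changed or moved" situation described above. Nothing is removed unless -Remove is given, and even then the script honours -WhatIf and -Confirm through ShouldProcess. It assumes a Windows host with PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): review autorun registry values and
# Start Menu shortcuts for a suspicious name, report them, and remove only
# on request. Run from an elevated prompt so HKLM values are visible/removable.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = 'WinFixer',   # hypothetical default; pass your own pattern
    [switch]$Remove
)

# The Run/RunOnce keys the post above tells the reader to inspect, for both
# the machine and the current user. The WOW6432Node key only exists on 64-bit.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        # Match on either the value name or the command it launches, since
        # the name is often innocuous while the path gives the game away.
        if ($name -match $Pattern -or "$cmd" -match $Pattern) {
            Write-Output ("MATCH  {0}\{1} = {2}" -f $key, $name, $cmd)
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove autorun value')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
        else {
            Write-Verbose ("ok     {0}\{1} = {2}" -f $key, $name, $cmd)
        }
    }
}

# Start Menu shortcuts for all users and the current user. A .lnk whose
# target file is gone is reported as "target missing"; that is the case the
# poster hit when the shortcut's WFX5.exe had already been deleted.
$shell = New-Object -ComObject WScript.Shell
$startMenus = @(
    [Environment]::GetFolderPath('CommonStartMenu'),
    [Environment]::GetFolderPath('StartMenu')
)
foreach ($dir in $startMenus) {
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target  = $shell.CreateShortcut($_.FullName).TargetPath
            $missing = ($target -and -not (Test-Path -LiteralPath $target))
            if ($_.Name -match $Pattern -or $target -match $Pattern -or $missing) {
                $why = if ($missing) { 'target missing' } else { 'pattern match' }
                Write-Output ("LNK    {0} -> {1} ({2})" -f $_.FullName, $target, $why)
                if ($Remove -and $PSCmdlet.ShouldProcess($_.FullName, "Remove shortcut ($why)")) {
                    Remove-Item -LiteralPath $_.FullName
                }
            }
        }
}
```

Run it once without -Remove to get the report, then with `-Remove -WhatIf` to see what would be deleted before committing; broken shortcuts are reported regardless of the pattern because a missing target is itself worth a look, but they are only deleted when -Remove is given.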
  9. sumanbolar

    sumanbolar Newcomer, in training Topic Starter

    RealBlack,

    :grinthumb Thank you, thank you, thank you. I bow to thy superior knowledge and thy willingness to share it with others.

    WinFixer didn't show up in the registry, but I found it using the search tool (location = E:\documents and settings\all users\start menu\programs). I deleted it and now IT'S GONE... I hope it stays gone...

    It seems like almost immediately, ewido and spybot keep finding and removing rubbish from my system. How can I prevent the rubbish from getting there in the first place???

    Thanks once again,
    s
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    By using a combination of your brain, common sense and Firefox!
    NEVER use Internet Explorer, except for Windoze updates.

    Do NOT install any toolbar-crap from Google, Yahoo, MSN and whatever. (You have at least 2, they are for IE, so uninstall that junk.)

    Use a DECENT antivirus program like the free AVG from http://free.grisoft.com and a (free) software firewall like from http://soho.sygate.com (don't get Zonealarm).
    Do NOT use any crappy resource-hogging bloatware from Symantec/Norton!
  11. sumanbolar

    sumanbolar Newcomer, in training Topic Starter

    Gotcha.

    Have downloaded firefox (takes some getting used to though) and the sygate firewall.

    Thanks once again for all your help. May your tribe increase!

    s