Can't remove Hacktool.Rootkit
#1
Can't remove Hacktool.Rootkit
Hi, my computer is infected by Hacktool.Rootkit and Norton can't remove or quarantine it, so I would like some help. I am Swedish and not very good at English, so I would like simple help.
I also attach my HJT log file.
#2
Can't anyone help me? I have read other instructions but don't understand. Please help!
#3
It's Sunday!
#4
I assume that you've read some of the other rootkit posts.
Did you try this yet? http://www.trendmicro-middleeast.com...WORM_SDBOT.CBC
Then run this: Trendmicro scanner for ALL browsers: http://uk.trendmicro-europe.com/cons...all_launch.php
Then post a new log, please.
#5
STOP using Internet Explorer! Get Firefox instead!

C:\Documents and Settings\Jesper\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

Boot in Safe Mode. Switch System Restore OFF, see how here. In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, click Start/Run and type services.msc and click OK. Look for the service: coderxt.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, open Windows Task Manager. On Windows 95/98/ME, press CTRL+ALT+DELETE. On Windows NT/2000/XP, press CTRL+SHIFT+ESC. Click the Processes tab, select the process (if there), click End Process for:
coderxt.exe
BHR3.5.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...........................................................................
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [System Service] coderxt.exe
O4 - HKLM\..\Run: [BHR3.5] C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe
O4 - HKLM\..\RunServices: [System Service] coderxt.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
...........................................................................

Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files. When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

Boot normal. When all OK, switch System Restore back on.
#6
Hi again! Here is my log after deleting. I didn't do as you told me; I think I solved it before you answered. Is it clear now? Please be so.
Thanks for all help.
#7
If you know it better, why do you still ask?
Everything bad I told you is still there. Not MY problem, YOUR problem!
#8
Can't remove Hacktool.Rootkit PLEASE HELP ME
Hi, I have the same problem with Remon.sys...
Please help me.. I attach the file... What should I do????? Thanks!!!!
Last edited by magui_2310; 09-20-2005 at 02:40 PM. Reason: file is not attached
#9
You run AVG and Avast Antivirus together, not a good idea. Uninstall the one you like least (they are equally good, but I suggest you keep AVG).

Boot in Safe Mode, see how here. Switch System Restore OFF, see how here. In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE. Click the Processes tab, select the process (if there) and click End Process for:
sysmanager.exe
E.exe
SXDRRNN.exe
YDBKFYPZGZ.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
sysmanager.exe
E.exe
SXDRRNN.exe
YDBKFYPZGZ.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...........................................................................
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
Fix ALL your O16 - DPF: entries
Unless New Skies Satellites N.V., 8000 Gainsford Ct, Bristow, VA 20136, USA is your ISP, FIX this O17:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: E - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\E.exe
O23 - Service: SXDRRNN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\SXDRRNN.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: YDBKFYPZGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\YDBKFYPZGZ.exe
...........................................................................

Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files. When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.

Boot normal. When all OK, switch System Restore back on.

Rootkit: http://www.trendmicro-middleeast.com...TROJ_ROOTKIT.N
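The instructions in #5 and #9 above single out the same kinds of HJT entries: autorun targets with no path, services whose binary is missing or lives in a Temp directory, hard-coded DNS servers, and proxy or Trusted Zone changes. The Python below is an added example, not code from this thread or from the HijackThis project: it parses HJT log lines and flags exactly those patterns, using entries quoted from the logs posted above as a constructed sample.

```python
import re

# Constructed sample log: HJT entries quoted from the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [System Service] coderxt.exe
O4 - HKLM\..\Run: [BHR3.5] C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe
O4 - HKLM\..\RunServices: [System Service] coderxt.exe
O15 - Trusted Zone: *.media-motor.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
O23 - Service: E - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\E.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
"""

# Every HJT entry starts with a section code (R1, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def check_entry(section, body):
    """Return a reason if this entry matches one of the thread's red flags, else None."""
    if section == "R1" and "ProxyServer" in body:
        return "browser proxy set; confirm it is one you configured"
    if section == "O2" and body.endswith("(no file)"):
        return "BHO whose DLL is gone; orphan left by removed software or malware"
    if section == "O4":
        target = body.split("] ", 1)[-1]      # text after the [name] label
        if "\\" not in target:
            return "autorun target has no path; loaded from a system directory"
    if section == "O15":
        return "site added to Trusted Zone; weakens browser security for it"
    if section == "O17" and "NameServer" in body:
        return "DNS servers hard-coded; verify they belong to your ISP"
    if section == "O23":
        if body.endswith("(file missing)"):
            return "service points to a missing binary; stale entry from a removed rootkit"
        if "\\temp\\" in body.lower():
            return "service binary runs from a Temp directory"
    return None

def triage(log_text):
    """Parse an HJT log and return (section, reason, line) for each suspicious entry."""
    findings = []
    for line in map(str.strip, log_text.strip().splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue                          # skip headers and non-entry lines
        reason = check_entry(m.group("section"), m.group("body"))
        if reason:
            findings.append((m.group("section"), reason, line))
    return findings
```

The SystemManager service in the sample is deliberately not flagged: these rules only catch the patterns named above, and an entry that looks ordinary still needs a human check, which is why the thread keeps asking for a fresh log.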
#10
I have the same problem with Remon.sys... Need help! Thanks in advance.
I cannot attach the file, but anyway, here it is.... Logfile of HijackThis v1.99.1
Double posting is not really appreciated, see answer to your other post.
Last edited by RealBlackStuff; 09-22-2005 at 03:19 AM.
#11
A little help
My computer has been infected by Hacktool.Rootkit too. I've been reading the previous entries here but I haven't started doing anything.
Where should I start? I read in a URL sent by a friend that an infected computer needs to find "xpjava.exe" and delete it. Many later gave feedback to the entry that they found the file, deleted it and now the virus is gone. What are the HJT files for? I'm confused about where I should start cleaning.
#12
Go here first:
Rootkit: http://www.trendmicro-middleeast.com...TROJ_ROOTKIT.N
Then go here as well: How to remove Trojans and its ilk!
#13
Thanks for the two links. I've done the TrendMicro and Ewido scans.
Both detected infected files. I deleted all the files in Ewido quarantine but Norton still pops up the Hacktool.Rootkit notification. I'm looking at this now... How to remove Begin2Search/Coolwebsearch and Other Nasties
Is there any attachment I should attach here for further help?
#14
I've been looking at the replies here and noticed that a HJT log file is provided to check whether it's clean. The problem is I've no idea what program HijackThis is, and so I didn't know how to get a HJT log file in .TXT for further comments.
Hacktool.Rootkit seems to be still around as Norton still pops up with notifications, though TrendMicro and Ewido have done the scanning. I hope it's not so serious.
#15
Read all about HJT and get it from here:
http://www.tomcoyote.org/hjt/
Run it, then see How to post your Hijackthis log-files as an attachment.
#16
RealBlackStuff, can you help me out here.... NAV keeps showing me the Hacktool.Rootkit virus on C:\Windows\system32\remon.sys; I could not get rid of it!!
Here is my HijackThis log:
#17
Hi RealBlackStuff
Like the others above, Hacktool.Rootkit has infected my PC under system32\remon.sys and I cannot remove it.. Please help me remove it. Thanks a lot for your help. Here's my log file:
Last edited by SquarePegs; 09-26-2005 at 12:33 PM.
#18
Thank you RealBlackStuff... I was able to remove the Hacktool.Rootkit virus successfully from my PC after quite a hard time... Thanks again..
#19
It came back
I ran TrendMicro and Ewido several times, and for 3 hours before I shut down my computer yesterday I didn't get any Norton notification on Hacktool.Rootkit anymore.
But it came back again this morning. Previously I got a notification per minute; now I get 2 notifications per minute. I ran TrendMicro and Ewido but found no infected files. I enclose my HijackThis log file. Thanks for all the help.
#20
As an addition, I'm using Spy Sweeper but I noticed that the infected files are mostly from the Spy Sweeper folder. Should I delete this program? If yes, what program should I download as a replacement?
Besides, I found 180searchassistant and Folder Guard Pro XP in Program Files; I've got no idea where they came from. Infected files were also found mostly in Folder Guard Pro XP. What should I do with these two... delete?