Can't remove Hacktool.Rootkit

Hi, my computer is infected by Hacktool.Rootkit and Norton can't remove or quarantine it, so I would like some help. I'm Swedish and not very great at English, so I would like some simple help.
I also attach my HJT log file.
 

STOP using Internet Explorer! Get Firefox instead!

C:\Documents and Settings\Jesper\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


Next, click Start/Run and type services.msc and click OK. Look for the service:
coderxt.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, open Windows Task Manager.
On Windows 95/98/ME, press CTRL+ALT+DELETE.
On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
Click the Processes tab, select the process (if there), click End Process for:
coderxt.exe
BHR3.5.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [System Service] coderxt.exe
O4 - HKLM\..\Run: [BHR3.5] C:\Program\Zamaan's Software\Browser Hijack Retaliator 3.5\BHR3.5.exe
O4 - HKLM\..\RunServices: [System Service] coderxt.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
 
Hi again! Here is my log after deleting. I didn't do as you told me; I think I solved it before you answered. Is it clear now? Please be so.
Thanks for all the help.
 

Can't remove Hacktool.Rootkit PLEASE HELP ME

Hi, I have the same problem with Remon.sys...
Please help me.
I attach the file... What should I do?
Thanks!
 

You run AVG and Avast Antivirus together, which is not a good idea. Uninstall the one you like least (they are equally good, but I suggest you keep AVG).

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
sysmanager.exe
E.exe
SXDRRNN.exe
YDBKFYPZGZ.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
sysmanager.exe
E.exe
SXDRRNN.exe
YDBKFYPZGZ.exe
Double-click each one, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
Fix ALL your O16 - DPF: entries
Unless New Skies Satellites N.V., 8000 Gainsford Ct, Bristow, VA 20136, USA is your ISP, FIX this O17:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: E - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\E.exe
O23 - Service: SXDRRNN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\SXDRRNN.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: YDBKFYPZGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\YDBKFYPZGZ.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.

Rootkit:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
 
I have the same problem with Remon.sys... Need help! Thanks in advance..
I cannot attach the file... :confused:
But anyway, here it is...

Logfile of HijackThis v1.99.1

Double posting is not really appreciated, see answer to your other post.
 
A little help

My computer has been infected by Hacktool.Rootkit too. I've been reading the previous entries here but I haven't started doing anything.
Where should I start? I read in a URL sent by a friend that infected computers need to find "xpjava.exe" and delete it. Many later gave feedback on the entry that they found the file, deleted it, and now the virus is gone.
What are the HJT files for?
I'm confused about where I should start cleaning.
 
Thanks for the two links. I've done the TrendMicro and Ewido scans.
Both detected infected files. I deleted all the files in the Ewido quarantine, but Norton still pops up the Hacktool.Rootkit notification.

I'm looking at this now...
How to remove Begin2Search/Coolwebsearch and Other Nasties

Is there any attachment I should add here for further help?
 
I've been looking at the replies here and noticed that a HJT log file is provided to check whether it's clean. The problem is I've no idea what program HijackThis is, so I don't know how to get a HJT log file in .TXT for further comments.

Hacktool.Rootkit seems to be still around, as Norton still pops up with the notification even though TrendMicro and Ewido have done their scanning. I hope it's not so serious.
 
RealBlackStuff, can you help me out here.... NAV keeps showing me the Hacktool.Rootkit virus on C:\Windows\system32\remon.sys; I could not get rid of it!! :mad:

Here is my HijackThis log:
 
Hi RealBlackStuff

Like the others above, Hacktool.Rootkit has infected my PC under system32\remon.sys and I cannot remove it. Please help me remove it.

Thanks a lot for your help.

Here's my log file:
 
Thank you RealBlackStuff... I was able to remove the Hacktool.Rootkit virus successfully from my PC after quite a hard time... Thanks again..
 
It came back

I ran TrendMicro and Ewido several times, and 3 hours before I shut down my computer yesterday I didn't get any Norton notification about Hacktool.Rootkit anymore.
But it came back again this morning. Previously I got one notification per minute; now I get 2 notifications per minute. I ran TrendMicro and Ewido but found no infected files.
I enclosed my HijackThis log file. Thanks for all the help.
 
As an addition, I'm using Spy Sweeper, but I noticed that the infected files are mostly from the Spy Sweeper folder. Should I delete this program? If yes, what program should I download as a replacement?
Besides, I found this 180searchassistant and Folder Guard Pro XP in Program Files; I've got no idea where they came from. Infected files were also found mostly in Folder Guard Pro XP. What should I do with these two... delete?
 
nicolekwt

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
ALL the xxx.exe entries under Running Processes
ALL the xxx.exe entries in the O4 - HKLM group (that were not already under Running Processes)

Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ISTbar\istbarcm.dll
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\Folder Guard Pro XP\FGuard32.dll

Next, click on Start/Run and type in each of the following (followed by pressing Enter):
regsvr32 /u C:\WINDOWS\nem220.dll
regsvr32 /u C:\Program Files\SideFind\sidefind.dll
regsvr32 /u C:\Program Files\SideFind\sfbho.dll
regsvr32 /u C:\WINDOWS\System32\msbe.dll
regsvr32 /u C:\Program Files\Folder Guard Pro XP\FGuard32.dll

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
Running processes:
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\TEMP\fGCdZb6.exe
C:\WINDOWS\TEMP\sais.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hq1.permanis.com.my:8383/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sisoftware.net/?location=licence_pro_use&dir=licence
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [N1damP4iD] C:\WINDOWS\vkuobbq.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://hq1.permanis.com.my:8383/tx.cab
Unless your ISP is NETBLK-JARING in Kuala Lumpur, fix these O17s:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5763A405-D23E-49D5-9A17-A45506547171}: NameServer = 192.228.128.20 192.228.128.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{5763A405-D23E-49D5-9A17-A45506547171}: NameServer = 192.228.128.20 192.228.128.18
O20 - Winlogon Notify: FolderGuard - C:\Program Files\Folder Guard Pro XP\FGuard32.dll
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.

Stop using that crappy Internet Explorer except for Windows updates. Go to www.getfirefox.com

And now go and install XP/SP2.

And be more selective where you surf!
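The replies above triage HijackThis logs by the same handful of rules each time: programs or services started from a Temp directory, O23 services whose file is missing, an R1 forced proxy, O17 NameServer overrides to check against the ISP, O15 Trusted Zone additions, O20 Winlogon Notify hooks, and O4 autoruns given by bare filename or dropped straight into C:\WINDOWS. The Python below is an added example that applies those rules to HJT log lines; it is not RealBlackStuff's own tool and not part of HijackThis, and the sample log is constructed from entries quoted in this thread plus one benign made-up autorun.

```python
import re
# Constructed sample: entries quoted in the replies above plus one benign made-up autorun.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [System Service] coderxt.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:8080
O15 - Trusted Zone: *.media-motor.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C74F903C-FFC5-40CE-9478-C1F5C9AB0B63}: NameServer = 66.178.2.16,66.178.2.25
O23 - Service: E - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DR541E~1.BRA\CONFIG~1\Temp\E.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O4 - HKLM\..\Run: [N1damP4iD] C:\WINDOWS\vkuobbq.exe
O20 - Winlogon Notify: FolderGuard - C:\Program Files\Folder Guard Pro XP\FGuard32.dll
"""

# Every HJT entry is "<prefix> - <body>"; prefixes are R0-R3 and O1-O23.
HJT_LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def triage_hjt_line(line: str) -> list[str]:
    """Return the reasons an HJT line deserves a closer look ([] = nothing flagged).
    Heuristics mirror the replies above: programs/services launched from a Temp directory,
    services whose file is missing, a forced IE proxy, NameServer overrides (check against
    your ISP), Trusted Zone additions, Winlogon Notify hooks, and autoruns by bare filename
    or straight from the Windows directory.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, low = m.group(1), m.group(2).lower()
    reasons = []
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if kind == "O23" and "(file missing)" in low:
        reasons.append("service points to a missing file")
    if kind == "R1" and "proxyserver" in low:
        reasons.append("proxy server forced in IE settings")
    if kind == "O17" and "nameserver" in low:
        reasons.append("DNS servers overridden; verify they belong to your ISP")
    if kind == "O15":
        reasons.append("site added to IE Trusted Zone")
    if kind == "O20":
        reasons.append("Winlogon Notify hook, loaded at every logon")
    if kind == "O4" and re.search(r"\]\s*[^\\\s\"]+\.exe\s*$", low):
        reasons.append("autorun by bare filename, no path")
    if kind == "O4" and re.search(r"\\windows\\[^\\]+\.exe\s*$", low):
        reasons.append("autorun of an executable dropped directly in C:\\WINDOWS")
    return reasons

def triage_log(text: str) -> dict[str, list[str]]:
    """Map every flagged log line to its list of reasons."""
    return {l.strip(): r for l in text.splitlines() if (r := triage_hjt_line(l))}
```

Running `triage_log(SAMPLE_LOG)` flags eight of the nine sample lines and leaves the made-up "Example" autorun alone; anything the rules miss (such as the remon.sys driver the posters mention) still needs a manual look.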
 