Hacktool.Rootkit rofl.sys I can't get rid of it

Status
Not open for further replies.

erose

Posts: 9   +0
VERY frustrated

Hello... I too am new to this forum... and im very extremely frustrated. i am also being plagued by the hacktool.rootkit rofl.sys and ive tried to follow some of the forums i found and an almost 2 hours later im left sitting here pulling my hair because nothing has happened the way it has for everyone else. not to mention i know very little about computers and i need all the help i can get. so i suppose what i plan to do is follow the directions you left for the guy who started this thread.... and im also going to put up my log file once im done..... if i could get some help with this id be REALLYY greatful!!!!
 
ok... ive tried to do what you previously posted and the first one didnt work... i didnt find any of that on my computer... and the link to the second apparently doesnt exist. so im going to put up my log and please tell me if you see anything wrong with it...
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Viewpoint\Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O21 - SSODL: IIDCHFJ0 - {270F6013-4D0E-7038-71D7-6F5264C91BDF} - C:\WINDOWS\System32\Jembij32.dll (file missing)
O21 - SSODL: mtklef - {2D218497-B75C-49DE-1DB1-94D4D1C212EE} - C:\WINDOWS\System32\izczf32.dll (file missing)
O21 - SSODL: mtklefap - {77E062AD-0BE2-4E18-C497-2CD214110322} - C:\WINDOWS\System32\mdhb32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :wave: :wave:
 
didnt work :(

I did everything you told me to do, step by step and when i rebooted the virus alert came up again for the same problem :( is there anything else you can suggest? Once again, im posting a fresh log from HJT. Thanks for your previous help and any help to come
 
Did you go HERE and download and run the sysclean package?

If not, you should do so. Make sure you read the instructions fully.

HJT will do nothing against a rootkit infection.

Regards Howard :)
 
i think it worked

that seemed to have worked!!! :) I ran that program in safemode and when i restarted in Normal mode I got no notice of a virus like I have been... so HOPEFULLY its gone and not just hiding somewhere like it has been for the past month. thanks for all your help!!!
 
*#%(@!

ok. i lied. i just got done reinstalling norton anti virus and updating to service pack 2............... restarted my computer.................. and low and behold was the virus alert again #)(%&@#!!!! I feel completely hopeless right now and i dont understand how it keeps respawining!!... the program you had me run said it was deleted... and this time around when i hit "heal" on my AVG virus scan it actually is able to do it, whereas before it said that access to the file was denied... but like before the message keeps looping. After I hit the 'heal' button and it tells me it was successful... the message pops right back up warning me about the virus. i dont know what to do!!!! :(
 
All I can suggest is you run the sysclean programme again. make sure you turn off system restore first.

You might also want to try this scanner HERE.

There is a programme called unhackme, that claims to be able to remove rootkit infections. I don`t know if it`ll work, but it may be worth a shot. Take a look HERE.

If none of the above work, then maybe you should consider backing up your important data and doing a reformat and reinstall.

Regards Howard :)
 
im back...

ok... im back and i have a new problem, but this time its on my boyfriend's computer and im trying to fix it for him... and i would like to run hijack this and i had a question... i remember when i was working on my computer before that there was a site i was able to go to and type in the file name and things related, of the different things that hijack this found, to determine whether or not it was a good, neutral, or bad thing to have on your computer. I have spent the past hour trying to remember and/or find that site, but im not having any luck with it, but im pretty sure i got it from this forum.... do you know of which site im talking about? or know of one that would do the same thing? it would be really helpful if you could point me in the right direction... thanks!
 
on top of that...

i would still like to know what that site is, but i also decided to post up the logfile for his computer.... :)
 
The online HJT analysers are only meant as a guide. If anyone takes what they say as gospel, they are likely to bugger up their systems.

If you would like to post your boyfriends HJT log file into this thread, I`ll have no problem in taking a look at it for you.


BTW. Did you ever manager to get rid of that rootkit infection and if so, which programme got rid of it?

Regards Howard :)
 
Your boyfriends computer is infected with the SmitFraud trojan.

Go HERE and follow the instructions exactly.

Post a fresh HJT log after doing the above.

Regards Howard :)
 
wow... thanks

wow thanks... that seemed to work perfectly. i was able to get online without being bombarded by a thousand fake "YOU HAVE A VIRUS DOWNLOAD OUR PROGRAM TO GET RID OF IT!" messages... :) AND... the homepage was fixed... i'm realy greatful for all your help! thanks again!

ps. no i never got rid of the rootkit... i think im going to try to reformat but im not looking forward to it at all because this will be my fourth time for various reasons... i'll definetly end up doing it before school starts back up, but as of right now i have no motivation to do so haha. ..oh yeah... and i posted a fresh log for my boyfriends computer :)
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your contol panel and uninstall anything to do with(if there).

AWS/WeatherBug

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

Weather.exe

Close task manager.

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\windows\system32\blank.htm

Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
Status
Not open for further replies.
Back