Hacktool.rootkit took over my friend's laptop!

By IceWeasel · 5 replies
Sep 19, 2005
  1. I've been browsing these forums for a good portion of the night, and it appears that this trojan requires quite a bit of work to get rid of...

    The laptop in question has no internet connectivity and is getting an error from Norton Anti-virus saying "remon.sys" has a virus. I downloaded the Trend Micro Sysclean package and ran it, but I'm not really sure what that accomplished.

    I've attached the HJT.txt to this thread, hopefully you guys can help us out!

    P.S. Since the virus has shut down the internet on that PC, we've resorted to downloading files on my desktop and then using a USB key to transfer them.

    Attached file: hjt.txt (4.9 KB)
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127080913453
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127095786640
    O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    Also go here for Rootkit, once the laptop can access the web again:
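The manual steps above (kill the process, stop and disable the service, delete the binary, clear every user's Temp, the system Temp except today's files, and Prefetch), as an added PowerShell example that is not part of the thread or of any tool named in it. The service names and binary paths are the two O23 entries from the posted HJT log; the XP profile root "Documents and Settings" is taken from the post (on Vista and later the per-user Temp lives under C:\Users\<name>\AppData\Local\Temp). Run it from an elevated prompt in Safe Mode, and pass -WhatIf first to preview every change. System Restore is left to the manual step.

```powershell
<#
  Added example (not from the thread): scripted form of the cleanup steps for
  the two O23 services in the HJT log. The binary paths come from the log; the
  profile root is the XP layout the post describes (assumption for other OSes).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$rogueServices = @(
    @{ Name = 'ECA';     Binary = "$env:windir\javapanel.exe" },
    @{ Name = 'TASKESV'; Binary = "$env:windir\taskcntr.exe" }
)
$profileRoot = "$env:SystemDrive\Documents and Settings"   # XP layout, per the post

foreach ($svc in $rogueServices) {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $leaf = Split-Path -Path $svc.Binary -Leaf

    # Sanity check before touching anything: the registry ImagePath must agree
    # with what HJT reported, otherwise this is a different service of that name.
    if (Test-Path $key) {
        $imagePath = (Get-ItemProperty -Path $key).ImagePath
        Write-Host "$($svc.Name): ImagePath = $imagePath"
        if ($imagePath -notlike "*$leaf*") {
            Write-Warning "$($svc.Name): ImagePath does not match the HJT log, skipping"
            continue
        }
    }

    # Task Manager step: end any process still running from that binary.
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($leaf)) -ErrorAction SilentlyContinue |
        Stop-Process -Force

    # services.msc step: stop, set to Disabled, then remove the registration.
    if (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        if ($PSCmdlet.ShouldProcess($svc.Name, 'sc.exe delete')) {
            & sc.exe delete $svc.Name | Out-Null
        }
    } elseif (Test-Path $key) {
        # Not known to the SCM but the key is still there: remove it by hand.
        Remove-Item -Path $key -Recurse -Force
    }

    # Delete the binary itself (only the file named in the log).
    if (Test-Path $svc.Binary) {
        Remove-Item -Path $svc.Binary -Force
    }
}

# Per-user Temp for ALL profiles.
Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $tmp = Join-Path -Path $_.FullName -ChildPath 'Local Settings\Temp'
        if (Test-Path $tmp) {
            Get-ChildItem -Path $tmp -Force | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

# System Temp, keeping anything written today, as the post says.
$today = (Get-Date).Date
Get-ChildItem -Path "$env:windir\Temp" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $today } |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

# Prefetch (XP): only the .pf trace files, not the folder itself.
Get-ChildItem -Path "$env:windir\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
    Remove-Item -Force -ErrorAction SilentlyContinue
```

Because the script declares SupportsShouldProcess, `.\cleanup.ps1 -WhatIf` propagates to every Stop-Service, Set-Service, Remove-Item and Stop-Process call and prints what would happen without changing anything; the `sc.exe delete` is gated through `$PSCmdlet.ShouldProcess` so it honours the same switch. The ImagePath comparison is the check a practitioner wants before deleting a service by name alone, since HJT only reports what the registry says at scan time.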
  3. IceWeasel

    IceWeasel TS Rookie Topic Starter

    We can't seem to find the c:\windows\javapanel.exe file
    or c:\windows\taskcntr.exe.

    Currently trying out the rest of the steps.
  4. IceWeasel

    IceWeasel TS Rookie Topic Starter

    N/m, I figured out what I hadn't done :)
  5. disintegrator

    disintegrator TS Rookie

    Same Prob

    I've been struggling with this virus for a few days now (rootkit affecting remon on my laptop). I followed your steps: booting up in safe mode, switching off restore, showing all files. When I bring up Windows Task Manager I don't see javapanel.exe or taskcntr.exe. I do, however, see taskmgr.exe (is it the same?).
  6. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    taskmgr.exe is the very Task Manager you are looking at, lol

    Well if you "figured out what i hadn't done", and deleted those files, they wouldn't be running anymore when you went into Safe Mode.

    If you've been searching around here, surely you've come across these two threads:

    They may have some specifics not related to you. But they have a lot of general cleanup advice that would be good to do just the same.
    I would say to STAY in Safe Mode until verified clean. Note also that you can go in to Safe Mode with Networking, and be able to go online to download things and what not, even post here.
    But if you can't go online, check in Device Manager (Control Panel - System - Hardware - Device Manager) that your network controller is in good order, and that it is not disabled and has no exclamation or question mark on it.

    If the NIC is fine, you may have LSP problems, refer to this site: http://www.cexx.org/lspfix.htm
    and download this fix from there: http://members.shaw.ca/techcd/WinsockXPFix.exe.

    When that runs, it will want to restart. When it does, be sure to press F8 and go right back in to Safe Mode with Networking, and see if Internet works.

    You might also download Rootkitrevealer from here: http://www.sysinternals.com/utilities/rootkitrevealer.html (also some good reading in there).
    It will help track down any last files in the system that need deleting.

    Lastly, doublecheck Hijackthis for those services, or new services with different names. Sometimes HJT can't remove them and you have to do it manually in the registry.
    Anyhoo, the guys around here are pretty sharp, if you have some more patience, we'll get it out!
    So run updated scans with your various tools:

    Spybot Search and Destroy
    free online virus scan from "housecall.trendmicro.com"
    Post a new HJT log after you've cleaned house a bit.

    Good luck
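The two "NIC fine, still no Internet" checks in this reply, the Device Manager state of the adapter and the Winsock catalog where an LSP is registered, as an added PowerShell example that is not part of the thread, of LSPFix or of WinsockXPFix. It parses the "Entry Type:", "Description:" and "Provider Path:" lines that `netsh winsock show catalog` prints and flags any provider DLL outside an allow-list of stock Microsoft providers; that allow-list and the -Reset switch are this example's own assumptions. `netsh winsock reset` needs XP SP2 or later and a reboot afterwards, which is where Vigilante's "press F8 and go right back in to Safe Mode with Networking" applies.

```powershell
<#
  Added example (not from the thread): checks the two usual reasons a cleaned
  machine cannot get online. Needs an elevated prompt. The Microsoft provider
  allow-list is an assumption made for this example.
#>
param([switch]$Reset)

# 1. Device Manager state. ConfigManagerErrorCode 0 is healthy, 22 means the
#    device is disabled, anything else is the yellow "!" / "?" in the GUI.
Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID } |
    ForEach-Object {
        $adapter = $_
        $state = switch ($adapter.ConfigManagerErrorCode) {
            0       { 'OK' }
            22      { 'DISABLED (enable it in Device Manager)' }
            default { "PROBLEM (CM error code $_)" }
        }
        '{0,-45} {1}' -f $adapter.NetConnectionID, $state
    }

# 2. Winsock catalog. Every provider DLL that is not a stock Microsoft one is a
#    third-party LSP worth explaining; a DLL that no longer exists (deleted by a
#    cleanup) breaks the whole stack, which is the classic post-removal failure.
$knownDlls = 'mswsock.dll', 'rsvpsp.dll', 'winrnr.dll', 'nlaapi.dll', 'napinsp.dll',
             'pnrpnsp.dll', 'wshbth.dll', 'wshqos.dll', 'wshtcpip.dll', 'wship6.dll'   # assumed allow-list

$entries = @()
$current = $null
foreach ($line in (& netsh winsock show catalog)) {
    if ($line -match '^Winsock Catalog .*Provider Entry') {
        $current  = @{ Type = ''; Description = ''; Path = $null }
        $entries += ,$current            # keep the hashtable as one array element
    }
    elseif (-not $current) { continue }
    elseif ($line -match '^\s*Entry Type:\s*(.+?)\s*$')    { $current.Type        = $Matches[1] }
    elseif ($line -match '^\s*Description:\s*(.+?)\s*$')   { $current.Description = $Matches[1] }
    elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $current.Path = [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}

# Name space entries have no Provider Path and are skipped by the $_.Path test.
$suspect = @($entries | Where-Object {
    $_.Path -and ($knownDlls -notcontains (Split-Path -Path $_.Path -Leaf).ToLower())
})

if ($suspect.Count -eq 0) {
    'Winsock catalog contains only stock Microsoft providers.'
} else {
    foreach ($e in $suspect) {
        $note = if (Test-Path $e.Path) { '' } else { '<-- DLL MISSING: stack is broken' }
        '{0,-28} {1,-35} {2} {3}' -f $e.Type, $e.Description, $e.Path, $note
    }
}

# Rebuild the catalog from defaults; reboot into Safe Mode with Networking afterwards.
if ($Reset) {
    & netsh winsock reset
}
```

Run it once without -Reset to see what is registered: a "Layered Service Provider" entry whose DLL is missing is exactly the case where a malware LSP was deleted but its catalog entry was not, and the reset is the fix. A third-party DLL that still exists deserves a look before resetting, since a legitimate firewall or filtering product registers the same way.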
Topic Status:
Not open for further replies.
