Hacktool.rootkit took over my friend's laptop!

Status
Not open for further replies.
I've been browsing these forums for a good portion of the night, and it appears that this trojan requires quite a bit of work to get rid of...

The laptop in question has no internet connectivity and is getting an error from Norton Anti-virus saying "remon.sys" has a virus. I downloaded the Trend Micro Sysclean package and ran it, but I'm not really sure what that accomplished.

I've attached the HJT.txt to this thread, hopefully you guys can help us out!

P.S. Since the virus has shut down the internet on that pc, we've resorted to downloading files on my desktop then using a USB key to transfer them.
 

Attachment: hjt.txt (4.9 KB)
Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
taskcntr.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
taskcntr.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127080913453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127095786640
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.

Also go here for Rootkit, once the laptop can access the web again:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
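As an added illustration (not part of the original post, and not a feature of HijackThis itself), the Python script below parses the O16 and O23 lines quoted above and applies the same rule of thumb the reply uses: a service listed with "Unknown owner" whose binary sits directly in C:\WINDOWS (not in a subfolder) is worth a second look, and the download hosts behind the O16 DPF entries are listed so they can be eyeballed. The Norton service line in the sample is constructed to show what an ordinary, vendor-owned entry looks like next to the two flagged ones.

```python
"""Parse HijackThis (HJT) O16/O23 log lines and flag services worth a second look.

Added example for this thread; not a HijackThis tool and not from the original posts.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log: the four lines quoted in the reply above plus one
# constructed Norton entry showing a normal service with a named vendor owner.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127080913453
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# O23 - Service: <display name> (<short name>) - <owner> - <binary path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# O16 - DPF: {<CLSID>} (<control name>) - <download URL>
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$"
)


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str


@dataclass
class Dpf:
    clsid: str
    name: str
    url: str


def parse_hjt(text):
    """Return (services, dpfs) parsed from the O23 and O16 lines of an HJT log."""
    services, dpfs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            services.append(Service(**m.groupdict()))
            continue
        m = O16_RE.match(line)
        if m:
            dpfs.append(Dpf(**m.groupdict()))
    return services, dpfs


def is_windows_root_exe(path):
    """True when the file sits directly in the Windows directory (C:\\WINDOWS\\x.exe),
    not in a subfolder such as system32. Legitimate services rarely live there."""
    p = path.lower().replace("/", "\\")
    return re.match(r"^[a-z]:\\(windows|winnt)\\[^\\]+$", p) is not None


def suspicious_services(text):
    """Services with no identified owner whose binary sits in the Windows root."""
    services, _ = parse_hjt(text)
    return [
        s for s in services
        if s.owner.lower() == "unknown owner" and is_windows_root_exe(s.path)
    ]


def dpf_hosts(text):
    """Sorted set of hosts the O16 DPF controls were downloaded from."""
    _, dpfs = parse_hjt(text)
    return sorted({urlparse(d.url).hostname for d in dpfs})


if __name__ == "__main__":
    for s in suspicious_services(SAMPLE_LOG):
        print(f"suspicious service {s.short!r} ({s.display}): {s.path}")
    print("DPF download hosts:", ", ".join(dpf_hosts(SAMPLE_LOG)))
```

Run it against the sample and the two services the reply tells the poster to disable (cpanel and TESV) are the only ones reported, while the constructed Norton entry passes because it has a named owner and lives under Program Files. To use it on a real log, replace SAMPLE_LOG with the contents of the saved hijackthis.log; the heuristic is a triage aid, not a verdict, so anything it flags still needs to be checked by hand as the reply describes.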
 
we can't seem to find the c:\windows\javapanel.exe file
or c:\windows\taskcntr.exe

currently trying out the rest of the steps
 
Same Prob

I've been struggling with this virus for a few days now (rootkit affecting remon on my laptop). I followed your steps: booting up in Safe Mode, switching off restore, showing all files. When I bring up Windows Task Manager I don't see javapanel.exe or taskcntr.exe. I do however see taskmgr.exe (is it the same?)
 
taskmgr.exe is the very Task Manager you are looking at, lol

Well if you "figured out what i hadn't done", and deleted those files, they wouldn't be running anymore when you went into Safe Mode.

If you've been searching around here, surely you've come across these two threads:
https://www.techspot.com/vb/topic27710.html
https://www.techspot.com/vb/topic17297.html

They may have some specifics not related to you. But they have a lot of general cleanup advice that would be good to do just the same.
I would say to STAY in Safe Mode until verified clean. Note also that you can go in to Safe Mode with Networking, and be able to go online to download things and what not, even post here.
But if you can't go online, check in Device Manager (Control Panel - System - Hardware - Device Manager) that your network controller is in good order, and is not disabled and does not have an exclamation or question mark on it.

If the NIC is fine, you may have LSP problems, refer to this site: http://www.cexx.org/lspfix.htm
and download this fix from there: http://members.shaw.ca/techcd/WinsockXPFix.exe.

When that runs, it will want to restart. When it does, be sure to press F8 and go right back in to Safe Mode with Networking, and see if Internet works.

You might also download Rootkitrevealer from here: http://www.sysinternals.com/utilities/rootkitrevealer.html (also some good reading in there).
It will help track down any last files in the system that need deleting.

Lastly, double-check HijackThis for those services, or new services with different names. Sometimes HJT can't remove them and you have to do it manually in the registry.
Anyhoo, the guys around here are pretty sharp, if you have some more patience, we'll get it out!
So run updated scans with your various tools:

Adaware
Spybot Search and Destroy
Hijackthis
CrapCleaner
Rootkitrevealer
free online virus scan from "housecall.trendmicro.com"
Post a new HJT log after you've cleaned house a bit.

good luck
 