3.10.2008

How to remove Hacktool.Rootkit


Affected users should first update their antivirus. Generally speaking, even if its name is intriguing or attractive, there is no need to run a doubtful attached file without first confirming with the sender that they actually sent it, and then scanning it with an up-to-date antivirus.

Before beginning the removal, make sure the precautionary measures above have been applied, to prevent the computer being reinfected by the virus. Users who do not have an antivirus can use a free online antivirus to find and eliminate the virus.


Go here first, then download and run the Sysclean package:
http://www.trendmicro.com/download/dcs.asp You will also need the latest pattern file for the Sysclean programme. You can get it HERE. Read the instructions carefully in the .txt file HERE.

There is a program available that can show whether you have a rootkit problem.
It can be downloaded here: Rootkit Revealer. Important: rename RootKitRevealer.exe to nailsetter.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.

Please download AproposFix from HERE and save it to your desktop. Extract it but don't run it yet.

Boot into Safe Mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.

Open the aproposfix folder on your desktop, double-click RunThis.bat and follow the prompts.

When the tool is finished, please reboot back into normal mode and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

There is also a tool available, known as the Gromozon removal tool, that can help eliminate a certain type of rootkit known as the Gromozon rootkit.

Run the Gromozon tool.

It may not run at all, and if it does run, it may tell the user that the infection is not present on the machine.

At this point the user must choose to continue with the scan.

The Prevx tool will reboot the machine and run its cleaning process.

As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware get HIT by this!

To set things straight:
HiJackThis does NOTHING for or against a Hacktool.Rootkit infection! It can ONLY reveal SOME of the symptoms!
HJT does NOT show: remon.sys, orans.sys, msdirectx.sys and whatever else these files might be called.

If you DO run a HijackThis scan, however,
first put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop! Important: rename HijackThis.exe to HijackThis1991.exe, because some new malware can hide from HijackThis.exe.

Look for any or all of these files.
They can be in either \WINDOWS\ or \WINNT\.

Running processes:
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
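
As an added example (not from the original post or from TechSpot), the following Python script scans a saved HijackThis log for the file names listed above, matching both the "Running processes" section and O23 service lines regardless of whether the files sit under \WINDOWS\ or \WINNT\. The sample log lines are constructed here for illustration.

```python
import re

# File names named on this page as Hacktool.Rootkit indicators (paths vary, so match on basename)
HACKTOOL_ROOTKIT_FILES = {
    "javapanel.exe", "taskcntr.exe", "xpjava.exe", "sysmanager.exe",
    "remon.sys", "orans.sys", "msdirectx.sys",
}

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Entries in the "Running processes" section are bare absolute Windows paths
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def basename(path):
    """Last path component, lower-cased, so C:\\WINNT\\SysManager.EXE matches sysmanager.exe."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(log_text):
    """Return (line_no, kind, label, path) for every log line naming a known indicator file."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = O23_RE.match(line)
        if m:
            if basename(m.group("path")) in HACKTOOL_ROOTKIT_FILES:
                hits.append((n, "service", m.group("name"), m.group("path")))
            continue
        if PROCESS_RE.match(line) and basename(line) in HACKTOOL_ROOTKIT_FILES:
            hits.append((n, "process", basename(line), line))
    return hits


# Constructed sample log (not a real capture); mixes clean entries with the indicators above
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\javapanel.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: SystemManager - Unknown owner - C:\WINNT\sysmanager.exe
"""

if __name__ == "__main__":
    for line_no, kind, label, path in find_indicators(SAMPLE_LOG):
        print(f"line {line_no}: suspicious {kind} {label!r} -> {path}")
```

To check a real log, read the log.txt file into a string and pass it to find_indicators in place of SAMPLE_LOG.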

To get rid of them:

Boot in Safe Mode, see how here.
(ME/XP only) Switch System Restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe
Double-click each one, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
....................................................................................................
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
....................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, delete the files highlighted in bold between the dotted lines above.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and then Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
(XP only) Delete ALL files from C:\WINDOWS\Prefetch.
Boot normally.
(ME/XP only) When all OK, switch System Restore back on.

Source Taken @ http://www.techspot.com
