** If you are using Windows XP, turn off System Restore.
1. First off, when the virus hit us Symantec was not able to detect it
or delete it. So our first step was to uninstall Symantec and install
Kaspersky Antivirus. You can Google it and find the free personal
edition trial. Install it and update it on your PC.
2. UNPLUG YOUR NETWORK CABLE and reboot into SAFE MODE WITH NETWORKING.
Yes, with networking... without a cable. Trust me.
3. Delete all of the contents of every TEMP folder you can find
(C:\Windows\Temp or C:\Documents and Settings\%username%\local
settings\temp AND temporary internet files)... there are a bunch of
them. Then, do a search on your PC for these files (do an advanced
search that looks at hidden files and folders as well): remon.sys,
orans.sys, sysmanager, and eraseme*. Delete all of these that you find.
4. Next, open the device manager. Select view -- show hidden devices.
Under non-plug and play devices search for ORANS or REMON. If they
exist, right click on them and select UNINSTALL. Decline a reboot for
now. Also, check your System Services in the control panel and delete
any occurrence of NETINFO or REMON or ORANS.
5. Open the registry. Search for all occurrences of REMON, ORANS,
SYSMANAGER, ERASEME*. Delete the entire key that they are found in. If
you get an access denied error right click on the key and select
permissions -- give all users full control and then delete it. For
Win2K users you will have to use regedt32.exe to change the
permissions.
6. Run Spybot Search and Destroy.
7. Reboot BACK INTO SAFE MODE WITH NETWORKING (NO NETWORK CABLE).
Verify that the things you have done in the steps above have not reset
themselves. If your registry is clean and the files remain gone and the
device manager plug and play devices are still gone, it is safe to boot
back into normal mode with networking. If not, repeat the steps above.
8. Run Windows update. Update EVERYTHING.
That should be it. We haven't had any reinfections and the process
above worked for us every time.
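As an added example (not part of the original post or its author's procedure), a read-only PowerShell check for the step 7 verification: it looks only for the file, service, driver and registry names the post lists and reports what is still present. It assumes PowerShell 3.0 or later run from an elevated prompt and deletes nothing.

```powershell
# Added verification script, not from the original post: a read-only check that
# the indicators named in steps 3-5 are gone before leaving safe mode (step 7).
# Assumes PowerShell 3.0 or later run from an elevated prompt. Reports only.

$FilePatterns = @('remon.sys', 'orans.sys', 'sysmanager*', 'eraseme*')
$Names        = @('NETINFO', 'REMON', 'ORANS', 'SYSMANAGER', 'ERASEME')
$findings     = New-Object System.Collections.Generic.List[string]

function Test-Indicator([string]$Text) {
    foreach ($n in $Names) { if ($Text -match $n) { return $true } }
    return $false
}

# Step 3: files, hidden ones included; errors from protected folders are skipped.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $f = $_.Name; ($FilePatterns | Where-Object { $f -like $_ }).Count -gt 0 } |
    ForEach-Object { $findings.Add("FILE     $($_.FullName)") }

# Step 4: services and kernel drivers (Win32_SystemDriver is what Device Manager
# lists under "Non-Plug and Play Drivers" when hidden devices are shown).
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue |
        Where-Object { Test-Indicator $_.Name } |
        ForEach-Object { $findings.Add("$class $($_.Name) state=$($_.State) path=$($_.PathName)") }
}

# Step 5: registry. Service keys by name, and autorun values by name or data.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { Test-Indicator $_.PSChildName } |
    ForEach-Object { $findings.Add("REGKEY   $($_.Name)") }

foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PS* metadata properties
        if ((Test-Indicator $p.Name) -or (Test-Indicator "$($p.Value)")) {
            $findings.Add("REGVALUE $run\$($p.Name) = $($p.Value)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found; the step 7 check passes.'
} else {
    Write-Output 'Indicators still present; repeat the cleanup steps:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once after the reboot in step 7 and again after the final reboot; a clean second run is the signal the post's author describes before returning to normal mode.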
>We just had a round of infections with Hacktool.Rootkit and we found a
>way to clean them from our PC's. Since I looked for hours for decent
>solutions on Google Groups and didn't find anything I thought I'd share
>the solution that worked for us.
>
>** If you are using Windows XP turn off system restore.
>
>1. First off, when the virus hit us Symantec was not able to detect it
>or delete it. So our first step was to uninstall Symantec and install
>Kaspersky Antivirus. You can Google it and find the free personal
>edition trial. Install it and update it on your PC.
Here's another way to get an on-demand scan by the KAV scan engine.
It will automatically update the defs before starting the scanner:
http://www.claymania.com/KASFX.EXE
Art
- After log on to the system, the Symantec anti-virus displayed in the
system tray for a few seconds and then disappeared.
- On the PC (Win 2K Professional), when I do Start > Run > cmd, the
DOS prompt screen just displayed for one second and closed
automatically.
- At Administrative Tools > Event Viewer, it showed an error message
"Hacktool virus ..."
Any more advice to kill the virus is appreciated. :)
Thanks.
I think I have the same virus because I found REMON, ORANS, SYSMANAGER,
ERASEME* in the Registry (step 4). It was deleted successfully.
Basically I followed your steps closely from step 1 to step 6.
The main findings are as follows:
Step 3 1/2: I still used Symantec antivirus to scan and found
C:\WINNT\System32\winsass.exe. It was quarantined successfully.
Step 4: stated in the 2nd paragraph of this posting.
I stopped at step 7 last night (at home). I will continue the battle
with this virus tonight or tomorrow.
Is step 8 (Windows Update) important? I am using a 56K modem which is
too slow to do Windows Update. Do you have any idea whether we can
download all the Windows patches in a file (or files), copy them to my
home PC, and then do an "offline" Windows Update? My home PC is
Win2K Prof SP4.
What anti-virus software are you using? Still Kaspersky Antivirus?
I have downloaded the trial version. However, I do not know how to
update the virus definitions. I do not quite understand the
instructions to update the virus definitions.
Thanks.
As far as updating Kaspersky virus definitions - there is a Settings
tab in the program. When you open that up there will be a link for
configuring updates. You can either manually download and install them
from a folder or directly from the internet. Either way works fine.
Regarding windows update... here is the specific patch you need for
Win2KSP4: KB835732.
Please remember to follow the instructions above exactly. Do not boot
back to normal mode until it says so. Everything should be done in safe
mode with networking. Good luck!