
How to remove Hacktool.Rootkit Antivirus from a system

Created: 22 Jul 2009 | 5 comments
Author: Prashant Sinha

Hello Friends,

I am very new to these types of forums and this is my first article on any issue.

I am working as a software engineer with an esteemed organization. I am currently in the US on the client side and I faced Hacktool.Rootkit last week; I had to spare my weekend for the removal of this. This virus made my system so slow that I could not even open a simple Notepad in normal mode.

Since I am here, I could not ask for a Windows repair, as my laptop was configured in India and it was not possible for IT here to provide me everything. Therefore, I had to work hard by myself to remove it. But the best thing was, I was getting Internet access in the SAFE MODE WITH NETWORKING boot. This helped me a lot in trying so many things.

I am currently using SYMANTEC ENDPOINT PROTECTION (corporate virus protection).

This virus comes from an infected file or link (generally sent by someone whose ID has already been attacked once). One more interesting thing I found is that this virus attacks where IE (Internet Explorer) is used the most.

So after googling around for the whole day and trying so many things, I came to the following solution, which I think will work for you all as well:

1. First of all, restart your system in SAFE MODE and then turn off all the System Restores by going through My Computer --> Properties --> System Restore --> Turn Off System Restore for all drives.

2. Make all the folders and subfolders (hidden and unhidden ones) viewable.

3. Check C:\Documents & Settings and check each of the subfolders, even the hidden ones. Since this virus is used to hack passwords, it generally makes a folder in this directory only.

4. There you will find some suspicious file (on my system it was a shield icon on the task bar and a folder like 12343456 something in C:\Documents & Settings\All Users\Application Data) which will have a link on the desktop and in the task bar as well. This can be judged by looking at which icon it is using in the task bar. Delete that folder.

5. Then run the antivirus on your system.

6. Download Malwarebytes Anti-Malware from http://malwarebytes.org/ since this virus creates registry entries as well.

7. Then restart the system in normal mode with System Restore off.

8. Execute Malwarebytes and scan the whole system. It is pretty fast, will do all the scanning within a few minutes, and will ask to remove and repair the infected registry entries. Allow it.

9. Then execute the antivirus on your machine in full mode.

10. Turn System Restore ON and restart your system.

This is what I used and it worked fine. And my experience says that this article will help everyone who is active.
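The manual look-around in steps 2 to 4 can be scripted as a read-only check. The PowerShell function below is an added example, not code from the original post or from Symantec; it assumes the XP-era paths the post mentions and the all-numeric folder name described there, and it only reports what it finds.

```powershell
# Added example, not part of the original post or any Symantec tool.
# Read-only triage for the pattern described in steps 2-4: an all-numeric,
# possibly hidden folder under the all-users Application Data directory and
# any desktop shortcut whose target points into it. Nothing is deleted.
# The two default paths are the XP-era locations the post mentions
# (assumption); on Vista and later the equivalent is $env:ProgramData.

function Find-SuspectDataFolders {
    param(
        [string]$AppData = 'C:\Documents and Settings\All Users\Application Data',
        [string]$Desktop = 'C:\Documents and Settings\All Users\Desktop'
    )

    # -Force lists hidden and system entries, the same ones step 2 makes visible.
    $suspects = Get-ChildItem -LiteralPath $AppData -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' }

    # WScript.Shell resolves .lnk targets without launching them.
    $shell = New-Object -ComObject WScript.Shell
    $links = Get-ChildItem -LiteralPath $Desktop -Filter '*.lnk' -Force -ErrorAction SilentlyContinue

    foreach ($dir in $suspects) {
        $prefix = $dir.FullName.TrimEnd('\') + '\'
        $pointing = $links | Where-Object {
            $shell.CreateShortcut($_.FullName).TargetPath -like "$($prefix)*"
        }
        # Executable content inside the folder is what step 4's icon belongs to.
        $binaries = Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force `
            -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue

        New-Object PSObject -Property @{
            Folder       = $dir.FullName
            Hidden       = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
            Created      = $dir.CreationTime
            Binaries     = @($binaries | ForEach-Object { $_.FullName })
            DesktopLinks = @($pointing | ForEach-Object { $_.Name })
        }
    }
}

# A hit here is a lead to review, not proof; compare it with the scanner's report.
Find-SuspectDataFolders | Format-List
```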

Comments (5)

bhopps:

I would not bother with downloading from malwarebytes.org if you have the Symantec client. Just restart the device in safe mode and run the SEP full scan.

Jeremy Dundon:

According to the official Symantec write-up for that threat, "If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system."

Because of this you can never be 100% certain that there is no backdoor on the system, and the best course of action is to reinstall the OS or image the machine (after getting the user's data off, of course).

MacGuru:

Coincidentally, one of my friends just had this... I didn't think of this (re-imaging; I was mostly trying to avoid it) when one of my friends had it, so I tried removing it on my own and with a bunch of random programs, and as of now it all seems to be working fine. Never thought of a backdoor... I'll have to keep an eye on it as of now.

Vikram Kumar-SAV to SEP:

Why use a different antimalware when SEP is already detecting it? Update with RapidRelease and run a full scan; there is a 99% chance that the other threat files will get detected and deleted.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.
