Hacktool.Rootkit


bryanjoe
August 31st, 2007, 06:06 AM
I have this computer that does not have an internet connection.
But it is infected with Hacktool.Rootkit. Each time I reboot, IE opens itself.
Norton Antivirus prompts about the virus, each time quoting a different file as infected...

When I restarted again, the viruses came back...
How do I resolve this?

Meriadoc
August 31st, 2007, 06:28 AM
Well, if I were you I would use a live CD or the RkUnhooker/IceSword anti-rootkit, then you could clean up with antivirus after.

If you are not confident with that, give AVG Anti-Rootkit a run and scan for rootkits. CastleCops (http://www.castlecops.com/f233-Rootkit_Revelations.html) has a forum for removal called Rootkit Revelations.

bryanjoe
August 31st, 2007, 06:41 AM
{QUOTE-> Well, if I were you I would use a live CD or the RkUnhooker/IceSword anti-rootkit, then you could clean up with antivirus after.

If you are not confident with that, give AVG Anti-Rootkit a run and scan for rootkits. CastleCops (http://www.castlecops.com/f233-Rootkit_Revelations.html) has a forum for removal called Rootkit Revelations. <-QUOTE}

I just used the AVG free rootkit scanner, but it did not find any problem...

Meriadoc
August 31st, 2007, 07:06 AM
Have a look at IceSword (http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html)? I don't think there are instructions for RkU use.
Have you an image backup to solve this problem?

bryanjoe
August 31st, 2007, 07:29 AM
{QUOTE-> Have a look at IceSword (http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html)? I don't think there are instructions for RkU use.
Have you an image backup to solve this problem? <-QUOTE}

I don't have any backup...
I don't have any knowledge of the removal process.

Meriadoc
August 31st, 2007, 07:37 AM
{QUOTE-> I don't have any knowledge of the removal process. <-QUOTE}
Then you need a forum like the one above that can review a log.

Hacktool.Rootkit (http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=1)

bryanjoe
August 31st, 2007, 07:47 AM
{QUOTE-> Then you need a forum like above that can review a log.

Hacktool.Rootkit (http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=1) <-QUOTE}

But now Norton does not alert on the Hacktool...
because I disabled System Restore...
and terminated some unknown processes...

Will it be all right?

Meriadoc
August 31st, 2007, 10:29 AM
{QUOTE-> But now Norton does not alert on the Hacktool...
because I disabled System Restore... <-QUOTE}
Yes, a detection in your System Volume Information or System Restore folder can be cleaned by disabling System Restore. Don't forget to re-enable it.

{QUOTE-> Will it be all right? <-QUOTE}
What happens after a reboot? RkUnhooker would have helped here with the processes, but perhaps Norton has cleaned up.
You could also try a second opinion at the ESET (http://www.eset.com/onlinescan/) or Kaspersky (http://www.kaspersky.com/virusscanner) online scan.

HiTech_boy
August 31st, 2007, 02:06 PM
Unfortunately, neither the ESET nor the Kaspersky online scanner can detect active rootkits. The name of the potential threat says a lot.

The Symantec "review" says:
{QUOTE-> If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. <-QUOTE}

{QUOTE-> Hacktool.Rootkit is used to install backdoors on systems. They are made up of a variety of programs and scripts that break into systems and attempt to hide evidence of the intrusion. Attackers use these kits to gain Administrator or Superuser access on vulnerable systems. <-QUOTE}

{QUOTE-> The presence of Hacktool.Rootkit implies that the security of the system has been compromised. The system should be restored from known clean backup copies or patched to restore security. <-QUOTE}


@bryanjoe
The best thing for you is to reinstall your Windows operating system with a full format of the hard drive used for the OS. Make a backup of all necessary documents, take the Windows install CD and follow the procedures. After the reinstall, follow basic security rules such as not connecting to the internet without a firewall or without AV, and update Windows as soon as you connect to the internet. This (http://www.windowsreinstall.com/) is a good site that helps users reinstall their operating systems. Good luck!

Meriadoc
August 31st, 2007, 03:25 PM
{QUOTE-> Unfortunately, neither the ESET nor the Kaspersky online scanner can detect active rootkits. <-QUOTE}
But that's not why I suggest it: with the nature of this infection you may find some other item introduced to the machine, and it would be nice to know. bryanjoe, as HiTech_boy says, you would be better off starting over as you have no backup image/snapshot; maybe best not to trust this machine.

Rilla927
September 1st, 2007, 12:43 AM
I would definitely do a low-level format on that drive before installing Windows on it. Something like DBAN; it's free and you can burn an ISO image to CD or DVD, or use a floppy or USB drive.
http://dban.sourceforge.net/

bryanjoe
September 1st, 2007, 03:50 PM
Actually, this is a second-hand computer. I don't have the Win XP CD.
It doesn't have an internet connection either.

:(

aigle
September 1st, 2007, 08:51 PM
{QUOTE-> I would definitely do a low-level format on that drive before installing Windows on it. Something like DBAN; it's free and you can burn an ISO image to CD or DVD, or use a floppy or USB drive.
http://dban.sourceforge.net/ <-QUOTE}
What's the problem with a simple format during OS reinstall?

HiTech_boy
September 2nd, 2007, 03:08 AM
{QUOTE-> Actually, this is a second-hand computer. I don't have the Win XP CD.
It doesn't have an internet connection either.

:( <-QUOTE}

Then buy your own Windows XP and use it to reinstall the OS. As it is second-hand, it is always better to first format it and start a new clean session. You never know what was hidden by the previous user, and in this case a lot is hidden.