Hacktool.rootkit and remon.sys

I have never used HJT before so I am a bit afraid to delete the wrong files.

After having read a lot of threads here it seems like there are a lot of different versions of this Hacktool.Rootkit piece of *#& :evil: #!

Well, here is a HJT log. I hope any of you guys could help me out on this. :)
 

Attachment: hijackthis.txt
Go and have your PC scanned with this first!
http://www.trendmicro-middleeast.com/consumer/products/housecall_pre.php
Wincore = Worm SDBOT.BHE and is very bad for your PC's health, see this:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=3&VName=WORM_SDBOT.BHE

C:\Documents and Settings\HEM\Skrivbord\hijackthis\HijackThis.exe
Next, put HijackThis in e.g. C:\Program Files\HJT and NOT on the Desktop/Skrivbord!


Boot in Safe Mode, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
mslaugh.exe
wincore.exe
sysmanager.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
wincore.exe
sysmanager.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Configuration Loader] wincore.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincore.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal.
 
Thanks for taking your time on this.

I will do what you say and post another HJT file here, so that awesome people like you can correct me if I have missed something out. :D

Thanks again! /Geron
 
Hacktool.Rootkit.... Please Help!

My colleague's laptop has a remon.sys file in his System32 directory, which Norton AV reports as infected by Hacktool.rootkit. Internet Explorer does not open any sites & his messages are not going through Outlook Express. I tried to fix the 'unknown owner' entries through HJT. But this did not solve the problem. I noticed taskcntr.exe in the Processes tab of Task Manager. When I clicked to stop it, the Norton AV alert came for the Hacktool.rootkit & went into a loop. I could not find the file C:\windows\taskcntr.exe as indicated in the HJT report. I am confused what to do. Please Help...

HJT scan report is attached.

Please advise.
 

Attachment: PKP-Laptop.txt
btkurians

These are the baddies:
O4 - HKLM\..\Run: [Quick Time Video Codec] qtime32.exe
O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINDOWS\security\java\rsvsp.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
 
Definitely have seen the taskcntr myself.. Tricky lil **** to get rid of.. especially since it incorporates itself into Windows.
But followed some of the advice on here on how to "contain" the problem. Spybot definitely helps a lot. And have noticed that my BlackICE stops the server. Aside from that.. I am still at a loss myself.. from what I have gathered so far, the best way to totally get rid of the problem is just to totally format.
if anyone has any ideas above that.. let me know please. :)
 
If an HJT-log says (for BAD files):
O4 - HKLM\..\Run: ... you stop the Process (Ctrl-Alt-Del)
O4 - HKLM\..\RunServices: ... you stop the Process AND the Service (services.msc)
These Runservices are repeated under:
O23 - Service: ...
All 3 types need to be 'fixed' with HJT.
Then delete the files concerned.

No need to reformat.
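As an added example (not code from this thread, from HijackThis, or from TechSpot), here is a small Python triage script that covers both the step-by-step cleanup post above (End Process, services.msc, Fix Checked, delete the file) and the three-line rule just given for O4 Run, O4 RunServices and O23 entries. It parses the two HJT line formats quoted in the thread, flags the indicators the helpers react to (Unknown owner, file missing, bare executable names, Temp paths) and prints the containment order for each entry type. The regular expressions, the `Entry` fields and the flag heuristics are my assumptions about the HJT format, based only on the lines quoted in this thread; the sample log lines are copied from the thread's posts, and a flag means "verify", not "malware" (the SalesLogix services score zero).

```python
"""Added example (not HijackThis code): triage the O4/O23 lines of an HJT log and
map each entry to the containment order given in this thread."""
import re
from dataclasses import dataclass

# Assumed grammar of the two HJT line types quoted in the thread; other O-sections
# (O10, Global Startup .lnk lines, etc.) are deliberately left unparsed.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<image>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<image>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Entry:
    kind: str              # "O4-Run", "O4-RunServices", "O4-RunOnce" or "O23"
    name: str              # registry value name or service display name
    image: str             # executable exactly as logged (bare name or full path)
    owner: str = ""        # O23 only: the publisher HJT reports
    file_missing: bool = False


def parse_line(line):
    """Return an Entry for an O4/O23 line, or None for anything else."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Entry("O4-" + m["key"], m["name"], m["image"])
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["display"], m["image"], m["owner"],
                     m["missing"] is not None)
    return None


def flags(entry):
    """Indicators the helpers in the thread treat as grounds for a closer look.
    Heuristics only (an assumption of this example): a hit means 'verify'."""
    reasons = []
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        reasons.append("service has no publisher")
    if entry.file_missing:
        reasons.append("service points at a file that no longer exists")
    if "\\" not in entry.image:
        reasons.append("bare executable name with no path")
    if re.search(r"\\temp\\", entry.image, re.IGNORECASE):
        reasons.append("runs from a Temp directory")
    return reasons


def plan(entry):
    """Containment order from the thread: Run -> end process; RunServices ->
    end process and stop/disable the service; O23 -> stop/disable the service;
    then Fix Checked in HJT and delete the file."""
    steps = []
    if entry.kind in ("O4-Run", "O4-RunServices"):
        steps.append("Task Manager: End Process for " + entry.image)
    if entry.kind in ("O4-RunServices", "O23"):
        steps.append("services.msc: Stop the service and set Startup type to Disabled")
    steps.append("HijackThis: tick the entry and click Fix Checked")
    steps.append("Delete the file: " + entry.image)
    return steps


def triage(log_text):
    """Parse every line; return (entry, reasons, steps) for the flagged ones."""
    report = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flags(entry)
        if reasons:
            report.append((entry, reasons, plan(entry)))
    return report


# Sample input copied from the log lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincore.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINDOWS\security\java\rsvsp.exe (file missing)
O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
O10 - Hijacked Internet access by New.Net
"""

if __name__ == "__main__":
    for entry, reasons, steps in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name} -> {entry.image}")
        for r in reasons:
            print("   flag:", r)
        for i, s in enumerate(steps, 1):
            print(f"   {i}. {s}")
```

Run it on a saved HJT log by passing the file's text to `triage()`; the four flagged entries in the sample are the two bare-name O4 values and the two Unknown-owner services, and the SalesLogix lines drop out because they carry a publisher and an existing path.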
 
Thank You Very Much. But remon.sys still exists

Thank you guys. The procedure you suggested has worked & the bad entries were deleted :) Now the laptop can open websites. However I have noticed that the "remon.sys" still exists in the System32 directory & is still infected by Hacktool.rootkit. (As per Norton AV) Is there any hope to remove this menace?

Please advise
Thank you once again

Attached the latest HJT Scan Report
 
I can't find enough info about these:
O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe

O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Best Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe

If you don't know them, uninstall/delete.

And for rootkit go here, HJT can NOT help you:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
 
Thanks for the advice.
The links mentioned (SLXServer.exe & SLXSearchService.exe) are known to me & are required.

I was checking on my desktop & found entries like
O10 - Hijacked Internet access by New.Net
Are they troublesome? Please advise

HJT scan report is attached
Please help

Thanks in advance
 
Hacktool.rootkit infection. Need help!

I am a recent victim of a link on AIM that gave me a hacktool.rootkit virus. I'm pretty new with virus removal so I would greatly appreciate any help possible! Norton's will not remove and I am not clear as how to proceed with removal. Thanks in advance for any help available.
log file below:
 
paulymazz

C:\DOCUME~1\Owner\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
Follow these instructions EXACTLY and put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

While there, fix all your R0, R1, O16 as well as the other items indicated in that post!
And follow the lockx.exe-specific instructions from this post: https://www.techspot.com/vb/topic33967.html

My advice: get rid of all those AIM and Yahoo toolbars and STOP using IE.
 
Thank you so much for your time and advice! I have read your suggested links and I feel much more comfortable with what needs to be done. I will follow your advice for cleaning and re-post my HJT file when done. Again, thank you so much for taking time to help and provide good counsel.

Also, thanks for the advice on not using AOL and Yahoo toolbars, and I don't use IE either. I'm a Firefox supporter.
 
remon.sys

I am also experiencing the remon.sys hacktool rootkit.

I attached my HJT log...any thoughts??
 
Hello and welcome to Techspot.

Go HERE and follow the instructions.

Then, go HERE and follow the instructions in the order they are given.

Open a new thread in this forum and post a fresh HJT log, only after doing the above.

Regards, Howard :wave: :wave:
 