Hacktool.rootkit and remon.sys

By Geron
Sep 21, 2005
  1. I have never used HJT before so I am abit afraid to delete the wrong files.

    After having read alot of threads here it seams like there is alot of different versions of this Hacktool.Rootkit pice of *#& :evil: #!

    Well, here is a HJT log. I hope any of you guys could help me out on this. :)

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Go and have your PC scanned with this first!
    Wincore = Worm SDBOT.BHE and is very bad for your PC's health, see this:

    C:\Documents and Settings\HEM\Skrivbord\hijackthis\HijackThis.exe
    Next, put HijackThis in e.g C:\Program Files\HJT and NOT on the Desktop/Skrivbord!.

    Boot in Safe Mode, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [Configuration Loader] wincore.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] wincore.exe
    O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal.
  3. Geron

    Geron TS Rookie Topic Starter

    Thanks for taking your time on this.

    I will do what you say and post another hjt file here, so that awesome people like you can corect me if I have mised somthing out. :D

    Thanks again! /Geron
  4. btkurians

    btkurians TS Rookie

    Hacktool.Rootkit.... Please Help!

    My Colleague's laptop has remon.sys file in his System32 directory, which Norton AV reports that, infected by Hacktool.rootkit. The Internet Explorer does not open any sites & his messages are not going thru Outlook Express. I tried to fix the 'unknown owner' entries thru HJT. But this did not solve the problem. I noticed taskcntr.exe in the processes tab of taskmanager. When I clicked to stop, the Norton AV alert came fot the Hacktool.rootkit. & went into a loop. I could not find the file C:\windows\taskcntr.exe as indicated in the HJT report. I am confused what to do. Please Help...

    HJT scan report is attached.

    Please advice.

    Attached Files:

  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503


    these ara the baddies:
    O4 - HKLM\..\Run: [Quick Time Video Codec] qtime32.exe
    O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINDOWS\security\java\rsvsp.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
  6. Mahzer

    Mahzer TS Rookie

    Definatley have seen the taskcntr myself.. Tricky lil **** to get rid of.. specially since it incorporates itself into windows.
    But followed some of the advise on here on how to "contain" the problem. spybot definately helps alot. And have noticed that my blackice stops the server. Aside from that.. I am still at a loss myself.. from what I have gathered so far. the best way to totally get rid of the problem is just to totally format.
    if anyone has any ideas above that.. let me know please. :)
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    If an HJT-log says (for BAD files):
    O4 - HKLM\..\Run: ... you stop the Process (Ctrl-Alt-Del)
    O4 - HKLM\..\RunServices: ... you stop the Process AND the Service (services.msc)
    These Runservices are repeated under:
    O23 - Service: ...
    All 3 types need to be 'fixed' with HJT.
    Then delete the files concerned.

    No need to reformat.
  8. btkurians

    btkurians TS Rookie

    Thank You Very Much. But remon.sys still exists

    Thank you guys. The procedure you suggested has worked & the bad entries were deleted :) Now the laptop can open websites. However I have noticed that the "remon.sys" still exists in the System32 directory & is still infected by Hacktool.rootkit. (As per Norton AV) Is there any hope to remove this menace?

    Please advice
    Thank you once again

    Attached the latest HJT Scan Report
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I can't find enough info about these:
    O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe

    O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Best Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe

    If you don't know them, uninstall/delete.

    And for rootkit go here, HJT can NOT help you:
  10. btkurians

    btkurians TS Rookie

    Thanks for the advice.
    The link mentioned (SLXServer.exe & SLXSearchService.exe) are known to me & are required.

    I was checking on my desktop & found entries like
    O10 - Hijacked Internet access by New.Net
    Are they troublesome? Please advice

    HJT scan report is attached
    Please help

    Thanks in advance
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  12. paulymazz

    paulymazz TS Rookie

    Hacktool.rootkit infection. Need help!

    I am a recent victim of a link on AIM that gave me a hacktool.rootkit virus. I'm pretty new with virus removal so I would greatly appreciate any help possible! Norton's will not remove and I am not clear as how to proceed with removal. Thanks in advance for any help available.
    log file below:
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503


    Follow these instructions EXACTLY and put HijackThis in e.g C:\Program Files\HJT and NOT in Temp or on the Desktop!.
    Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

    While there, fix all your R0, R1, O16 as wellas the other items indicated in that post!
    And follow the lockx.exe-specific instructions from this post:

    My advise: get rid of all those AIM and Yahoo toolbars and STOP using IE.
  14. paulymazz

    paulymazz TS Rookie

    Thank you so much for your time and advice! I have read your suggested links and I feel much more comfortable with what needs to be done. I will follow your advice for cleaning and re post my HJT file when done. Again, thank you so much for taking time to help and provide good counsel.

    also, thanks for the advice on not using AOL and yahoo toolbars, and I dont use IE either. I'm a firefox supporter.
  15. addman8

    addman8 TS Rookie


    I am also experiencing the remon.sys hacktool rootkit.

    I attached my HJT log...any thoughts??
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions.

    Then, go HERE and follow the instructions in the order they are given.

    Open a new thread in this forum and post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...