TechSpot

Hacktool.Rootkit in Sys32/Remon.sys file

By ggb
Sep 20, 2005
  1. This was identified by Norton during a system scan. I have tried to delete the file in Safe mode but it reappears, nor will Norton remove it. I am hoping that someone will peruse my HJT log file and see where/what I can remove.
    Or, suggest how I can do this via other methods in Windows 2000 Pro?

    Thanks.

    ggb
     

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    How about posting a proper HJT log?
     
  3. ggb

    ggb TS Rookie Topic Starter

    Ooops!

    Thought that I did that. Sorry 'bout that!
    Try this one please.

    ggb
     

    Attached Files:

  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    taskcntr.exe
    zrnsw.exe
    PowerReg Scheduler.exe

    Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
    Spyware Doctor, it's a rubbish program

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    taskcntr.exe
    zrnsw.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O4 - HKLM\..\RunServices: [vqwa] zrnsw.exe
    O4 - Startup: PowerReg Scheduler.exe
    FIX all your O16 - DPF: entries
    O23 - Service: TASKESV - Unknown - C:\WINNT\taskcntr.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal.

    Rootkit:
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
     
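    As an added example (not RealBlackStuff's or the thread's own code), a small Python script that parses HijackThis-style log lines and flags the kinds of entries listed above: it matches the file names named in this post, flags every O16 DPF entry, and, as an extra heuristic not in the post, also flags O23 services whose publisher field reads "Unknown". The sample log lines, and the CLSID and URL in the O16 entry, are constructed placeholders.

```python
import re

# Constructed sample HJT log lines, modelled on the entries quoted in the thread.
# The O16 CLSID and URL are placeholders, not real values.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\RunServices: [vqwa] zrnsw.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {PLACEHOLDER-CLSID} (Example Control) - http://example.invalid/control.cab
O23 - Service: TASKESV - Unknown - C:\\WINNT\\taskcntr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\navapsvc.exe
"""

# File names the thread identifies as belonging to this infection (lower-case for matching)
SUSPECT_FILES = ("taskcntr.exe", "zrnsw.exe", "powerreg scheduler.exe", "remon.sys")

# HJT entries look like "O4 - <body>", "O23 - <body>", etc.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt_line(line):
    """Split one HJT log line into (section, body); None if it is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def flag_entries(log_text):
    """Return a list of (section, body, reason) for entries the advice above would act on."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, body = parsed
        lower = body.lower()
        if section == "O16":
            # The post says to fix all O16 DPF (downloaded program file) entries
            findings.append((section, body, "O16 DPF entry: fix all of these"))
            continue
        hit = next((f for f in SUSPECT_FILES if f in lower), None)
        if hit:
            findings.append((section, body, "references suspect file " + hit))
        elif section == "O23" and " - unknown - " in lower:
            # Added heuristic: a service with no identifiable publisher deserves a look
            findings.append((section, body, "service with unknown publisher"))
    return findings


if __name__ == "__main__":
    for section, body, reason in flag_entries(SAMPLE_LOG):
        print(section, "-", body, "=>", reason)
```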
  5. ggb

    ggb TS Rookie Topic Starter

    Re: Hacktool.Toolkit

    Thanks RealBlackStuff. Appreciated!
    I will follow your instructions and let you know if there is a problem. Interesting that you describe Spyware Doctor as rubbish. I always thought that it was doing OK but what do I know????

    Cheers.

    ggb

    As a side-note, I ran Norton last night after updating it and removing all of the internet temp files. It found nothing this time so I went to c:/winnt/system32 and the remon.sys file was still there but contained 0 kb now. I was even able to rename it remonsys.old without a problem and I have not found any working conflicts as a result. Go figure ????
     
  6. BrentzJohnson

    BrentzJohnson TS Rookie

    I have the same problem remon.sys

    G'day. I have been trying to get rid of this hacktool.rootkit and following the iceweasel thread.
    I thought I got rid of it a couple of times but it seems to re-install when I open IE, but only when online again using Firefox. I wonder if RealBlackStuff can review my HJT log.

    much appreciated.

    BZJ
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503
