TechSpot

Hacktool.rootkit "orans.sys" and "WS2.spybot.worm"

By simeon
Sep 20, 2005
  1. Norton detected (but cannot remove) "hacktool.rootkit C:\windows\system32\orans.sys" and "WS2.spybot.worm "C:\ismo.exe"

    Also - the spybot worm has changed around a bit - used to be this file called "nbudp64.exe" which had cropped up in the HJT report.

    Have gone through cleanup, Norton, adaware (with custom settings), spybot, CW shredder 2.15, Spy sweeper, spyware blaster, Ewido, Kapersky, winsockxp fix and now feel its time to unleash HJT reports.

    Please help. Attached are the HJT report and Kapersky result - although kapersky found loads of stuff I was not offered the chance to remove it all - strange...

    Yes I have read the other posts etc... I need someone to look at my HJT report. Please Realblackstuff, help me out like you did the others! :grinthumb
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I would not have any objections, BUT, where the f... are those logs?
     
  3. simeon

    simeon TS Rookie Topic Starter

    ooops - here they are:

    Sorry - I realised why I could not attach hijack this file.

    Apologies - here it is this time!

    Please help Realblackstuff!
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    That KAV file is useless.

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    wordpad.exe
    rmctrl.exe
    msdos.pif
    nbupd64.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    wordpad.exe
    msdos.pif
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif
    O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif
    O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
    O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe
    O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126728404611
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: wordpad - Unknown owner - C:\WINDOWS\wordpad.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    HJT does nothing for Rootkits. See this:
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N
     
  5. simeon

    simeon TS Rookie Topic Starter

    Thanks but...

    I proceeded to do what you wrote but the processes you described were not there! So I could not end them. However, nbup64.exe is still in the hijack this log. Could you recheck this log to make sure I should definately be seeing these processes? I have obviously restarted since so perhaps they won't be there this time.

    Attached is the latest HJT Log.


    For the hacktool.rootkit ("orans.sys" in system 32 folder) you said to useTrend micro (the url you left) but it found nothing (i disabled system restore for the scan too) - and the file is still there in system 32 and Norton keeps finding it unable to delete it.

    Please help.
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You need to get rid of these, as per method of my previous message

    O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
    O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe
    O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...