Hacktool.rootkit "orans.sys" and "WS2.spybot.worm"

[simeon]

Norton detected (but cannot remove) "hacktool.rootkit C:\windows\system32\orans.sys" and "WS2.spybot.worm "C:\ismo.exe"

Also - the spybot worm has changed around a bit - used to be this file called "nbudp64.exe" which had cropped up in the HJT report.

Have gone through cleanup, Norton, adaware (with custom settings), spybot, CW shredder 2.15, Spy sweeper, spyware blaster, Ewido, Kapersky, winsockxp fix and now feel its time to unleash HJT reports.

Please help. Attached are the HJT report and Kapersky result - although kapersky found loads of stuff I was not offered the chance to remove it all - strange...

Yes I have read the other posts etc... I need someone to look at my HJT report. Please Realblackstuff, help me out like you did the others! :grinthumb

 

[RealBlackStuff]

I would not have any objections, BUT, where the f... are those logs?

 

[simeon]

ooops - here they are:

Sorry - I realised why I could not attach hijack this file.

Apologies - here it is this time!

Please help Realblackstuff!

 

[RealBlackStuff]

That KAV file is useless.

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
wordpad.exe
rmctrl.exe
msdos.pif
nbupd64.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
wordpad.exe
msdos.pif
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126728404611
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: wordpad - Unknown owner - C:\WINDOWS\wordpad.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.

HJT does nothing for Rootkits. See this:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N

 

[simeon]

Thanks but...

I proceeded to do what you wrote but the processes you described were not there! So I could not end them. However, nbup64.exe is still in the hijack this log. Could you recheck this log to make sure I should definately be seeing these processes? I have obviously restarted since so perhaps they won't be there this time.

Attached is the latest HJT Log.


For the hacktool.rootkit ("orans.sys" in system 32 folder) you said to useTrend micro (the url you left) but it found nothing (i disabled system restore for the scan too) - and the file is still there in system 32 and Norton keeps finding it unable to delete it.

Please help.

 

[RealBlackStuff]

You need to get rid of these, as per method of my previous message

O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif