Help with removal of hacktool.rootkit

Hi

My laptop is infected with hacktool.rootkit. It says there is a file "orans.sys" in my windows/system32 folder, but I cannot see it even after I turn on "show all files and folders, including hidden system files".

It also keeps directing me to this website:

http://217.170.4.137/_vti_bin/index.html

Here is my HJT scan log.

I did an Ad-Aware scan, Spybot scan, Crap Cleaner and Kaspersky scan (which reported I had 6 viruses and 374 infected files). I also installed Windows Updates and Windows XP Service Pack 2.

Please help.
 

Attachment: HJT Scan log.txt (5 KB)
That website belongs to: WINDONET-NL in the Netherlands.

For Rootkit (not visible in your log!) go here:
http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
restore.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
restore.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
Fix ALL your O16 - DPF: entries
O23 - Service: restore - Unknown owner - C:\WINDOWS\restore.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
 
Hi! Thanks for the quick response. I followed your instructions, but I did not come across the line:
O23 - Service: restore - Unknown owner - C:\WINDOWS\restore.exe,
so I could not "fix" it.

After that, I did another Ewidos scan, and deleted all the viruses found, and I did another Kaspersky scan after that. I attach the Kaspersky scan as an attachment.

The problem now is that Kaspersky still found the C:\WINDOWS\restore.exe file! The file is still there! And also, it still found backdoors and trojans on my computer.

What should I do?
 
Hi, I have the same problem... here is the log from HJT. Please help me. The file which keeps causing the problem is remon.sys in the system32 dir.
 

Attachment: hijackthis.txt (4 KB)
That's odd, this thread was in my subscribed threads list, but it doesn't look like I said anything here! Weird. Unless I made a post that got deleted?
What's up with that?
 
habaan said:
Hi, I have the same problem... here is the log from HJT. Please help me. The file which keeps causing the problem is remon.sys in the system32 dir.


Actually, I am experiencing the same problem with the same file, remon.sys.
I searched for remon.sys over the registry and found several traces of it, so I deleted them. After I restarted the computer, it keeps coming back. I also have this expl0re.exe running in my Task Manager.

This virus causes my system to crash :(
Please help.


:(
 

Attachment: hijackthis.txt (7.4 KB)
Have you guys used Sysinternals RootkitRevealer? Download from http://www.sysinternals.com/utilities/rootkitrevealer.html

Once you identify the bad files, boot to the Recovery Console and delete them. The files may be hidden, so you have to use the attrib command to take off the system and hidden attributes.

For example, say your virus is "c:\windows\system32\virus.exe"

When you enter Recovery Console, you start at the prompt as such. Type what is in bold.

C:\Windows> cd system32
C:\Windows\System32> attrib -H virus.exe
C:\Windows\System32> attrib -S virus.exe
C:\Windows\System32> attrib -R virus.exe
C:\Windows\System32> del virus.exe

After you type the last line it will just skip one line (like a space). If any command doesn't work, or says the file is missing or can't be found, etc., move on to the next file.

Note that in Recovery Console, you can NOT edit anything outside the "Windows" folder. So you can't delete a file if it is in just "C:\virus.exe".

Once your files are deleted, go back in to Safe Mode and double check that traces of it are gone from registry, and that rootkitrevealer turns up clean.
 
Problem solved!
.....
It was that sysmanager.exe in my log... after I fixed it with HJT, remon.sys never came back...
.. anyway, thank you for the brief help.
 
habaan said:
Problem solved!
.....
It was that sysmanager.exe in my log... after I fixed it with HJT, remon.sys never came back...
.. anyway, thank you for the brief help.



What did you do with that file? I also have that one here.
 
Hi guys, I'm having the same problem with System32\Remon.sys

Here's my HJT.
Thanks for any help.
 

Attachment: hijackthis.txt (4.7 KB)
I have the same problem with remon.sys. I deleted it in DOS mode, but when I entered Windows it was running again. Here is my HJT log, can you please help? I'm going crazy!!!


Logfile of HijackThis v1.99.1
deleted
 
NoCorndogs

First follow my post How to remove Aurora/Nailfix

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
nail.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
This is a server from Best Buy, needs to be 'fixed'.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
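An added example, not code from the thread or from HijackThis: a small triage script that flags the HJT entry types the replies above tell people to "fix" (an F2 Shell= line with an extra program, an R1 ProxyServer value, and O23 services with an unknown owner running straight out of the Windows directory or using one of the filenames named in this thread). The sample log consists of the entries quoted in the posts above plus one constructed benign O23 line; the SUSPECT_FILES list is compiled from the posts and is an assumption, not a vendor signature.

```python
import re

# Filenames the posts in this thread identified as part of the infection (assumption).
SUSPECT_FILES = {"remon.sys", "orans.sys", "sysmanager.exe", "taskcntr.exe",
                 "iexpl0re.exe", "expl0re.exe", "restore.exe", "javapanel.exe", "nail.exe"}

def triage_hjt_line(line):
    """Return a short reason if a HijackThis log line matches one of the
    patterns singled out in this thread, otherwise None."""
    line = line.strip()
    # F2: system.ini Shell= should be explorer.exe alone; anything after it is injected.
    m = re.match(r"F2 - REG:system\.ini: Shell=(.+)", line, re.I)
    if m:
        extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
        return "shell hijack: " + ", ".join(extra) if extra else None
    # R1: a ProxyServer value silently routes browser traffic through that host.
    m = re.match(r"R1 - .*ProxyServer = (\S+)", line, re.I)
    if m:
        return "proxy set to " + m.group(1)
    # O23: services with no vendor whose binary sits directly in the Windows dir.
    m = re.match(r"O23 - Service: (.*?) - (.+?) - (.+)$", line, re.I)
    if m:
        owner, path = m.group(2), re.sub(r"\s*\(file missing\)$", "", m.group(3))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SUSPECT_FILES:
            return "known-bad service binary " + name
        if owner.lower() == "unknown owner" and re.fullmatch(r"c:\\win(dows|nt)\\[^\\]+", path, re.I):
            return "unknown-owner service in the Windows dir: " + path
    return None

def triage_hjt_log(text):
    """Run triage_hjt_line over a whole log; returns [(line, reason), ...]."""
    hits = []
    for raw in text.splitlines():
        reason = triage_hjt_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits

# Constructed sample log: entries quoted in this thread plus one benign O23 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe
O23 - Service: Example Service - Example Vendor Inc. - C:\WINDOWS\system32\example.exe
"""

if __name__ == "__main__":
    for line, reason in triage_hjt_log(SAMPLE_LOG):
        print(f"{reason:45s} <- {line}")
```

A hit only means the entry deserves a look; as the replies above show, the same entry can also be checked by hand in services.msc before it is fixed.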
 
same problem here

I am also having problems with remon.sys, which is detected as a hacktool.rootkit,
and every time it is detected it removes all the hidden shares on the machine.
It also creates 2 lines in the registry, AutoShareServer and AutoShareWks, which I delete every time.
I tried different software to remove the problem with no good result.
HJT does not detect anything significant.

I tried in recovery mode to change the attrib of remon.sys, but I cannot find it anywhere.

I have read most of the posts here and I cannot find any of the files listed in the posts. Any help would be appreciated.
 

Attachment: hijackthis.txt (3.8 KB)
As for the remon.sys, I think I've already gotten rid of it by deleting sysmanager.exe and remon.sys in the registry and in the C:\windows folder.

You should also stop its system process. Open msconfig > Services and look for Windows System Manager. Uncheck that process, restart your PC in safe mode, and delete sysmanager.exe and remon.sys, which are located at C:\windows\system32 (make sure that all of the protected operating system files are shown: Tools > Folder Options > View).
 
patou

O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe

- remove all the registry entries of taskcntr.exe
- stop its process (open msconfig > Services and uncheck TASKEV)
- restart your computer in safe mode and delete that file (located at C:\winnt)
- you might want to check out sysmanager.exe and remon.sys, if there are some entries in the registry.


Check if you have these files. I don't trust them:

taskcntr.exe -
sysmanager.exe - look closely at the Task Manager, you will see this running on and off.
remon.sys
iexpl0re.exe
 