Help with removal of hacktool.rootkit

Discussion in 'Virus and Malware Removal' started by eyzia, Sep 10, 2005.

  1. eyzia Newcomer, in training

    Hi

    My laptop is infected with hacktool.rootkit. It says there is a file "orans.sys" in my windows/system32 folder but I cannot see it even after I turn on "show all files and folders, including hidden systems".

    It also keeps directing me to this website:

    http://217.170.4.137/_vti_bin/index.html

    Here is my HJT scan log.

    I did an Ad Aware scan, Spybot scan, Crap Cleaner and Kaspersky scan (which reported I had 6 viruses and 374 infected files). I also installed Windows Updates and Windows XP Service Pack 2.

    Please help.

  2. RealBlackStuff Newcomer, in training Posts: 8,165

    That website belongs to: WINDONET-NL in the Netherlands.

    For Rootkit (not visible in your log!) go here:
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    restore.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    restore.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    Fix ALL your O16 - DPF: entries
    O23 - Service: restore - Unknown owner - C:\WINDOWS\restore.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.
  3. eyzia Newcomer, in training

    Hi! Thanks for the quick response. I followed your instructions, but I did not come across the line:
    O23 - Service: restore - Unknown owner - C:\WINDOWS\restore.exe,
    so I could not "fix" it.

    After that, I did another Ewido scan, and deleted all the viruses found, and I did another Kaspersky scan after that. I attach the Kaspersky scan as an attachment.

    The problem now is that Kaspersky still found the C:\WINDOWS\restore.exe file! The file is still there! And also, it still found backdoors and trojans on my computer.

    What should I do?
  4. RealBlackStuff Newcomer, in training Posts: 8,165

    When done, from between the above dotted lines, delete the highlighted bold files.
    Didn't I tell you to delete restore.exe?

    The files that Kaspersky found are lurking, waiting to be activated. So let Kaspersky fix them!

    To fix Trojans, see How to remove Trojans and its ilk!
  5. habaan Newcomer, in training

    Hi, I have the same problem... here is the log from HJT. Please help me. The file which keeps causing the problem is remon.sys in the system32 dir.

  6. RealBlackStuff Newcomer, in training Posts: 8,165

     
  7. Vigilante TechSpot Paladin Posts: 2,120

    That's odd, this thread was in my subscribed threads list, but it doesn't look like I said anything here! Weird. Unless I made a post that got deleted?
    What's up with that?
  8. Jekkoy Newcomer, in training

    Actually, I am experiencing the same problem with the same file, remon.sys.
    I searched for remon.sys over the registry and I found several traces of it, so I deleted them. After I restarted the computer, it keeps on coming back. I also have this expl0re.exe running in my task manager.

    These viruses cause my system to crash :(
    Pls help.


    :(

  9. Vigilante TechSpot Paladin Posts: 2,120

    Have you guys used Sysinternals RootkitRevealer? Download from http://www.sysinternals.com/utilities/rootkitrevealer.html

    Once you identify the bad files, boot to recovery console and delete them. The files may be hidden so you have to use the command attrib to take off system and hidden attributes.

    For example, say your virus is "c:\windows\system32\virus.exe"

    When you enter Recovery Console, you start at the prompt as such. Type what is in bold.

    C:\Windows> cd system32
    C:\Windows\System32> attrib -H virus.exe
    C:\Windows\System32> attrib -S virus.exe
    C:\Windows\System32> attrib -R virus.exe
    C:\Windows\System32> del virus.exe

    After you type the last line it will just skip one line (like a space). If any command doesn't work, or says the file is missing or can't be found, etc., move on to the next file.

    Note that in Recovery Console, you can NOT edit anything outside the "Windows" folder. So you can't delete a file if it is in just "C:\virus.exe".

    Once your files are deleted, go back in to Safe Mode and double check that traces of it are gone from registry, and that rootkitrevealer turns up clean.
  10. habaan Newcomer, in training

    Problem solved!
    .....
    It was that sysmanager.exe in my log... after I fixed it with HJT, remon.sys never came back...
    ..anyway, thank you for the brief help.
  11. RealBlackStuff Newcomer, in training Posts: 8,165

    Oops, I missed that, sorry. :blush:
  12. Jekkoy Newcomer, in training



    What did you do with that file? I also have that one here.
  13. habaan Newcomer, in training

    I deleted the sysmanager.exe process with the HJT program... but it's best to post your log from HJT here.
  14. NoCorndogs Newcomer, in training

    Hi guys, I'm having the same problem with System32\Remon.sys

    Here's my HJT.
    Thanks for any help.

  15. Jekkoy Newcomer, in training

  16. Jekkoy Newcomer, in training


    Thanks man, but my hjt log was actually on my first post ^^^ :)
  17. NoCorndogs Newcomer, in training



    Thanks, I'm pretty sure I cleared the nail.exe one up, but I still need help with the remon.sys rootkit; everything I tried, which I'm sure wasn't much, didn't do anything.

    If you guys could find it on my HJT that would be great.
  18. volodos Newcomer, in training

    I have the same problem with remon.sys, I deleted it in DOS mode but when I entered Windows it was running again. Here is my HJT log, can you please help? I'm getting crazy!!!


    Logfile of HijackThis v1.99.1
    deleted
  19. RealBlackStuff Newcomer, in training Posts: 8,165

  20. RealBlackStuff Newcomer, in training Posts: 8,165

    NoCorndogs

    First follow my post How to remove Aurora/Nailfix

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    javapanel.exe
    nail.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    javapanel.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    This is a server from Best Buy, needs to be 'fixed'.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.
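    The HJT lines in this thread each map to a Windows persistence point: F2 Shell= is the Winlogon Shell value, R1 ProxyServer is the per-user IE proxy, O23 is a service, and the hidden .sys/.exe files are Hidden+System entries in System32. The PowerShell below is an added reviewer's example (not from this thread or from HijackThis) that enumerates those same points so they can be reviewed before anything is fixed; it assumes an elevated prompt, and the names restore.exe, javapanel.exe and Nail.exe are taken from this thread only as illustration.

```powershell
# Added example: review the persistence points the HJT entries above refer to.
# Run elevated. It only reports; it does not change or delete anything.
$winDir = $env:SystemRoot   # typically C:\WINDOWS

# F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
# The Winlogon Shell value should be plain "Explorer.exe"; anything appended runs at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    Write-Warning "Winlogon Shell has been altered: $shell"
}

# R1 - ...\Internet Settings,ProxyServer = 168.94.74.68:8080
# An unexpected proxy silently routes all IE traffic through a third party.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -eq 1) {
    Write-Warning "IE proxy enabled: $($proxy.ProxyServer)"
}

# O23 - Service: restore - Unknown owner - C:\WINDOWS\restore.exe
# Legitimate services live under System32 or Program Files; a binary sitting
# directly in the Windows root (restore.exe, javapanel.exe in this thread) is suspect.
$rootExe = '^' + [regex]::Escape($winDir) + '\\[^\\]+\.exe'
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and (($_.PathName -replace '"', '') -match $rootExe)
} | ForEach-Object {
    Write-Warning ("Service '{0}' ({1}) runs {2}, state {3}" -f
        $_.Name, $_.DisplayName, $_.PathName, $_.State)
}

# Hidden+System files in System32 (what "show hidden and system files" reveals).
# Caveat: a kernel rootkit that filters directory listings hides its files from
# this API call as well; that is why RootkitRevealer compares the API view with a
# raw read of the volume, and why the Recovery Console route above works.
Get-ChildItem -Path "$winDir\System32" -Force -File |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [IO.FileAttributes]::System)
    } |
    Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize
```

    Compare the last table against a known-clean machine of the same Windows version: a handful of Microsoft-owned hidden system files is normal, a recently written .sys or .exe that no clean machine has is what to look at.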