TechSpot

Sorry if posted before need help tho !!

By sexydevil.
Sep 19, 2005
  1. Hello btw im new here , and im not so good with computers.

    2 days ago i got this nasty Hacktool.Rootkit in remon.sys

    im have been reading abit in other threads but im not sure how to go about this , in what order and how to know what to remove.

    all help is welcome.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    DAP.EXE
    Pami.exe
    mwsoemon.exe
    swdoctor.exe
    taskcntr.exe


    Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
    C:\Program Files\DAP\DAP.EXE <<==(DownloadAccelleratorPlus = adware/spyware)
    C:\Program Files\MyWebSearch\SrchAstt\1.bin\
    C:\Program Files\Spyware Doctor\swdoctor.exe (not spyware, but lousy program)

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    taskcntr.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [Sprwpsx] C:\Program Files\Oytbcye\Pami.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYSE
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114505838234
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    To check the Rootkit:
    http://www.trendmicro-middleeast.co...p?LYstr=VMAINDATA&vNav=1&VName=TROJ_ROOTKIT.N

    You should install SP2 since it will give you a better protection and you are patched for the latest vulnerabilities.

    For a clean, free downloader go to www.stardownloader.com
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...