Welcome to the TechSpot OpenBoards. Please read the FAQ if you have any questions. Login to participate.
|
|||||||
Hacktool.rootkit "orans.sys" and "WS2.spybot.worm"
 |
|
|
|
Thread Tools |
|
#1
09-20-2005
|
|||
|
|||
|
Hacktool.rootkit "orans.sys" and "WS2.spybot.worm"
Norton detected (but cannot remove) "hacktool.rootkit C:\windows\system32\orans.sys" and "WS2.spybot.worm "C:\ismo.exe"
Also - the spybot worm has changed around a bit - used to be this file called "nbudp64.exe" which had cropped up in the HJT report. Have gone through cleanup, Norton, adaware (with custom settings), spybot, CW shredder 2.15, Spy sweeper, spyware blaster, Ewido, Kapersky, winsockxp fix and now feel its time to unleash HJT reports. Please help. Attached are the HJT report and Kapersky result - although kapersky found loads of stuff I was not offered the chance to remove it all - strange... Yes I have read the other posts etc... I need someone to look at my HJT report. Please Realblackstuff, help me out like you did the others!  Last edited by simeon; 09-20-2005 at 06:25 AM.. |
|
#2
09-20-2005
|
|||
|
|||
|
I would not have any objections, BUT, where the f... are those logs?
|
|
|
#4
09-20-2005
|
|||
|
|||
|
That KAV file is useless.
Boot in Safe Mode, see how here. Switch System restore OFF, see how here. In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here. Next, open Windows Task Manager by pressing CTRL+ALT+DELETE. Click the Processes tab, select the process (if there) and click End Process for: wordpad.exe rmctrl.exe msdos.pif nbupd64.exe Next, click Start/Run and type services.msc and click OK. Look for the service: wordpad.exe msdos.pif Doubleclick it, click Stop if it's running, and change the Startup type to Disabled. Next, run a HJT scan and (if still there) place a tick-mark in the little square before: ........................................................................... ........................ O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126728404611 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: wordpad - Unknown owner - C:\WINDOWS\wordpad.exe ........................................................................... ........................ Now click on the Fix Checked button in HJT. Exit HJT. When done, from between the above dotted lines, delete the highlighted bold files. Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp Repeat this for ALL [usernames]. Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files. Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY). XP only: Delete ALL files from C:\WINDOWS\Prefetch. Boot normal. When all OK, switch System Restore back on. HJT does nothing for Rootkits. See this: http://www.trendmicro-middleeast.com...TROJ_ROOTKIT.N |
|
#5
09-21-2005
|
|||
|
|||
|
Thanks but...
I proceeded to do what you wrote but the processes you described were not there! So I could not end them. However, nbup64.exe is still in the hijack this log. Could you recheck this log to make sure I should definately be seeing these processes? I have obviously restarted since so perhaps they won't be there this time.
Attached is the latest HJT Log. For the hacktool.rootkit ("orans.sys" in system 32 folder) you said to useTrend micro (the url you left) but it found nothing (i disabled system restore for the scan too) - and the file is still there in system 32 and Norton keeps finding it unable to delete it. Please help. |
|
#6
09-21-2005
|
|||
|
|||
|
You need to get rid of these, as per method of my previous message
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif O4 - HKCU\..\Run: [Windows Update 64] nbupd64.exe O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif |
|
| Thread Tools | |
|
|
| Similar Topics | ||||
| Topic | Category | Replies | Last Post | |
| Which cpu should i buy? | Processors, Chipsets and Motherboards | 32 | 01-18-2006 06:14 AM | |
| AMD Athlon 64 Core Explanation | Processors, Chipsets and Motherboards | 3 | 07-23-2005 03:41 PM | |
| VIA Announces Chipset Support for AMD Dual-Core Technology | News and Links from Around the Web | 0 | 04-22-2005 03:01 AM | |
| AMD enter's the GPU market! | The Meeting Spot - Chat & Socialize | 14 | 04-15-2005 03:09 PM | |
| AMD Gets Microsoft's Support for 64-bit Chips | News and Links from Around the Web | 7 | 05-10-2002 12:06 PM | |
All times are GMT -4. The time now is 07:44 AM.