Author Topic: hacktool.rootkit & remon.sys (Read 6742 times)

kiki · « **on:** November 16, 2005, 02:43:35 PM »

i am having a problem with these....... hacktool.rootkit & the file remon.sys that comes back always. i tried almost everything and i cant fix my pc. i have not local network or internet.
please help me. i dont know much of these things but i will try to follow instuctions if you know something about this problem

Die Hard · « **Reply #1 on:** November 16, 2005, 03:48:12 PM »

kiki , hello and welcome

First , download HiJack This :
http://www.thespykiller.co.uk/files/HJTsetup.exe

This will download HiJack This to your computer, choose "Save" and navigate to the folder where it´s saved and doubleclick upon it.
This is a complete installer that installs Hijackthis onto the computer to C:\Program Files\HijackThis and makes an entry in the start menu & allows you to have a shortcut on desktop as well.

then.......
Doubleclick the HJT icon on your desktop, hit "Do a system scan and save logfile". Save the logfile and a txt-file will be produced.. Copy that one and paste it here and we´ll have a look at it.

Since you have no internet, use a connected computer to download the file and put it on a floppy or CD .

Also , at the same time, get this tool that will mend your internet, "LSPFix":
http://www.greyknight17.com/spy/KillBox.exe
Install it on your broken system, but do nothing with it yet,not until you have posted a HiJack This log.

regards

Die Hard

kiki · « **Reply #2 on:** November 16, 2005, 04:12:10 PM »

i hope you can help me here is the hjt file
i have also killbox.exe i am waiting for instuctions

[attachment deleted by admin]

kiki · « **Reply #3 on:** November 16, 2005, 04:56:02 PM »

Logfile of HijackThis v1.99.1
Scan saved at 7:17:36 PM, on 11/16/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\nvideogui.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.otenet.gr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN for Windows 2000\atmsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nvidia Graphic Displacement (nvideoGUI) - Unknown owner - C:\WINNT\nvideogui.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINNT\construct.exe (file missing)

Die Hard · « **Reply #4 on:** November 16, 2005, 07:29:27 PM »

kiki

There seems to have been an error with the download link, you where supposed to have downloaded "LSPFix". But in fact ,this turned out to be very good, when we will need Killbox.

Now let´s try this:

Click on (windowskey+R) and type Services.msc>OK and in the window that opens,scroll down until you find Windows Stability Route (WSR)
Doubleclick upon it and in the new window click the scrollbar at "Startup type" and set it to "Disabled". Click the Stop button , Apply and close.

Then run HiJack This and put a checkmark next to :
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINNT\construct.exe (file missing)
Press "Fix checked" and answer "Yes" to the prompt.

Now open Killbox, by Option ^ Explicit, and checkmark "Delete on reboot".
In the field "Full path of file to delete" paste this first:
C:\WINNT\construct.exe
then click "no" when prompted if you want to reboot.
Then paste this filepath:
C:\Windows\System32\remon.sys
Now,let the system reboot. If it doesn´t by itself, do it manually.

After reboot, go immediately to Trend Micro´s online scanner and let it remove whatever it finds:
TrendMicro

Please,save the log and post it here together with a new HiJack This log.

regards

Die Hard

kiki · « **Reply #5 on:** November 17, 2005, 06:52:10 AM »

i did all this but the file remon.sys is still there, plus there are some more files, named eraseme_11256.exe set_up21266.exe and some more with names eraseme or setup and different numbers.here is the hjt log.... but i dont have internet yet and i cant scan with trendmicro. can i download it and then install it on the other pc tha is broken?

Logfile of HijackThis v1.99.1
Scan saved at 9:58:43 AM, on 11/17/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\nvideogui.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.otenet.gr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN for Windows 2000\atmsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nvidia Graphic Displacement (nvideoGUI) - Unknown owner - C:\WINNT\nvideogui.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe

Die Hard · « **Reply #6 on:** November 17, 2005, 08:37:31 AM »

kiki

Please go here and download Ewido Security Suit:
http://download.ewido.net/ewido-signatures-full-20051116.exe
It´s a complete installer, supplied with the latest definitions designed to be used in situations like this.
You need to burn it to a CD, when it´s 4,3Mb in length.

At the same time, download and add to the CD also the "WinsockFix" : http://www.tacktech.com/pub/winsockfix/WinsockFix.zip

A quick guide to Ewido Security Suit is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf

1. Install ewido security suite
2. Reboot your computer to Safe Mode. You do this by rebooting and during the startup process tap the F8-key repetedly until a screen appears where you navigate with the arrow keys. Choose "Safe Mode" and hit "Enter".

Once in safe mode, go on with this:
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen
5. Click on scanner
6. Click on Complete System Scan and the scan will begin.

7. On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
Screenshot: http://i18.photobucket.com/albums/b123/DieHard53/EWIDO2.jpg

8. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
9. Click Save report.
10.Save the report .txt file to your desktop.
11.Now close Ewido security suite and reboot normally.
12.Run the "WinsockFix" and follow the prompts on the screen.
13.Try your internet connection.
14.Copy the Ewido report (to the CD) and post it here for review.

regards

Die Hard

kiki · « **Reply #7 on:** November 17, 2005, 10:51:46 AM »

here is the report---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         1:53:03 PM, 11/17/2005
+ Report-Checksum:      B32836E9

+ Scan result:

   C:\WINNT\nvideogui.exe -> Backdoor.SdBot.aad : Cleaned with backup
   C:\WINNT\system32\eraseme_11256.exe -> Backdoor.SdBot.aad : Cleaned with backup
   C:\WINNT\system32\eraseme_86674.exe -> Backdoor.SdBot.aad : Cleaned with backup
   C:\WINNT\system32\setup_21266.exe -> Backdoor.SdBot.aad : Cleaned with backup
   C:\WINNT\system32\setup_70850.exe -> Backdoor.SdBot.aad : Cleaned with backup

::Report End

kiki · « **Reply #8 on:** November 17, 2005, 10:53:36 AM »

remon.sys file is still there......................

Die Hard · « **Reply #9 on:** November 17, 2005, 11:35:57 AM »

kiki

That seems to have taken care of one infection

Now we have to deal with the evil rootkit.

Please go here and download F-Secure´s Blacklight
http://www.f-secure.com/blacklight/try.shtml

All information needed is supplied on the homepage:
http://www.f-secure.com/blacklight/help/

If possible, run the tool in safe mode.
Before you start the cleaning, disable the restore points just to make sure no baddies are hidden there , displaying their nasty noses once we´re through

Disable restore point
Create a restore point

If you need any help along the way, please come back and ask.

Die Hard

kiki · « **Reply #10 on:** November 17, 2005, 11:49:28 AM »

please tell me how to disable this...

kiki · « **Reply #11 on:** November 17, 2005, 12:38:39 PM »

i have windows 2000 how to do this?

Paddy · « **Reply #12 on:** November 17, 2005, 01:20:14 PM »

Hello,kiki see if this helps ..

1. Close all open programs.
2. Right-click My Computer on the Windows desktop, and then click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore, click OK, and then click Close.
7. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.
8. After cleaning the infected files, repeat steps 1 through 7, except in step 6, uncheck Disable System Restore.

Screen shots ..

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam

then follow the rest of the steps Die Hard has given you ..

numbnuts..

kiki · « **Reply #13 on:** November 17, 2005, 02:50:20 PM »

there is nothing like that on my pc.
it has advanced after hardware and there performance options, enviroment variables, startup and recovery

Die Hard · « **Reply #14 on:** November 17, 2005, 07:29:56 PM »

kiki

Sorry, my bad. I didn´t look at the top of your log closely enough to see that it is a Win2K system.
Win2K doesn´t have the system restore.

Please go on with the "Blacklight" tool

regards

Die Hard

LandzDown Forum

News: