
Hacktool.Rootkit attached to a file called remon.sys



#1 lenyc


Posted 20 September 2005 - 02:49 PM

Hi, I found a virus on 2 machines today, and the virus was called hacktool.rootkit. It was attached to a file called remon.sys, and 2 weeks ago it was attached to a file called hpdriver.sys.

Can anyone help me out with my issue?

Logfile of HijackThis v1.99.1
Scan saved at 2:57:04 PM, on 9/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
e:\progra~1\allaire\coldfusion\bin\cfserver.exe
e:\progra~1\allaire\coldfusion\bin\cfexec.exe
e:\progra~1\allaire\coldfusion\bin\CFRDSService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
e:\HAHTsite\webapps\bin\hsradmin.exe
e:\HAHTsite\webapps\bin\hscontrol.exe
e:\HAHTsite\webapps\bin\hsredir.exe
e:\HAHTsite\webapps\bin\hsadmsrv.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\ntfrs.exe
E:\oracle\ora81\bin\dbsnmp.exe
E:\oracle\ora81\bin\vppdc.exe
E:\oracle\ora81\BIN\TNSLSNR.exe
e:\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\CFUSION\bin\Service_AuthSrvr.exe
C:\CFUSION\bin\Service_AzSrvr.exe
C:\CFUSION\bin\smservauth.exe
C:\CFUSION\bin\smservaz.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\jk_nt_service.exe
E:\j2sdk1.4.0_01\bin\java.exe
C:\Program Files\Pwrchute\ups.exe
C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
E:\ArcGIS\ArcSDE\ora8iexe\bin\giomgr.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\taskcntr.exe
C:\Program Files\HJT\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MS-DOS Security Service] ms-dos.pif
O4 - HKLM\..\RunServices: [MS-DOS Security Service] ms-dos.pif
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ndac.bah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D08B77A-4AD8-406B-ACCC-E14B0CE276E1}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ndac.bah.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ndac.bah.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cold Fusion Application Server - Allaire - e:\progra~1\allaire\coldfusion\bin\cfserver.exe
O23 - Service: Cold Fusion Executive - Allaire - e:\progra~1\allaire\coldfusion\bin\cfexec.exe
O23 - Service: Cold Fusion RDS - Allaire Corporation - e:\progra~1\allaire\coldfusion\bin\CFRDSService.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ArcSde Service(esri_sde) (esri_sde) - Unknown owner - E:\ArcGIS\ArcSDE\ora8iexe\bin\giomgr.exe
O23 - Service: HAHTsite 5.0 Background (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hsradmin.exe
O23 - Service: HAHTsite 5.0 Controller (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hscontrol.exe
O23 - Service: HAHTsite 5.0 Foreground (webapps) - HAHT Software, Inc. - e:\HAHTsite\webapps\bin\hsredir.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\System32\cba\pds.exe
O23 - Service: MapXBroker Service (MapXBrokerService) - Unknown owner - e:\Program Files\MapInfo\MapXtreme\program\mapxbroker.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81CMAdmin - Unknown owner - E:\oracle\ora81\BIN\CMADMIN.EXE
O23 - Service: OracleOraHome81CMan - Unknown owner - E:\oracle\ora81\BIN\CMGW.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDINO - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SiteMinder Authentication Service (SmServAuth) - Unknown owner - C:\CFUSION\bin\Service_AuthSrvr.exe
O23 - Service: SiteMinder Authorization Service (SmServAz) - Unknown owner - C:\CFUSION\bin\Service_AzSrvr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe
O23 - Service: tomcat - Unknown owner - C:\jk_nt_service.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: Disk Management Service (vxsvc) - VERITAS Software Corp. - C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)



#2 OldTimer

    Malware Expert

Posted 26 September 2005 - 08:41 AM

Hello lenyc and welcome to the BC HijackThis forum. The HijackThis log does not show any problems. It is clean.

Let's try this. Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
