WebProWorld > Internet Security Discussion Forum
Thread: Hacktool.Rootkit Virus

#1 | MuNKyonline | 09-29-2005, 11:27 AM
Subject: Hacktool.Rootkit Virus

I don't know if this will be of any help to anyone, but I had to remove an annoying hacktool virus from a customer's computer recently and nothing I did would remove it. It blocked Internet Explorer and Outlook Express from connecting to the internet.

It created a hidden service called taskcntr.exe and a file called resmon.sys. You could delete the file but it just instantly came back again. The service wasn't running in safe mode, so I enabled network support and could update their virus definitions and Spybot/Ad-Aware.

The customer didn't want the PC wiped and reinstalled. So in the end I decided not to remove it! I got around it by disabling the service in the admin tools - so it was not active - and I renamed the resmon.sys file so it couldn't be used either.

After I rebooted, the Internet and Outlook Express worked as normal! Don't know if anyone could apply this to a problem they're having, 'cos I couldn't find anything on the net that would actually get rid of it! Especially the Norton Anti-virus, which did its usual trick of finding the virus but not being able to do anything with it!
#2 | kgun | 09-29-2005, 06:04 PM
Subject: MuNKy

Quote:
Originally Posted by MuNKyonline
The customer didn't want the PC wiped and reinstalled. So in the end I decided not to remove it! I got around it by disabling the service in the admin tools - so it was not active - and I renamed the resmon.sys file so it couldn't be used either.

That should be good enough.


What about
1. Taking a backup.
2. Resetting the computer to an earlier configuration?

Had he been attacked if he had used StartUp Guard v1.0? It is free.

http://www.acelogix.com/download.html

More advanced:
http://www.abtrusion.com/
#3 | ADAM Web Design | 09-29-2005, 07:50 PM

What about using KillBox to get rid of it?

And on a side note, I seriously don't get why you run into so many issues with NAV. I run into the odd one here and there with it, but there hasn't been anything in the last 6 months across any of the networks I'm in charge of that it's caught and hasn't killed.

McCrappy, on the other hand...well, that's another story.
#4 | valk97_goose | 09-29-2005, 07:54 PM

I know your problem...

I have been advised that "the rootkit revealer" program (FREE) from Sysinternals.com will remove any trace of this virus.

URL: http://www.sysinternals.com/utilitie...trevealer.html

Regards,
Bruce...
#5 | Lee Deeming | 09-30-2005, 12:33 AM

I don't think Norton AV has ever been able to remove a virus for me. I tell a lie; once.
#6 | redcircle | 09-30-2005, 12:43 AM

Quote:
Originally Posted by Lee Deeming
I don't think Norton AV has ever been able to remove a virus for me. I tell a lie; once.
See what Avast does with it.

Avast Home edition - http://www.avast.com
#7 | khurramali | 09-30-2005, 04:37 AM
Subject: Norton

I stick with Norton Antivirus Corporate Edition, which I install as a client and unmanaged system.

It is small, effective and does not integrate with Internet Explorer etc.

The home and professional editions are big with lots of options; if Internet Explorer crashes or gets infected with spyware etc., Norton is useless.

Use Mozilla Firefox with Norton Antivirus Corporate edition or AVAST Free Edition for Home Use.
#8 | MuNKyonline | 09-30-2005, 05:00 AM

On my home PC I use AVG Free, Microsoft AntiSpyware, Spybot, Ad-Aware and Firefox. I don't get anything on that!

Anything that I have got in the past, virus-wise AVG has removed!

Haven't really used KillBox much before, Adam. What sort of things is it good for getting rid of?

Cheers for the link valk97_goose, I'll keep a copy of that in case I ever come across it again =)
#9 | ADAM Web Design | 09-30-2005, 10:23 AM

MuNKy: It's good for the precise issue you're talking about (i.e. killing a file that Windows doesn't want to let go of.) I don't think it can do anything else, but I've only ever needed and used it for that purpose, and it's worked the 3 or 4 times I've had to resort to it.

khurramali makes a good point about the Corporate Edition of Symantec AV. It does tend to run lighter than NAV does.
#10 | MuNKyonline | 09-30-2005, 12:29 PM

I didn't even know that Symantec made any other antivirus products. Might look into that.

I did use Spybot's file shredder to kill files, which it does quite nicely, except for when there's some other hidden prog putting it straight back again lol.
#11 | kgun | 10-01-2005, 03:38 PM
Subject: If you know when it happened it

is very fast to take a backup that should already be there.

Then when you take your lunch, you can reset the computer.

Advice:
Then install intrusion software that I mentioned in my post above if it is not already installed.

Tried this?
http://www.bitdefender.com/site/Buy/packs/

Scan online, you may be surprised.
#12 | MuNKyonline | 10-03-2005, 08:00 AM

I know it would have been a good idea for a backup, kgun, but it was a customer's PC and they hadn't done one.

I didn't want to use restore either, in case it stopped some of their applications from working.

Also I would scan online if I didn't use Firefox =)
#13 | ccole1968 | 10-12-2005, 11:47 AM

The best way to get at things like this is to use Hijackthis. Once you learn how to use it, it will be your best friend!

And then see HERE
#14 | MuNKyonline | 10-12-2005, 12:55 PM

I know how to use HijackThis. Unfortunately it doesn't solve everything all the time. Thanks for that link though, if I get it again on a PC =)
#15 | ccole1968 | 10-12-2005, 01:08 PM

I didn't mean "you" in the specific sense. I meant it in a general sense. Once someone learns how to use it, it will be your best friend. No offense intended.
#16 | MuNKyonline | 10-13-2005, 04:30 AM

No, I know you weren't being offensive. I hate these text-based conversations sometimes, as it's easy to misinterpret what/how someone is saying something. No offence taken =)
#17 | ccole1968 | 10-13-2005, 08:31 AM

What really sucks is when you are one of the unfortunate few who are trying to attack a brand new piece of spyware or a brand new virus and there is absolutely no information on the net about it until a few days later when you check the net again. I've been in that situation a few times and it sucks.
#18 | kgun | 10-13-2005, 05:48 PM
Subject: Do not make it too complicated

unless it is necessary.

1. Have you checked your browser configuration?
Kw:
Tools + Internet Options + Security
Tools + Internet Options + Advanced

Much can be blocked by using the right options (e.g. prompt instead of accept).

2. What about your firewall settings? Do you use a firewall logfile?
#19 | MuNKyonline | 10-17-2005, 07:42 AM

Yeah I get that sometimes ccole1968. It is a right pain!

My browser configuration has nothing to do with it, kgun, as it was a customer's PC. Plus I personally use Firefox, so I hardly get anything on my PC anyway =)
#20 | ccole1968 | 10-17-2005, 05:59 PM

One little tool I've found pretty useful (and FREE!) is Spyware Blaster by Javacool Software. It adds all kinds of security settings to IE that keep out a lot of spyware. It works for Firefox too. It's great for prevention.
#21 | MuNKyonline | 10-18-2005, 11:00 AM

Yeah, I did use that for a bit, found that it didn't really make much difference. Have you had a lot of luck with it then?

At current I find that MS AntiSpyware does a good job on its own. Providing you set it up correctly and don't block anything that your system needs, then it's pretty helpful.

The Spybot Teatimer application is an alternative if you dont have MS-Antispyware.
#22 | ccole1968 | 10-18-2005, 02:24 PM

Like any other tool, it's not 100% effective on its own. But it will prevent a lot of stuff from getting in by virtue of the security settings in IE. One of the BIG advantages of it is that it doesn't need to be running to work! I like that about it. There's no overhead with respect to system resources, and for the performance hit (0) and the price ($0), it's a pretty good tool.

I've also tried using one of the modified HOSTS files that are available to be downloaded on the net. They are also effective, but not to be used in an Active Directory domain. For the home user, they're great. The modified HOSTS file speeds up browsing and stops quite a few ads from showing up in the browser. It's actually kind of funny. Try changing your hosts file to the one found HERE. Then browse MSN.COM. There are a lot of "Page cannot be displayed" where ads normally show up. It's not only effective at blocking spyware, but it also blocks the ads while browsing, making the browsing experience much quicker.
#23 | ccole1968 | 10-18-2005, 02:33 PM

Incidentally, modifying the HOSTS file is great for SOOOOOOO many different things. Like, for example, if you happen to come across another brand new virus or piece of spyware, and you can see it trying to connect to some server somewhere, you can use the HOSTS file to stop it from "calling home" while you are working on the system. Check the firewall logs or capture some ethernet packets to find out what hosts you need to block access to. The HOSTS file has so many great uses!
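The "check the firewall logs" step above, as an added example that is not part of the original thread: it reads Windows Firewall log lines in the W3C layout pfirewall.log uses (the field names come from the file's own #Fields header) and lists the non-private destinations this machine opened connections to, which are the "calling home" candidates to look up before blocking. The log lines and private-range list are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in the W3C layout Windows Firewall writes to pfirewall.log;
# the #Fields header is parsed rather than hard-coded so other layouts still work.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-10-13 17:48:01 OPEN TCP 192.168.1.5 192.168.1.1 1031 80 - - - - - - - - -
2005-10-13 17:48:02 OPEN TCP 192.168.1.5 203.0.113.10 1032 80 - - - - - - - - -
2005-10-13 17:48:05 OPEN TCP 192.168.1.5 203.0.113.10 1033 8080 - - - - - - - - -
2005-10-13 17:48:07 DROP UDP 198.51.100.9 192.168.1.5 53 1034 78 - - - - - - - -
2005-10-13 17:48:09 OPEN UDP 192.168.1.5 192.168.1.1 1035 53 - - - - - - - - -
2005-10-13 17:48:12 OPEN-INBOUND TCP 203.0.113.77 192.168.1.5 4444 139 - - - - - - - - -
"""

# Assumed local ranges; anything outside these counts as "somewhere on the net".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def outbound_destinations(rows):
    """Count (dst-ip, dst-port, protocol) for connections this machine opened to
    non-private addresses: the hosts to resolve and, once the domain is known,
    to sinkhole in the hosts file while cleaning the system."""
    counts = Counter()
    for row in rows:
        # OPEN is an outbound connection; OPEN-INBOUND, DROP and CLOSE are not.
        if row.get("action") != "OPEN":
            continue
        dst = ipaddress.ip_address(row["dst-ip"])
        if any(dst in net for net in PRIVATE_NETS):
            continue
        counts[(row["dst-ip"], row["dst-port"], row["protocol"])] += 1
    return counts
```

On a real machine, read the log with `parse_firewall_log(open(path).read())` and look at the destinations that repeat every few seconds after a reboot.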
#24 | MuNKyonline | 10-19-2005, 05:50 AM

Right, sounds good. What do you have to put in the hosts file to make it block things then? I don't fully understand how this works.
#25 | ccole1968 | 10-19-2005, 06:13 AM

The hosts file is queried BEFORE DNS servers and has more authority on the computer. So, any entry that is put into the hosts file will be the "final word", so to speak. 127.0.0.1 is your local machine. So, for example, if you want to block google.com, you would add the following line to your hosts file...

127.0.0.1 google.com

So, whenever google.com is requested on that computer, the computer FIRST checks the hosts file, sees the entry for google.com and directs the request to the local computer (which, obviously, isn't google.com), so you get a "page cannot be displayed" because the real google.com is never contacted. (You may also have to add a separate line for www.google.com, ftp.google.com, mail.google.com.) It never hurts to be extra cautious. So, if you see that some piece of spyware or virus is calling home and you know the domain name, you can use the hosts file to point all calls to their domain right back to your own machine. The real spyware domain is never contacted, making removal much easier in some cases. The hosts file that is distributed by the website I mentioned above contains a huge list of known spyware and advertising companies' domains. So, when you replace your hosts file with that one, your computer is no longer capable of communication with any domain on that list. If you browse a website (try msn.com because it's always FULL of ads) that has ads on it, each ad is sent (usually) to its own domain for the graphic. If that domain is in your hosts file, the space where the graphic is supposed to be usually has a "page cannot be displayed" inside of it because that domain was redirected to your computer instead of the real domain.

You can use the hosts file to redirect ANY domain to ANY IP address. I use it all the time for when I switch webhosting companies or set up a new domain. I don't have to wait for DNS to propagate throughout the world. I just set an entry in my hosts file to point the correct domain to the correct IP address and I can work on moving my website from one webhost to another. When I have everything set up correctly on the new webhost, I remove the entry from my hosts file and update the nameservers. The hosts file is pretty useful for many things. Have a look at the page where that hosts file is downloaded, it has lots of information.
#26 | ccole1968 | 10-19-2005, 06:17 AM

Another point to note is that sometimes spyware or viruses will modify the hosts file to prevent you from contacting Symantec, Trend Micro, F-Secure, and a whole lot of other useful domains. In some cases, when spyware strikes, simply removing those entries is enough to gain entry to those websites again so that you can clean that system.
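The hosts-file behaviour described in the last two posts (one IP followed by one or more hostnames, checked before DNS, 127.0.0.1 used as a sinkhole), as an added example that is not part of the original thread: it parses a hosts file and separates the deliberate ad/spyware sinkholes from entries that hijack security-vendor domains, which is the tampering to look for before trusting that a vendor site is "down". The sample file and the vendor list are constructed assumptions; on Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample, not a real hosts file: 'IP host [alias ...]', '#' comments.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.net banners.example.net   # ad sinkhole
0.0.0.0         tracker.example.org
127.0.0.1       www.symantec.com liveupdate.symantec.com
198.51.100.7    www.example.com      # staging box during a host move
not-an-ip       bogus.example
"""

# Vendor domains a cleanup depends on (assumed list; extend to your own vendors).
VENDOR_SUFFIXES = ("symantec.com", "trendmicro.com", "f-secure.com", "avast.com")
LOCAL_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments and lines whose
    first field is not a valid address are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower(), line_no


def is_vendor(host):
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def audit_hosts(text):
    """'hijacked': vendor domains mapped anywhere (the tampering the post warns
    about); 'sinkholed': domains pointed at the local machine; 'redirected': rest."""
    report = {"hijacked": [], "sinkholed": [], "redirected": []}
    for ip, host, line_no in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if is_vendor(host):
            report["hijacked"].append((host, ip, line_no))
        elif ip in LOCAL_SINKHOLES:
            report["sinkholed"].append((host, ip, line_no))
        else:
            report["redirected"].append((host, ip, line_no))
    return report
```

Anything under "hijacked" is what to delete before trying the vendor's update or cleanup page again; "redirected" entries deserve a look because a real address there sends the browser somewhere other than the domain it asked for.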