
SOLUTION: Remon.sys Orans.sys Hacktool.Rootkit Sysmanager VIRUS REMOVAL


dustin.garden
Sep 21, 2005, 11:25:22 AM
We just had a round of infections with Hacktool.Rootkit and we found a
way to clean them from our PC's. Since I looked for hours for decent
solutions on Google Groups and didn't find anything I thought I'd share
the solution that worked for us.

** If you are using Windows XP turn off system restore.

1. First off, when the virus hit us Symantec was not able to detect it
or delete it. So our first step was to uninstall Symantec and install
Kaspersky Antivirus. You can Google it and find the free personal
edition trial. Install it and update it on your PC.

2. UNPLUG YOUR NETWORK CABLE and reboot into SAFE MODE WITH NETWORKING.
Yes, with networking... without a cable. Trust me.

3. Delete all of the contents of every TEMP folder you can find
(C:\Windows\Temp or C:\Documents and Settings\%username%\local
settings\temp AND temporary internet files)... there are a bunch of
them. Then, do a search on your PC for these files (do an advanced
search that looks at hidden files and folders as well): remon.sys,
orans.sys, sysmanager, and eraseme*. Delete all of these that you find.

4. Next, open the device manager. Select view -- show hidden devices.
Under non-plug and play devices search for ORANS or REMON. If they
exist, right click on them and select UNINSTALL. Decline a reboot for
now. Also, check your System Services in the control panel and delete
any occurrence of NETINFO or REMON or ORANS.

5. Open the registry. Search for all occurrences of REMON, ORANS,
SYSMANAGER, ERASEME*. Delete the entire key that they are found in. If
you get an access denied error right click on the key and select
permissions -- give all users full control and then delete it. For
Win2K users you will have to use regedt32.exe to change the
permissions.

6. Run Spybot Search and Destroy.

7. Reboot BACK INTO SAFE MODE WITH NETWORKING (NO NETWORK CABLE).
Verify that the things you have done in the steps above have not reset
themselves. If your registry is clean and the files remain gone and the
device manager plug and play devices are still gone, it is safe to boot
back into normal mode with networking. If not, repeat the steps above.

8. Run Windows update. Update EVERYTHING.

That should be it. We haven't had any reinfections and the process
above worked for us every time.
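The eight steps above, gathered into one read-only audit that a practitioner can run before and after the safe-mode reboot in step 7 to confirm nothing has come back. This is an added example, not code from the original post: PowerShell did not exist on the Windows 2000/XP machines in this thread, so it is written for a current Windows host. The indicator names (remon, orans, sysmanager, eraseme, netinfo, winsass, KB835732) are the ones the thread gives; the function names, the folders searched, the Run keys chosen and the modern Temporary Internet Files location are assumptions. It reports only and deletes nothing; removal stays a manual decision as in the post.

```powershell
# Added audit script, not from the original thread. It only reports; it deletes nothing.
# Indicator names (remon, orans, sysmanager, eraseme, netinfo, winsass) are the ones the
# thread lists. Function names, the paths searched and the modern cache location are
# assumptions for illustration. Run from an elevated prompt, ideally in safe mode, since
# a loaded rootkit driver can hide its files and keys from the same APIs this script uses.

$Indicators = @('remon', 'orans', 'sysmanager', 'eraseme', 'netinfo', 'winsass')

function Test-Indicator {
    # Case-insensitive substring match of any indicator in the given text.
    param([string]$Text)
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($i in $Indicators) {
        if ($lower.Contains($i)) { return $true }
    }
    return $false
}

function Find-IndicatorFiles {
    # Step 3 of the procedure: system and temp folders, hidden files included (-Force).
    $roots = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", $env:TEMP,
               "$env:LOCALAPPDATA\Microsoft\Windows\INetCache")   # assumed modern TIF location
    foreach ($root in $roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { Test-Indicator $_.Name } |
            ForEach-Object { [pscustomobject]@{ Type = 'File'; Name = $_.FullName; Detail = $_.LastWriteTime } }
    }
}

function Find-IndicatorServices {
    # Step 4: services and kernel drivers share the Services key; the "non-plug and play"
    # entries in Device Manager are the driver subkeys under it.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ((Test-Indicator $_.PSChildName) -or (Test-Indicator ([string]$p.ImagePath)) -or
                (Test-Indicator ([string]$p.DisplayName))) {
                [pscustomobject]@{ Type = 'Service'; Name = $_.PSChildName; Detail = [string]$p.ImagePath }
            }
        }
}

function Find-IndicatorDrivers {
    # Cross-check against what the OS reports as installed drivers, independent of the registry walk.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { (Test-Indicator $_.Name) -or (Test-Indicator $_.PathName) } |
        ForEach-Object { [pscustomobject]@{ Type = 'Driver'; Name = $_.Name; Detail = "$($_.State) $($_.PathName)" } }
}

function Find-IndicatorRunKeys {
    # Step 5, narrowed to the autostart keys a persistence loader normally uses.
    # Both value names and value data are checked, since the data holds the loader path.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # skip provider metadata
            $val = [string]$prop.Value
            if ((Test-Indicator $prop.Name) -or (Test-Indicator $val)) {
                [pscustomobject]@{ Type = 'RunKey'; Name = "$k\$($prop.Name)"; Detail = $val }
            }
        }
    }
}

function Invoke-RootkitAudit {
    # Collect everything, then report. Returning the objects lets the caller pipe them
    # to Export-Csv for a before/after comparison across the safe-mode reboot (step 7).
    $findings = @(Find-IndicatorFiles) + @(Find-IndicatorServices) +
                @(Find-IndicatorDrivers) + @(Find-IndicatorRunKeys)
    if ($findings.Count -eq 0) {
        Write-Host 'No indicators found. Re-run after the safe-mode reboot to confirm nothing came back.'
    } else {
        $findings | Format-Table Type, Name, Detail -AutoSize | Out-Host
    }
    # Step 8 check from later in the thread: the Windows 2000 SP4 patch KB835732.
    # Expected to be absent on anything newer; Get-HotFix -Id is the general form of the check.
    if (-not (Get-HotFix -Id 'KB835732' -ErrorAction SilentlyContinue)) {
        Write-Host 'KB835732 not present (normal on any Windows newer than 2000 SP4).'
    }
    return $findings
}

$audit = Invoke-RootkitAudit
```

Run it once in safe mode before cleanup and pipe `$audit` to `Export-Csv`, then again after the reboot in step 7 and diff the two files; an entry that reappears means something outside the searched locations is recreating it. The caveat in the header comment is the reason the thread insists on safe mode: a rootkit driver that is loaded can filter the directory and registry enumerations this script relies on, so a clean result from normal mode proves little.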

dustin.garden
Sep 21, 2005, 11:29:03 AM
Oooops, consider this step 3 1/2: Open Kaspersky and perform a full
system scan. When it finishes, click the PROCESS button at the bottom
of the screen to delete the detected items.

Art
Sep 21, 2005, 11:45:22 AM
On 21 Sep 2005 08:25:22 -0700, "dustin.garden"
<dustin...@gmail.com> wrote:

>We just had a round of infections with Hacktool.Rootkit and we found a
>way to clean them from our PC's. Since I looked for hours for decent
>solutions on Google Groups and didn't find anything I thought I'd share
>the solution that worked for us.
>
>** If you are using Windows XP turn off system restore.
>
>1. First off, when the virus hit us Symantec was not able to detect it
>or delete it. So our first step was to uninstall Symantec and install
>Kaspersky Antivirus. You can Google it and find the free personal
>edition trial. Install it and update it on your PC.

Here's another way to get an on-demand scan by the KAV scan engine.
It will automatically update the defs before starting the scanner:

http://www.claymania.com/KASFX.EXE

Art

http://home.epix.net/~artnpeg

Alex...@gmail.com
Oct 4, 2005, 5:39:46 AM
Hi dustin.garden,
I got a virus yesterday. Based on the following symptoms, could you let
me know whether it is the same virus attack as yours? The symptoms are
as follows:

- After logging on to the system, the Symantec anti-virus was displayed in the
system tray for a few seconds and then disappeared.

- On the PC (Win 2K professional), when I do start > run > cmd. The
DOS prompt screen just displayed for one second and closed
automatically.

- At Administrative Tool > Event Viewer, it showed an error message
"Hacktool virus ..."

Any more advice to kill the virus is appreciated. :)

Thanks.

dustin.garden
Oct 4, 2005, 11:01:01 AM
Well, if you boot into safe mode check for the existence of REMON.SYS
or ORANS.SYS in C:\Windows\System32. If it's there, it's the same virus
we were experiencing. If not, it sounds like you have something else.
Try to run Symantec in Safe Mode as well. Let me know what you find.

Alex...@gmail.com
Oct 4, 2005, 10:44:10 PM
Hi dustin.garden,
It is very nice of you. Thanks a lot.

I think I have the same virus because I found REMON, ORANS, SYSMANAGER,
ERASEME* in the Registry (step 4). It was deleted successfully.

Basically I followed your steps closely from step 1 to step 6.
The main findings are as follows:

Step 3 1/2: I still used Symantec antivirus to scan and found
C:\WINNT\System32\winsass.exe. It was quarantined successfully.

Step 4: stated in the 2nd paragraph of this posting.

I stopped at step 7 last night (at home). I will continue the battle
with this virus tonight or tomorrow.

Is step 8 (Windows Update) important? I am using a 56K modem which is
too slow to do windows update. Do you have any idea whether we can
download all the Windows patches in a file(s), then copy this file(s)
to my home PC, then do an "offline" windows update? My home PC is
Win2K prof SP4.

What anti-virus software are you using? Still Kaspersky Antivirus?
I have downloaded the trial version. However, I do not know how to
update the virus definitions. I do not quite understand the
instructions to update the virus definitions.

Thanks.

Alex...@gmail.com
Oct 4, 2005, 10:49:13 PM
Hi dustin.garden
In Step 4, you mentioned System Services in the control panel.
Are you referring to Control Panel > Administrative Tool > Services?
Thanks.

dustin.garden
Oct 6, 2005, 9:05:38 AM
Yes, that is the correct location for the System Services. You will
probably find REMON listed there... uninstall it while you are in safe
mode.

As far as updating Kaspersky virus definitions - there is a Settings
tab in the program. When you open that up there will be a link for
configuring updates. You can either manually download and install them
from a folder or directly from the internet. Either way works fine.

Regarding windows update... here is the specific patch you need for
Win2KSP4: KB835732.

Please remember to follow the instructions above exactly. Do not boot
back to normal mode until it says so. Everything should be done in safe
mode with networking. Good luck!

Alex...@gmail.com
Oct 10, 2005, 5:02:09 AM
Thanks a lot!
I have followed your instructions closely. It seems to be effective.
I will monitor my PC for a few days more.
(Note: I did not see anything suspicious in the "System Services".
But, I think it doesn't really matter. Thanks.)

dustin.garden
Oct 10, 2005, 10:26:17 PM
No, you won't always see anything listed in the system services. You
may also not notice anything in the device drivers list either.

Alex...@gmail.com
Oct 25, 2005, 5:41:58 AM
Hi everyone,
Just to let you know that my PC has been working fine without the
symptom of infections till now. Hence, you may wish to try this
approach to remove the virus. Good luck!
