
View Full Version : hidn rootkit prevents spybotsd.exe creation on install



Corscaria
2006-06-22, 09:04
I just removed what seems to be a rootkit from my system.
The rootkit is composed of 3 files:
C:\Documents and Settings\<account>\Application Data\hidn\hidn.exe
C:\Documents and Settings\<account>\Application Data\hidn\hidn1.exe
C:\Documents and Settings\<account>\Application Data\hidn\m_hook.sys
No hits for hidn.exe or hidn1.exe on Google.
m_hook.sys however is listed as part of a rootkit with the files hidires.exe and hidires1.exe.
Obviously this is a new variant.

This is how it seems to work, from the fight I just had with it:

m_hook.sys is the actual rootkit.
hidn.exe deletes regedit and spybotsd.exe (and prevents its creation on install), hides hidn1.exe from the tasklist, and makes its folder invisible (even when hidden and system files are visible).
hidn1.exe hides hidn.exe from the tasklist and Explorer.

Occasionally Firefox pseudo-crashes (crash window, but keeps working 100% unless you click OK on the crash window), which I believe is the rootkit trying to contact home.

I have hidn.exe and m_hook.sys archived for analysis; unfortunately hidn1.exe was irreparably mangled while I ripped it from my system. I'll be sending what I have to Trend Micro (my fave virus/trojan/worm/etc scanner). If Safer Networking would like a copy to analyze, PM me. I will only give this to people with moderator access, to prevent misuse.

If Spybot seems to fully install for you without problem but won't execute, see if spybotsd.exe exists. If it doesn't, this could be your problem.
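
The post above says hidn.exe and hidn1.exe hide each other from the task list, so the detectable symptom is a user-mode process listing that disagrees with an independent enumeration. The Python below is an added illustration of that cross-view check, not code from the thread or from Spybot; the `tasklist /fo csv` samples and the "reference" listing (assumed to come from a tool the hook does not affect) are constructed.

```python
import csv
import io

# File names reported in the post above, used only as a lookup set
HIDN_INDICATORS = {"hidn.exe", "hidn1.exe", "m_hook.sys"}

def parse_tasklist_csv(text):
    """Parse `tasklist /fo csv` output into a set of (image name, pid) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["Image Name"].lower(), int(row["PID"])) for row in reader}

def cross_view_diff(user_view, reference_view):
    """Entries present in the reference enumeration but missing from the user-mode
    tasklist view.  A process-hiding hook like the one the post describes shows up
    as exactly this discrepancy."""
    return sorted(reference_view - user_view)

def flag_indicators(entries):
    """Names among the given (name, pid) entries that match the post's indicators."""
    return sorted({name for name, _ in entries if name in HIDN_INDICATORS})

# Constructed sample: what a hooked `tasklist /fo csv` shows on the infected machine
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1452","Console","0","21,104 K"
"firefox.exe","2016","Console","0","64,300 K"
'''

# Constructed sample: the same machine enumerated from an independent source
# (assumed here to be an offline or kernel-level tool not affected by the hook)
REFERENCE_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1452","Console","0","21,104 K"
"firefox.exe","2016","Console","0","64,300 K"
"hidn.exe","1788","Console","0","1,912 K"
"hidn1.exe","1796","Console","0","1,880 K"
'''

def analyse(tasklist_text=TASKLIST_SAMPLE, reference_text=REFERENCE_SAMPLE):
    """Run the cross-view comparison; report hidden processes and matched indicators."""
    hidden = cross_view_diff(parse_tasklist_csv(tasklist_text),
                             parse_tasklist_csv(reference_text))
    return {"hidden": hidden, "indicators": flag_indicators(hidden)}

if __name__ == "__main__":
    result = analyse()
    for name, pid in result["hidden"]:
        print(f"hidden from tasklist: {name} (pid {pid})")
    print("known indicators among hidden:", ", ".join(result["indicators"]) or "none")
```

A clean machine gives an empty `hidden` list; any discrepancy, whether or not the name matches a known indicator, is worth a closer look.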

tashi
2006-06-22, 09:40
Hello.

Please see:
http://forums.spybot.info/showthread.php?t=1699

Cheers.

alvaroprudente
2007-01-05, 22:32
In my case, a manual delete of the directory & corresponding files:
# %UserProfile%\Anwendungsdaten\hidn\hidn.exe - copy of the worm
# %UserProfile%\Anwendungsdaten\hidn\m_hook.sys - Trojan.Rootserv
did not help directly, and a heavier infection led to the problem that I was no longer able to install firewall, antivirus, etc... as mentioned...

Nor could the registry entries be deleted at first sight...

To be able to delete the registry entries, I had to (as root)
- disallow the access to these entries for the user System
- reboot the system
- access the registry and change/delete the entries as I liked...

In another case, another entry was locked by a chain of access rights from a user "creator/owner". The solution here was to delete this user right (as admin again) and delete it via "erweitert/extended" and uncheck the box of inherited rights.

Hope this helps for future users.

Chya42
2007-01-08, 13:47
Hi everyone,
Thanks a lot for this post, I have the same problem. How can I remove these items from my system..?

I tried to find a way without a solution; even if I install Spybot on another machine, then compress the folder and decompress it on my system, the exe files are destroyed...

How can I "disallow the access to these entries for the user System"...?

Thanks
Chya

PS. I also had problems installing NOD antivirus..

LonnyRJones
2007-01-09, 05:52
Welcome to the forum Chya42
I'm assuming you have the files listed above? Or is it just that Spybot won't run?

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288

Chya42
2007-01-09, 15:53
Thanks for the "welcome" LonnyRJones
and forgive me if I posted here..
I apologize to Corscaria too..

I found these entries in the registry

hidn.exe
m_hook.sys

and I suppose I'm infected too by the same rootkit, but I don't know how to remove these entries and the files without help from Spybot.
I tried to remove the entries manually but they are still there again.

Am I allowed to keep replying here or is it better to open another post..?

Thanks
Chya

md usa spybot fan
2007-01-09, 16:26
Am I allowed to keep replying here or is it better to open another post..?
Chya:

By referring to the instructions for posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, I believe that Lonny was suggesting that you open a new post in that forum.



Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
The thread referenced above ("BEFORE you POST" - Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)) contains the instructions for running preliminary scans, producing logs and posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum. After completing those steps, start a new thread (topic) in the following forum (making sure to include the HijackThis and online scan logs produced from the instructions above):
Malware Removal
http://forums.spybot.info/forumdisplay.php?f=22