hidn rootkit prevents spybotsd.exe creation on install
I just removed what seems to be a rootkit from my system.
The rootkit is composed of 3 files:
C:\Documents and Settings\<account>\Application Data\hidn\hidn.exe
C:\Documents and Settings\<account>\Application Data\hidn\hidn1.exe
C:\Documents and Settings\<account>\Application Data\hidn\m_hook.sys
No hits for hidn.exe or hidn1.exe on Google.
m_hook.sys, however, is listed as part of a rootkit with the files hidires.exe and hidires1.exe.
Obviously this is a new variant.
This is how it seems to work, from the fight I just had with it:
m_hook.sys is the actual rootkit.
hidn.exe deletes regedit and spybotsd.exe (and prevents its creation on install), hides hidn1.exe from the task list, and makes its folder invisible (even when hidden and system files are visible).
hidn1.exe hides hidn.exe from the task list and Explorer.
Occasionally Firefox pseudo-crashes (crash window, but it keeps working 100% unless you click OK on the crash window), which I believe is the rootkit trying to contact home.
I have hidn.exe and m_hook.sys archived for analysis; unfortunately hidn1.exe was irreparably mangled while I ripped it from my system. I'll be sending what I have to Trend Micro (my fave virus/trojan/worm/etc. scanner). If Safer Networking would like a copy to analyze, PM me. I will only give this to people with moderator access, to prevent misuse.
If Spybot seems to fully install for you without problem but won't execute, see if spybotsd.exe exists. If it doesn't, this could be your problem.
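A cross-view check for the hiding behaviour described in the post above, added here as an example (it is not code from the original post or from Safer Networking): each path the thread names is opened directly by full name and that result is compared with what directory enumeration returns, since a hook that filters listings usually leaves direct access working. The Spybot install path and the %APPDATA% fallback are assumptions.

```python
import os
from pathlib import Path
from typing import Callable, Dict, List

# Locations named in the thread. %APPDATA% is the "Application Data" folder of
# the current account on Windows XP; the fallback string is a constructed
# placeholder so the script stays runnable elsewhere.
APPDATA = os.environ.get("APPDATA", r"C:\Documents and Settings\<account>\Application Data")
SUSPECT_PATHS: List[str] = [
    os.path.join(APPDATA, "hidn"),              # the folder itself is reported hidden
    os.path.join(APPDATA, "hidn", "hidn.exe"),
    os.path.join(APPDATA, "hidn", "hidn1.exe"),
    os.path.join(APPDATA, "hidn", "m_hook.sys"),
]
# Assumed default install location of Spybot-S&D (not stated in the thread).
SPYBOT_EXE = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                          "Spybot - Search & Destroy", "SpybotSD.exe")


def cross_view_check(path: str,
                     list_dir: Callable[[str], List[str]] = os.listdir) -> Dict[str, object]:
    """Compare two views of one path: direct access by name vs. parent enumeration.

    'reachable but not listed' is the discrepancy a user-mode hiding hook leaves
    behind; list_dir is injectable so the check can be exercised offline.
    """
    p = Path(path)
    reachable = p.exists()                      # direct open by full name
    try:
        listed = p.name.lower() in {n.lower() for n in list_dir(str(p.parent))}
    except OSError:
        listed = False                          # parent not enumerable at all
    return {"path": str(p), "reachable": reachable, "listed": listed,
            "hidden_from_listing": reachable and not listed}


def scan(paths: List[str] = SUSPECT_PATHS,
         list_dir: Callable[[str], List[str]] = os.listdir) -> List[Dict[str, object]]:
    """Return only the paths that exist, flagging those missing from enumeration."""
    return [r for r in (cross_view_check(p, list_dir) for p in paths) if r["reachable"]]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
    # The quick test from the post: Spybot installed but its executable gone.
    print("spybotsd.exe present:", Path(SPYBOT_EXE).exists())
```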
Solution to get rid of the virus
In my case, a manual delete of the directory & corresponding files:
# %UserProfile%\Anwendungsdaten\hidn\hidn.exe - copy of the worm
# %UserProfile%\Anwendungsdaten\hidn\m_hook.sys - Trojan.Rootserv
did not help directly, and a heavier infection led to the problem that I was no longer able to install a firewall, antivirus, etc. as mentioned...
Neither could the registry entries be deleted at first sight...
To be able to delete the registry entries, I had to (as root):
- disallow access to these entries for the user System
- reboot the system
- access the registry and change/delete the entries as I liked...
In another case, another entry was locked by a chain of access rights from a user "creator/owner". The solution here was to delete this user right (as admin again), delete it via "erweitert/extended" and uncheck the box of inherited rights.
Hope this helps future users.
Yes, same registry entries.
Thanks for the "welcome", LonnyRJones,
and forgive me if I posted here...
I apologize to Corscaria too...
I found these entries in the registry:
hidn.exe
m_hook.sys
and I suppose I'm infected by the same rootkit too, but I don't know how to remove these entries and the files without help from Spybot.
I tried to remove the entries manually, but they are still there again.
Am I allowed to keep replying here, or is it better to open another post..?
Thanks
Chya