Results 1 to 7 of 7

Thread: hidn rootkit prevents spybotsd.exe creation on install

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    1

    Default hidn rootkit prevents spybotsd.exe creation on install

    i just removed what seems to be a rootkit from my system.
    the rootkit is composed of 3 files
    C:\Documents and Settings\<account>\Application Data\hidn\hidn.exe
    C:\Documents and Settings\<account>\Application Data\hidn\hidn1.exe
    C:\Documents and Settings\<account>\Application Data\hidn\m_hook.sys
    no hits for hidn.exe or hidn1.exe on google
    m_hook.sys however is listed as part of a rootkit with the files hidires.exe and hidires1.exe
    obviously this is a new variant

    this is how it seems to work, from the fight i just had with it:

    m_hook.sys is the actual rootkit
    hidn.exe deletes regedit, spybotsd.exe (and prevents creation on install), hides hidn1.exe from the tasklist, and makes it's folder invisible (even when hidden and system files are visible)
    hidn1.exe hides hidn.exe from the tasklist and explorer

    occassionally firefox psuedo-crashes (crash window, but keeps working 100% unless you click ok on the crash window), which i believe is the rootkit trying to contact home.

    i have hidn.exe and m_hook.sys archived for analysis unfortuneately hidn1.exe was irreperably mangled while i ripped it from my system. I'll be sending what i have to trend micro (my fave virus/trojan/worm/etc scanner). If Safer Networking would like a copy to analyze PM me. I will only give this to people with moderator access, to prevent misuse.

    If Spybot seems to fully install for you without problem, but wont execute, see if spybotsd.exe exists. if it doesn't this could be your problem.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,606
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jan 2007
    Posts
    1

    Default solution to get rid of virus

    In my case, a manual delete of the directory & corresponding files:
    # %UserProfile%\Anwendungsdaten\hidn\hidn.exe - Kopie des Wurms
    # %UserProfile%\Anwendungsdaten\hidn\m_hook.sys - Trojan.Rootserv
    did not help directly, and a heavier infection lead to the rpoblem, that I was not able anymore to install firewall, antivirus, etc... as mentioned...

    Neither the registry-entries could get deleted at first sight...

    To be able to delete the registry entries, I had to (as root)
    - disallow the access to these entries for the user System
    - reboot the system
    - access the registry and change/delete the entries as I liked...

    in another case, another entry, was locked by a chain of access rights from a user "creator/owner". the solution here was to delete this user right (as admin again) and delete it via "erweitert/extended" and uncheck the box of heredated rights.

    Hope this helps for future users.

  4. #4
    Junior Member
    Join Date
    Jan 2007
    Posts
    2

    Default Help for removing..

    Hi everyone,
    tnx a lot for this post, i have the same problem. how can i remove these items from system..?

    i'm tryed to find a way without a solution, even if i install spybot on another machine then compress the folder and decompress on my system, the exe files are destroied...

    how can i "disallow the access to these entries for the user System"...?

    tnx
    Chya

    ps. i had problem also installing nod antivirus..
    Last edited by Chya42; 2007-01-08 at 12:48.

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Welcome to the forum Chya42
    Im assuming you have the files listed above ? or is it just that SpyBot wont run ?

    Please go here and follow instructions.
    http://forums.spybot.info/showthread.php?t=288
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #6
    Junior Member
    Join Date
    Jan 2007
    Posts
    2

    Default Yes, same registry entries

    Thanks for the "welcome" LonnyRJones
    and forgive me if i posted here..
    I apologize to Corscaria too..

    i found these entries in the registry

    hidn.exe
    m_hook.sys

    and a supposed i'm infected too by the same rootkit, but i don't know how remove these entries and the files too without help from spybot.
    i tried to remove the entries manually but they still there again.

    am i allowed to keep replying here or it's better open another post..?

    tnx
    Chya

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Quote Originally Posted by Chya42 View Post
    am i allowed to keep replying here or it's better open another post..?
    Chya:

    By referring to the instructions for posting in the Malware Removal forum, I believe that Lonny was suggesting that open a new post in that forum.

    Quote Originally Posted by LonnyRJones View Post
    Please go here and follow instructions.
    http://forums.spybot.info/showthread.php?t=288
    The thread referenced above ("BEFORE you POST" -Preliminary Steps) contains the instructions for running preliminary scans, producing logs and posting in Malware Removal forum. After completing those steps, start a new thread (topic) in the following forum (making sure to include the HijackThis and online scan logs produced from the instructions above):

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz IntelŪ PentiumŪ 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •