General discussion

Radmin infestation

By BHunsinger ·
Last month we noticed a spike in CPU usage in Task Manager on one of our W2K Advanced Servers.
Discovered some strange files in the root of the boot volume, i.e., lolipop.bat, ... SBSD identified Haxdoor-H as present and supposedly removed the related files.
We keep getting an item in the system tray called radmin. The associated website does not help at all, and we can't remove it; it just keeps coming back.
It seems to be a piece of freeware that got used to create a hack. This was not installed locally.
Running Symantec Corporate Edition 7.6, fully updated.


by BHunsinger In reply to Radmin infestation

Here are the names and locations of some of those files:

Found and deleted: blubb.ini, drk.exe, blubb.exe, raspp.ini
Unidentified services: up.exe, msservice.exe
Files in root: lollypop.bat, aux.exe
Files in root of the Windows NT folder: blubb.ini, earlogs.bat, earlogs.exe, fbort.exe, info.exe, install.bat, ramin.exe, raspp.dll, reglocs, setit.exe, sysdir.bat, sysdir.exe, dcpsyssrv.bat, dcpsyss.exe, clock.avi

by ippirate In reply to Radmin infestation

It would appear that you have a few possibly infectious files still present. Some of the files you have posted are legit at first glance. Posted below are the links to sites describing the possibly malicious files; these include info.bat:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zins.html

http://www.2-spyware.com/remove-info.html

http://www.2-spyware.com/file-install-bat.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.coflop@mm.html

The files sysdir.bat and sysdir.exe, assuming they are the same ones, are legit. They are found at the link below for the MDAC update.

http://support.microsoft.com/default.aspx?scid=kb;en-us;238239

up.exe: check here; it may be malicious. I found it on the Microsoft site as well.
http://search.symantec.com/custom/us/query.html

msservice.exe
C:\WINDOWS\System32\msservice.exe
Kaspersky Anti-Virus: Trojan.Win32.Agent.b
http://translate.google.com/translate?sourceid=navclient-menuext&hl=en&u=http%3A%2F%2Fwww%2Etrojaner%2Dboard%2Ecom%2Fprintthread%2Ephp%3Ft%3D7952


A few things that I would suggest to start.

One, read through the data above; it's a lot, but such is life.

Two, Scan the disk remotely from a known clean machine.

Three, Scan with more than just Symantec

Four, Update Symantec to latest release once everything is resolved if you can.

Finally, run through the information above and make what removals you can. Post back what still comes up and I'll take a look again tomorrow to see where we can go from there.

Sorry I couldn't be more help in the immediate.

J

by BHunsinger In reply to

These things had been done already.

by razz2 In reply to Radmin infestation

I would add one link to ippirate's list:

http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=40174

Good Luck,

razz

by sgt_shultz In reply to Radmin infestation

Does radmin show up in Services? It is a remote control utility that came with NT, if it is the same radmin I know. Boy, I think that name, Haxdoor-H, says it all. But you could check the virus encyclopedia at Symantec Security Response's hoax list in hopes it is a hoax. When you say you can't remove it, what are you doing for the removal process? Be in Safe Mode. Make sure you are not connected to the Internet until you have cleaned, rebooted and rescanned a few times (off the Internet). Do you have a firewall on this box? What activity is reported? What did lolipop.bat have in it when you looked at it with Notepad, after renaming it to lolipop.bax?

If I had a trojan (remote control agent) on my server box I would consider repartitioning the HD and reinstalling the OS after carefully virus scanning and backing up my data on that box, as an exercise to help me devise or test my disaster recovery plan, and because I would have to do back flips to be sure my system was unadulterated after who knows who had access to my box. How did this virus get by your protection? You must figure this out right away IMHO so you can plug the hole in the new installation.
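
Both ippirate's advice to scan the disk from a known-clean machine and sgt_shultz's questions (does radmin show up in Services, what did lolipop.bat contain) boil down to an offline sweep of the suspect volume. The script below is an added example written for this thread, not code from any poster, from Symantec or from Microsoft. It walks a volume mounted read-only on a clean machine, flags the file names BHunsinger listed (sysdir.bat and sysdir.exe are left out because ippirate traced them to the MDAC update), hashes every hit so it can be compared or submitted later, and reads each .bat it meets for commands that create accounts or persistence. The mount point, the keyword list and the constructed sample files in `demo()` are my assumptions; only the IOC names come from the thread.

```python
"""Offline IOC sweep for the files reported in this thread.

Added example, not a poster's code. Run on a known-clean machine against the
suspect volume mounted read-only (the mount point is an assumption).
"""
import hashlib
import os
import re
import tempfile

# File names from BHunsinger's post, lower-cased for case-insensitive matching.
# sysdir.bat / sysdir.exe are left out because ippirate traced them to the
# MDAC update.
IOC_NAMES = {
    "lolipop.bat", "lollypop.bat", "aux.exe", "blubb.ini", "blubb.exe",
    "drk.exe", "raspp.ini", "raspp.dll", "up.exe", "msservice.exe",
    "earlogs.bat", "earlogs.exe", "fbort.exe", "info.exe", "install.bat",
    "ramin.exe", "setit.exe", "dcpsyssrv.bat", "dcpsyss.exe", "clock.avi",
    "reglocs",
}

# Batch-file commands that, on a server, point at account creation or
# persistence rather than housekeeping (my choice of keywords, an assumption).
SUSPICIOUS_BAT = re.compile(
    r"\b(net\s+user|net\s+localgroup|sc\s+create|reg\s+add|"
    r"attrib\s+\+h|tftp\b|ftp\s+-s)",
    re.IGNORECASE,
)


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def batch_hits(path):
    """Return the suspicious command fragments found in a batch file."""
    try:
        with open(path, "r", errors="replace") as f:
            text = f.read()
    except OSError:
        return []
    return sorted({m.group(0).lower() for m in SUSPICIOUS_BAT.finditer(text)})


def sweep(root):
    """Walk the volume and return one finding per file worth a look.

    A finding is {"path", "reasons", "sha256"}. os.walk does not follow
    directory symlinks by default, so a crafted link cannot pull the sweep
    off the volume.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            reasons = []
            if lname in IOC_NAMES:
                reasons.append("name in thread IOC list")
            hits = batch_hits(path) if lname.endswith(".bat") else []
            if hits:
                reasons.append("batch file runs: " + ", ".join(hits))
            if reasons:
                findings.append(
                    {"path": path, "reasons": reasons, "sha256": sha256_file(path)}
                )
    return findings


def demo():
    """Build a constructed sample volume in a temp dir and sweep it.

    The file contents are made up for this example; only the names come
    from the thread.
    """
    root = tempfile.mkdtemp(prefix="suspect-")
    winnt = os.path.join(root, "WINNT")
    os.makedirs(winnt)
    samples = {
        os.path.join(root, "lolipop.bat"):
            "@echo off\r\nnet user helpdesk p4ss /add\r\n"
            "net localgroup administrators helpdesk /add\r\n",
        os.path.join(winnt, "raspp.dll"): "MZ placeholder, not a real DLL",
        os.path.join(root, "readme.txt"): "nothing to see here",
        os.path.join(winnt, "backup.bat"):
            "@echo off\r\nxcopy c:\\data d:\\backup /s\r\n",
    }
    for path, content in samples.items():
        with open(path, "w") as f:
            f.write(content)
    return sweep(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["sha256"][:16], finding["path"], "|", "; ".join(finding["reasons"]))
```

Two practical notes. Mounting the disk on another machine is not only about trusting the scanner: a file literally named aux.exe is hard even to delete from the running system, because AUX is a reserved device name under Win32 and the normal path-based tools refuse it. And a name match is only a lead; keep the SHA-256 so the file can be compared against a clean install or submitted to a vendor, and treat the sweep as triage ahead of the rebuild sgt_shultz recommends, not as a cleaning step.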

by zlitocook In reply to Radmin infestation

I would check the backups for the last year to see if the files are on them, then I would call the FBI to see what they say about the problem. I say this because they can tell if your network has been hacked, and what you should do next. If your server has files and programs that should not be there, someone has put them there. It is very hard to find things that a good hacker has installed on your servers. If your company is a bank, credit card or other public company, there are a ton of new things you have to do if you suspect your network has been hacked. I would promote the BDC to PDC and wipe the drive and reinstall. Then reinstall the known good backups.
A good server is a bad thing to give to a hacker!

by d'solve IT In reply to Radmin infestation

Hi,

Have you downloaded the Windows AntiSpyware beta? It's available at microsoft.com; see the first link under Popular Downloads on the home page.

Though this is beta software, it does a good job of cleaning your system (registry entries), disabling/shutting down illegitimate services and stopping known spyware/adware.

Once this is done, reboot your system (if you are a bit wary of continuing with beta software, remove the AntiSpyware) and run a full scan of your system with Symantec.

Good Luck
