February 10, 2005 at 12:26 pm #2174973
Radmin infestation
by bhunsinger · about 19 years, 1 month ago
Last month we noticed a spike in CPU usage by Task Manager on one of our W2K Advanced Servers.
Discovered some strange files in the root of the boot volume, i.e., lolipop.bat, …SBSD identified Haxdoor-H present and supposedly removed related files.
We keep getting an item in the system tray called radmin. The associated website does not help at all, and we can't remove it; it just keeps coming back.
It seems to be a piece of freeware that got used to create a hack. This was not installed locally.
Running Symantec Corporate Edition 7.6, fully updated.
February 10, 2005 at 1:45 pm #3338391
Reply To: Radmin infestation
by bhunsinger · about 19 years, 1 month ago
In reply to Radmin infestation
Here are the names and locations of some of those files: blubb.ini, drk.exe, blubb.exe, raspp.ini found and deleted.
Unidentified services: up.exe, msservice.exe.
Files in root: lollypop.bat, aux.exe.
Files in root of Windows NT folder: blubb.ini, earlogs.bat, earlogs.exe, fbort.exe, info.exe, install.bat, ramin.exe, raspp.dll, reglocs, setit.exe, sysdir.bat, sysdir.exe, dcpsyssrv.bat, dcpsyss.exe, clock.avi
February 10, 2005 at 3:17 pm #3338352
Reply To: Radmin infestation
by ippirate · about 19 years, 1 month ago
In reply to Radmin infestation
It would appear that you have a few possible infectious files still present. Some of the files you have posted are legit at first glance. Posted below are the links to sites describing the possible malicious files; these include info.bat:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zins.html
http://www.2-spyware.com/remove-info.html
http://www.2-spyware.com/file-install-bat.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.coflop@mm.html
The files sysdir.bat, sysdir.exe, assuming all equal, are legit. Found at link below for MDAC update.
http://support.microsoft.com/default.aspx?scid=kb;en-us;238239
up.exe: check here, it may be malicious; I found it on the Microsoft site as well.
http://search.symantec.com/custom/us/query.html
msservice.exe
C:\WINDOWS\System32\msservice.exe
Kaspersky anti-virus
Trojan.Win32.Agent.b
http://translate.google.com/translate?sourceid=navclient-menuext&hl=en&u=http%3A%2F%2Fwww%2Etrojaner%2Dboard%2Ecom%2Fprintthread%2Ephp%3Ft%3D7952
Few things that I would suggest to start.
Read through the data above; it's a lot, but thus is the life.
Two, scan the disk remotely from a known clean machine.
Three, scan with more than just Symantec.
Four, update Symantec to the latest release once everything is resolved, if you can.
Finally, run through the information above and make what removals you can. Post back what still comes up and I'll take a look again tomorrow to see where we can go from there.
Sorry I couldn't be more help in the immediate.
J
February 16, 2005 at 10:54 am #3349056
Reply To: Radmin infestation
by bhunsinger · about 19 years, 1 month ago
In reply to Reply To: Radmin infestation
These things had been done already
February 13, 2005 at 7:46 am #3337927
Reply To: Radmin infestation
by razz2 · about 19 years, 1 month ago
In reply to Radmin infestation
I would add one link to ippirate’s list:
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=40174
Good Luck,
razz
February 14, 2005 at 5:34 am #3336365
Reply To: Radmin infestation
by sgt_shultz · about 19 years, 1 month ago
In reply to Radmin infestation
Does radmin show up in Services? It is a remote control utility that came with NT, if it is the same radmin I know. Boy, I think that name, haxdoor-h, says it all. But you could check the virus encyclopedia at Symantec Security Response hoax list in hopes it is a hoax. When you say you can't remove it, what are you doing for the removal process? Be in safe mode. Make sure you are not connected to the internet until you have cleaned, rebooted and rescanned a few times (off internet). You have a firewall on this box? What activity is reported? What did lolipop.bat have in it when you looked at it with Notepad, after renaming it to lolipop.bax?
If I had a trojan (remote control agent) on my server box I would consider repartitioning the HD and reinstalling the OS after carefully virus scanning and backing up my data on that box, as an exercise to help me devise or test my disaster recovery plan, and because I would have to do back flips to be sure my system was unadulterated after who knows who had access to my box. How did this virus get by your protection? You must figure this out right away, IMHO, so you can plug the hole in the new installation.
February 15, 2005 at 7:06 pm #3349236
Reply To: Radmin infestation
by zlitocook · about 19 years, 1 month ago
In reply to Radmin infestation
I would check the backups for the last year to see if the files are on them, then I would call the FBI to see what they say about the problem. I say this because they can tell if your network has been hacked, and what you should do next. If your server has files and programs that should not be there, someone has put them there. It is very hard to find things that a good hacker has installed on your servers. If your company is a bank, credit card or other public company there are a ton of new things you have to do if you suspect your network has been hacked. I would promote the BDC to PDC and wipe the drive and reinstall. Then reinstall the known good backups.
A good server is a bad thing to give to a hacker!
February 16, 2005 at 10:42 pm #3348806
Reply To: Radmin infestation
by d’solve it · about 19 years, 1 month ago
In reply to Radmin infestation
Hi,
Have you downloaded the Windows AntiSpyware beta? It's available at microsoft.com; see the first link under Popular Downloads on the home page.
Though this is beta software, it does a good job of cleaning your system (registry entries) and disabling/shutting down illegitimate services and stopping known spyware/adware.
Once this is done, reboot your system (if you are a bit wary of continuing with beta software, remove the SpyWare) and run a full scan of your system with Symantec.
Good Luck
February 23, 2005 at 11:09 am #3334295
Reply To: Radmin infestation
by bhunsinger · about 19 years, 1 month ago
In reply to Reply To: Radmin infestation
This has already been done
February 23, 2005 at 1:44 pm #3334237
Reply To: Radmin infestation
by beantolol · about 19 years, 1 month ago
In reply to Radmin infestation
try disabling it from the services.
in the administrative tools, go to services, find “Remote Administration Tools”. Stop that service, and disable it.
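A triage helper added by the editor, not code from anyone in this thread: it parses constructed `sc qc` style service output (the same binary-path information the Services console shows) and flags a service whose program matches a file name reported above, sits in the volume root, or has a reserved DOS device base name such as aux, which is one reason a file like aux.exe resists ordinary deletion. Python is used so output captured from the server can be checked offline on a known clean machine; the service names and sample output are constructed.

```python
import re
from pathlib import PureWindowsPath
# File names reported by bhunsinger in this thread, used here as a watch list.
REPORTED_NAMES = {"lolipop.bat", "lollypop.bat", "aux.exe", "blubb.ini", "blubb.exe",
    "drk.exe", "raspp.ini", "raspp.dll", "up.exe", "msservice.exe", "earlogs.bat",
    "earlogs.exe", "fbort.exe", "info.exe", "install.bat", "ramin.exe", "setit.exe",
    "sysdir.bat", "sysdir.exe", "dcpsyssrv.bat", "dcpsyss.exe", "clock.avi"}
# Legacy DOS device names: Win32 resolves "aux.exe" to the AUX device, so such a
# file cannot be opened or deleted through an ordinary path (Explorer, del).
RESERVED_DEVICES = ({"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)}
                    | {f"lpt{i}" for i in range(1, 10)})

def parse_sc_qc(text):
    """Map service name -> program path from concatenated 'sc qc <name>' output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+)", line)
        if m and current:
            # Keep the program path only: a quoted path or the first token.
            prog = re.match(r'"([^"]+)"|(\S+)', m.group(1).strip())
            services[current] = prog.group(1) or prog.group(2)
    return services

def assess(binary_path):
    """Reasons a service binary deserves a closer look; empty list if none."""
    p = PureWindowsPath(binary_path)
    name, reasons = p.name.lower(), []
    if name in REPORTED_NAMES:
        reasons.append("file name reported in this thread")
    if name.split(".")[0] in RESERVED_DEVICES:
        reasons.append("base name is a reserved DOS device name")
    if p.anchor and p.parent == PureWindowsPath(p.anchor):
        reasons.append("binary sits in the root of the volume")
    return reasons

def triage(sc_output):
    """Return only flagged services, name -> reasons."""
    return {s: r for s, path in parse_sc_qc(sc_output).items() if (r := assess(path))}

# Constructed sample in the shape of 'sc qc' output, not captured from the poster's server.
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: radmin
        BINARY_PATH_NAME   : C:\WINNT\ramin.exe
SERVICE_NAME: upsvc
        BINARY_PATH_NAME   : C:\up.exe
SERVICE_NAME: auxsvc
        BINARY_PATH_NAME   : "C:\aux.exe" -service
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\WINNT\system32\spoolsv.exe
"""
```

Run `triage(SAMPLE_SC_OUTPUT)` to get the three suspicious entries with their reasons; a flagged service is a lead to investigate from a clean machine, not proof of compromise on its own.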
March 15, 2005 at 12:35 pm #3351916
Reply To: Radmin infestation
by bhunsinger · about 19 years ago
In reply to Reply To: Radmin infestation
Thanks to everyone, but the simple things were all done before posting the question. It looks like a wipe and reinstall is the only answer.
March 15, 2005 at 12:35 pm #3351915
Reply To: Radmin infestation
by bhunsinger · about 19 years ago
In reply to Radmin infestation
This question was closed by the author