  • #2174973

    Radmin infestation

    Locked

    by bhunsinger ·

    Last month we noticed a spike in CPU usage by Task Manager on one of our W2K Advanced Servers.
    Discovered some strange files in the root of the boot volume, i.e., lolipop.bat, …SBSD identified Haxdoor-H present and supposedly removed related files.
    We keep getting an item in the system tray called radmin. The associated website does not help at all, and we can't remove it; it just keeps coming back.
    It seems to be a piece of freeware that got used to create a hack. This was not installed locally.
    Running Symantec Corporate Edition 7.6, fully updated.

All Comments

    • #3338391

      Reply To: Radmin infestation

      by bhunsinger ·

      In reply to Radmin infestation

      Here are the names and locations of some of those files: blubb.ini, drk.exe, blubb.exe, raspp.ini found and deleted.
      Unidentified services: up.exe, msservice.exe.
      Files in root: lollypop.bat, aux.exe.
      Files in root of Windows NT folder: blubb.ini, earlogs.bat, earlogs.exe, fbort.exe, info.exe, install.bat, ramin.exe, raspp.dll, reglocs, setit.exe, sysdir.bat, sysdir.exe, dcpsyssrv.bat, dcpsyss.exe, clock.avi.

    • #3338352

      Reply To: Radmin infestation

      by ippirate ·

      In reply to Radmin infestation

      It would appear that you have a few possibly infectious files still present. Some of the files you have posted are legit at first glance. Posted below are the links to sites describing the possibly malicious files; these include info.bat:

      http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zins.html

      http://www.2-spyware.com/remove-info.html

      http://www.2-spyware.com/file-install-bat.html

      http://securityresponse.symantec.com/avcenter/venc/data/w32.coflop@mm.html

      The files sysdir.bat and sysdir.exe, assuming all equal, are legit. Found at the link below for the MDAC update.

      http://support.microsoft.com/default.aspx?scid=kb;en-us;238239

      up.exe: check here, it may be malicious; I found it on the Microsoft site as well.
      http://search.symantec.com/custom/us/query.html

      msservice.exe
      C:\WINDOWS\System32\msservice.exe
      Kaspersky Anti-Virus: Trojan.Win32.Agent.b
      http://translate.google.com/translate?sourceid=navclient-menuext&hl=en&u=http%3A%2F%2Fwww%2Etrojaner%2Dboard%2Ecom%2Fprintthread%2Ephp%3Ft%3D7952

      A few things that I would suggest to start.

      One, read through the data above; it's a lot, but such is the life.

      Two, scan the disk remotely from a known clean machine.

      Three, scan with more than just Symantec.

      Four, update Symantec to the latest release once everything is resolved, if you can.

      Finally, run through the information above and make what removals you can. Post back out what still comes up and I’ll take a look again tomorrow to see where we can go from there.

      Sorry I couldn't be more help in the immediate.

      J

    • #3337927

      Reply To: Radmin infestation

      by razz2 ·

      In reply to Radmin infestation

      I would add one link to ippirate’s list:

      http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=40174

      Good Luck,

      razz

    • #3336365

      Reply To: Radmin infestation

      by sgt_shultz ·

      In reply to Radmin infestation

      Does radmin show up in Services? It is a remote control utility that came with NT, if it is the same radmin I know. Boy, I think that name, Haxdoor-H, says it all. But you could check the virus encyclopedia at Symantec Security Response's hoax list in hopes it is a hoax. When you say you can't remove it, what are you doing for the removal process? Be in Safe Mode. Make sure you are not connected to the internet until you have cleaned, rebooted and rescanned a few times (off the internet). You have a firewall on this box? What activity is reported? What did lolipop.bat have in it when you looked at it with Notepad, after renaming it to lolipop.bax?
      If I had a trojan (remote control agent) on my server box, I would consider repartitioning the HD and reinstalling the OS after carefully virus scanning and backing up my data on that box, as an exercise to help me devise or test my disaster recovery plan, and because I would have to do back flips to be sure my system was unadulterated after who knows who had access to my box. How did this virus get by your protection? You must figure this out right away, IMHO, so you can plug the hole in the new installation.

    • #3349236

      Reply To: Radmin infestation

      by zlitocook ·

      In reply to Radmin infestation

      I would check the backups for the last year to see if the files are on them, then I would call the FBI to see what they say about the problem. I say this because they can tell if your network has been hacked, and what you should do next. If your server has files and programs that should not be there, someone has put them there. It is very hard to find things that a good hacker has installed on your servers. If your company is a bank, credit card or other public company, there are a ton of new things you have to do if you suspect your network has been hacked. I would promote the BDC to PDC and wipe the drive and reinstall. Then reinstall the known good backups.
      A good server is a bad thing to give to a hacker!

    • #3348806

      Reply To: Radmin infestation

      by d’solve it ·

      In reply to Radmin infestation

      Hi,

      Have you downloaded the Windows AntiSpyware beta? It's available at microsoft.com; see the first link under Popular Downloads on the home page.

      Though this is beta software, it does a good job of cleaning your system (registry entries), disabling/shutting down illegitimate services and stopping known spyware/adware.

      Once this is done, reboot your system (if you are a bit wary of continuing with beta software, remove the SpyWare) and run a full scan of your system with Symantec.

      Good Luck

    • #3334237

      Reply To: Radmin infestation

      by beantolol ·

      In reply to Radmin infestation

      Try disabling it from Services.

      In Administrative Tools, go to Services, find "Remote Administration Tools". Stop that service, and disable it.
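      A report-only triage script, added here as an illustration and not posted by anyone in the thread, that checks the boot-volume root and Windows folders for the file names bhunsinger listed and reports services pointing at those files or named after radmin / "Remote Administration Tools". It assumes a modern PowerShell host (it would not run on the Windows 2000 box itself) and that the file and service names are taken from this thread only.

```powershell
# Added triage script (not from the thread). Reports only; it stops and disables nothing.
# Names below are exactly the ones posted in the thread; adjust to your own findings.
$RootFiles = 'lolipop.bat','lollypop.bat','aux.exe','blubb.ini','drk.exe','blubb.exe','raspp.ini'
$WinFiles  = 'blubb.ini','earlogs.bat','earlogs.exe','fbort.exe','info.exe','install.bat',
             'ramin.exe','raspp.dll','reglocs','setit.exe','sysdir.bat','sysdir.exe',
             'dcpsyssrv.bat','dcpsyss.exe','clock.avi','up.exe','msservice.exe'

function Find-PostedFiles {
    # Enumerate each folder and compare names instead of calling Test-Path on each
    # candidate: aux.exe carries a reserved DOS device name, and path-based calls on
    # such names are unreliable (which is one reason malware picks them).
    $targets = @(
        @{ Dir = ($env:SystemDrive + '\');                 Names = $RootFiles },
        @{ Dir = $env:SystemRoot;                          Names = $WinFiles  },
        @{ Dir = (Join-Path $env:SystemRoot 'System32');   Names = $WinFiles  }
    )
    foreach ($t in $targets) {
        Get-ChildItem -LiteralPath $t.Dir -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $t.Names -contains $_.Name } |
            # Creation time helps correlate with when the CPU spike started.
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

function Find-SuspectServices {
    $names = @($RootFiles + $WinFiles)
    Get-CimInstance Win32_Service | Where-Object {
        # First token of the binary path, quotes stripped; paths with spaces simply won't match.
        $exe = [System.IO.Path]::GetFileName(([string]$_.PathName -replace '"', '').Split(' ')[0])
        ($names -contains $exe) -or
        ($_.Name -match 'radmin') -or
        ($_.DisplayName -match 'Remote Administration')
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

Find-PostedFiles
Find-SuspectServices
```

      Run it from a clean admin session against the suspect box; anything it lists is a lead to examine and back up before the wipe-and-reinstall that the thread converges on, not a verdict on its own.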

      • #3351916

        Reply To: Radmin infestation

        by bhunsinger ·

        In reply to Reply To: Radmin infestation

        Thanks to everyone, but the simple things were all done before posting the question. It looks like a wipe and reinstall is the only answer.

    • #3351915

      Reply To: Radmin infestation

      by bhunsinger ·

      In reply to Radmin infestation

      This question was closed by the author
