RemAdmin-RemoteAdmin Infection

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

LindaHughes

Thread Starter
Joined
Aug 7, 2004
Messages
7
The computer that holds my web site has Microsoft 2000 Server. When McAfee runs a virus scan the report is as follows:

AdmDll.dll C:\WINNT\system32\AdmDll.dll RemAdmin-RemoteAdmin Program
Move failed (clean failed because the file is not cleanable)

rasvc32.exe C:\WINNT\system32\rasvc32.exe RemAdm-Remote Admin Program Move failed (Clean failed because the file is not cleanable)

ServU-exe. C:\quarantine\Serv-U32.exe ServU-Daemon
Move failed (Clean failed)
This is one that I quarantined a week or so ago when it first showed up.

What do I do to get uninfected? Please help!!
 

LindaHughes

Thread Starter
Joined
Aug 7, 2004
Messages
7
I was able to delete ServU, but not the other 2. In safe mode I get the following message when I attempt to delete them "Cannot delete AdmDll:Access is denied. The source file may be in use." Exact same message for rasvc32.exe. Any idea what to try next?
 
Joined
Jul 26, 2002
Messages
46,349
Download TheKillbox from here:

http://www.downloads.subratam.org/KillBox.zip

Unzip the files to the folder of your choice.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINNT\system32\AdmDll.dll

Now put a tick by Delete on reboot. Also put a check in the box by Unregister .dll before deleting.

Click on the button with the red circle with the X. It will ask for confirmation. Click yes and your computer will reboot.

After restart run kill box again, copy and paste this line the second time:

C:\WINNT\system32\rasvc32.exe

Tick the delete on reboot box again but you will not check the unregister .dll this time. Click the red circle with the X again and it will reboot.

Verify that the files have been deleted.
 

LindaHughes

Thread Starter
Joined
Aug 7, 2004
Messages
7
I have done the procedures listed above 3 times each, twice in the safe mode and once in the regular operating mode. The infected files are still there. There is another one showing up "Memory C:\WINNT\system... RemAdm-RemoteAdmin Program Clean failed". I tried the same procedure on this one thinking that maybe that was why I can't get rid of the other 2, no luck here either. Any more ideas?
Thanks,
Linda
 
Joined
Jul 26, 2002
Messages
46,349
Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download and save the file to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

The log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
 

LindaHughes

Thread Starter
Joined
Aug 7, 2004
Messages
7
Here is the log.
Logfile of HijackThis v1.98.2
Scan saved at 12:14:49 PM, on 9/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\winnt\system32\Project1.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rasvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
O17 - HKLM\System\CS2\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90

Please help.
 
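As an added example (not from the thread, the poster, or HijackThis itself), a small Python parser for the log format pasted above that does what the helper was doing by eye: split out the running processes and the coded entries, list images running from system32 that are not stock Windows 2000 components, and collect the DNS servers from the O17 lines. The sample is a constructed excerpt of the posted log, and the list of stock Windows 2000 image names is my own assumption.

```python
import re

# Constructed excerpt of the HijackThis v1.98.2 log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\system32\Project1.exe
C:\WINNT\system32\rasvc32.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
"""

# Stock Windows 2000 images that normally run from %SystemRoot%\system32
# (assumed allow-list for this example; not something HijackThis ships).
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "msdtc.exe", "llssrv.exe", "regsvc.exe", "mstask.exe",
    "snmp.exe", "winmgmt.exe", "dfssvc.exe", "inetinfo.exe",
}
ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")

def parse_hijackthis(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True          # process list starts here
        elif not line:
            in_procs = False         # blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("code"), m.group("body")))
    return processes, entries

def unknown_system32_processes(processes):
    """Image names running from a system32 folder that are not stock Win2K."""
    flagged = []
    for path in processes:
        folder, _, name = path.lower().rpartition("\\")
        if folder.endswith("\\system32") and name not in KNOWN_SYSTEM32:
            flagged.append(name)
    return flagged

def nameservers(entries):
    """Distinct DNS servers named in O17 entries, in first-seen order."""
    seen = {}
    for code, body in entries:
        if code == "O17" and "NameServer = " in body:
            for ip in body.split("NameServer = ", 1)[1].split(","):
                seen.setdefault(ip.strip(), None)
    return list(seen)
```

Run against the excerpt, the flagged list contains rasvc32.exe, the same file McAfee reported as RemAdm, so the log confirms the program is still running rather than merely sitting on disk.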
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


Restart your computer.


Did you go to this link that I posted before and check out that info?

http://www.sophos.com/virusinfo/analyses/trojradnaga.html
 