
RemAdmin-RemoteAdmin Infection

Discussion in 'Virus & Other Malware Removal' started by LindaHughes, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. LindaHughes

    LindaHughes Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    7
    The computer that holds my web site has Microsoft 2000 Server. When McAfee runs a virus scan the report is as follows:

    AdmDll.dll C:\WINNT\system32\AdmDll.dll RemAdmin-RemoteAdmin Program
    Move failed (clean failed because the file is not cleanable)

    rasvc32.exe C:\WINNT\system32\rasvc32.exe RemAdm-Remote Admin Program
    Move failed (Clean failed because the file is not cleanable)

    ServU-exe. C:\quarantine\Serv-U32.exe ServU-Daemon
    Move failed (Clean failed)
    This is one that I quarantined a week or so ago when it first showed up.

    What do I do to get uninfected? Please help!!
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  3. LindaHughes

    LindaHughes Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    7
    I was able to delete ServU, but not the other 2. In safe mode I get the following message when I attempt to delete them "Cannot delete AdmDll:Access is denied. The source file may be in use." Exact same message for rasvc32.exe. Any idea what to try next?
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Download TheKillbox from here:

    http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to the folder of your choice.

    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINNT\system32\AdmDll.dll

    Now put a tick by Delete on reboot. Also put a check in the box by Unregister .dll before deleting.

    Click on the button with the red circle with the X. It will ask for confirmation. Click yes and your computer will reboot.

    After restart run kill box again, copy and paste this line the second time:

    C:\WINNT\system32\rasvc32.exe

    Tick the delete on reboot box again but you will not check the unregister .dll this time. Click the red circle with the X again and it will reboot.

    Verify that the files have been deleted.
     
  5. LindaHughes

    LindaHughes Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    7
    I have done the procedures listed above 3 times each, twice in the safe mode and once in the regular operating mode. The infected files are still there. There is another one showing up "Memory C:\WINNT\system... RemAdm-RemoteAdmin Program Clean failed". I tried the same procedure on this one thinking that maybe that was why I can't get rid of the other 2, no luck here either. Any more ideas?
    Thanks,
    Linda
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please do this:

    First create a permanent folder somewhere like in My Documents and name it Hijack This.

    Now Click here to download Hijack This. Download and save the file to the Hijack This folder you just created.

    Click on Hijackthis.exe to launch the program.

    Click the "Scan" button. When the scan is finished, the Scan button will become "Save Log"; click that and save the log.

    The log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
     
  7. LindaHughes

    LindaHughes Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    7
    Here is the log.
    Logfile of HijackThis v1.98.2
    Scan saved at 12:14:49 PM, on 9/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\winnt\system32\Project1.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\rasvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\My Documents\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
    O17 - HKLM\System\CS1\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
    O17 - HKLM\System\CS2\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90

    Please help.
     
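The log above is the evidence the removal advice in this thread turns on. What follows is an added example, written for this page and not part of the thread, of HijackThis, or of McAfee, that parses that log and surfaces the two things a responder wants from it: which running executables fall outside a stock Windows 2000 Server baseline, and whether the files McAfee could not move are themselves running processes, which is exactly why a manual delete fails with "the source file may be in use". The baseline set is an assumption built from this log and the sample input is the log copied from the post; neither is an authoritative list.

```python
import re
from collections import namedtuple

HjtLog = namedtuple("HjtLog", "processes entries")

# Constructed sample: the process list and entries from the log posted in
# the thread, copied verbatim so the example runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\winnt\system32\Project1.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rasvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
O17 - HKLM\System\CS2\Services\Tcpip\..\{36CD5378-7ACC-445A-89AF-DD981320A5DD}: NameServer = 64.105.113.138,64.105.97.90
"""

# Files McAfee reported but could not move, from the first post.
DETECTIONS = [r"C:\WINNT\system32\AdmDll.dll", r"C:\WINNT\system32\rasvc32.exe"]

# Assumed baseline (not authoritative): stock Windows 2000 Server binaries
# plus the McAfee, IE and HijackThis executables seen in this log.
BASELINE = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "msdtc.exe", "llssrv.exe", "regsvc.exe", "mstask.exe",
    "snmp.exe", "winmgmt.exe", "dfssvc.exe", "inetinfo.exe", "explorer.exe",
    "frameworkservice.exe", "mcshield.exe", "vstskmgr.exe", "shstat.exe",
    "updaterui.exe", "iexplore.exe", "hijackthis.exe",
}
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt_log(text):
    """Split a HijackThis log into its process list and its R/O entries."""
    processes, entries, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return HjtLog(processes, entries)


def unexpected_processes(log, baseline=BASELINE):
    """Running executables whose file name is not in the baseline."""
    return [p for p in log.processes if basename(p) not in baseline]


def detections_still_loaded(log, detections):
    """True when a flagged path is a running process, so a plain delete
    fails with 'in use'. A DLL never appears in this list; False for a DLL
    only means the log cannot say which process has it mapped."""
    running = {p.lower() for p in log.processes}
    return {d: d.lower() in running for d in detections}


def triage(text, detections=DETECTIONS):
    log = parse_hjt_log(text)
    return {
        "unexpected": unexpected_processes(log),
        "loaded": detections_still_loaded(log, detections),
        "autostart": [d for k, d in log.entries if k == "O4"],
        "dns": [d for k, d in log.entries if k == "O17"],
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section + ":")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

On this log the script flags Project1.exe and rasvc32.exe as the only executables outside the baseline, and reports rasvc32.exe as a live process, which is what keeps its file (and any DLL it has loaded) locked while Windows is running. The O4 and O17 lists are printed for review only; the DNS servers in particular should be checked against what the ISP actually issued before anything is changed.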
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


    Restart your computer.


    Did you go to this link that I posted before and check out that info?

    http://www.sophos.com/virusinfo/analyses/trojradnaga.html
     
Short URL to this thread: https://techguy.org/273218