sub0t.dll trojan (Solved)

Posted on 2004-08-26
Last Modified: 2013-12-04
How can I delete the file c:/winnt/system32/sub0t.dll in Windows NT4 to remove the trojan?
I have set the permission to full control for Administrator, but still access is denied.
Question by: ljetljet
LVL 49

Expert Comment

by:sunray_2003
ID: 11900160
Have you tried to log in in safe mode and then remove it?

Once in safe mode, go to task manager and check out all the processes and make sure to remove unwanted processes as that file might be used by a process.

LVL 32

Expert Comment

by:Luc Franken
ID: 11900181
Hi ljetljet,

It belongs to an IRC bot, and you certainly won't like to have the EXE belonging to it running on your system.
The filename normally used is C:\%windir%\System32\rpcxserv.exe but I've seen it with other filenames.
And you'll probably also see sub0t.ini and sub0t.log

To remove the dll, you'll have to kill the process first.
It should be listed in the processes as "RPC Interface" with a description of "Provides Interface to remote call services over the network".
Reference to info:
http://lists.virus.org/security-basics-0306/msg00395.html

If you can't find it, please use hijackthis which you can download from:
http://www.aumha.org/freeware/freeware.htm
Direct download link => http://www.aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like c:\hjt\hijackthis.exe will do fine.
Run it, click "scan" and then "save log"
Post the entire contents of the logfile here (if you're on a domain, you might want to edit your domainname though)

Greetings,

LucF
Author Comment

by:ljetljet
ID: 11900551
Logfile of HijackThis v1.98.2
Scan saved at 4:24:39 PM, on 8/26/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\soundman.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINPRINT\WINPR32.EXE
C:\Program Files\RMClient\PMCTray.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\su.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\Program Files\RDS\dds.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\RDS\spooler.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINPRINT\NAUDPDC3.DRV
c:\winnt\system32\pstores.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\RDS\BDMTK.EXE
C:\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - Startup: Winpr32.lnk = C:\WINPRINT\WINPR32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = w32x86\2\E_SRCV04.EXE
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1

LVL 32

Accepted Solution

by: Luc Franken (earned 500 total points)
ID: 11900816
C:\WINNT\SYSTEM32\DNTUS26.EXE belongs to Dameware, which is a legal and valid program, but it could be that someone else installed it on your system. So if you didn't know it was there, get rid of it. Some nice reading about it: http:Q_20863588.html

For the rest it looks like a completely clean logfile to me, nothing running that shouldn't be there. So all you have to do is get rid of the dll which is still there.

Try booting into VGA mode and removing the file from there.

LucF


Expert Comment

by:FF1337
ID: 12141874
subot is an IRC bot for the Serv-U FTP server.

Open a cmd
Try to do a "net stop serv-u"
then use the SC tool (sc.exe) included in the Resource Kit to remove the serv-u service:
"sc delete serv-u"

Sometimes Serv-U is modded, so the service name can change.

I was analysing your running processes, and since you've got an NT4 system I found some suspicious files:
SysTray.Exe
SysTray.Exe description: From Microsoft: "Systray.exe is a Windows 95/98/Me tool for system taskbar notifications. The taskbar provides a location for programs and hardware devices to display icons. For example, if your computer supports advanced power management (APM), a Battery Meter icon can appear on the taskbar. The following icons provided by Systray.exe may appear on the taskbar: Battery Meter PC Card Status Volume Control Quickres Task Scheduler."

MsgSys.EXE
msgsys.exe description: File msgsys.exe, that starts a process with the same name, is a component of the client part of LANDesk Management Suite, published by Intel Corporation. This application, consisting of client and server parts, is used in local area networks by system administrators to configure hardware, software, to monitor performance of remote hosts and to perform more specific tasks.

MSTask.exe
MSTask.exe description: Task Scheduler Engine

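The HijackThis log posted above and the process review in the later comments can be partly automated. This Python script is an added example, not code from the thread or from HijackThis: it parses the "Running processes:" section and the O4 autorun lines of a HijackThis-style log and flags executables whose basename matches an artifact named in this thread (sub0t.dll/.ini/.log, rpcxserv.exe, DNTUS26.EXE). The embedded log is constructed for illustration and is not the asker's real log.

```python
import re

# Indicators named in this thread: sub0t IRC bot artifacts plus the DameWare component to review.
INDICATORS = {
    "sub0t.dll": "sub0t IRC bot DLL (locked while the bot process runs)",
    "sub0t.ini": "sub0t IRC bot configuration",
    "sub0t.log": "sub0t IRC bot log",
    "rpcxserv.exe": "typical filename of the bot executable",
    "dntus26.exe": "DameWare remote control; review, remove if unexpected",
}

# Constructed HijackThis-style log for illustration (not the asker's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\rpcxserv.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RPC Interface] C:\WINNT\System32\rpcxserv.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.com
"""

def parse_log(text):
    """Return (processes, autoruns): paths under 'Running processes:' and O4 commands."""
    processes, autoruns, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False          # blank line ends the process section
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)", line)
            if m:
                autoruns.append(m.group(1))
    return processes, autoruns

def flag_entries(entries):
    """Map each entry whose executable basename is a known indicator to its note."""
    hits = {}
    for entry in entries:
        base = entry.rsplit("\\", 1)[-1].split(" ")[0].lower()  # basename heuristic
        if base in INDICATORS:
            hits[entry] = INDICATORS[base]
    return hits
```

Run `parse_log` on a saved HijackThis log and feed both lists to `flag_entries`; anything it reports is what must be stopped (process or service) before the locked DLL can be deleted.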