Solved

sub0t.dll trojan

Posted on 2004-08-26
5
8,143 Views
Last Modified: 2013-12-04
How can I delete the file c:/winnt/system32/sub0t.dll in Windows NT4 to remove the trojan?
I have set the permission to full control for administrator, but still access is denied.
Question by:ljetljet
5 Comments
LVL 49

Expert Comment

by:sunray_2003
ID: 11900160
Have you tried to login in safe mode and then remove it ?

Once in safe mode, go to task manager and check out all the processes and make sure to remove unwanted processes as that file might be used by a process.

LVL 32

Expert Comment

by:Luc Franken
ID: 11900181
Hi ljetljet,

It belongs to an IRC bot, and you certainly won't like to have the EXE belonging to it running on your system.
The filename normally used is C:\%windir%\System32\rpcxserv.exe but I've seen it with other filenames.
And you'll probably also see sub0t.ini and sub0t.log

To remove the dll, you'll have to kill the process first.
It should be listed in the processes as "RPC Interface" with a description of "Provides Interface to remote call services over the network".
Reference to info:
http://lists.virus.org/security-basics-0306/msg00395.html

If you can't find it, please use hijackthis which you can download from:
http://www.aumha.org/freeware/freeware.htm
Direct download link => http://www.aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like c:\hjt\hijackthis.exe will do fine.
Run it, click "scan" and then "save log".
Post the entire contents of the logfile here (if you're on a domain, you might want to edit your domain name though).

Greetings,

LucF

Author Comment

by:ljetljet
ID: 11900551
Logfile of HijackThis v1.98.2
Scan saved at 4:24:39 PM, on 8/26/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\soundman.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINPRINT\WINPR32.EXE
C:\Program Files\RMClient\PMCTray.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\su.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\Program Files\RDS\dds.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\RDS\spooler.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINPRINT\NAUDPDC3.DRV
c:\winnt\system32\pstores.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\RDS\BDMTK.EXE
C:\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - Startup: Winpr32.lnk = C:\WINPRINT\WINPR32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = w32x86\2\E_SRCV04.EXE
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1

LVL 32

Accepted Solution

by: Luc Franken (earned 500 total points)
ID: 11900816
C:\WINNT\SYSTEM32\DNTUS26.EXE belongs to DameWare, which is a legal and valid program, but it could be that someone else installed it on your system. So if you didn't know it was there, get rid of it. Some nice reading about it: http:Q_20863588.html

For the rest it looks like a completely clean logfile to me, nothing running that shouldn't be there. So all you have to do is get rid of the dll which is still there.

Try booting into VGA mode and removing the file from there.

LucF

Expert Comment

by:FF1337
ID: 12141874
subot is an IRC bot for the Serv-U FTP server.

Open a cmd prompt.
Try to do a "net stop serv-u",
then use the SC tool (sc.exe) included in the Resource Kit to remove the serv-u service:
"sc delete serv-u"

Sometimes Serv-U is modded, so the service name can change.

I was analysing your running processes, and since you have an NT4 system I found some suspicious files:
SysTray.Exe
SysTray.Exe description: From Microsoft: "Systray.exe is a Windows 95/98/Me tool for system taskbar notifications. The taskbar provides a location for programs and hardware devices to display icons. For example, if your computer supports advanced power management (APM), a Battery Meter icon can appear on the taskbar. The following icons provided by Systray.exe may appear on the taskbar: Battery Meter PC Card Status Volume Control Quickres Task Scheduler."



MsgSys.EXE

msgsys.exe description: File msgsys.exe, which starts a process with the same name, is a component of the client part of LANDesk Management Suite, published by Intel Corporation. This application, consisting of client and server parts, is used in local area networks by system administrators to configure hardware and software, to monitor performance of remote hosts and to perform more specific tasks.


MSTask.exe
MSTask.exe description: Task Scheduler Engine


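Added example, not code from the thread or from any of its posters: a PowerShell script that carries out the removal sequence the experts describe above (stop and delete the bot's service, kill the process that still holds sub0t.dll open, then move sub0t.dll/.ini/.log and rpcxserv.exe out of System32) on a modern Windows host. The file and service names are the ones quoted in the thread; the quarantine folder, the module scan and the -WhatIf support are assumptions.

```powershell
# Added example: triage and remove the sub0t IRC bot components named in the thread.
# Run from an elevated PowerShell session; use -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # c:\winnt\system32 on the NT4 box in the thread
    [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
)

# Indicators taken from the thread; everything else in this script is an assumption.
$botFiles     = @('sub0t.dll', 'sub0t.ini', 'sub0t.log', 'rpcxserv.exe')
$serviceHints = @('RPC Interface', 'serv-u')

# 1. Find the service that keeps the DLL locked: match the display/service name quoted
#    in the thread, or a binary path that references one of the bot files.
$suspectServices = Get-CimInstance Win32_Service | Where-Object {
    $svc = $_
    ($serviceHints | Where-Object { $svc.DisplayName -eq $_ -or $svc.Name -eq $_ }) -or
    ($botFiles | Where-Object { $svc.PathName -and ($svc.PathName -match [regex]::Escape($_)) })
}

foreach ($svc in $suspectServices) {
    Write-Host "Suspect service: $($svc.Name) ('$($svc.DisplayName)') -> $($svc.PathName)"
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and delete service')) {
        # Same effect as "net stop <name>" followed by "sc delete <name>".
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        & sc.exe delete $svc.Name | Out-Null
    }
}

# 2. Kill any process that still has sub0t.dll loaded; a loaded DLL is what produces
#    "access is denied" when you try to delete it.
foreach ($proc in Get-Process) {
    try { $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq 'sub0t.dll' } }
    catch { continue }   # protected or 32/64-bit-mismatched processes cannot be inspected
    if ($loaded -and $PSCmdlet.ShouldProcess("$($proc.ProcessName) (PID $($proc.Id))", 'Kill process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 3. Quarantine rather than delete, so the files can still be examined afterwards.
$quarantine = Join-Path $env:TEMP 'sub0t-quarantine'   # assumed location
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($name in $botFiles) {
    $path = Join-Path $SystemDir $name
    if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Move to quarantine')) {
        Move-Item -Path $path -Destination $quarantine -Force
    }
}
```

If the service name was changed by a modded build, as FF1337 notes, the binary-path match in step 1 is what still catches it; the display-name match alone would miss it.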