  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8190
  • Last Modified:

sub0t.dll trojan

How can I delete the file c:/winnt/system32/sub0t.dll in Windows NT4 to remove
the trojan?
I have set the permission to full control for Administrator, but access is still denied.
0
Asked: ljetljet
1 Solution
 
sunray_2003 commented:
Have you tried to log in in safe mode and then remove it?

Once in safe mode, go to task manager and check out all the processes and make sure to remove unwanted processes as that file might be used by a process.

0
 
LucF commented:
Hi ljetljet,

It belongs to an IRC bot, and you certainly won't like to have the EXE belonging to it running on your system.
The filename normally used is C:\%windir%\System32\rpcxserv.exe but I've seen it with other filenames.
And you'll probably also see sub0t.ini and sub0t.log

To remove the dll, you'll have to kill the process first.
It should be listed in the processes as "RPC Interface" with a description of "Provides Interface to remote call services over the network".
Reference to info:
http://lists.virus.org/security-basics-0306/msg00395.html

If you can't find it, please use hijackthis which you can download from:
http://www.aumha.org/freeware/freeware.htm
Direct download link => http://www.aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like c:\hjt\hijackthis.exe will do fine.
Run it, click "scan" and then "save log"
Post the entire contents of the logfile here (if you're on a domain, you might want to edit your domainname though)

Greetings,

LucF
0
 
ljetljet (Author) commented:
Logfile of HijackThis v1.98.2
Scan saved at 4:24:39 PM, on 8/26/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\soundman.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINPRINT\WINPR32.EXE
C:\Program Files\RMClient\PMCTray.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\su.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\Program Files\RDS\dds.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\RDS\spooler.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINPRINT\NAUDPDC3.DRV
c:\winnt\system32\pstores.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\RDS\BDMTK.EXE
C:\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - Startup: Winpr32.lnk = C:\WINPRINT\WINPR32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = w32x86\2\E_SRCV04.EXE
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1

0
 
LucF commented:
C:\WINNT\SYSTEM32\DNTUS26.EXE belongs to DameWare, which is a legal and valid program, but it could be that someone else installed it on your system. So if you didn't know it was there, get rid of it. Some nice reading about it: http:Q_20863588.html

For the rest it looks like a completely clean logfile to me, nothing running that shouldn't be there. So all you have to do is get rid of the dll which is still there.

Try booting into VGA mode and removing the file from there.

LucF


0
 
FF1337 commented:
subot is an IRC bot for the Serv-U FTP server.

Open a cmd prompt.
Try doing a "net stop serv-u",
then use the SC tool (sc.exe) included in the Resource Kit to remove the serv-u service:
"sc delete serv-u"

Sometimes Serv-U is modded, so the service name can change.

I was analysing your running processes, and since you have an NT4 system I found some suspicious files:
SysTray.Exe
SysTray.Exe description: From Microsoft: "Systray.exe is a Windows 95/98/Me tool for system taskbar notifications. The taskbar provides a location for programs and hardware devices to display icons. For example, if your computer supports advanced power management (APM), a Battery Meter icon can appear on the taskbar. The following icons provided by Systray.exe may appear on the taskbar: Battery Meter, PC Card Status, Volume Control, Quickres, Task Scheduler."



MsgSys.EXE

msgsys.exe description: File msgsys.exe, which starts a process with the same name, is a component of the client part of LANDesk Management Suite, published by Intel Corporation. This application, consisting of client and server parts, is used in local area networks by system administrators to configure hardware and software, to monitor performance of remote hosts and to perform more specific tasks.


MSTask.exe
MSTask.exe description: Task Scheduler Engine

0
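The removal order that both LucF and FF1337 describe (stop whatever owns the file, then delete it) as an added cmd.exe script; this is not code from the thread. It assumes sc.exe from the Resource Kit is on the PATH, that the bot runs as a service, and the binary name is passed in (rpcxserv.exe and the sub0t.* names come from the thread; the script name is made up):

```batch
@echo off
rem Added example: find the service whose BINARY_PATH_NAME references the
rem given file name, stop and delete it, then remove the bot files that
rem were locked while that process was running.
rem Usage: rmbot.cmd rpcxserv.exe   (the service name itself is not assumed,
rem because, as the thread notes, modded builds rename it)
setlocal
if "%~1"=="" (echo usage: %~n0 ^<binary-name^> & goto :eof)
set TARGET=%~1
set FOUND=

rem Enumerate every service name sc reports, running or not, and check each.
for /f "tokens=1* delims=:" %%a in ('sc query state^= all ^| findstr /b /c:"SERVICE_NAME"') do (
    call :check "%%b"
)
if not defined FOUND (echo no service references %TARGET% & goto :eof)
echo service "%FOUND%" references %TARGET%; stopping and deleting it
net stop "%FOUND%"
sc delete "%FOUND%"
goto :cleanup

:check
rem %1 is the raw text after "SERVICE_NAME:"; tokens=* strips the leading space.
for /f "tokens=*" %%n in ("%~1") do set NAME=%%n
sc qc "%NAME%" | findstr /i /c:"%TARGET%" >nul && set FOUND=%NAME%
goto :eof

:cleanup
rem With the owning process gone the files are no longer locked; the .ini
rem and .log names are the companions LucF mentions.
for %%f in (sub0t.dll sub0t.ini sub0t.log) do (
    if exist "%SystemRoot%\system32\%%f" (
        echo removing %SystemRoot%\system32\%%f
        del /f "%SystemRoot%\system32\%%f"
    )
)
endlocal
```

If no service references the binary, the bot is running as a plain process instead, and the process must be ended (Task Manager or tlist/kill from the Resource Kit) before the :cleanup step will succeed.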
