Solved

sub0t.dll trojan

Posted on 2004-08-26
8,154 Views
Last Modified: 2013-12-04
How can I delete the file c:/winnt/system32/sub0t.dll in Windows NT4 to remove the trojan?
I have set the permission to full control for Administrator, but access is still denied.
Question by: ljetljet
5 Comments

Expert Comment

by: sunray_2003
ID: 11900160
Have you tried to log in under safe mode and then remove it?

Once in safe mode, go to task manager and check out all the processes and make sure to remove unwanted processes as that file might be used by a process.


Expert Comment

by: LucF
ID: 11900181
Hi ljetljet,

It belongs to an IRC bot, and you certainly won't like to have the EXE belonging to it running on your system.
The filename normally used is C:\%windir%\System32\rpcxserv.exe but I've seen it with other filenames.
And you'll probably also see sub0t.ini and sub0t.log.

To remove the dll, you'll have to kill the process first.
It should be listed in the processes as "RPC Interface" with a description of "Provides Interface to remote call services over the network".
Reference to info:
http://lists.virus.org/security-basics-0306/msg00395.html

If you can't find it, please use hijackthis which you can download from:
http://www.aumha.org/freeware/freeware.htm
Direct download link => http://www.aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like c:\hjt\hijackthis.exe will do fine.
Run it, click "scan" and then "save log".
Post the entire contents of the logfile here (if you're on a domain, you might want to edit your domainname though)

Greetings,

LucF
Author Comment

by: ljetljet
ID: 11900551
Logfile of HijackThis v1.98.2
Scan saved at 4:24:39 PM, on 8/26/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\soundman.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINPRINT\WINPR32.EXE
C:\Program Files\RMClient\PMCTray.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\su.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\Program Files\RDS\dds.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\RDS\spooler.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINPRINT\NAUDPDC3.DRV
c:\winnt\system32\pstores.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\RDS\BDMTK.EXE
C:\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - Startup: Winpr32.lnk = C:\WINPRINT\WINPR32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = w32x86\2\E_SRCV04.EXE
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imsbiz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 210.87.250.13 210.87.253.1


Accepted Solution

by: LucF (earned 500 total points)
ID: 11900816
C:\WINNT\SYSTEM32\DNTUS26.EXE belongs to DameWare, which is a legal and valid program, but it could be that someone else installed it on your system. So if you didn't know it was there, get rid of it. Some nice reading about it: http:Q_20863588.html

For the rest it looks like a completely clean logfile to me, nothing running that shouldn't be there. So all you have to do is get rid of the dll which is still there.

Try booting into VGA mode and removing the file from there.

LucF

Expert Comment

by: FF1337
ID: 12141874
Subot is an IRC bot for the Serv-U FTP server.

Open a cmd prompt.
Try to do a "net stop serv-u",
then use the SC tool (sc.exe) included in the Resource Kit to remove the serv-u service:
"sc delete serv-u"

Sometimes Serv-U is modded, so the service name can change.

I was analysing your running processes, and since you have an NT4 system I found some suspicious files:
SysTray.Exe
SysTray.Exe description: From Microsoft: "Systray.exe is a Windows 95/98/Me tool for system taskbar notifications. The taskbar provides a location for programs and hardware devices to display icons. For example, if your computer supports advanced power management (APM), a Battery Meter icon can appear on the taskbar. The following icons provided by Systray.exe may appear on the taskbar: Battery Meter PC Card Status Volume Control Quickres Task Scheduler."



MsgSys.EXE

msgsys.exe description: File msgsys.exe, which starts a process with the same name, is a component of the client part of LANDesk Management Suite, published by Intel Corporation. This application, consisting of client and server parts, is used in local area networks by system administrators to configure hardware and software, to monitor performance of remote hosts and to perform more specific tasks.


MSTask.exe
MSTask.exe description: Task Scheduler Engine

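A defender-side triage of a log in this format, added here as an example and not code posted by anyone in the thread: it parses the "Running processes:" block and the keyed entries (R0, F2, O4, O17 ...) of a HijackThis log, then flags the filenames LucF and FF1337 call out (rpcxserv.exe, sub0t.*, DNTUS26.EXE). The log excerpt and the O4 label "[rpcxserv]" are constructed for the example; the watch list and reasons are taken from the posts above.

```python
import re

# Constructed excerpt in HijackThis v1.98 log format; it is NOT the log posted in the thread.
SAMPLE_LOG = """Logfile of HijackThis v1.98.2

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\SYSTEM32\\DNTUS26.EXE
C:\\WINNT\\System32\\rpcxserv.exe
C:\\hjt\\hijackthis.exe

O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [rpcxserv] C:\\WINNT\\System32\\rpcxserv.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 210.87.250.13 210.87.253.1
"""

# Filenames the thread ties to the bot, plus DNTUS26.EXE (DameWare), which is fine only if you installed it.
WATCH = {
    "rpcxserv.exe": "reported executable of the sub0t IRC bot",
    "sub0t.dll": "bot component", "sub0t.ini": "bot config", "sub0t.log": "bot log",
    "dntus26.exe": "DameWare remote control; verify it was installed on purpose",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # R0, F2, O4, O17 ... entries

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and keyed entries (R0, O4, O17 ...)."""
    procs, entries, in_procs = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:
            in_procs = False          # the blank line ends the process list
        elif (m := ENTRY_RE.match(line)):
            entries.setdefault(m.group(1), []).append(m.group(2))
    return procs, entries

def flag(text):
    """Return (item, reason) pairs for processes or O4 autoruns that name a watched file."""
    procs, entries = parse_hjt(text)
    hits = [(p, WATCH[n]) for p in procs if (n := p.rsplit("\\", 1)[-1].lower()) in WATCH]
    for v in entries.get("O4", []):
        hits += [(f"O4 - {v}", why) for n, why in WATCH.items() if n in v.lower()]
    return hits

if __name__ == "__main__":
    for item, why in flag(SAMPLE_LOG):
        print(f"{item}\n    -> {why}")
```

Feed it the saved HijackThis logfile instead of SAMPLE_LOG to get the same process and O4 review the experts did by hand; anything it flags still needs the "did I install this?" judgement LucF applies to DNTUS26.EXE.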