RemoteAdmin Cum sterg chestia asta?

Salut! Sunt nou pe aici asa ca aveti mila daca nu ma exprim chiar atit de exact.Deci:De ceva timp mi-a aparut jos linga ceas un icon nou  ''R'' Cind pun cursorul pe el imi apare I.P.-ul meu din retea.Ce sa fac? Am inteles ca ar fi un program prin care cineva poate avea acces la computerul meu de la distanta.Cum fac sa scot chestia asta?In ad or remove programe nu apare . Ce sa fac? Multumesc!

parcat75, on Jan 14 2006, 05:37, said:

nici in start/programs nu apare?

Iuzeir Ally, on Jan 14 2006, 05:44, said:

Nu nici in Start/Programe nu apare

parcat75, on Jan 14 2006, 05:48, said:

C:\Documents and Settings\All Users\Start Menu\Programs\Remote Administrator
C:\Program Files\Radmin poate il gasesti aici....dar ca sa il dezinstalezi s-ar putea sa iti ceara parola!!!


se poate ca ti l-a instalat in alta parte da-i un search sau

poti sa scoti procesul din startup:

instaleaza-ti reg cleanerul si il scoti din startup list!

Edited by Iuzeir Ally, 14 January 2006 - 05:59.

Iuzeir Ally, on Jan 14 2006, 05:56, said:

Hai sa fiu mai explicit:
Fata de cele ce am spus mai sus adaug ca:
Aplicatia nu apare in niciuna din cele 2 locatii din C.
Nu apare in StartUp list.
Cind dau sa scaneze Nod32-ul setat la max imi apare o chestie de genul:Application Win32/RemoteAdmin found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.
Nu stiu ce sa mai fac! Va rog ajutati-ma

e direct in system32 probabil, poate redenumit... ia regcleanerul si rezolva-l

Start -> Run -> services.msc și vezi pe acolo

Download HiJackThis , dezarhiveaza, deschide-l, apasa "do a system scan and save a logfile", copiaza ce scrie in log si pune aici.
Download Rootkit Revealer, deschide-l, apasa scan, asteapta sa termine de scanat, apoi din file- alege save si salveaza logul apoi pune-l aici.
Sorry am uitat sa pun lunkul pentru hijackthis.Il downloadezi de aici HijackThis

Edited by SE7EN, 14 January 2006 - 13:19.

SE7EN, on Jan 14 2006, 13:10, said:

Iata ce am gasit cu ;Rootkit;
 RootkitReveal.txt   5.05K   96 downloads

SE7EN, on Jan 14 2006, 13:10, said:

Iata ce am gasit cu Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 13:31:14, on 14.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Application Win32/RemoteAdmin found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\ATKKBService.exe
C:\NVIDIA\NetworkAccessManager\Apache

Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\Apache

Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system\svhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\123\LOCALS~1\Temp\Rar$EX00.844\HijackThis.e

xe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.google.ro/
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper -

{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class -

{65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program

Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program

Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program

Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI

Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program

Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task]

"C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Nod32fix] regedit /s

nod32admincrack.reg
O4 - HKLM\..\Run: [gcasServ] "C:\Program

Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE

TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Skype] "C:\Program

Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Yahoo! Search -

file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary -

file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps -

file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS -

file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) -

{85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender

Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

(YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies

Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service

(ATKKeyboardService) - ASUSTeK COMPUTER INC. -

C:\WINDOWS\ATKKBService.exe
O23 - Service: Forceware Web Interface

(ForcewareWebInterface) - Unknown owner -

C:\NVIDIA\NetworkAccessManager\Apache

Group\Apache2\bin\apache.exe" -k runservice (file

missing)
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG -

C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) -

Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown

owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) -

Unknown owner -

C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: TuneUp WinStyler Theme Service

(TUWinStylerThemeSvc) - TuneUp Software GmbH -

C:\Program Files\TuneUp Utilities

2006\WinStylerThemeSvc.exe

Hai nu o mai zapaciti atat de cap

radmin-ul se scoate direct

ruleaza din start - run - cmd si apoi de acolo

r_server /uninstall

asta opreste serviciul si ce mai are asociat daca ruleaza radmin, apoi se pot sterge linistit fisierell

de curatat poti folosi Ms Antispyware sau poti cauta de mana si sterge
AdmDll.dll
r_server.exe
raddrv.dll
radmin.exe


atat

Download Advanced Process Termination, deschide-l, gaseste procesul asta: C:\WINDOWS\system\svhost.exe, da click pe el si apoi apasa butonul "suspend"
Download Ccleaner, si ruleaza "run cleaner"
Cauta folderul C:\WINDOWS\Prefetch\ si sterge tot ce este in el cu shift delete, in special acest fisier: CMD.EXE-087B4001.pf
Cauta fisierul C:\WINDOWS\system\svhost.exe si sterge-l manual.Pune un nou log de HiJackThis.
Sper ca nu am scapat ceva mi-e greu sa urmaresc logul asa cum l-ai pus  

EDIT:Celestin nu stiu cine a tras concluzia asta ca e remote admin, poate sa fie si asta insa dupa procesul svhost.exe ma indoiesc.Acest proces apartine si viermelui mydoom si este specific si altor viermi si RAT.Concluziile pripite pot duce la solutii gresite.

Edited by SE7EN, 14 January 2006 - 14:16.

SE7EN, on Jan 14 2006, 14:12, said:

Quote

de aici ...

Ca mai are si svhost-uri    este alta problema.

Celestin, on Jan 14 2006, 13:56, said:

Celestin, cind fac ce ai spus apare chestia asta;
,r_server,is not recognized as an internal or external command , operable program or batch file
am incercat de doua ori. Ce sa fac?

daca asta se intampla in timp ce R-ul ala este in bara, atunci inseamna ce a spus Seven mai sus ... nu este Radmin ...daca nu este in bara, atunci este ok mesajul, inseamna ca nu ruleaza.

Fa o cautare pe hdd dupa fisierele care ti le-am spus. Sau foloseste Ms AntiSpyware ca vad ca il ai instalat.

Edited by Celestin, 14 January 2006 - 15:22.

Celestin, on Jan 14 2006, 15:21, said:

Cind am facut ce mi-ai spus intradevar R-ul nu era in bara dar NOD32-ul detecta aplicatia in ;Operating memory.La Ms Antyspy nu apare nimic.
Am sa mai incerc cind o sa apara R-ul linga ceas.
Multumesc!

Quote

nu conteaza daca r-ul apare sau nu in tray, ar trebui sa mearga ce a zis celestin daca ai remote admin.Mai incearca poate are dreptate si o sa scapi de server.
E absolut ok sa incerci ce a sugerat celestin dar intelege ca indiferent daca ai sau nu remote admin, cu siguranta mai e si altceva.Fa cum am zis intr-un post anterior

Quote

intuitia imi spune ca aceasta este problema dar totusi s-ar putea sa ma insel.Fa ce am zis si pune un nou log de HiJackThis.

Linkurile la programe le gasesti in postul de mai sus

Edited by SE7EN, 14 January 2006 - 17:59.

SE7EN, on Jan 14 2006, 17:57, said:

Intuitia ta  a functionat foarte bine se7en dar dupa ce dau restart totul revine la ;normal; adica dupa ma chinui si le sterg asa ca la carte cum m-ai invatat , la restart apar aceleasi probleme.
Aici pun log-ul de la HijackThis inainte de restart:Logfile of HijackThis v1.99.1
Scan saved at 22:33:09, on 14.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\ATKKBService.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\123\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Nod32fix] regedit /s nod32admincrack.reg
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TweakUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Intuitia imi spune ca folosesti un crack.
O4 - HKLM\..\Run: [Nod32fix] regedit /s nod32admincrack.reg

Nu stiu daca e moral sa primesti ajutor aici.