I have the BKDR_RASBA.A and svchsot.exe worm and excutables

Hello,

I have a Web server in my DMZ that was hit with BKDR_RASBA worm. I did a scan on the system using Trend Micros' Housecall. This found the worm and claimed to clean it and some other files, but this thing is still hanging on. I have tried cleaning out the registry, and deleting the files, but it is still there...

This is a W2K Advanced server with plenty of RAM, Proc. speed, and diskspace, and running Norton AntiVirus (NAV) Corporate Edition 7.5.

The server will boot, but initially, I could not launch IE, or any msc tools like Eventviewer or Services. I was getting an error message similar to "the program you are trying to run does not exist, or some of its related dll files". Also, NAV will not load, the services will not start. I can not unload, remove, or reinstall on top of it.

The main files in this worm are SVCHSOT.EXE, MSCOLSRV.EXE, SYSHID.EXE and SERVER.DLL.

Any thoughts on how this happened, how to prevent it, and remove it are greatly appreciated.

 

Hi Levans!

If I have googled correctly, the worm you got is also known as Backdoor Agent...which is a bit hard to remove...

I'd suggest checking the mentioned files with the Jotti online scanner to identify them correctly, and then google for a special removal utility for the identified version.

[size=-1]http://virusscan.jotti.dhs.org/

Good Luck!

Storm
[/size]

 

Hi Levans, welcome to Wilders, have you tried booting into Safe Mode and running a scan with Norton, if it will still run?

You also might try a few of the suggestions found in General Cleaning, there are quite a few very good tools there.

Hope this helps...

Let us know how you go.

Cheers

 

All,

I looked at the general Cleaning, but the directions indicated not to do anything unless I had a working version of my AV software. NAV would not unload for any reason. I also lost the ability to run executables, and many MSI files.

Working with Microsoft, I am able to get the machine to boot, and I can run executables. They even helped me find a document to manually remove NAV.

The Trend Micro scan was the first to identify the virus, and attempted to remove it. However, the little woolybooger ( a highly technical term) was all over the place.

I went into the registry and searched for SVCHSOT.EXE, MSCOLSVR.EXE, SERVER.DLL, and SYSHID.exe. I removed all of the entries I could find and stopped the active processes. I then deleted the files from the \WINNT\SYSTEM32 directory.

I scanned the registry again, and found none of these files.

Were rockin now...or so he thought....

Upon reboot, things did not feel right. I decided to do another registry search and found nothing. Then I decided to do a search on only part of the name: SVCHSOT, MSCOLSRV, SYSHID. Low and behold there were several entries for these. They were listed as SVCHSOT*, MSCOLSRV* and SYSHID*.

I looked at the key and they were coming from IE. I deleted them from the registry, and then launched IE, with the Enet cable unplugged, and deleted the temp directory and cookies.

Now it appears that all remnants are gone! I was ultimately to upgrade to NAV 9.0.

The server is still a little ill. I am having problems with Active Server pages but that is for another forum.

I know this is long winded but hopefully this may help someone else down the road.

My last question: Since I may ultimately rebuild this machine, what are the best tools to have loaded to prevent this from happening again?

thanks, for your time and your efforts to make life a little easier!

 

Thanks for reporting back, I would still run Norton in Safe Mode, together with the programs mentioned in General Cleaning to be certain all has gone and your system is indeed clean.

Things like Process Guard 3, TDS3 and Nod32 would be my starting place.

This is what works really well for me, very simple to use and maintain. You may not want to use all of these programs, though it should get you headed in the right direction. You may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

Let us know how you go…

Cheers

 

Do what Blackspear said. If you find that your antivirus is damaged or inoperable, try the MicroWorld free toolkit:

http://www.mwti.net/

It is basically a standalone Kaspersky scanner... it needs no installation. I would run it in safe mode. It has now become an important part of my malware cleaning tools.

 

Thanks very much. I now have way too much to read.

I have noticed that there are a lot of references to Win XP and Win 2000, but no specific mention of Windows 2000 Server, Advanced Server or Windows Server 2003.

Do all of these same tools apply?

The future is bright, I better wear shades....

Thanks,

 

Our pleasure

Ahhh but when you have finished you will have a very secure system

They should do, though just check with each sites FAQ section.

Hope this helps…

Cheers

 

Hi in my honest opinion web habits are the most effective way of protecting your machine, increase your security if you visit dogey sites, handley large financial transactions etc.

Basiclly you need 4 things at least to protect your machine:

Good Anti Virus software
Good Firewall
Reliable Anti Spyware
Windows Updates


Also a good idea to use an altenate browsers such as Mozilla or Opera, with the above metioned programs kept up 2 date you should have no problems.

 

Ailric - I just d/l'ed that toolkit from MicroWorld. Do they really contact you? Also, I'm not sure I want an intimation from them - I don't know them that well yet! <g> Pete

 

I really don't know if they email you or not because I use an email redirection:

Jetable
http://www.jetable.org/en/index

 

W32/RAHack is a virus that attempts to exploit Radmin software. Radmin is a remote administrator software provided by Famatech
see this article:
http://www.esecurityplanet.com/alerts/article.php/3453081

And this, from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.rahack.html

 

Hi.
My old Windows 98se system got infected by Syshid.exe.
I used an on-line virus scanner and it removed it after I terminated all
instances of it in the Task Manager.
Now I can't run any files with the .exe extension. Windows keeps asking me
for the location of the Syshid.exe file. How do I fix this?
Please help!

A.

 

Download and run this:
http://kpatz.home.comcast.net/misc/swenfix.vbs

It is a fix for the old SWEN virus but will work for your problem. It is a vbscript that fixes the association for .exe, .com, .reg, etc. after getting hit with Swen or other malware that hooks these keys.

Thanks to Kevin Patz from DSLReports for this fix:
http://www.dslreports.com/forum/remark,8422617~root=security,1~mode=flat;start=20#8431200