I have the BKDR_RASBA.A and svchsot.exe worm and executables

Discussion in 'malware problems & news' started by levans, Jan 6, 2005.

Thread Status:
Not open for further replies.
  1. levans

    levans Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    5
    Hello,

    I have a Web server in my DMZ that was hit with the BKDR_RASBA worm. I did a scan on the system using Trend Micro's HouseCall. This found the worm and claimed to clean it and some other files, but this thing is still hanging on. I have tried cleaning out the registry and deleting the files, but it is still there...

    This is a W2K Advanced Server with plenty of RAM, processor speed, and disk space, running Norton AntiVirus (NAV) Corporate Edition 7.5.

    The server will boot, but initially I could not launch IE or any MSC tools like Event Viewer or Services. I was getting an error message similar to "the program you are trying to run does not exist, or some of its related dll files". Also, NAV will not load and the services will not start. I cannot unload, remove, or reinstall on top of it.

    The main files in this worm are SVCHSOT.EXE, MSCOLSRV.EXE, SYSHID.EXE and SERVER.DLL.

    Any thoughts on how this happened, how to prevent it, and remove it are greatly appreciated.
     
  2. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi Levans!

    If I have googled correctly, the worm you got is also known as Backdoor Agent... which is a bit hard to remove...

    I'd suggest checking the mentioned files with the Jotti online scanner to identify them correctly, and then google for a special removal utility for the identified version.

    http://virusscan.jotti.dhs.org/

    Good Luck!

    Storm
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Levans, welcome to Wilders. Have you tried booting into Safe Mode and running a scan with Norton, if it will still run?

    You also might try a few of the suggestions found in General Cleaning; there are quite a few very good tools there.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  4. levans

    levans Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    5
    All,

    I looked at the General Cleaning, but the directions indicated not to do anything unless I had a working version of my AV software. NAV would not unload for any reason. I also lost the ability to run executables and many MSI files.

    Working with Microsoft, I am able to get the machine to boot, and I can run executables. They even helped me find a document to manually remove NAV.

    The Trend Micro scan was the first to identify the virus and attempted to remove it. However, the little woolybooger (a highly technical term) was all over the place.

    I went into the registry and searched for SVCHSOT.EXE, MSCOLSVR.EXE, SERVER.DLL, and SYSHID.exe. I removed all of the entries I could find and stopped the active processes. I then deleted the files from the \WINNT\SYSTEM32 directory.

    I scanned the registry again, and found none of these files.

    We're rockin' now... or so he thought....

    Upon reboot, things did not feel right. I decided to do another registry search and found nothing. Then I decided to do a search on only part of the name: SVCHSOT, MSCOLSRV, SYSHID. Lo and behold, there were several entries for these. They were listed as SVCHSOT*, MSCOLSRV* and SYSHID*.

    I looked at the keys and they were coming from IE. I deleted them from the registry, then launched IE with the Ethernet cable unplugged and deleted the temp directory and cookies.

    Now it appears that all remnants are gone! I was ultimately able to upgrade to NAV 9.0.

    The server is still a little ill. I am having problems with Active Server Pages, but that is for another forum.

    I know this is long-winded, but hopefully this may help someone else down the road.

    My last question: Since I may ultimately rebuild this machine, what are the best tools to have loaded to prevent this from happening again?

    Thanks for your time and your efforts to make life a little easier!
     
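The lesson in levans' post is that an exact-name registry search missed entries recorded as SVCHSOT*, MSCOLSRV* and SYSHID*, so a substring search over the usual autostart and IE keys is what finds leftovers. The PowerShell below is an added example written for this thread, not levans' own steps or any vendor tool; the suspect names come from the thread, while the list of keys searched and the report-only behaviour are my assumptions (it runs on a current Windows with PowerShell 5 or later, not on the W2K box itself).

```powershell
# Added example: report registry values whose name or data merely CONTAINS a
# suspect file name, instead of matching it exactly. Read-only: nothing is deleted.
# Assumptions: PowerShell 5+, read access to HKLM; key list chosen by the author of this example.
$suspects = @('SVCHSOT', 'MSCOLSRV', 'SYSHID', 'SERVER.DLL')   # names from the thread

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Services',        # ImagePath of every service
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer'      # where levans found the SVCHSOT* leftovers
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # Walk the key and all of its subkeys, inspecting every value name and value data
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            foreach ($s in $suspects) {
                # -like with wildcards on both sides is the "partial name" search
                if ($name -like "*$s*" -or $data -like "*$s*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data; Match = $s }
                }
            }
        }
    }
}

# Review each hit by hand before removing anything, as the cleanup in the thread did
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Output 'No partial-name matches found.' }
```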
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for reporting back. I would still run Norton in Safe Mode, together with the programs mentioned in General Cleaning, to be certain all has gone and your system is indeed clean.


    Things like Process Guard 3, TDS3 and Nod32 would be my starting place.

    This is what works really well for me, very simple to use and maintain. You may not want to use all of these programs, though it should get you headed in the right direction. You may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more.

    Let us know how you go…

    Cheers :D
     
  6. Ailric

    Ailric Guest

    Do what Blackspear said. If you find that your antivirus is damaged or inoperable, try the MicroWorld free toolkit:

    http://www.mwti.net/

    It is basically a standalone Kaspersky scanner... it needs no installation. I would run it in safe mode. It has now become an important part of my malware cleaning tools.
     
  7. levans

    levans Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    5
    Thanks very much. I now have way too much to read.

    I have noticed that there are a lot of references to Win XP and Win 2000, but no specific mention of Windows 2000 Server, Advanced Server or Windows Server 2003.

    Do all of these same tools apply?

    The future is bright, I better wear shades....

    Thanks,
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Our pleasure ;) :D


    Ahhh but when you have finished you will have a very secure system :D


    They should do, though just check with each site's FAQ section.

    Hope this helps…

    Cheers :D
     
  9. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi. In my honest opinion, web habits are the most effective way of protecting your machine; increase your security if you visit dodgy sites, handle large financial transactions, etc.

    Basically you need at least 4 things to protect your machine:

    Good Anti Virus software
    Good Firewall
    Reliable Anti Spyware
    Windows Updates


    It is also a good idea to use an alternate browser such as Mozilla or Opera. With the above-mentioned programs kept up to date, you should have no problems.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Ailric - I just d/l'ed that toolkit from MicroWorld. Do they really contact you? Also, I'm not sure I want an intimation from them - I don't know them that well yet! <g> Pete
     
  11. Ailric

    Ailric Guest

  12. aniemotion

    aniemotion Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    2
  13. Telios

    Telios Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    1
    Hi.
    My old Windows 98 SE system got infected by Syshid.exe. I used an online virus scanner and it removed it after I terminated all instances of it in the Task Manager.
    Now I can't run any files with the .exe extension. Windows keeps asking me for the location of the Syshid.exe file. How do I fix this?
    Please help!

    A.
     
  14. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Download and run this:
    http://kpatz.home.comcast.net/misc/swenfix.vbs

    It is a fix for the old SWEN virus, but it will work for your problem. It is a VBScript that fixes the association for .exe, .com, .reg, etc. after getting hit with Swen or other malware that hooks these keys.

    Thanks to Kevin Patz from DSLReports for this fix:
    http://www.dslreports.com/forum/remark,8422617~root=security,1~mode=flat;start=20#8431200
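Telios' symptom (every .exe launch asks for Syshid.exe) is the signature of a hijacked shell\open\command under the exefile class, which is what the linked VBScript repairs. The PowerShell below is an added example of the same check and repair, not Kevin Patz's script or code from anyone in this thread; it assumes a current Windows with PowerShell 5 or later (Windows 98 has no PowerShell), and the expected default commands in the table are my own, taken from a stock Windows install.

```powershell
# Added example: audit the "open" command of the file classes the post names and,
# with -Restore, put the stock value back. Run elevated if you want to restore.
# Assumptions: PowerShell 5+; expected defaults below are from a stock install (author's table).
param([switch]$Restore)

$expected = @{
    'exefile' = '"%1" %*'          # launch the file itself with its arguments
    'comfile' = '"%1" %*'
    'regfile' = 'regedit.exe "%1"'
}

foreach ($class in $expected.Keys) {
    $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    $current = (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'

    if ($null -eq $current) {
        Write-Warning "$class : open command key is missing"
        continue
    }
    if ($current -eq $expected[$class]) {
        Write-Output "$class : OK  ($current)"
        continue
    }

    # Anything else (e.g. a path to a third executable wrapped around "%1") is a hijack
    Write-Warning "$class : MODIFIED -> $current"
    if ($Restore) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$class]
        Write-Output "$class : restored to $($expected[$class])"
    }
}
```

Run it once without -Restore to see what the malware left behind, then again with -Restore from an elevated prompt.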
     