Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Backdoor.Win32.Rbot.ayg -- AKA -- W32/Opanki.work!MSo6-040

Started by Ericy , Sep 01 2006 07:14 PM

  • Please log in to reply

#1
Ericy
Posted 01 September 2006 - 07:14 PM

Ericy

    New Member

  • Member
  • Pip
  • 9 posts
Hello,

My Win NT4 Workstation is infected with Backdoor.Win32.Rbot.ayg -- AKA -- W32/Opanki.work!MSo6-040. A file i.exe is placed in winnt\system32 and becomes a running process. I have used Sysinternals.com's ProcessCheck to kill the i.exe process and their Autoruns utility to remove keys. It keeps recurring. A file system32\CTFMON.exe seems to be part of the virus package - contains strings "Mutex". After 4 days of work it is still here - ouch! RASMAN.exe seemed to be part of it also. I have temporarily renamed the both ctfmon and rasman. After renaming ctfmon I am having some performance issues.

Kaspersky recognizes i.exe as Backdoor.Win32.Rbot.ayg but does no cleaning. Nod32 does not see it (running on my system). AVG does not see it. Trojan hunter does not. Cleanup.exe installs but will not run with a procedure entry point error for CreateToolHelp32Snapshot. Many of the others recommended do not do NT4. Also ran Bitdefender and others.

My HiJack this log is below.

Any help would be appreciated! - Eric

Logfile of HijackThis v1.99.1
Scan saved at 6:01:53 PM, on 09/01/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\PwsTray.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\WINNT\System32\ddhelp.exe
D:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.9.200.213:21;gopher=192.9.200.213:6588;http=192.9.200.213:6588;https=192.9.200.213:6588;socks=192.9.200.213:6588
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .au: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .wav: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isear...les/initial.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://www.webex.com...ex/atbootie.cab
O16 - DPF: {6BF52A52-394A-11D3-B153-00C04F79FAA6} - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinb...sses/CFJava.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...836/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 192.9.200.201
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 192.9.200.201
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 192.9.200.201
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\system32\rasman.exe (file missing)
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
  • 0

Advertisements

#2
Ericy
Posted 05 September 2006 - 10:09 AM

Ericy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Does anyone have any ideas on how to remove Backdoor.Win32.Rbot.ayg?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP