I think I've been hijacked by Rasman.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TexasLassie, Mar 21, 2004.

  1. TexasLassie

    TexasLassie Private E-2

    Hi all,
    I am new to this board. I have major problems with my new Win XP Pro. I detected the following worms: Blaster, Gaobot, and the Welchia (correct spelling?). I (think) I've eradicated them; however, when I start up my pc I saw a window: mIRC. Within that window was another window: Starting: S-[167] Connecting to Strung Out.flnet.org. I googled this and found a link to flurnet.org. I am not experienced in the computer field or any aspect of it; but after reviewing the site it did not appear to be a "legitimate" site. To my novice eyes, it appeared to be an informational site for hackers and "the writing of malicious programs" for hackers. Also on the site there's a link for publications where there's an extensive write-up on rasman.exe. It can be located by clicking onto downloads, research, under the subtitle @Stake: David Litchfield, click onto: Exploiting Windows NT 4 Buffer Overruns A Case Study: RASMAN.EXE. The reason I suspect rasman.exe is because earlier I was curious about why svchost.exe was being listed (with different user names) multiple times in my Task Manager as running processes. When I ran a search on symantec.com for svchost.exe it directed me to an article: Microsoft Knowledge Base Article - 314056
    A Description of Svchost.exe in Windows XP

    Here, I followed their instructions to access the system in Windows (I think in DOS?) and saw the following (suspicious) processes listed under svchost.exe: CryptSvc, FastUserSwitchingCompatibility, RasAuto, RasMan, ShellHWDetection, Netman, etc. These are not showing up in my Task Manager. Also, just to add, after running the fixes (from Microsoft) and patches for the above-mentioned worms, I also downloaded and installed Ad-Aware 6 and Spybot. These programs have NOT caught this problem. I also installed the paid versions of System Mechanic 4 and Spy Sweeper. Neither of these programs has detected this hijack. I also installed the paid version of ZoneAlarm 4, and it will NOT open up. It has virtually been rendered useless! Also, from your site I downloaded and installed SpywareGuard but the only feature of it that is operational is the LiveUpdate. When I try to open the program I get this error message: X Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid. Also, the pc has a serious lag time. I suspect the malicious program the hacker has installed on my pc is using a lot of my memory. Any help is greatly appreciated as I am about to go insane over this and I cannot afford to buy a new computer in order to totally get rid of this problem.
    Many thanks,
    TexasLassie
     
  2. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well Texas
    Having multiple svchosts is perfectly normal as long as they are listed in C:\WINDOWS\System32 and not just C:\WINDOWS
    So I suggest you read this thread and download HijackThis from the main site and see if you can spot any potential problems
    Read this
    http://www.majorgeeks.com/vb/showthread.php?t=26149
    Download and run this
    http://www.majorgeeks.com/download3155.html
    Anything you think you found just ask and we might be able to help

    Also look in your starting programs list for anything suspicious
    Start--Run--Type Msconfig--look for the start-up tab
    Cross reference all programs listed with the list on this site
    http://www.sysinfo.org/startuplist.php

    You may also want to try an online Trojan scan here
    http://www.trojanscan.com/
    or here
    http://housecall.trendmicro.com/
     
  3. TexasLassie

    TexasLassie Private E-2

    Thx Gen Lee

    I ran the Trojan Scan & none was found. I then attempted to run Msconfig but nothing opened up. Meanwhile, I am still not able to use my new ZoneLab program nor SpywareGuard. Any other suggestions? Thx again.
     
  4. TexasLassie

    TexasLassie Private E-2

    Thx XFlat

    Thx for your reply. I am running System Mechanic 4 Professional by Panda. I just installed this 2 days ago so, yes (I think?) to your question regarding if it is up to date. In addition, I also installed the other programs I mentioned just afterwards. Although, ZoneLab and SpywareGuard are still not working. I am also contemplating the 'heck with everything' and just reformatting my hard drives with a paid version of WinXP Pro. This is the OS I already have on my pc, although somebody else installed it for me, and I can't help but wonder if it was corrupted? Two days ago, in order to get rid of the Blaster worm, I started up in Safe Mode and disabled my RPC (as my pc was not staying on longer than 10-15 minutes at a time before restarting, thx Blaster!). Also, I disabled System Restore. All this was done according to instructions I found on Microsoft.com. In the process, I also discovered I was infected with the Gaobot and Welchia worms...lovely...huh? According to the instructions from Microsoft.com, after downloading and installing the fixes and updates for these worms, I believe I was supposed to go back & enable at least the RPC and maybe also System Restore. I don't remember, to tell the truth. I have all the stuff printed out so I can refer to it if need be. Just to let you know I have not enabled (nor turned on) System Restore nor RPC...I've been too scared to...LOL. Since all this, I noticed this 'other problem' that I'm posting about on this board. I think my pc has been hijacked. By what? I don't know. But it loads up at start up, actually, it loads before all other programs. I believe it is because of this that I'm not able to run my programs nor am I able to run Msconfig as suggested by Gen Lee.
    Thx again for your help. I am fixing to follow your advice regarding SpywareGuard.

    TexasLassie (your Central Texas neighbor)


     
  5. TexasLassie

    TexasLassie Private E-2

    Thx XFlat

    I followed your advice for the missing file for SpywareGuard and it worked. I ran it and everything came up clean. Still, there must be a reason why ZoneLab won't run and why I can't run msconfig? I think I'll take your advice on starting in safe mode. I only did that once and that was to get rid of the Blaster worm. I guess I would still do it the same way, holding down the F8 key? But then what do I do? I told y'all I'm a newbie at all this techie stuff, LOL!
    Thx again.

    Texas Lassie

     
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well first off boot into safe mode and see if your machine behaves the same way, and whether you can get into Msconfig etc

    Also did you follow the advice I posted earlier, and have a look at your HijackThis log for any suspicious entries
     
  7. TexasLassie

    TexasLassie Private E-2

    Yes, I ran HijackThis and looked at the log. But being the newbie that I am, I have no idea what to look for...i.e. what should be there and what should not be there. I did save the log though. Yes, I will reboot in safe mode soon. Right now I'm running a system scan on ewido security suite as recommended by another member. Looks like it'll be awhile. Afterwards I'll try the safe mode thing.

    Thx again.
     
  8. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Ok, well, we're trying to cut down on HijackThis log files, but I think in this case we're going to need a look ourselves; I'm mainly interested in the running tasks
    But it's not worth messing about, just copy and paste your log file here and we'll see if we can find the culprit
     
  9. TexasLassie

    TexasLassie Private E-2

    Thx Gen Lee

    Here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:11:47 PM, on 3/21/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ago31.exe
    C:\WINDOWS\System32\asclthost.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\winnt\system32\explorer1.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\asclthost.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\IEXPLORER.exe
    C:\WINDOWS\System32\explore.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\WINDOWS\System32\s3serv.exe
    C:\WINDOWS\System32\ccApp32.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    C:\Program Files\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://foxnews.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://foxnews.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [nirton] IEXPLORER.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [S3 Internal Chip] s3serv.exe
    O4 - HKLM\..\Run: [Symantec Configuration Loader] ccApp32.exe
    O4 - HKLM\..\Run: [Video] explore.exe
    O4 - HKLM\..\Run: [winconf] ago31.exe
    O4 - HKLM\..\Run: [Identifier] asclthost.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [NTFix] C:\winnt\system32\explorer1.exe
    O4 - HKLM\..\RunServices: [nirton] IEXPLORER.exe
    O4 - HKLM\..\RunServices: [S3 Internal Chip] s3serv.exe
    O4 - HKLM\..\RunServices: [Symantec Configuration Loader] ccApp32.exe
    O4 - HKLM\..\RunServices: [Video] explore.exe
    O4 - HKLM\..\RunServices: [winconf] ago31.exe
    O4 - HKLM\..\RunServices: [Identifier] asclthost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Identifier] asclthost.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{15DC5991-36DA-4060-8CE9-EE94E8C31799}: NameServer = 151.164.20.201 151.164.11.201
    O17 - HKLM\System\CS1\Services\Tcpip\..\{15DC5991-36DA-4060-8CE9-EE94E8C31799}: NameServer = 151.164.20.201 151.164.11.201

    Thx again,
    TexasLassie
    btw, ewido security scan is still running about 60% through



     
  10. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well Texas
    You still got a hell of a lot of virus activity there, so I'm not surprised your firewall won't start up
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    this is spyware
    C:\WINDOWS\System32\ago31.exe
    O4 - HKLM\..\Run: [winconf] ago31.exe
    O4 - HKLM\..\RunServices: [winconf] ago31.exe
    this is part of the Gaobot virus
    O4 - HKLM\..\RunServices: [Video] explore.exe
    this is from the Graybird G virus
    O4 - HKLM\..\RunServices: [Identifier] asclthost.exe
    This shows up a few times; I have no idea what it is, do you?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{15DC5991-36DA-4060-8CE9-EE94E8C31799}: NameServer = 151.164.20.201 151.164.11.201
    O17 - HKLM\System\CS1\Services\Tcpip\..\{15DC5991-36DA-4060-8CE9-EE94E8C31799}: NameServer = 151.164.20.201 151.164.11.201
    Now do you know if this is your ISP's IP number? Otherwise it needs to go; testing it online it shows up as in the Austin, Texas area

    That's just what I can see at the moment, ain't really got time to look too thoroughly, so I suggest killing any of those processes you see running in Task Manager, make sure your System Restore is disabled and running your Panda Anti-Virus with the latest updates, and running Ad-Aware and Spybot with the latest updates
    Once that's all done make a new log file and compare the two and see if those entries remain
     
  11. alanc

    alanc MajorGeek

    Not trying to take over here but all these lines are suspect:

    O4 - HKLM\..\Run: [nirton] IEXPLORER.exe
    O4 - HKLM\..\Run: [Video] explore.exe
    O4 - HKLM\..\Run: [winconf] ago31.exe
    O4 - HKLM\..\Run: [Identifier] asclthost.exe
    O4 - HKLM\..\Run: [NTFix] C:\winnt\system32\explorer1.exe
    O4 - HKLM\..\RunServices: [nirton] IEXPLORER.exe
    O4 - HKLM\..\RunServices: [Video] explore.exe
    O4 - HKLM\..\RunServices: [winconf] ago31.exe
    O4 - HKLM\..\RunServices: [Identifier] asclthost.exe


    [edit] oops, looks like you got it covered General :)
     
    Last edited: Mar 21, 2004
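One way to automate the log triage that General_Lee_Stoned and alanc did by eye in the two posts above, as an added example that is not part of this thread or of HijackThis itself: a small Python script that parses the O4 and O17 lines of a HijackThis log and flags the same tell-tales they pointed out (a bare filename with no directory, a name one typo away from a real Windows binary, an entry registered under both Run and RunServices), while the O17 nameservers are only returned so they can be checked against the ISP. The sample log is a constructed subset of the one posted above; the heuristics, thresholds and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4/O17 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [nirton] IEXPLORER.exe
O4 - HKLM\..\Run: [Video] explore.exe
O4 - HKLM\..\Run: [winconf] ago31.exe
O4 - HKLM\..\Run: [Identifier] asclthost.exe
O4 - HKLM\..\Run: [NTFix] C:\winnt\system32\explorer1.exe
O4 - HKLM\..\RunServices: [nirton] IEXPLORER.exe
O4 - HKLM\..\RunServices: [Video] explore.exe
O4 - HKLM\..\RunServices: [winconf] ago31.exe
O4 - HKLM\..\RunServices: [Identifier] asclthost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{15DC5991-36DA-4060-8CE9-EE94E8C31799}: NameServer = 151.164.20.201 151.164.11.201
"""

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(Run[A-Za-z]*): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
LOOKALIKE_TARGETS = ("explorer.exe", "iexplore.exe", "svchost.exe")  # real binaries the entries imitate

def program_path(command):
    """Return the program an O4 entry launches: the command text up to the first '.exe'."""
    cmd = command.strip().lstrip('"')
    end = cmd.lower().find(".exe")
    return cmd if end < 0 else cmd[:end + 4]

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    short, long_ = sorted((a, b), key=len)
    for i, ch in enumerate(short):
        if ch != long_[i]:
            if len(short) == len(long_):
                return short[i + 1:] == long_[i + 1:]
            return short[i:] == long_[i + 1:]
    return len(long_) - len(short) <= 1

def triage(log_text):
    """Map each O4 entry name to its reasons for suspicion; also collect the O17 DNS servers."""
    findings, hklm_keys, nameservers = defaultdict(set), defaultdict(set), []
    for line in log_text.splitlines():
        m17 = O17_RE.match(line)
        if m17:  # DNS servers are not flagged, only returned for a manual check against the ISP
            nameservers.extend(m17.group(1).split())
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, command = m.groups()
        path = program_path(command)
        exe = path.rsplit("\\", 1)[-1].lower()
        if hive == "HKLM":
            hklm_keys[name].add(key)
        if "\\" not in path:  # 1) no directory: found via the search path, as with dropped worm files
            findings[name].add("bare filename")
        for target in LOOKALIKE_TARGETS:  # 2) one typo away from a real Windows binary
            if exe != target and within_one_edit(exe, target):
                findings[name].add("lookalike of " + target)
    for name, keys in hklm_keys.items():  # 3) Run plus RunServices, a Win9x-only key XP does not process
        if {"Run", "RunServices"} <= keys:
            findings[name].add("Run and RunServices")
    return {n: sorted(r) for n, r in findings.items()}, nameservers
```

Run against the sample, `triage` flags exactly the five entries both posters singled out (nirton, Video, winconf, Identifier, NTFix) and leaves BJCFD and MSMSGS alone, since a known-spyware list such as the one General used for CFD.exe is outside these heuristics.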
  12. alanc

    alanc MajorGeek

    General, I think those IPs are OK, they show up as SBC Internet Services, a well known ISP here in the US
     
  13. TexasLassie

    TexasLassie Private E-2

    Thx Gen Lee

    Could that be my IP? I'm in Austin, TX, and my ISP is SBC Yahoo DSL. I see where the Gaobot worm still lingers even though I ran the patch and installed the fix for it. Do you think it just might be better to reformat my hard drive and start all over? Or do these worms actually embed themselves in your DOS and BIOS? If so, would it be a better idea to get a new motherboard? At my wit's end here!

    But, thx for your help and I will proceed with your advice although I'm not sure how to go about killing them off since I have already run the fixes and the patches and they still remain. I've tried ending these processes in my taskmanager only for them to pop up again. My ewido security scan is done and found no infected files. oh well? I guess now I'll try the safe mode start up thing you suggested earlier.

    Thx again.
    Texas Lassie

     
  14. TexasLassie

    TexasLassie Private E-2

    Thx AlanC

    I welcome your input as I need all the help I can get!

    Thx!
    Texas Lassie
    btw, how do I get rid of them?

     
  15. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Thanks for the info Alan, never heard of that ISP over here in the UK :)

    I can't believe no anti-virus is picking these things up, when they are as clear as day :rolleyes:

    When you boot into safe mode do a manual search for all these things and delete any that you find; you will need to show hidden files and folders
    Do that in any normal Explorer window: click the Tools tab on the top toolbar, select Folder Options, then View, and check the box to show hidden files and folders, Apply and OK
    Look for
    asclthost.exe
    ago31.exe
    IEXPLORER.exe
    explore.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    And if you can get into Msconfig disable any of these found from starting up

    Try that and see how it goes

    Oh yeah BTW worst case scenario a format and clean install, not a new motherboard ;)
     
  16. TexasLassie

    TexasLassie Private E-2

    Hi All,

    I think XFlat has a point about these worms disabling/preventing the firewalls from working. I remember reading about that in the research I did on Microsoft and Symantec. That's probably why my ZoneAlarm is not working nor my Panda. I just now tried to configure the firewall in the Panda and it immediately disappears. Although, I can use the utilities in Panda to clean and analyze my hard drives. But it refuses to let the firewall open up. Same when I try to run msconfig, it immediately disappears. Well, just a little update. I have rebooted in the safe mode and tried to take Gen. Lee's advice on deleting those nasty files. I saw where 'nirton' and 'video' were listed by 'unknown'. I tried to disable and/or delete but I wasn't able to, simply because I have no idea what I am doing. I've been at this thing all day, and I'm pretty much fed up with it all. I'm saying to heck with it all...I'm reformatting and hopefully this will take care of my problem. I'll update y'all with another post. Wish me luck.

    Thx to all for all y'all's help
    TexasLassie
     
    Last edited: Mar 21, 2004
  17. Maxwell

    Maxwell Folgers

    General_Lee_Stoned.

    Hope your re-format works.
     
