IOFTPD Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by gtekg, Mar 15, 2005.

  1. gtekg

    gtekg Private E-2

    I have a trojan on a 2003 server which I am having difficulties removing. I have been able to run complete scans with SAV corp 9 and run scans with Adaware - but it keeps coming back. Specifically I have ioftpd.exe and ioservice.exe processes running. I have been deleting folders which have IOFTPD files in them and are being used as a sort of parasite FTP service. I have installed Spybot but it won't start. I am encountering many different errors in the event logs and the server is crashing at odd intervals. I would like to post my HijackThis log.

    Thanks,
    Matt
     
  2. shewolf

    shewolf Specialist

    Welcome to MG :)

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem: make sure that you post back letting us know what you could and couldn't complete in the Read Me First guide and what problems still exist and in the meantime while we are reviewing what problems still exist please read the following guide and then wait for us to ask you to post your HJT log as an attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!


    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Again after you post back to let us know if you are still having the problems please be as specific as possible as to what you couldn't complete and as to what problems still exist as the more information we have the better we will be able to help you.

    Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG :)

    sw:)
     
  3. gtekg

    gtekg Private E-2

    I believe I have covered all the items in the guide. The main issue I am having is the constant crashing of the server with no clear indications in the event log. I was able to run the Trend Micro java version which identified a worm.rbot.asd. I have attempted the fix for ioservice.exe in HijackThis, but the processes ioftpd.exe and ioservice.exe continue to run on reboot. My attempts to delete the entries in the registry fail and I am unable to view the permissions of any of those keys. I have been able to delete all of the physical IOFTPD directories, but am assuming that as the threat is not eliminated then they will eventually return.

    Matt
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all steps in the READ ME FIRST, follow the below steps.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. gtekg

    gtekg Private E-2

    I have attached my log. Since I had last posted I installed an antivirus program called Ewido - which found a large amount of trojan files and quarantined them - Backdoor.ServU-based, Backdoor.Rbackdoor.13, Backdoor.Door, Backdoor.RBackdoor.13, Backdoor.Hacdef.100. Things seem to be better and the server is not crashing anymore. However the GUI for Backup Exec is corrupted - program won't start but the services are running, and Symantec for Exchange seems to be corrupt - when it is running clients cannot access mail from the store.

    Anyhow I would like to know that the server is clean at this point.

    Thanks,
    Matt
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not run multiple AV packages. So if you still have both, you must pick the one you want to have and uninstall any other additional AV packages.

    Do you recognize these next two items?
    C:\WINDOWS\system32\SD3Service.exe
    O4 - Global Startup: Supero Doctor III Client.lnk = C:\Program Files\SDIII\SuperoDoctor.exe

    Are the below IP addresses valid on your network?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E407E0E1-2755-4842-89DE-AD6C5ECB3589}: Domain = xx.xx.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E407E0E1-2755-4842-89DE-AD6C5ECB3589}: NameServer = 10.10.10.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xx.xx.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xx.xx.com

    Other than the above (and the crazy way HijackThis shows services on 2003 server) you look Ok!
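    Added example (not part of this thread or of HijackThis): a small Python checker over HijackThis O4/O17/O23 lines of the kind chaslang quoted above, applying the same questions a reviewer asks (is the service binary one named in this thread, does the service have a publisher, is the NameServer a private-range address, does a startup item point outside Program Files/Windows). The sample lines are constructed from the thread plus one hypothetical O23 entry for ioservice.exe; the watch list and the heuristics are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed sample: the O4/O17/O23 lines quoted in this thread, plus one
# hypothetical O23 line for the ioservice.exe process the original poster saw.
SAMPLE_LOG = r"""
O4 - Global Startup: Supero Doctor III Client.lnk = C:\Program Files\SDIII\SuperoDoctor.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E407E0E1-2755-4842-89DE-AD6C5ECB3589}: NameServer = 10.10.10.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xx.xx.com
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ioservice - Unknown owner - C:\WINDOWS\system32\ioservice.exe
"""

# Binaries this thread names as part of the parasite FTP install (assumed watch list).
WATCHLIST = {"ioftpd.exe", "ioservice.exe"}

O4 = re.compile(r"^O4 - (?P<where>[^:]+): (?P<entry>.+?) = (?P<path>.+)$")
O17 = re.compile(r"^O17 - (?P<key>HKLM\\\S+): (?P<param>Domain|NameServer) = (?P<value>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")

def exe_name(path):
    """Basename of a Windows path, ignoring a trailing HJT note like ' (file missing)'."""
    return path.split(" (")[0].rsplit("\\", 1)[-1].lower()

def review_hjt(text):
    """Return (section, detail, reason) tuples for lines that deserve a second look."""
    findings = []
    for line in text.splitlines():
        if m := O23.match(line):
            if exe_name(m["path"]) in WATCHLIST:
                findings.append(("O23", m["name"], "service binary on watchlist"))
            elif m["owner"].lower() == "unknown owner":
                findings.append(("O23", m["name"], "service has no publisher"))
        elif m := O17.match(line):
            if m["param"] == "NameServer":
                for ns in m["value"].replace(",", " ").split():
                    try:
                        if not ip_address(ns).is_private:
                            findings.append(("O17", ns, "DNS server outside private ranges"))
                    except ValueError:
                        findings.append(("O17", ns, "NameServer is not an IP address"))
        elif m := O4.match(line):
            low = m["path"].lower()
            if not (low.startswith("c:\\program files") or low.startswith("c:\\windows")):
                findings.append(("O4", m["entry"], "startup target outside Program Files/Windows"))
    return findings

if __name__ == "__main__":
    for finding in review_hjt(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

On the sample above only the hypothetical ioservice entry is flagged; the ewido service, the private 10.10.10.10 resolver and the Supero Doctor startup item pass, which matches chaslang's reading of the real log.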
     
  7. gtekg

    gtekg Private E-2

    Yes - I have disabled the Ewido.

    The IPs in the log I modified for posting.

    Thanks for your help!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your HJT log:

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

    You should uninstall it. I'm not sure if that is what you meant by "disabled".
    Or did you uninstall it after posting the HJT log?
     
  9. gtekg

    gtekg Private E-2

    I had disabled the services when posting the log - but have since uninstalled the program.

    Thanks again.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy we could help!
     