September 30th, 2005 14:00
Cannot remove w32.esbot. Please help!
I've tried multiple times to remove w32.esbot from a server with no luck.
Logfile of HijackThis v1.99.1
Scan saved at 11:05:53 AM, on 9/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\NetMgmt.exe
C:\WINNT\system32\network.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\Dell\OpenManage\Drac\client\RacAddrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rsvterm.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\winhlp.exe
C:\WINNT\system32\ipsmgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\windrv32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rpc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mdm.exe
C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE
C:\WINNT\System32\svchost.exe
A:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.0.64/
O1 - Hosts: 172.16.1.43 tp_transact
O1 - Hosts: 172.16.1.115 TP_TEST_SQL
O1 - Hosts: 172.16.1.244 TEST_CRYSTAL
O1 - Hosts: 172.16.1.230 TP_TESTHSK
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CYBERRAC] C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125084232981
O16 - DPF: {ED990224-80E6-11D3-9190-00105AE647BB} (RACView Control) - file://C:\Program Files\Dell\OpenManage\Drac\client\Web\WebRacView.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD20BF2-A087-4BCB-B8AF-EBDE0D252637}: NameServer = 172.16.1.25,4.2.2.1,4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FD20BF2-A087-4BCB-B8AF-EBDE0D252637}: NameServer = 172.16.1.25,4.2.2.1,4.2.2.2,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FD20BF2-A087-4BCB-B8AF-EBDE0D252637}: NameServer = 172.16.1.25,4.2.2.1,4.2.2.2,4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tp.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CIODell - Unknown owner - C:\Program Files\Dell\HIP\bin\ciodell.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Network Manager (netwrk) - Unknown owner - C:\WINNT\system32\network.exe
O23 - Service: NobleNet Portmapper - Unknown owner - C:\Program Files\Dell\HIP\NNPortMap\portserv.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: DRAC AddressBook Server (RacAddrBook) - American Megatrends Inc. - C:\Program Files\Dell\OpenManage\Drac\client\RacAddrs.exe
O23 - Service: DRAC CardObject Server (RacObject) - American Megatrends Inc. - C:\Program Files\Dell\OpenManage\Drac\client\MStation.exe
O23 - Service: RSV Term Advise (RSV-ID) - Unknown owner - C:\WINNT\system32\rsvterm.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
O23 - Service: Windows Help And Support (WHS) (WinHlp) - Unknown owner - C:\WINNT\winhlp.exe
O23 - Service: Windows Management Service (WMS) (WinMgr) - Unknown owner - C:\WINNT\system32\windrv32.exe


RKinner
October 1st, 2005 11:00
You have nasties on your PC. One of them supposedly takes a special program to remove.
O23 - Service: RSV Term Advise (RSV-ID) - Unknown owner - C:\WINNT\system32\rsvterm.exe
http://www.aluriasoftware.com/forum/thread998.html
Another takes a search of your system
O23 - Service: Network Manager (netwrk) - Unknown owner - C:\WINNT\system32\network.exe
http://securityresponse.symantec.com/avcenter/venc/data/vbs.network.b.html
This one steals passwords for banks:
O23 - Service: Windows Help And Support (WHS) (WinHlp) - Unknown owner - C:\WINNT\winhlp.exe
http://www.bleepingcomputer.com/forums/How-to-remove-the-PWStealFormglieder-tx11380-0.html#entry71469
This one is a mass mailer:
O23 - Service: Windows Management Service (WMS) (WinMgr) - Unknown owner - C:\WINNT\system32\windrv32.exe
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.t@mm.html
Download the Hoster from:
http://www.funkytoad.com/
Unpack it to your desktop and run it. If you have green print at the top, just press Restore Original Hosts, then OK.
If you have red print, press Make Hosts Writeable first.
Get DelDomain.inf from:
http://www.mvps.org/winhelp2002/restricted.htm and then right click on it and Install.
Get ccleaner from http://ccleaner.com. Install it but do not let it clean anything yet.
Get rdrvRem.zip from
http://www.geekstogo.com/forum/index.php?act=Attach&type=post&id=1778 and extract it to your desktop.
Get the killbox
http://www.bleepingcomputer.com/files/killbox.php
and extract it to your desktop.
Get regseeker from
http://www.hoverdesk.net/freeware.htm
and install it.
Let it reboot.
Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in with your usual login.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
O23 - Service: Network Manager (netwrk) - Unknown owner - C:\WINNT\system32\network.exe
O23 - Service: RSV Term Advise (RSV-ID) - Unknown owner - C:\WINNT\system32\rsvterm.exe
O23 - Service: Windows Help And Support (WHS) (WinHlp) - Unknown owner - C:\WINNT\winhlp.exe
O23 - Service: Windows Management Service (WMS) (WinMgr) - Unknown owner - C:\WINNT\system32\windrv32.exe
Run Killbox and, where it says Full Path of File to Delete, type or copy (Ctrl + C) and paste (Ctrl + V):
C:\WINNT\system32\network.exe
Press the red button and agree that you want to delete the file. If it says it can't find the file, that is good; just go on to the next one. If it says it can't delete the file, click on Delete on Reboot and then the red button. Do not let it reboot.
Repeat for
C:\WINNT\system32\rsvterm.exe
C:\WINNT\winhlp.exe
C:\WINNT\system32\windrv32.exe
C:\WINNT\system32\rdriv.sys
Run ccleaner.exe, uncheck everything on the first page except the two entries with Temporary, and then Run Cleaner.
Run regseeker and select Find in Registry. Check all of the HKEY places to search and have it search for:
network.exe
When done - if it finds anything - Select All then right click on the selection and Delete Selected Items.
Repeat for
network.dll
network.vbs
winhlp.exe
windrv32.exe
rsvterm.exe
rdriv.sys
Reboot into regular mode, run another HijackThis log and post it as a reply. Let's see how we did.
Ron
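The reply above picks its four targets by one pattern: an O23 service with "Unknown owner" whose binary sits directly in C:\WINNT or C:\WINNT\system32, where every legitimate service in the log carries a vendor owner. The Python script below is an added example, not part of this thread, that applies that triage mechanically to a constructed excerpt of the O23 lines from the posted log (embedded inline), marks the file names the reply identifies, and emits the same three lists the reply works through: HijackThis entries to fix, files to delete, and names to search for in the registry. The heuristic, the KNOWN_BAD list (drawn from the reply), and the hard-coded system root are assumptions for illustration; entries HijackThis reports as "(file missing)" are listed for review rather than deletion, since there is no binary to remove.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the O23 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Manager (netwrk) - Unknown owner - C:\WINNT\system32\network.exe
O23 - Service: RSV Term Advise (RSV-ID) - Unknown owner - C:\WINNT\system32\rsvterm.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Windows Help And Support (WHS) (WinHlp) - Unknown owner - C:\WINNT\winhlp.exe
O23 - Service: Windows Management Service (WMS) (WinMgr) - Unknown owner - C:\WINNT\system32\windrv32.exe
"""

# File names the reply attributes to malware (assumption: taken from the reply's removal list).
KNOWN_BAD = {"network.exe", "rsvterm.exe", "winhlp.exe", "windrv32.exe", "rdriv.sys"}

# Windows 2000 system root on this host, as seen in the log's paths (assumption).
SYSTEM_ROOT = r"C:\WINNT"

# O23 line layout: "O23 - Service: <display> (<short name>) - <owner> - <command>[ (file missing)]".
# The short name is the last parenthesised group before " - ", so display names
# such as "Windows Help And Support (WHS) (WinHlp)" parse correctly.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<cmd>.+?)(?P<missing> \(file missing\))?$"
)
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|sys|dll))", re.IGNORECASE)


@dataclass
class Finding:
    name: str       # service short name, as HijackThis shows it in parentheses
    image: str      # executable path with any trailing arguments stripped
    severity: str   # "fix" (binary present) or "review" (binary missing)
    reason: str
    line: str       # the original O23 line, ready to paste into "Fix checked"


def image_path(cmd: str) -> str:
    """Strip trailing service arguments (for example '" /service') from the command."""
    m = IMAGE_RE.match(cmd.strip().strip('"'))
    return m.group("image") if m else cmd.strip()


def in_system_root(image: str) -> bool:
    """True if the image sits directly in the system root or its system32 subdirectory."""
    parent = image.lower().rsplit("\\", 1)[0]
    root = SYSTEM_ROOT.lower()
    return parent in (root, root + r"\system32")


def triage(log: str) -> list[Finding]:
    """Flag O23 services that match the reply's pattern or carry a known-bad file name."""
    findings = []
    for raw in log.splitlines():
        m = O23_RE.match(raw.strip())
        if not m:
            continue
        image = image_path(m.group("cmd"))
        base = image.rsplit("\\", 1)[-1].lower()
        unknown = m.group("owner").strip().lower() == "unknown owner"
        if base in KNOWN_BAD:
            reason = "file name identified as malware in the thread"
        elif unknown and in_system_root(image):
            reason = "unknown owner with binary in the system root"
        else:
            continue
        severity = "review" if m.group("missing") else "fix"
        findings.append(Finding(m.group("name"), image, severity, reason, raw.strip()))
    return findings


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Build the three lists the reply works through, from the "fix" findings only."""
    fix = [f for f in findings if f.severity == "fix"]
    return {
        "hijackthis_fix": [f.line for f in fix],
        "delete_files": [f.image for f in fix],
        "registry_search": sorted({f.image.rsplit("\\", 1)[-1] for f in fix}),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.name}: {f.image} ({f.reason})")
    for key, items in remediation_plan(results).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it as-is and it reports the four services the reply fixes, plus r_server for review because its binary is already gone. Feed it a full log instead of SAMPLE_LOG and it ignores every non-O23 line; O4 and O20 entries could be handled the same way with a second pattern, which this example does not attempt.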