Disclaimer: This fix is a loose guide and involves editing the
registry. If you do not have a current registry backup or do not fully
understand the steps then it is recommended you seek help before
attempting to remove the RootKit and/or the Trojan.

The symptoms we witnessed were as follows:

Server is locked up or non-responsive to keyboard input.
Server reboots because dumprep.exe has been added to your Startup items
in MSCONFIG.
Mcafee no longer runs.
Excessive traffic on NIC.
Firewall may no longer run.
Hard drive(s) may be full or nearly full.
Look in your Trusted Internet Sites in IE for strange websites.

On each server, the attack may have been only partially successful.
You may or may not find all of the following hacks on your server.
If your server was infected, follow the steps below to manually clean
out your registry and your hard drives.
* Write down the names of files, folders and registry entries for later deletion.

Removal guidelines:

1. Reboot and log in to Safe Mode as administrator.
2. To verify the existence of the RootKit and/or Trojan:
a. Run Explorer and change your view options to show hidden and OS
files.
3. Look in the Recycler folders on each of your local disks.
a. If you see a folder which appears yellow and has a long HEX-looking
name, then look inside it.
b. Note down or remember these folder names; we need to delete them
later.
c. There will probably be illegal software, movies and/or music inside
this folder. EQUINOX was one of the folders.
4. Look inside your %SystemRoot%\System32 folder for any folders called
CatRoot or CatRoot2.
a. These files are the actual Trojan and RootKit.
5. Look for wdfmngr.exe which is the Trojan and crss.ini, which is the
RootKit, identified as HackerDefender.ini by Mcafee.
a. We will kill all of these files later. Right now they are running
as services and you may not be able to see them.
6. Also look in your %SystemRoot%\System32 for files named asydec.ini,
asydec.dll, asydec.exe, asydec.sys.
a. These were also running as a hidden service and we need to delete
them later.
7. Run MSCONFIG and uncheck the dumprep entry.
8. Reboot and go back into Safe Mode as administrator.
9. Clean the registry by searching for and deleting these patterns:
a. Dhcplm
b. legacy_dhcplm
c. systembusdrv
d. legacy_systembusdrv
e. ascbus
f. legacy_ascbus
g. crss
h. asydec
i. wdfmngr

Search ALL hives thoroughly and kill any branches, keys or values
starting with or containing any of those patterns.

10. Some of the files inside the CatRoot or the CatRoot2 need to be
deleted. Referring back to your registry entry notes to get the folder
name, find the corresponding folder from the path location in some of
the registry entries. Example of the syntax for a known good entry:
{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. Some of the files in CatRoot
subdirectories are valid. Be sure not to delete the folders containing
the .cat files or timestamp. The two folders with the identical names
are OK.
11. Reboot and go into Normal mode as administrator.
12. Check to see if all your normal services started running and that
the server logs in OK and seems to act normally.
13. Reinstall Mcafee unless it started running after these fixes.

Consider the following: patch your OS and turn on a firewall.
Monitor the server’s TCP/IP traffic looking for high levels of
Ethernet activity.
Download TCPView from Sysinternals.com and look at your TCP/IP
connections.
Change your administrator(s) passwords.

As stated earlier, this is only a guide and we would truly appreciate
any additions or corrections you may have to this document. Some
screenshots would be nice. Remember it is only a guide and may or
may not completely remove the infection. My opinion is that this was
an unsuccessful hack job. I believe this because the servers were
locked up and would not stop rebooting. If this had been truly
successful then the server would be sitting there doing its normal
job but also running an illegal FTP server unbeknownst to the server
admin. In other words, you might just take a look at all the Windows
servers. It seemed to attack the Windows 2003 Standard Edition Servers
with a little higher success rate.

Psexec was used to remotely execute commands on the servers.

The hacker set up a hidden FTP server, an LDAP client and a remote login
service. IMAIL Firefox Daemon, DHCPLM and

Go to the system event log and filter by eventlog and value 6008. This
will show you unscheduled reboots.

Svhost.exe – identified by Mcafee as a HackerDefender.

From: <kurtis@latech.edu>
| Disclaimer: This fix is a loose guide and involves editing the
| registry. If you do not have a current registry backup or do not fully
| understand the steps then it is recommended you seek help before
| attempting to remove the RootKit and/or the Trojan.
You should execute services.msc and determine if there are malware services such as:
systembusdrv
Then execute...
sc stop systembusdrv
sc delete systembusdrv
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
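As an added example that belongs to neither message above, here is a read-only PowerShell triage script that checks a host for the indicators this thread names: the System32 file names from steps 5 and 6, non-GUID CatRoot folders from step 10, the registry and service name patterns from step 9 together with Dave's services.msc check, and System log event 6008. It assumes a current PowerShell (5.1 or later) run as administrator from Safe Mode, because HackerDefender hides its files and services from a normally booted system.

```powershell
# Added triage script, not from the original thread. Read-only: it reports the
# indicators named in the guide and deletes nothing. Assumes PowerShell 5.1+
# run as administrator from Safe Mode (the rootkit hides its objects otherwise).
$patterns = 'dhcplm', 'systembusdrv', 'ascbus', 'crss', 'asydec', 'wdfmngr'
$regex    = $patterns -join '|'          # plain words, so safe to use as a regex
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files named in steps 5 and 6 (Test-Path reports hidden and system files too).
foreach ($name in 'wdfmngr.exe', 'crss.ini', 'asydec.ini', 'asydec.dll', 'asydec.exe', 'asydec.sys') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 2. Step 10: legitimate CatRoot/CatRoot2 subfolders are GUID-named; flag anything else.
foreach ($root in 'CatRoot', 'CatRoot2') {
    $dir = Join-Path $sys32 $root
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Directory -Force |
            Where-Object { $_.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object { $findings.Add("unexpected CatRoot folder: $($_.FullName)") }
    }
}

# 3. Step 9: service keys and LEGACY_* device keys whose names contain a pattern.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root') {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $regex } |
        ForEach-Object { $findings.Add("registry: $($_.Name)") }
}

# 4. Dave's services.msc check: installed services whose name matches a pattern.
Get-Service | Where-Object { $_.Name -match $regex } |
    ForEach-Object { $findings.Add("service: $($_.Name) [$($_.Status)]") }

# 5. System log event 6008 = unexpected shutdown, the check the guide suggests.
$crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008 } -ErrorAction SilentlyContinue)
if ($crashes.Count -gt 0) { $findings.Add("event 6008 unexpected shutdowns: $($crashes.Count)") }

if ($findings.Count -eq 0) { 'No indicators from the guide were found.' } else { $findings }
```

Anything it lists should be cross-checked by hand before the sc stop / sc delete step, since the name patterns are substrings and a legitimate service could match.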