Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Server 2003 Virus removal


  • This topic is locked This topic is locked
3 replies to this topic

#1 Cyberlife

Cyberlife

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 24 February 2011 - 01:02 PM

Good Morning,
I appologize for posting in the wrong forum with this already.

I need help removing a virus from my windows Server 2003. I have alredy resolved the issues of the Virus changing the path in the registry for the userinit.exe file and I am able to log into my server. This was done through a remote registry session to the server and I modified the key located at HKLM\software\microsoft\windows nt\currentversion\winlogon\ The Key is Userinit and the path should read C:\Windows\System32\Userinit.exe, Mine was pointing to the c:\documents and settings folder.

I am currently going through HiJackThis and need some assistance with the log.
Thank you

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:55:53 AM, on 2/24/2011
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\NTR global\NTRsupport Installable RC\installablerc.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\EagleSoft\Shared Files\esinetconnect.exe
C:\Program Files\XLink EzOpenBackup\xEzBackup.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EagleSoft\Shared Files\dbsrv7.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Cleaning\2 HijackThis\HiJackThis.exe
C:\Program Files\EagleSoft\Shared Files\ESMsgServer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ESInetConnect] "C:\Program Files\EagleSoft\Shared Files\esinetconnect.exe"
O4 - HKLM\..\Run: [XLink EzOpenBackup] C:\Program Files\XLink EzOpenBackup\xEzBackup.exe
O4 - HKLM\..\Run: [ESServer] "C:\Program Files\EagleSoft\Shared Files\startsrv.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: XLink EzOpenBackup.lnk = C:\Program Files\XLink EzOpenBackup\xEzBackup.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://www.aresgalaxy.org
O15 - ESC Trusted Zone: http://www.avast.com
O15 - ESC Trusted Zone: http://yp.bellsouth.com
O15 - ESC Trusted Zone: http://software-files.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.geminicomputers.com
O15 - ESC Trusted Zone: http://quickbooks.intuit.com
O15 - ESC Trusted Zone: http://www.intuit.com
O15 - ESC Trusted Zone: http://www.linksys.com
O15 - ESC Trusted Zone: http://ie.search.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://search.msn.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://www.quickbooks.com
O15 - ESC Trusted Zone: http://*.quickbooks.com
O15 - ESC Trusted Zone: http://www.seekar.tk
O15 - ESC Trusted Zone: http://images.trafficmp.com
O15 - ESC Trusted Zone: http://www.whitepages.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.xlink.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.201
O15 - ESC Trusted IP range: http://192.168.1.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cordovadentalcenter.com
O17 - HKLM\Software\..\Telephony: DomainName = cordovadentalcenter.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB1FC9DE-1445-4A65-AF94-AD80CC7ECC9C}: NameServer = 192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cordovadentalcenter.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrator\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\Administrator\WINDOWS\system32\browseui.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: XLink EzOpenBackup Service (EzxBkupSvc) - Unknown owner - C:\Program Files\XLink EzOpenBackup\Ezxbkup.exe
O23 - Service: NTRsupport Installable RC (installablerc) - Unknown owner - C:\Program Files\NTR global\NTRsupport Installable RC\installablerc.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7658 bytes Attached File(s)

Attached Files



BC AdBot (Login to Remove)

 


#2 oneof4

oneof4

  • Malware Response Team
  • 3,498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:03:07 AM

Posted 28 February 2011 - 05:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 oneof4

oneof4

  • Malware Response Team
  • 3,498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:03:07 AM

Posted 07 March 2011 - 07:51 AM

Do you still need help?

Best Regards,
oneof4.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,328 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:07 AM

Posted 10 March 2011 - 01:59 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users