I was called out to a remote office where their server was not responding. It was very slow on Remote Desktop and had 100% CPU usage. It was nearly impossible to even log in. If I tried to browse the C: drive after logging in, then explorer would reboot (all my icons and task bar go away, then come back). The same thing happened for almost everything I did. Start > Run > cmd would do it. Trying to run virtually anything would make explorer crash and restart: msconfig, regedit, services.msc, http://windowsupdate.com, C:\Windows, anything. Also, running any exe files would cause explorer to crash, including HiJackThis and prevxcsi. I was only able to browse my file system with IE going to a file:///C:\ address. Here is some of what I found:
Created 11/27/07 12:00 AM
Created 11/27/07 12:01 AM
Created 11/27/07 12:02 AM
And several others!
I am a little surprised; we were running TrendMicro and were behind a firewall and still were infected so badly. It is the file server, so possibly a user brought in a downloader or something. Anyway, this server is 2003 SP1, which means it's way out of date and probably vulnerable to some exploits. I am stuck now. I was able to delete those files from PE with the command prompt, but explorer still appears to crash if I do anything. At least the CPU is back down to normal. I just can't update or use the system. Oh, and Remote Desktop stopped working after I rebooted: "The requested service provider could not be loaded or initialized", so I have to work from the console. Oh yeah, I can no longer go to websites from this server, but was able to before deleting those files... I also deleted the Internet Explorer plug-in "Wn_Sys8x.sys" and an autorun.ini that was in the C:\ root.
All these files I have searched for came up with TSPY_ONLINEG.EOS aka OnlineGamer, and a bunch of stuff in Chinese that seems new. Especially logogo.exe and qdshm.dll seem to be closely related, because they show up next to each other on all these Chinese sites I cannot understand.
So this sucks. I need to fix this f'ed server and go home. Thanks for any tips or suggestions you may have.