Oh The 27th Was A Horrible Day For This Server...


2 replies to this topic

#1 hemlockz

  • Members
  • 8 posts

Posted 29 November 2007 - 05:47 AM

I was called out to a remote office where their server was not responding. It was very slow on Remote Desktop and had 100% CPU usage. It was nearly impossible to even log in. If I tried to browse the C: drive after logging in, then Explorer would reboot (all my icons and task bar go away, then come back). The same thing happened for almost everything I did. Start, Run, cmd would do it. Trying to run virtually anything would make Explorer crash and restart: msconfig, regedit, services.msc, http://windowsupdate.com, C:\Windows, anything. Also, running any exe files would cause Explorer to crash, including HijackThis and prevxcsi. I was only able to browse my file system with IE going to a file:///C:\ address. Here is some of what I found:

Created 11/27/07 12:00 AM


C:\WINDOWS\system\inudhya.dll
C:\WINDOWS\system32\myad.nls.bak
C:\WINDOWS\system32\qdshm.dll
C:\WINDOWS\system32\rsmyhsp.exe
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\kapjeaz.exe
C:\WINDOWS\system32\okmhaaz.exe
C:\WINDOWS\system32\avwlein.dll


Created 11/27/07 12:01 AM
C:\WINDOWS\system\1.exe
C:\WINDOWS\system32\oeimport.dll
C:\WINDOWS\system32\addrmshelp.dll (hidden)
C:\WINDOWS\upxdnd.exe

Created 11/27/07 12:02 AM
C:\WINDOWS\system\logogo.exe (hidden)

And several others!

I am a little surprised; we were running TrendMicro and were behind a firewall and still were infected so badly. It is the file server, so possibly a user brought in a downloader or something. Anyway, this server is 2003 SP1, which means it's way out of date and probably vulnerable to some exploits. I am stuck now. I was able to delete those files from PE with the command prompt, but Explorer still appears to crash if I do anything. At least the CPU is back down to normal. I just can't update or use the system. Oh, and Remote Desktop stopped working after I rebooted: "The requested service provider could not be loaded or initialized", so I have to work from the console. Oh yeah, I can no longer go to websites from this server, but was able to before deleting those files... I also deleted the Internet Explorer plug-in "Wn_Sys8x.sys" and an autorun.ini that was in the C:\ root.

All these files I have searched for came up with TSPY_ONLINEG.EOS, aka OnlineGamer, and a bunch of stuff in Chinese that seems new. Especially logogo.exe and qdshm.dll seem to be closely related, because they show up next to each other on all these Chinese sites I cannot understand.

So this sucks, I need to fix this f'ed server and go home. Thanks for any tips or suggestions you may have.


#2 hemlockz (Topic Starter)

  • Members
  • 8 posts

Posted 29 November 2007 - 06:50 AM

I lost the network after renaming the qdshm.dll file because it was taking over as the Winsock provider, I guess, according to a translated website:

Winsock providers
MSAPI Tcpip [TCP/IP]
%systemroot%\system32\qdshm.dll (, N/A)
MSAPI Tcpip [UDP/IP]
%systemroot%\system32\qdshm.dll (, N/A)
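
The listing above shows a third-party DLL registered as the TCP/IP and UDP/IP Winsock provider, which is why pulling the file broke networking and Remote Desktop ("The requested service provider could not be loaded or initialized"). The following PowerShell script is an added example, not code from the original thread or from any tool it names: it reads the Winsock2 protocol catalog straight from the registry, decodes each entry's provider module path, and flags any module that is not on a small allowlist of stock Windows providers. The allowlist and the 260-byte path field length are assumptions to adjust for the build being examined; run it as an administrator on the affected box.

```powershell
# Added example (not from the original post): enumerate Winsock2 protocol
# catalog entries and flag providers whose module is not a stock Windows DLL.
# Assumptions: Windows, run as administrator; the allowlist is an example only.

function Get-WinsockProviders {
    param(
        # Example allowlist of stock provider modules; extend for the build in question.
        [string[]]$Expected = @('mswsock.dll', 'rsvpsp.dll', 'winrnr.dll')
    )

    $catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'

    Get-ChildItem -Path $catalog | ForEach-Object {
        $item = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
        if (-not $item) { return }

        # PackedCatalogItem starts with the provider path as a null-terminated
        # ANSI string in a MAX_PATH (260-byte) field; decode and cut at the first NUL.
        $len      = [Math]::Min(260, $item.Length)
        $raw      = [System.Text.Encoding]::ASCII.GetString($item, 0, $len)
        $path     = $raw.Split([char]0)[0]
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $name     = [System.IO.Path]::GetFileName($expanded).ToLowerInvariant()

        [PSCustomObject]@{
            Entry  = $_.PSChildName
            Module = $expanded
            Exists = Test-Path -LiteralPath $expanded
            Status = if ($Expected -contains $name) { 'expected' } else { 'REVIEW' }
        }
    }
}

# Print every entry; anything marked REVIEW, or whose module no longer exists
# on disk, is what is breaking (or hijacking) the Winsock stack.
Get-WinsockProviders | Format-Table -AutoSize
```

The `Exists` column is the useful bit after the fact: once the DLL has been deleted or renamed, the catalog still points at it, and every socket-using program fails exactly the way described above. Rebuilding the catalog (for example with `netsh winsock reset`, which is available on Server 2003 and XP SP2 and later) rather than editing the packed entries by hand is the usual way back to a working stack.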

#3 hemlockz (Topic Starter)

  • Members
  • 8 posts

Posted 29 November 2007 - 10:54 AM

Doing a repair install seems to have made some progress... however, I had to try a couple of times because the installer kept crashing on Installing Network, so I disabled the NICs in the BIOS and it worked. Had to reboot a couple more times for the drivers to load after enabling them again in the BIOS. It finally worked in Safe Mode and now I am rebooting normally for the first time. It's still stuck at Applying Computer Settings... and has been for almost 45 minutes. But the IP address works, the shared drives work, and DNS is up. Still waiting on Exchange to become available. Probably at that point it will reinfect itself.



