Unknown infection on my Win2003 server, very nasty


  • This topic is locked
3 replies to this topic

#1 Cannotcompute

Posted 03 April 2009 - 12:41 AM

I run a home server with a Windows Server 2003 operating system, and since my main PC never lasts more than a few weeks before the motherboard's southbridge inexplicably fries (like with smoke and boiling silicon) my server has been doubling up as my primary computer for a while.

I can't say I've treated this thing like a server security-wise, and I've had a couple of infections, but I've had no trouble fixing them on my own.

However, a few days ago, my browser started randomly redirecting to bogus pages (that are usually somewhat "related" to my search) when clicking on Google results. If I use the back button and click on the result again it always takes me to the right page. But almost every time I click on a new result (but not always) it redirects me to another page.

That's what first tipped me off.

So, I did what I always do when my anti-virus program doesn't catch it. I download Spybot S&D.

It installed fine, but when I run the actual program it starts, and shows up in the process list, but hangs, shows 0 CPU usage, and the GUI never appears.

This is the first application that this happened with. So, I downloaded Malwarebytes' Anti-Malware and installed that. I run it and the exact same thing happens.

At this point I'm wondering what it could have possibly been that I had downloaded that gave me the bugger while I download and install HJT!. I go through the HJT! log and find some minorly suspicious things that I remove, but no executables that I can't identify.

And now I must admit that I have come across something that I can't fix :) Here's one for you guys! :thumbup2:

UPDATE:
The virus also causes attempts to defragment hard disks to fail with the error message "Disk Defragmenter could not start."

UPDATE 2:
I successfully got Malwarebytes' Anti-Malware and Spybot to run by changing the names of their executable files on the disk!! I'm running full scans now. I'll post back with the results.

EDIT: Moved the HJT! log to an attachment because it was making the page too wide.
EDIT 2: Added more info

Edited by Cannotcompute, 03 April 2009 - 02:46 AM.


#2 Cannotcompute

Posted 03 April 2009 - 12:45 AM

Oh by the way that mass of trusted zones is almost entirely for downloading from sites. IE for Servers blocks downloads by default. I've long since switched to Firefox so I'm going to remove those anyways :D

Edited by Cannotcompute, 03 April 2009 - 12:45 AM.


#3 Orange Blossom

Posted 11 April 2009 - 04:23 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results. Click no to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Orange Blossom

Posted 18 April 2009 - 02:25 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please start a new topic.