Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

2003 server r2 infected with security virus


  • Please log in to reply
7 replies to this topic

#1 picturecar

picturecar

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 13 April 2010 - 04:30 PM

Hospital domain with 2003 server and terminal services. A user was checking e-mail and infection came up as security center, emulating vista or win 7 look. she ctrl alt deleted and ended task and called me. ran a scan on server and got trojan.bho, Worm.KoobFace and Hijack.ControlPanelStyle using updated Malware bytes and am now running registered version of Superantispyware.

I Ran Hijack this but have done nothing yet but save log. This Domain is not set up exactly by one person so i am sure there are holes. I am putting a sonicwall in.

What should I do?

Thanks,
Jimmy

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:08 PM

Posted 13 April 2010 - 07:23 PM

Post the SUPER scan log please.
Then run
FixExe.reg

FixExe.reg
....click Run when the box opens

RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


How is it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 picturecar

picturecar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 14 April 2010 - 02:33 PM

I am so Sorry for Delay.

I ran updated Malwarebytes and Superantispyware.

Ok Here is scan log. Very strange dates and time. I am including a screenshot because scan log looks messed.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2008 at 01:46 PM

Application Version : 4.23.1006

Core Rules Database Version : 3687
Trace Rules Database Version: 1663

Scan type : Complete Scan
Total Scan Time : 00:38:48

Memory items scanned : 607
Memory threats detected : 0
Registry items scanned : 5904
Registry threats detected : 0
File items scanned : 25663
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Workstation8\Cookies\workstation8@www.googleadservices[5].txt
C:\Documents and Settings\Workstation8\Cookies\workstation8@perf.overture[1].txt


Posted Image

I also am running windows Server 2003 with RDP in Terminal Services

so Files like gmr.exe etc do not work and some will lock up server. I can only reboot once a day at 7:00pm

If these files are ok for me I will run them today at 7:00pm

Thank You,

Jimmy

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:08 PM

Posted 14 April 2010 - 02:54 PM

Ok, perhaps the PC or servers clock is not coorect to time/date.

Let me ask here. This is a Hospital machine so is there not an IT or dept head that will be all over you for trying to run these tools here.
Those were simple tracking cookies in the SAS scan and can safely be deleted.
You did not post MBAM eeven tho it's what I asked for..??

Did you mean gmer.exe or gmr.exe?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 picturecar

picturecar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 15 April 2010 - 12:13 AM

I'm sorry I thought you wanted Super antispyware log by post. Anyway I am ok to do what I want on server.

Here is Malwarebytes log.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3988

Windows 5.2.3790 Service Pack 2
Internet Explorer 7.0.5730.11

4/14/2010 8:32:54 PM
mbam-log-2010-04-14 (20-32-54).txt

Scan type: Quick scan
Objects scanned: 283886
Time elapsed: 23 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I am not sure but on workstation 12 and 13 these are two different workstations runnibg rdp in terminal services mode. Should I run these in local mode as well and sweep?

Also I will run fixexe.reg and rkill in am and get back to you. I really would like to know I have a clean server because that Security virus has been on a lot of systems around here.

Jimmy

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:08 PM

Posted 15 April 2010 - 06:47 PM

Yes , run it on them All. SAS will need to be run on all user accounts to to be certain it accesses those hives.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 picturecar

picturecar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 April 2010 - 01:19 AM

Ok Sorry for slowness, they have been busy.

Here is Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 04/17/2010 at 0:20:28.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Administrator\Desktop\rkill.pif


Rkill completed on 04/17/2010 at 0:20:34.


Here is Malwarebytes Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.2.3790 Service Pack 2
Internet Explorer 7.0.5730.11

4/17/2010 2:01:15 AM
mbam-log-2010-04-17 (02-01-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 376663
Time elapsed: 52 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will test the workstation that was first infected. (which is the server ) So the hive is from the login from each workstation if I am understanding this right and SAS should be run on each workstation to clear anyone that may have contracted these.

Jimmy

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:08 PM

Posted 17 April 2010 - 10:27 AM

Yes...

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.

Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.

Registry Hives
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users