Server 2003 with Malware

I've got a Windows Server 2003 with some kind of malware. I've gotten rid of most of it, but there is one bug that I just can't get rid of. The main problem is a lot of the tools to get rid of these pesky bugs don't work on server OS.

All windows updates have been applied. There are no Antivirus or antimalware programs running at the moment. Just Malwarebytes installed.

I have followed the guide.

The DDS log says this OS is not supported.

Here is the Gmer log....

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-19 23:14:08
Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.0.1.
Running: 7cr2mei4.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\fwtdrpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? ACPI.sys The system cannot find the file specified. !
? pci.sys The system cannot find the file specified. !
? isapnp.sys The system cannot find the file specified. !
? pciide.sys The system cannot find the file specified. !
? intelide.sys The system cannot find the file specified. !
? MountMgr.sys The system cannot find the file specified. !
? ftdisk.sys The system cannot find the file specified. !
? dmload.sys The system cannot find the file specified. !
? dmio.sys The system cannot find the file specified. !
? volsnap.sys The system cannot find the file specified. !
? PartMgr.sys The system cannot find the file specified. !
? atapi.sys The system cannot find the file specified. !
? iaStor.sys The system cannot find the file specified. !
? disk.sys The system cannot find the file specified. !
? fltmgr.sys The system cannot find the file specified. !
? Dfs.sys The system cannot find the file specified. !
? KSecDD.sys The system cannot find the file specified. !
? Ntfs.sys The system cannot find the file specified. !
? NDIS.sys The system cannot find the file specified. !
? Mup.sys The system cannot find the file specified. !
? crcdisk.sys The system cannot find the file specified. !
? agp440.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

UPX1 C:\WINDOWS\TEMP\csrss.exe[2260] C:\WINDOWS\TEMP\csrss.exe entry point in "UPX1" section [0x004BEF20]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys

---- EOF - GMER 1.0.15 ----

The problem file is of course c:\windows\temp\csrss.exe. The real csrss.exe in the Windows\system32 folder seems fine and is only 4K in size I think. Its this one in the temp folder that Malwarebytes and other programs just can't get rid of. When I boot into safe mode the file doesn't exist and Malwarebytes doesn't find anything wrong. If I do an online scan of this file no antivirus thinks its bad.

Any ideas would be great!

Thanks,

Konrad

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

We need to create a New FULL OTL Report

• Please download OTL from here if you have not done so already:
  
  • Main Mirror
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Change the "Extra Registry" option to "SafeList"
• Push the button.
• Two reports will open, copy and paste them in a reply here:
  
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.

Do you still need help?

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.