needing help on removing system install server.exe



#1 T Reichhart


Posted 25 February 2011 - 05:45 PM

Hi Guys
I must have got c:\windows\system32\install\server.exe

I have run SuperAntiSpyware, Spybot, Malwarebytes, MSE

MSE didn't find anything
Spybot found spyware and it has been removed
SuperAntiSpyware found 727 files and they have been removed.
Malwarebytes found 8 files and removed them. (found c:\windows\system32\install\server.exe)

Then I restarted the computer.

After the restart I did another system scan with SuperAntiSpyware, Spybot, Malwarebytes, MSE

MSE didn't find anything
Spybot didn't find anything
SuperAntiSpyware didn't find anything
Malwarebytes keeps finding 8 files and found c:\windows\system32\install\server.exe



So I downloaded ComboFix after researching some other people with the same problem as me (I did stop all spyware programs, antivirus programs and Malwarebytes), and when I get the completed files to 50 it will go to a BSOD and give me this error: Bad_Pool_Header stop 0x00000019.0x00000020,0x891195A0,0x89119B8.

I tried to run ComboFix 2 times and still get the BSOD every time after 50 files are completed.

As of right now I have turned off the wireless on my laptop that has this c:\windows\system32\install\server.exe until I get this crappy virus off of my computer.

Here is the Malwarebytes log from my other laptop:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5874

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/25/2011 5:05:25 PM
mbam-log-2011-02-25 (17-05-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 289908
Time elapsed: 1 hour(s), 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{DPVU322O-1228-E80S-O10A-7KCBKG33FV04} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DPVU322O-1228-E80S-O10A-7KCBKG33FV04} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM (Trojan.Downloader) -> Value: HKLM -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.Downloader) -> Value: Policies -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Trojan.Downloader) -> Value: HKCU -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.Downloader) -> Value: Policies -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\User\application data\Userlog.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\install\server.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


I also wanted to say that every time I restart the other laptop I keep getting that c:\windows\system32\install\server.exe when Malwarebytes sees it.

Edited by T Reichhart, 25 February 2011 - 06:02 PM.
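
Added example, not part of the original thread: a small parser for Malwarebytes logs in the format posted above that lists items one scan reported as deleted and a later scan detects again, tagged with the autostart location they sit in. `SCAN_1` reuses detail lines from the posted log; `SCAN_2` is a constructed second scan, and the function names and kind labels are this example's own.

```python
import re

# Constructed sample: detail lines copied from the log in the post above.
SCAN_1 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DPVU322O-1228-E80S-O10A-7KCBKG33FV04} (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM (Trojan.Downloader) -> Value: HKLM -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.Downloader) -> Value: Policies -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\User\application data\Userlog.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\install\server.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
# Constructed second scan (assumption): same items minus Userlog.dat, so the
# comparison has something to tell apart.
SCAN_2 = "\n".join(l for l in SCAN_1.splitlines() if "Userlog.dat" not in l)

ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[\w.]+)\) -> "
                  r"(?:Value: .+? -> )?(?P<action>.+)$")
# Autostart locations that appear in this log, most specific first.
AUTOSTART = [
    (r"\\Active Setup\\Installed Components\\", "active-setup"),
    (r"\\Policies\\Explorer\\Run\\", "policies-run"),
    (r"\\CurrentVersion\\Run\\", "run"),
]

def parse_scan(text):
    """Map lower-cased item path -> (section, detection name, kind, action)."""
    items, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith(" Infected:"):
            section = line[:-len(" Infected:")]
            continue
        m = ITEM.match(line)
        if m and section:
            kind = next((k for pat, k in AUTOSTART
                         if re.search(pat, m["path"], re.I)), section.lower())
            items[m["path"].lower()] = (section, m["name"], kind, m["action"])
    return items

def reappeared(before, after):
    """Paths the first scan reported as deleted that the second scan finds again."""
    first = parse_scan(before)
    return sorted(p for p in parse_scan(after)
                  if p in first and "deleted" in first[p][3])

if __name__ == "__main__":
    for path in reappeared(SCAN_1, SCAN_2):
        print(parse_scan(SCAN_2)[path][2], path)
```

Items that come back after a successful quarantine, especially under the autostart kinds, mean something still running on the machine is rewriting them between scans.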




#2 T Reichhart


Posted 25 February 2011 - 08:09 PM

I need this other laptop fixed ASAP, like tonight if possible. Thanks

#3 T Reichhart


Posted 25 February 2011 - 11:02 PM

OK, 32 views and still no help?

#4 T Reichhart


Posted 26 February 2011 - 11:31 AM

Just an update: I was able to get that stupid c:\windows\system32\install\server.exe removed from my system by doing this:

Make sure you have a copy of ComboFix.

Then burn it on a computer that does not have this virus on it.

Then on the computer that has c:\windows\system32\install\server.exe, boot into safe mode as admin.

After it boots up in safe mode, open your DVD drive and drag ComboFix out to the desktop, then start ComboFix. It will go to completed 50, then it will start deleting the files that have c:\windows\system32\install\server.exe on them, then ComboFix will restart your computer itself.

Once the computer restarts, the ComboFix screen will come back up in normal Windows and it will say Preparing Log Report:

Do not run any programs until ComboFix has finished.

After it's done with the report you want to run another antivirus, Malwarebytes, SuperAntiSpyware scan to make sure it's gone.

Edited by T Reichhart, 26 February 2011 - 11:37 AM.


#5 T Reichhart


Posted 26 February 2011 - 12:15 PM

That still didn't fix it, so I am just going to reformat the computer.

#6 Sofiane Mekroussi


Posted 15 November 2011 - 10:27 AM

THANK YOU GUYS !!
After reading your information about the %systemroot%\system32\install\server.exe I was able to stop its startup, which made my connection extremely slow.
For this I'm sharing this method with you:
Just go to the directory "%systemroot%\system32\install\" and create a new text document, name it whatever you want BUT change its extension from Text.txt to Text.bat, and write in the following lines:
---------------------------------------------
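REM Switch to the drive and folder the file lives in
CD /D %systemroot%\system32\install\
REM Delete the file
del server.exe
REM Create a folder with the same name so a file called server.exe cannot be written here again
MD Server.exe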
---------------------------------------------
Then log out or reboot.
Finally delete the registry entries mentioned above with the value of %systemroot%\system32\install\server.exe
Then try finding the traces, and please update this information because I'll try when I get some free time.
Note: %systemroot% for beginners = C:\WINDOWS

Mekroussi Sofiane ( ENGLISH / FRENCH / ARABIC) ALGERIA>GHARDAIA>ZELFANA 15/11/2011 16:25

#7 Sofiane Mekroussi


Posted 15 November 2011 - 10:33 AM

If you need more help I'll be glad to support you; contact me at this email:
sofianemekroussi@yahoo.com
Note : Unfortunately I'm not reading my Email every day so BE PATIENT PLEASE !!

Mekroussi Sofiane ( ENGLISH / FRENCH / ARABIC) ALGERIA>GHARDAIA>ZELFANA 15/11/2011 15:31 GMT



