
Rorpian.E!lnk and CPlLnk.A removal



#1 erickson147

Posted 03 May 2011 - 09:17 AM

I have Microsoft Security Essentials running on my Windows 2003 R2 x64 server and it keeps finding the following items:

Worm:Win32/Rorpian
Exploit:Win32/CplLnk.A
Worm:Win32/Rorpian.E!lnk

It states they are being removed, but they keep appearing almost every hour... I have run Malwarebytes, Spybot S&D, and other spyware programs which don't find anything.

This server is being used for file sharing and all permissions have now been locked down by security groups. (Don't ask why, this was being administered at a remote site)

I can't seem to clean this server for good! I'm also using McAfee for our Enterprise AntiVirus which keeps finding the following (I'm assuming there is some relationship between the two):

W32/Autorun.worm.aabl!lnk
Generic.dx!ytk

These are being found in the Setup50045.fon, setup50045.lnk, myporno.avi.lnk, and pornmovs.lnk files.

Any help would be appreciated. I will post files upon request as this is my production server.

Thanks!

Please follow the instructions in This Guide. If you cannot complete a step, skip it and continue.

Then post your DDS and GMER logs as a reply to this topic. Once you have done that I will remove my reply and consolidate the posts so that you retain your correct place in the queue.

If you can produce at least some of the logs, then please explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.


When attempting to run the DDS.scr tool I received the message: This tool does not support your operating system. As previously stated this is a W2K3 R2 64bit OS. Before I run the GMER.exe rootkit scan, will there be any issues with incompatibility for my OS? I ran it on my local PC first and got a Blue Screen; I did have multiple windows open, and was able to run it once I rebooted my PC. I also noticed it begins a scan when the application opens. Is this normal? Will it cause any interruption on my server for users?

EDIT: Posts merged. Skip the GMER scan for now. When one of our helpers picks up your topic they will provide further instructions. ~Budapest

Edited by Budapest, 04 May 2011 - 03:57 PM.
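A triage script for the pattern erickson147 describes (shortcuts named after media files and a Setup50045.fon/setup50045.lnk pair reappearing on a file share), added here as an example; it is not code from this thread or from any tool named in it. It assumes the share is reachable at a local path and builds a constructed sample share in a temporary directory. The name heuristics (the media double extension, the "porn" lure word, the .fon/.lnk pairing) are taken from the file names in the post, and the header check uses the documented MS-SHLLINK header fields (HeaderSize 0x4C and the shell-link CLSID) so that files carrying a .lnk extension without being shell links are reported too.

```python
"""Triage a file share for the modified-shortcut pattern reported in the thread.

Added example; constructed sample data. Name heuristics come from the file
names in the post, the header check from the documented MS-SHLLINK header.
"""
import os
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".mp3", ".jpg", ".doc", ".pdf"}
LURE_WORDS = ("porn",)  # taken from myporno.avi.lnk / pornmovs.lnk in the post


def is_shell_link(data: bytes) -> bool:
    """True when data starts with a well-formed shell-link (.lnk) header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (header_size,) = struct.unpack("<I", data[:4])
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_share(root) -> dict:
    """Walk the share; return {relative path: [reasons]} for suspicious .lnk files."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    # lower-cased names per directory, so the .fon/.lnk pairing is case-insensitive
    names_in_dir = defaultdict(set)
    for p in files:
        names_in_dir[p.parent].add(p.name.lower())

    findings = {}
    for path in files:
        name = path.name.lower()
        if not name.endswith(".lnk"):
            continue
        reasons = []
        suffixes = [s.lower() for s in path.suffixes]
        if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS:
            reasons.append("media-name double extension")
        if any(word in name for word in LURE_WORDS):
            reasons.append("lure name")
        if (path.stem + ".fon").lower() in names_in_dir[path.parent]:
            reasons.append("paired with .fon of the same name")
        if not is_shell_link(path.read_bytes()):
            reasons.append("malformed shell-link header")
        if reasons:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            findings[rel] = reasons
    return findings


# A bare but well-formed header: size, CLSID, then zeroed flags/times/etc.
VALID_LNK_HEADER = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)

# Constructed share contents; the suspicious names are the ones from the post.
SAMPLE_FILES = {
    "Setup50045.fon": b"MZ" + b"\x00" * 64,      # stand-in bytes, not a real font
    "setup50045.lnk": VALID_LNK_HEADER,
    "myporno.avi.lnk": VALID_LNK_HEADER,
    "pornmovs.lnk": VALID_LNK_HEADER,
    "Quarterly Report.lnk": VALID_LNK_HEADER,    # benign control shortcut
    "budget.xlsx": b"not a shortcut",
    "notes.lnk": b"garbage",                      # .lnk extension, not a shell link
}


def build_sample_share() -> Path:
    """Write the constructed files into a fresh temporary directory."""
    share = Path(tempfile.mkdtemp(prefix="share_triage_"))
    for fname, data in SAMPLE_FILES.items():
        (share / fname).write_bytes(data)
    return share


def demo() -> dict:
    return triage_share(build_sample_share())


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point `triage_share` at the mounted share instead of the constructed directory to get the same report for real contents; the reasons list is what you would hand to whoever administers the remote site, since a shortcut that is recreated every hour after removal is a symptom of the writer, not of the server's own files.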



#2 erickson147


Posted 06 May 2011 - 08:52 AM

Thanks for your help.

#3 erickson147


Posted 12 May 2011 - 09:50 AM

Did I miss something that you requested me to post or is this post just waiting in the queue to get picked up?

#4 myrti


Posted 12 May 2011 - 10:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 erickson147


Posted 16 May 2011 - 01:05 PM

Attached File: OTL.Txt (80.46KB)

Here are the logs... I know there are two instances of anti-virus, but I'm doing some testing at the moment.

Attached File: Extras.Txt (35.34KB)

#6 myrti


Posted 16 May 2011 - 02:01 PM

Hey,

the detections MSSE showed are for modified shortcuts. Have you recently attached a flash drive to the system?

Please run aswMBR
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

(gmer will not run on a 64bit OS)

regards myrti



#7 erickson147


Posted 16 May 2011 - 02:57 PM

I'm not positive if a flash drive has been attached/inserted into this server. It is being used at one of our remote locations. I do however know this server obtained the virus/malware via open shares.

Attached File: EdgeadMBR.txt (1.25KB)

#8 myrti


Posted 16 May 2011 - 03:46 PM

Hi,
this is most likely the vulnerability that the exploit-warning is referencing: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

If you had the patches applied, there's a chance the PC was never really infected. In addition the files found point to a 32-bit infection, which might not even be able to install a service on the PC: link.

At this point I would make sure that the files are not being created by a different, infected PC that has access to the shares on the server.

regards myrti

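myrti's last suggestion, checking whether the files are being written by another infected machine with access to the shares, is something file-access auditing can answer. The script below is an added example and not code from this thread or from any tool named in it. It assumes a normalized, pipe-separated export of object-access audit events (time|event_id|account|source|object|access), where the object-access event is 560 on Windows 2003 and 4663 on 2008 and later, and where the source workstation has already been joined in from the matching logon event; the audit lines themselves are constructed. It groups write accesses to names matching what the thread reports by account and source, and measures the spacing between write bursts, which is how the "almost every hour" cadence in the first post would show up in the log.

```python
"""Attribute writes of worm-style shortcut files on a share to the client that
made them, from a normalized file-access audit export.

Added example with constructed data. The export format is an assumption:
time|event_id|account|source|object|access, with the object-access event being
560 (Windows 2003) or 4663 (2008 and later) and the source workstation already
joined in from the matching logon event.
"""
from collections import defaultdict
from datetime import datetime

OBJECT_ACCESS_EVENTS = {"560", "4663"}
MEDIA_EXTS = (".avi", ".mpg", ".mpeg", ".wmv", ".mp3", ".jpg", ".doc", ".pdf")
LURE_WORDS = ("porn",)  # from the file names reported in the post

# Constructed audit lines: one client writing the reported files on the hour,
# one ordinary user doing ordinary work.
SAMPLE_EVENTS = """\
2011-05-16 08:02:11|4663|CORP\\jsmith|WS-ACCOUNTING|E:\\Shares\\Public\\budget.xlsx|ReadData (or ListDirectory)
2011-05-16 09:00:03|4663|CORP\\rthompson|WS-WAREHOUSE-07|E:\\Shares\\Public\\myporno.avi.lnk|WriteData (or AddFile)
2011-05-16 09:00:03|4663|CORP\\rthompson|WS-WAREHOUSE-07|E:\\Shares\\Public\\Setup50045.fon|WriteData (or AddFile)
2011-05-16 09:00:04|4663|CORP\\rthompson|WS-WAREHOUSE-07|E:\\Shares\\Public\\setup50045.lnk|WriteData (or AddFile)
2011-05-16 09:31:40|4663|CORP\\jsmith|WS-ACCOUNTING|E:\\Shares\\Public\\memo.doc|WriteData (or AddFile)
2011-05-16 10:00:05|4663|CORP\\rthompson|WS-WAREHOUSE-07|E:\\Shares\\Public\\pornmovs.lnk|WriteData (or AddFile)
2011-05-16 10:00:05|4663|CORP\\rthompson|WS-WAREHOUSE-07|E:\\Shares\\Public\\myporno.avi.lnk|WriteData (or AddFile)
"""


def looks_like_worm_artifact(filename: str) -> bool:
    """Name heuristic for what the thread reports: lure or double-extension
    shortcuts, and the .fon file dropped beside them."""
    name = filename.lower()
    if name.endswith(".fon"):
        return True
    if not name.endswith(".lnk"):
        return False
    base = name[:-4]
    return base.endswith(MEDIA_EXTS) or any(w in base for w in LURE_WORDS)


def parse_events(text: str) -> list:
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, event_id, account, source, obj, access = line.split("|")
        events.append({
            "time": datetime.strptime(time_s, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "account": account, "source": source,
            "object": obj, "access": access,
        })
    return events


def burst_gaps_minutes(times, burst_window_s: int = 60) -> list:
    """Collapse timestamps closer than burst_window_s into one burst and
    return the gaps between consecutive bursts, in whole minutes."""
    bursts = []
    for t in sorted(times):
        if not bursts or (t - bursts[-1]).total_seconds() > burst_window_s:
            bursts.append(t)
    return [round((b - a).total_seconds() / 60) for a, b in zip(bursts, bursts[1:])]


def attribute_writes(events) -> dict:
    """Group suspicious write accesses by (account, source workstation)."""
    per_writer = defaultdict(lambda: {"writes": 0, "objects": set(), "times": []})
    for ev in events:
        if ev["event_id"] not in OBJECT_ACCESS_EVENTS or "WriteData" not in ev["access"]:
            continue
        filename = ev["object"].rsplit("\\", 1)[-1]
        if not looks_like_worm_artifact(filename):
            continue
        entry = per_writer[(ev["account"], ev["source"])]
        entry["writes"] += 1
        entry["objects"].add(filename)
        entry["times"].append(ev["time"])
    report = {}
    for key, entry in per_writer.items():
        report[key] = {
            "writes": entry["writes"],
            "objects": sorted(entry["objects"]),
            "gaps_minutes": burst_gaps_minutes(entry["times"]),
        }
    return report


def demo() -> dict:
    return attribute_writes(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for (account, source), info in demo().items():
        print(f"{account} from {source}: {info['writes']} writes, "
              f"{len(info['objects'])} distinct files, burst gaps {info['gaps_minutes']} min")
```

In the constructed data the report names one account and one workstation writing the flagged files at sixty-minute intervals, which is the evidence needed to take that client off the network and clean it; the server's own scanners removing the files each hour, as described in the first post, never addresses the writer. Note that `setup50045.lnk` on its own does not match the name heuristic here; it is the `.fon` written beside it that is counted, so the pairing check from the share triage is the better test when only file names are available.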


#9 myrti


Posted 05 June 2011 - 03:34 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





