SBS2003 infected - workstations too



#1 Diemux

Posted 10 May 2011 - 03:05 AM

I have been confronted with a virus spreading on our SBS2003 and its workstations. We see several files being created on our HDD called:

autorun.inf, setup50045.fon, setup50045.lnk, myporno.avi.lnk and pornmovies.lnk

Googling these filenames tells us we have a mean virus on our hands :(. It seems that all workstations have been infected too, the login process is real slow and on 2 new machines the network drives aren't accessible (giving missing DLL error).

I have run ComboFix on one of the new workstations and attached the log to this post.

I'm currently running virus scans on the SBS2003 server. What to do?!?

Attached file: log.txt (15.55KB)



 


#2 myrti


Posted 17 May 2011 - 11:48 AM

Hi,

I take it this is a business computer?

If so, I strongly recommend you ask your IT support/network administrator to fix this. After all, they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

Since the infection seems to broadcast through network shares, I would suggest isolating all infected PCs from the still clean ones.
The infection you have should be close to this one: http://www.symantec.com/security_response/writeup.jsp?docid=2011-031106-4835-99&tabid=2

regards myrti

Edited by myrti, 17 May 2011 - 11:50 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
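Added example, not part of the original thread: a read-only sweep that checks drive or share roots for the filenames listed in the first post, so infected locations can be separated from clean ones before isolation. The function names, the depth limit and the sample directory tree are assumptions made for illustration; the filenames are the ones reported above.

```python
import os
import tempfile

# Filenames reported in the first post; compared case-insensitively,
# because Windows file names are case-insensitive.
INDICATORS = {"autorun.inf", "setup50045.fon", "setup50045.lnk",
              "myporno.avi.lnk", "pornmovies.lnk"}


def sweep(root, max_depth=1):
    """Return sorted relative paths under root whose names match INDICATORS."""
    hits = []
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        depth = dirpath.rstrip(os.sep).count(os.sep) - base_depth
        if depth >= max_depth:
            dirnames[:] = []  # stop descending; unreadable dirs are skipped
        for name in filenames:
            if name.lower() in INDICATORS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def triage(roots, max_depth=1):
    """Map each root to its hits; roots with any hit are isolation candidates."""
    report = {r: sweep(r, max_depth) for r in roots}
    isolate = sorted(r for r, hits in report.items() if hits)
    return report, isolate


def build_demo():
    """Constructed sample tree: one share with indicator files, one clean."""
    top = tempfile.mkdtemp()
    bad, clean = os.path.join(top, "share_a"), os.path.join(top, "share_b")
    os.makedirs(os.path.join(bad, "docs"))
    os.makedirs(clean)
    for rel in ("AUTORUN.INF", "setup50045.lnk", os.path.join("docs", "pornmovies.lnk")):
        open(os.path.join(bad, rel), "w").close()
    open(os.path.join(clean, "readme.txt"), "w").close()
    return bad, clean


if __name__ == "__main__":
    report, isolate = triage(list(build_demo()))
    for root, hits in report.items():
        print(root, "->", hits or "clean")
    print("isolate:", isolate)
```

A legitimate autorun.inf on installation media will also match, so a hit is a reason to inspect the location, not proof of infection.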

 



#3 myrti


Posted 05 June 2011 - 03:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
