I originally posted here: Am I infected post
and was referred here. I started there because I'm not sure I can do the prerequisites required for posting in this forum. DDS told me it wouldn't run on Server 2003, and when I tried to research whether GMER was safe on Server I found lots of references to blue screens. Also, can somebody tell me, if GMER is generally safe for Server use, is it JUST a scan? In other words, this is a live Terminal Server that half our firm uses all day, is it okay to run this during the day, or is it going to cut people off, stop processes, reset connections, etc? I've used GMER and DDS and TDSSKiller and Combofix and a bunch of other stuff on desktops, but this is my first server infection. So here's my problem, if there's something I can do that WILL work (safely) on a Windows Server 2003 machine, please let me know (Below is copied from the other post, if you already checked that link, you can skip the rest...)
We have a Windows 2003 server that is a Terminal Server for branch office and home/remote use. A month or so ago I got a warning from our ISP that somebody had detected remote desktop attempts from our IP address. I ran our virus scanner (Vipre Enterprise) and found nothing, didn't see anything unusual. That weekend, the "deep scan" found something it called "HackTool.Win32.BruteForce" in notepad.exe, "Packed.Win32.Upack(v)" in ippipi.exe, and "Trojan.Win32.Meredrop" in csrss.exe, all in the C:\Windows\system32\ras folder. It also found vnc.exe in that folder.
I looked at the folder and found this: bad.txt, config.ini, FAQ.txt, good.txt, 1321s.txt, 1321s.zip, IP.rar, IP.txt, ipippipi.txt, IPs.zip, libeay32.dll, lo.txt, msvcr71.dll, NEN.txt, p.txt, QTCore3.dll, QTGui4.dll, ras.zip, source.txt, ssleay32.dll, start.bat, vnc.exe, VNC_bypauth.txt, and Winlogo.zip. There was also a Winlogo folder containing: 2Winlogo.zip, Hookmsgina.dll, install.bat, jks.dat, On.reg, pass.txt, ReadLog.bat, readme.txt, Un.reg, Uninstall.bat, and wminotify.dll.
The ".txt" files are mostly either lists of IP addresses, or lists of logon names (admin and variants) and password guesses. Start.bat is hundreds of lines like: vnc.exe -i 220.127.116.11-18.104.22.168 -p 3389 -cT -T 500" I could delete (I copied first) the entire thing except wminotify.dll.
@regedit -s Un.reg
I ran it, and it said that wminotify.dll was 'access denied'. Since Un.reg was "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify]", I restarted the machine (at night, remotely), and ran unistall again. It said that jks.dat was not found. I thought it was unusual for malware to have an uninstall, but thought I got lucky (ever the blind optimist). A few days later, everything was back. It has reappeared several times, sometimes in the \Help\Tours folder, sometimes in \Dell\Drivers. I'm assuming there's something running in there that keeps putting it back, but the virus scanner can't find it. I'm not sure what else to try, as I suspect that many of the scanners/tools commonly used for this kind of thing aren't meant for servers.
Any suggestions would be greatly appreciated. I'll also need to know, if you suggest a tool to run, if it is background/reporting, or disruptive. If it's report only, I can do it anytime, if it's going to disrupt stuff (like combofix, where it cuts off network and shuts down processes, etc.), I obviously need to avoid doing that during the day.
Thanks! Especially if you actually read all of this!