
Server 2003 infected with autorun.inf

15 replies to this topic

#1 jawerez

  • Members
  • 9 posts

Posted 30 June 2012 - 05:35 AM

Hi all,

Recently, I'm faced with a brain-crushing headache. I sincerely hope someone can help me.
I have 1 server which is infected with autorun.inf and other *.exe viruses (not yet scanned).
I have deleted the files on several drives and yet they are reborn again and multiply.
I tried to install a fully licensed Trend Micro Worry-Free Business Security Services but failed.
I tried to install other free antivirus products and they failed too.

The server is running MS Server 2003 R2 Standard Edition with SP2.
Currently I am scanning with Malwarebytes Anti-Malware.

Hope someone can assist me.
Very much appreciated !

Jawa

Edited by Orange Blossom, 30 June 2012 - 07:21 AM.
Moved to AII. ~ OB



#2 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 30 June 2012 - 06:12 AM

Post the log of MBAM.


Please also try this (I'm not sure it will run, because of the high security settings of IE in Windows Server):

================================== Eset Scanner ==================================

Run Eset online scanner;

Note: You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.
Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic


#3 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 30 June 2012 - 11:15 AM

Hi Elfasso,

After running Malwarebytes for more than 6.5 hrs, 42312 objects were detected.
When I tried to remove them, I received a small pop-up window: Run-time error '6' Overflow.
There is no log found!

I am running Malwarebytes again, but now I am scanning 1 hard disk with 3 partitions only.
Before that, I was scanning 3 hard disks simultaneously (2 internal and 1 external HDD).

Can I run Eset using Chrome or Firefox ?
Will update later!

#4 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 30 June 2012 - 11:16 AM

If you want to use Google Chrome or Firefox, you can normally use the F-Secure scanner: http://www.f-secure.com/en/web/labs_global/removal/online-scanner

Can you give the virus or malware a name? Because 42312 for one virus is mostly not a good sign...

Edited by ElFasso, 30 June 2012 - 11:17 AM.


#5 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 30 June 2012 - 12:02 PM

The majority is Malware.Packer.Gen, as seen in the image below.

Posted Image

#6 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 30 June 2012 - 12:04 PM



#7 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 01 July 2012 - 03:19 AM

I am unable to surf to any antivirus website, thus no online scanning is possible.
I am also unable to install any antivirus software.
There is no response after clicking the antivirus application installer.
MBAM is able to run, but after I restart the server the objects appear again.

Are there any other options besides reformatting?

#8 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 01 July 2012 - 04:01 AM

We can try Kaspersky Rescue boot CD.

On a clean computer:

Download Kaspersky Rescue boot CD
Download IMGBurn: http://www.imgburn.com/index.php?act=download
Then install IMGBurn.

Start IMGBurn and click on "Write image file to disc".
Select the image file of the Kaspersky Rescue boot CD and click on the "Write" button.

On the sick computer, start from the Kaspersky Rescue CD (set the BIOS to boot from CD).


Edited by ElFasso, 01 July 2012 - 04:02 AM.


#9 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 02:57 PM

Hello jawerez, when a computer, and especially a server, is infected with Sality, there really is only one viable solution: isolate all computers, reimage any terminals, reformat any removable devices and reformat/reinstall the server.

Please see ThreatExpert's awareness of Win32.Sality.

The Sality family is a family of polymorphic file infectors which infects .exe and .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
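Elise's description of the autorun component (a .cmd/.pif/.exe dropped in the drive root plus an autorun.inf that launches it) can be turned into a read-only triage check for drive roots. This is an added example, not code from the thread or from any of the tools named in it; the SAMPLE_AUTORUN content and its file names are constructed, and nothing referenced by the inf is ever run.

```python
"""Read-only autorun.inf triage for the pattern described above (added example; sample content constructed)."""
from pathlib import Path

SUSPECT_EXTENSIONS = {".exe", ".pif", ".cmd", ".com", ".scr", ".bat"}
# Constructed sample modelled on the thread's description, not a real dropped file.
SAMPLE_AUTORUN = """[AutoRun]
; padding comments are common in dropped autorun.inf files
open=dropped_sample.exe
shell\\open\\Command="dropped sample.pif" /s
[Other]
open=ignored.exe
"""

def parse_autorun(text):
    """(key, command) pairs from [autorun] that launch a program; names matched case-insensitively."""
    launches, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            # open= and shellexecute= run directly; shell\<verb>\command= runs via the context menu
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                launches.append((key, value.strip()))
    return launches

def launch_target(command):
    """First token of a command line, honouring a quoted path ('"a b.exe" /s' -> 'a b.exe')."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""

def suspicious_entries(text):
    """Launch entries whose target carries an extension a dropper would use."""
    return [(key, launch_target(cmd)) for key, cmd in parse_autorun(text)
            if Path(launch_target(cmd)).suffix.lower() in SUSPECT_EXTENSIONS]

def check_drive_root(root):
    """(key, target, present_in_root) for <root>/autorun.inf, so a payload beside the inf stands out."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    text = inf.read_text(encoding="latin-1", errors="replace")
    return [(k, t, (Path(root) / t).is_file()) for k, t in suspicious_entries(text)]
```

Run check_drive_root against each mounted drive root from a clean boot medium; an entry whose target is present in the root is exactly the dropped-file pattern the post describes.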


#10 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 01 July 2012 - 09:58 PM

Thanks ElFasso,

Does this rescue CD come with the latest virus definitions?
Does it scan and remove the virus as well?

I will do that later.
I can only run it on weekends.
Will update you later.

Edited by jawerez, 02 July 2012 - 12:32 AM.


#11 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 01 July 2012 - 10:34 PM

Hi there Elise,

My God, such a major overhaul!

Is it possible to run a Linux-based bootable CD and do a cleanup from there?

#12 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 02 July 2012 - 12:14 AM

It is possible, but please be careful when doing so, see also here.

regards, Elise



#13 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 02 July 2012 - 12:48 AM

Thanks Elise.

Informative read-up on your blog.
I have just downloaded the latest Hiren's and am doing some testing of all the AVs on a dummy PC.
There are many AVs included on the CD.
Have you tried it out?
Any recommendations?

http://imageshack.us/photo/my-images/10/hiren001.jpg

Edited by jawerez, 02 July 2012 - 12:49 AM.


#14 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 02 July 2012 - 03:50 AM

Sorry, at BC we do not support the usage of Hiren's boot CD, as also explained here.

regards, Elise



#15 jawerez

  • Topic Starter
  • Members
  • 9 posts

Posted 02 July 2012 - 07:58 AM

Alright, sorry about that!