Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Server 2008 Enterprise Hijack.ControlPanelStyle


  • Please log in to reply
3 replies to this topic

#1 MarBis97

MarBis97

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 05 March 2013 - 05:53 PM

I have a unique problem.   Vipre Antivirus missed some malware which "phones home" every minute and 40 seconds, and spike the CPU to 100% for 6-8 seconds on my Windows Server 2008 Entrerprise server.   This server is virtualized in a VMWare environment, and runs all of our school district DHCP services.   This is a big deal because if a device is looking for an IP during this 6-8 second period of high CPU utilization, it will just timeout, and assign a local APIPA IP causing our users to have no idea what the problem is...

 

I finally found the problem by installing Malwarebytes, and it is able to remove the malware, here are the pertinent lines from the log entry:

 

Windows Server 2008 Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421

 

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.

 

However, the moment that I restart the server, it comes right back.

 

If this was a Windows 7 PC, the forums talk about using the Combofix.exe utility, but it doesn't run on a server.

 

I have looked in the Registry Run Once and Run keys, and found nothing...   Does anyone know where this bugger might be hiding?

 

Any help would be much appreciated!



BC AdBot (Login to Remove)

 


#2 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,123 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ohio
  • Local time:04:21 PM

Posted 24 March 2013 - 05:48 PM

Please let me know if this topic is unresolved.


Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#3 MarBis97

MarBis97
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 26 March 2013 - 08:37 PM

Yes it is.  Any help on how to proceed would be much appreciated.



#4 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,123 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ohio
  • Local time:04:21 PM

Posted 26 March 2013 - 10:05 PM

RUN Eset Online Scanner Uncheck remove infections. See if it comes up with anything


Edited by Sneakycyber, 28 March 2013 - 06:28 PM.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users