Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win Server 2008 Hijack ControlPanel malware


  • This topic is locked This topic is locked
2 replies to this topic

#1 MarBis97

MarBis97

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 05 March 2013 - 06:45 PM

I have a unique problem. Vipre Antivirus missed some malware which "phones home" every minute and 40 seconds, and spike the CPU to 100% for 6-8 seconds on my Windows Server 2008 Entrerprise server. This server is virtualized in a VMWare environment, and runs all of our school district DHCP services. This is a big deal because if a device is looking for an IP during this 6-8 second period of high CPU utilization, it will just timeout, and assign a local APIPA IP causing our users to have no idea what the problem is...

 

I finally found the problem by installing Malwarebytes, and it is able to remove the malware, here are the pertinent lines from the log entry:

 

Windows Server 2008 Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421

 

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.

 

However, the moment that I restart the server, it comes right back.

 

If this was a Windows 7 PC, the forums talk about using the Combofix.exe utility, but it doesn't run on a server.

 

I have looked in the Registry Run Once and Run keys, and found nothing... Does anyone know where this bugger might be hiding?

 

Any help would be much appreciated!



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:10 AM

Posted 07 March 2013 - 08:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:10 AM

Posted 12 March 2013 - 08:09 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users