Google reported to me that one of our servers was serving up malware. A counterpart who is the usual admin for the system found a malicious php script on the box, removed it, and shut down the web server. He also ran patches from Windows update (not microsoft update), and I enabled the Windows firewall once he determined the infection was going to take more time to remove than he had.
1. I have attempted to install Malwarebytes AM and rootkit remover - the AM installs but gives an error that it cannot find the mbam.exe executable when you try to run it. The rootkit remover won't install. Likewise, I attempted to install a rootkit remover from Trend Micro, and that install also failed.
2. I downloaded rkill from this website, the version named iExplore.exe since I was having problems with other security software refusing to execute, see point 1.
Here is the rkill log:
Rkill 2.5.3 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
Program started at: 06/06/2013 11:22:00 AM in x86 mode.
Windows Version: Microsoft Windows Server 2003 R2 Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Backup Registry file created at:
C:\Documents and Settings\smarouchoc\Desktop\rkill\rkill-06-06-2013-11-22-03.reg
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* No issues found.
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
Program finished at: 06/06/2013 11:22:23 AM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)
Here are the contents of the .reg file it created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
I checked the registry at this location, and there are quite a few security program executables listed here with debugger options set to bogus .exe files - I presume this is why none of these security softwares will run. The entries that rkill found are STILL in the running registry, and I cannot remove them, I get the error: Unable to delete all specified values
3. I managed to install Secunia PSI - the link in secunia to install Microsoft update (versus windows update) took me to the website, and I was able to do everything right up until I tried to run the ActiveX script it downloaded - no dice, won't install.
4. My browsers won't go to windowsupdate.microsoft.com on their own - I assume secunia has a link the malware writer doesn't cover in their code. Other than that, I seem to have no issues getting to websites. I checked C:\Windows\system32\drivers\etc\hosts and \lmhosts, and neither appear to have any entries other than the default ones.
5. When I rebooted, data execution prevention stopped a program from running:
To help protect your computer, Windows has closed this program.
Name: Talecarr scutibra graunche
I will search the forums for this, but my hopes are not high.
I am going to attempt to rename mbam.exe to iExplore.exe to see if I can get it to run. I need help determining what I should do next (first?) to try to get this system cleaned up. I do not have easy physical access to the machine, it's a 20 minute drive away, so I have done nothing with safe mode yet.
Thanks in advance for your time and help!!
UPDATE: One more piece of information, looking at the administrators group, there is an account called "noob" in there (heh) which no one can account for, so I've removed it from the admin group, and disabled the account.
Edited by Orange Blossom, 06 June 2013 - 02:41 PM.
Moved from Windows NT/2000/2003/2008 to AII. ~ OB
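As an added example (not code from the original post, from rkill or from Malwarebytes), here is a small Python script that does offline what the poster did by hand in regedit: it parses a .reg export and lists every Image File Execution Options subkey that carries a Debugger value, then flags the ones that do not point at a known debugger. A Debugger value under IFEO makes Windows launch the named program instead of the original executable, which is why mbam.exe "cannot be found" on the box described above. The sample .reg text, the zxq.exe paths and the debugger allowlist are constructed for illustration and are not taken from the post.

```python
"""Offline triage of a .reg export for Image File Execution Options (IFEO)
Debugger hijacks. Added example; the sample data below is constructed."""
import re
import sys

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Debugger binaries that legitimately show up under IFEO (assumed allowlist;
# extend it for your own environment).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe",
                   "drwtsn32.exe"}

# Constructed sample export in "Windows Registry Editor Version 5.00" format:
# two hijacked security tools, one legitimate JIT debugger, one unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\Application Data\\zxq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"Debugger"="zxq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"DisableHeapLookaside"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [key] or [-key] (deletion)
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string"


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map each key path to a dict of its string values (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_ifeo_debuggers(text):
    """Return (image_name, debugger_value, full_key) for every IFEO subkey with a Debugger value."""
    found = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(IFEO_PREFIX.lower() + "\\") and "Debugger" in values:
            found.append((key.rsplit("\\", 1)[1], values["Debugger"], key))
    return found


def classify(image, debugger):
    """Label a Debugger entry. Anything that is not a known debugger, or that is a
    bare filename resolved through the search path, is treated as a hijack."""
    first = debugger.strip()
    if first.startswith('"'):                 # quoted path, possibly followed by arguments
        first = first[1:].split('"', 1)[0]
    else:
        first = first.split(" ", 1)[0]
    base = first.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_DEBUGGERS:
        return "known-debugger"
    if "\\" not in first:
        return "suspicious:bare-filename"
    return "suspicious:unknown-debugger"


def triage(text):
    """Return (image, debugger, verdict) for each IFEO Debugger entry in the export."""
    return [(img, dbg, classify(img, dbg)) for img, dbg, _ in find_ifeo_debuggers(text)]


if __name__ == "__main__":
    # regedit writes exports as UTF-16 LE; rkill's backup may be ANSI, so try both.
    if len(sys.argv) > 1:
        try:
            text = open(sys.argv[1], encoding="utf-16").read()
        except UnicodeError:
            text = open(sys.argv[1], encoding="mbcs" if sys.platform == "win32" else "latin-1").read()
    else:
        text = SAMPLE_REG
    for img, dbg, verdict in triage(text):
        print(f"{verdict:30} {img:20} -> {dbg}")
```

Run it against an export of the whole IFEO key (regedit, right-click the key, Export) rather than only the two subkeys rkill listed, since the post notes "quite a few" redirected security tools; every "suspicious" line is a Debugger value to delete from the affected subkey, and a subkey that contains nothing else can be removed entirely.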