
SBS 2003 R2 - Hacked & now Start > All Programs does nothing


This topic is locked
22 replies to this topic

#1 Buzzardlip

Buzzardlip

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 15 June 2013 - 05:00 PM

After running Malwarebytes several times and having cleaned out any malware (supposedly), I noticed that some icons were moved or missing from our Small Business Server 2003 R2 desktop. I thought it was our software vendor who has access to the server.

 

But then I noticed in Scheduled Tasks that someone had set up a backup job using Windows backup. Since we are using Symantec Backup Exec, I didn't think it was our vendor & I was right. I deleted the job and the schedule, but this S.O.B. kept doing it. I got to them before they ran, but this was getting ridiculous.

 

I noticed a couple of new users listed under Documents & Settings & deleted the ones that were not listed in the Domain users. I also changed the password for the Administrator, but I think he/she/it may have a password cracker.

 

Anyway, I must have pissed the S.O.B. off because he/she/it has done something to the system so when I click on Start > All Programs nothing happens - no error messages, nothing. The programs that I use are still there and installed, but this is a pain in the arse to not be able to use this feature.

 

Does anyone out there have any idea what this S.O.B. could have done and how I can get this working again?

 

Thanks in advance for any help.

 




#2 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:01:43 AM

Posted 15 June 2013 - 05:16 PM

I have notified our Moderators to move this topic to the Am I Infected forum so our Malware team members can begin to help you find out what is going on. Once they have cleared your system I can help you rebuild the system if needed.


Edited by Sneakycyber, 15 June 2013 - 05:16 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#3 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:01:43 AM

Posted 15 June 2013 - 05:22 PM

And now that we're here I can get the ball rolling. Do you have any of the log reports from Malwarebytes?

 

Edit: Most importantly, is this a live Domain controller, File server, or Exchange server? Do you have a backup server?


Edited by Sneakycyber, 15 June 2013 - 05:24 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 15 June 2013 - 06:23 PM

Hello Buzzardlip, and welcome to Bleeping Computer!
 
In addition to any MBAM logs you may have, as asked for by Sneakycyber, I'd like you to download another program to be run before MBAM.
 
First thing, please make sure your MalwareBytes Antimalware program is updated fully! Then reboot the machine into Safemode with Networking and follow the below steps:
 
==========
 
Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer after running Rkill, or you will need to run the application again before MBAM!

Please post the Rkill log in your next reply.

==========

Now after Rkill has run and you haven't rebooted, please immediately run MBAM again with a full system scan and post that log in your next reply as well.

Let me know if you have any problems with the above instructions! If needed, I'll move this topic to the Malware Removal Forum to take out the big guns.

Again, thanks for visiting Bleeping Computer! :)

bloopie

#5 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 15 June 2013 - 06:50 PM

This part of my post got left off - so while I try to learn how to attach files here, I'll post this part:

 

When I tried to run Rkill 2.5.3 using the iexplorer.exe version, I got the error message "There was a problem retrieving the path for: Common_StartMenu. Rkill has terminated". Maybe this will be a clue as to what happened?

 

This is a Domain Controller file server - no Exchange server is set up on it. There is no backup server, but we do use eVault to back up the System State, data and whatever eVault uses for remote disaster recovery.

 

It's Saturday & I'm about to get kicked out of the office. Hopefully I'll get to try these suggestions before I have to go.


Edited by Buzzardlip, 15 June 2013 - 06:58 PM.


#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 15 June 2013 - 08:21 PM

Hi again,

 

Please post any MBAM logs you may have for us to analyze...or any other antimalware logs you have as well.

 

Did you try to run Rkill from safemode as instructed?

 

We will need some kind of logs posted, so that we will know the next best steps to take.

 

bloopie


Edited by bloopie, 16 June 2013 - 11:50 AM.
for some reason, this post was subscripted...fixed


#7 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 10:06 AM

Bloopie,

 

I am not at the office now, but I do have the logs from Malwarebytes with me. How & where do I post them?

 

I have not been able to restart the server, so I have not tried to start it in Safe mode to run Rkill. I was only able to run Rkill while the server was running.



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 10:44 AM

Hello again,

 

The reason you were unable to attach files was because of the forum the thread was in. I've now moved this thread to the Malware Removal forum where attaching files is allowed. However, I'd ask that you do not attach any files unless instructed to do so.

 

How & where do I post them?

 

Just simply copy and paste them into your next reply. :)

 

Reading the logs is much easier when pasted instead of attached.

 

bloopie


Edited by bloopie, 16 June 2013 - 11:49 AM.
grammatical error


#9 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 11:51 AM

Here is the latest Malwarebytes run that found something. I have run Malwarebytes several times since (after updating it each time), and it did not find anything.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.31.07

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: CHESTER-SERVER [administrator]

5/31/2013 6:30:21 PM
mbam-log-2013-05-31 (18-30-21).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 571659
Time elapsed: 1 hour(s), 50 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\guest1\My Documents\dragon.exe (PUP.HackTool.BruteForce) -> Quarantined and deleted successfully.
C:\SOFTWARE\RockXP\RockXP3.exe (PUP.OficeKey) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nroot.exe (PUP.Netcat) -> Quarantined and deleted successfully.
E:\SOFTWARE\RockXP\RockXP3.exe (PUP.OficeKey) -> Quarantined and deleted successfully.

(end)

 

I deleted the user guest1 and all of its subfolders. I see there is a user under Documents and Settings named "sys". This is not a standard user created by the server is it? Just to be safe, I changed all of his rights to deny and I changed the Administrators password.

 

Thanks again for your help - especially on a Sunday!



#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 12:39 PM

Hello again,
 

Thanks again for your help - especially on a Sunday!

It is my pleasure! This may turn out to be a learning experience for myself as well!
 
Thanks for the log.
 

When I tried to run Rkill 2.5.3 using the iexplorer.exe version, I got the error message "There was a problem retrieving the path for: Common_StartMenu. Rkill has terminated". Maybe this will be a clue as to what happened?

This could be due to the Operating System not being compatible with some tools, but we will check elsewhere.
 
I'm not 100% familiar with the Operating System, as many here aren't, but I will continue to try some things safely.
 
It would be great if we could throw caution to the wind and give all of our big tools a go at the OS, just to see if/how they work, but we don't want to go ruining your system if we can help it! I'm going to take the safe route with this topic, just in case.

 

I see there is a user under Documents and Settings named "sys". This is not a standard user created by the server is it?

Again, I'm not familiar enough with the OS to know, but it doesn't look like there is a user named "sys" created. I will have to confirm with Sneakycyber to be sure. I will let you know what I find.
 
==========
 
Now, going over your log:
 
There's not a whole lot to be concerned about in that log...although, the scan did pick up a file that was not on your C:\ drive, but on your E:\ drive. Could you please tell me what exactly is your E:\ drive?
 
==========
 
I'd like to get a log from another tool:

We need to create a FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
bloopie

#11 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 05:36 PM

Bloopie,

 

"When I tried to run Rkill 2.5.3 using the iexplorer.exe version, I got the error message "There was a problem retrieving the path for: Common_StartMenu. Rkill has terminated". Maybe this will be a clue as to what happened?"

 

I failed to mention that I ran an older version of Rkill on the server & it worked.

 

"Could you please tell me what exactly is your E:\ drive?"

 

The E:\ drive is a data drive. This server was configured by our software vendor & they have 3 sets of mirrored drives. One set is for the operating system C:\, one set is for their data backup - D:\ and the third set is for our other data storage.

 

I will download and run OTL tomorrow when I get to my office. I will then post the results here.

 

Thanks again.



#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 06:08 PM

Hello again,

Thanks for that explanation. Now I have a better idea of what we're working with!

In addition to the OTL log when you have time, please post that older Rkill log as well (or run a new scan with the older version if possible) so I have a good idea of how the tool works with this OS and what it may show, as opposed to the latest error.

That information could be very helpful for us, and for Grinler (the author of RKill) as well!

Thanks for your understanding and diligence!

I will be looking for your post tomorrow, but I may not be able to respond until Tuesday. I will try my best to get back sooner though!

Thanks again!

Regards,

bloopie

#13 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 06:39 PM

Bloopie,

 

I will rerun the Rkill again tomorrow using the older version & post the results here. I will also try the new version of Rkill and see if there is anything kept in a log to show what happened to cause the error message.

 

I realized after posting the Malwarebytes log that I have some older logs that have caught some items. There are 4 of them and I don't know if it would be a good idea to post them all at once, but maybe the chronology will help in determining what to do.

 

Thanks,

 

Buzzardlip


Edited by Buzzardlip, 16 June 2013 - 08:00 PM.


#14 Buzzardlip

Buzzardlip
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 08:00 PM

Wow, I should have looked closer at these logs, some of these items look like they might be what is causing my problems.

 

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.10.09

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: CHESTER-SERVER [administrator]

8/10/2012 6:50:04 PM
mbam-log-2012-08-10 (18-50-04).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 379018
Time elapsed: 39 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\r_server (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify|DllName (Trojan.Agent) -> Data: wminotify.dll -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\WINDOWS\system\AdmDll.dll (PUP.RemoteAdmin) -> No action taken.
C:\WINDOWS\system\raddrv.dll (PUP.RemoteAdmin) -> No action taken.
C:\WINDOWS\system32\nvidiadrv.exe (PUP.Netcat) -> No action taken.
C:\Documents and Settings\guest1\My Documents\NEW 135\svchost.exe (Malware.NSPack) -> Quarantined and deleted successfully.
C:\SOFTWARE\RockXP\RockXP4.exe (PUP.PWDump) -> Quarantined and deleted successfully.
C:\WINDOWS\system\pwdump2.exe (HackTool.PWDump) -> Quarantined and deleted successfully.
C:\WINDOWS\system\samdump.dll (HackTool.PSWDump) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winback.exe (Application.ServuFTP) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\kill.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system\System.exe (Trojan.Banker) -> Quarantined and deleted successfully.

(end)

============================================================================

 

Here is the next one I ran that caught something:

 

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.04.08

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: CHESTER-SERVER [administrator]

9/4/2012 1:43:31 PM
mbam-log-2012-09-04 (13-43-31).txt

Scan type: Full scan (C:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 418649
Time elapsed: 1 hour(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\Networkserver (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\WINDOWS\system\AdmDll.dll (PUP.RemoteAdmin) -> No action taken.
C:\WINDOWS\system\raddrv.dll (PUP.RemoteAdmin) -> No action taken.
C:\WINDOWS\system32\nvidiadrv.exe (PUP.Netcat) -> No action taken.
H:\AFS\AFSTRADE\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
H:\AFS\AFSTRADE\TMP\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
H:\AFS\AFSTRADE\AFSTRADE\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
H:\AFS\AFSTRADE\AFSTRADE\TMP\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\WINDOWS\addins\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
================================================================================================

 

And the next one:

 

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.14.07

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: CHESTER-SERVER [administrator]

9/14/2012 7:20:43 PM
mbam-log-2012-09-14 (19-20-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 334835
Time elapsed: 6 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\nvidiadrv.exe (PUP.Netcat) -> Quarantined and deleted successfully.
C:\WINDOWS\system\AdmDll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\WINDOWS\system\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.

(end)
=======================================================================================

 

And then this one:

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.16.03

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: CHESTER-SERVER [administrator]

2/16/2013 9:59:58 AM
mbam-log-2013-02-16 (09-59-58).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 557395
Time elapsed: 1 hour(s), 37 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
E:\Netware\AFSTRADE\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
E:\Netware\AFSTRADE\TMP\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
E:\Netware\AFSTRADE\AFSTRADE\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
E:\Netware\AFSTRADE\AFSTRADE\TMP\HARPMXFR.REG (Extension.Mismatch) -> Quarantined and deleted successfully.
E:\SOFTWARE\RockXP\RockXP4.exe (PUP.PWDump) -> Quarantined and deleted successfully.

(end)
=====================================================================================================

 

The log I originally posted, dated 2013-5-31, is the last one that caught anything.

 

Hopefully I didn't break any protocols by posting all of these logs.
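When several Malwarebytes 1.x logs like the ones above are posted in a thread, it helps to pull the detections out mechanically rather than reading them by eye. The parser below is an added example, not code from the thread or from Malwarebytes; it assumes the log layout shown above ("<Section> Detected: N" headers followed by "<item> (<category>) -> <action>." lines) and works on a constructed sample that copies that layout, flagging entries whose action was "No action taken" (items the scan reported but did not remove, as in the 8/10/2012 and 9/4/2012 logs).

```python
"""Parser for Malwarebytes Anti-Malware 1.x text logs (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the logs posted in this thread.
SAMPLE_LOG = """Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.10.09

Scan type: Full scan (C:\\|)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\\SYSTEM\\CurrentControlSet\\Services\\r_server (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\wminotify|DllName (Trojan.Agent) -> Data: wminotify.dll -> Quarantined and deleted successfully.

Files Detected: 3
C:\\WINDOWS\\system\\AdmDll.dll (PUP.RemoteAdmin) -> No action taken.
C:\\WINDOWS\\system32\\nvidiadrv.exe (PUP.Netcat) -> No action taken.
C:\\WINDOWS\\system\\pwdump2.exe (HackTool.PWDump) -> Quarantined and deleted successfully.

(end)
"""

# "Files Detected: 11", "Registry Keys Detected: 1", ...
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<category>) -> <action>."  (the action may carry a "Data: ... ->" prefix)
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # path or registry key/value
    category: str  # scanner label, e.g. "PUP.Netcat"
    action: str    # what the scanner did with it


def parse_mbam_log(text):
    """Return every detection in an MBAM 1.x log as a Detection."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip the preamble, blank lines, "(No malicious items detected)" and "(end)".
        if section is None or not line or line.startswith("("):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            detections.append(Detection(section, entry.group("item"),
                                        entry.group("category"), entry.group("action")))
    return detections


def unresolved(detections):
    """Detections the scanner logged but did not quarantine or delete."""
    return [d for d in detections if d.action.startswith("No action taken")]


if __name__ == "__main__":
    for d in unresolved(parse_mbam_log(SAMPLE_LOG)):
        print(f"still present: {d.item} [{d.category}]")
```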



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:43 AM

Posted 16 June 2013 - 08:57 PM

Hello again, and thanks for posting those logs!

Not to worry, you've done well!!

Allow me some time to look over those logs, and please post the OTL log if possible in your next reply.

The OTL log will give us a much better idea of what's happening with the machine when it's running.

Thanks again!

bloopie



