Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SBCORE and SBSCREXE.EXE Virus/Trojan?


  • This topic is locked This topic is locked
4 replies to this topic

#1 DigiCypher

DigiCypher

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 04 February 2014 - 01:29 PM

I have a SBS2003 server that seems to have issues. Symantec End Point Protection, Malwarebytes & Malwarebytes Anti Rootkit all scans come up clean. The scan I ran with Kaspersky TDSSKILLER reports finding a "suspicious Object, Medium Risk" c:\Windows\System32\sbscrexe.exe autostart (0x2). Looking this up on Google I see a lot of reports that indicate this is indeed some sort of virus/Trojan. The 2 windows 7 Ult. workstations on the network worked fine until about 2 weeks ago. Then, one of them started to have all kinds of memory related issues. I tested and even replaced the memory on that system and still received 01, 1a, 73 BSOD's. I ended up reformatting and reinstalling everything and the issue seemed to go away for a day or two. After this the second machine started to have BSOD's with the same errors. Both machines started out with issues authenticating on the server (SBS2003). I deleted each account and recreated on the server and rejoined thinking something was within the profiles. Again the workstations ran for a couple of days and then the first machine had access errors (authentication) and the first user accessed a file from his documents on the server and it blue screened. I have run check disk on all  hard drives with zero errors encountered. I forgot to mention that after reloading the first box there were no errors until I loaded the Symantec EPP on it. It blue screened. I uninstalled and reinstalled with no issues for a couple of days then the BSOD's started randomly. Now it seems that there are random BSOD's (memory related by the codes) on both workstations. All hardware has been tested outside of the network and passes all tests. There is no over clocking on either machine. I called the manufacturer of the motherboards (ASUS) and spoke with a support engineer and he agreed there should not be a hardware issue that all the testing should have revealed whether or not there was anything physically wrong (I ran the MS memtest for over 24 hours on each box with no issues).  I found a support webpage and used an app called gmer and (I am sharing the output). On the second workstation I ran the gmer app and it found this: Driver: C:\DOCUME~1\XXXX~1\LOCALS~1\Temp\uftdypob.sys. I used process explorer to kill it and deleted the file. The server had NO Antivirus suite on it at the times they were experiencing the BSOD's. I installed the Symantec EPP 12.1.2 to scan for infections but found none. All functions except the firewall are in place and working with no issues. I have the SBS2003 firewall in place instead. 

 

One further observation: The SQLServer instance was running at 99% CPU time when I logged into the server today. This went on for about 20 minutes then stopped. As of this post system idle is 98%.

 

Any help is greatly appreciated. This has been going on for too long  now and I have been unable to catch the culprit!

 

I am sorry for the long post, I just wanted to pass along as much info as I could on the first post. I know it has to be something simple I am missing! Thanks for the help in advance.

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,669 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:04 AM

Posted 09 February 2014 - 01:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/523185 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 DigiCypher

DigiCypher
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 10 February 2014 - 09:10 AM

DDS will not run on this SBS2002 SP2 server. Yes I have the install disk. It is a 32 bit system.



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 10 February 2014 - 09:20 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

As you can see, the driver you´ve deleted is part of Gmer itself:

 

 

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2\uftdypob.sys

So no more worries about that one.

 

The entry mentioned by TDSS-Killer is part of the Small Business Server itself and should be deleted. Let´s try something else:

 

 

Scan with OTL
 

  • Download OTL by OldTimer and save it to your desktop.
  • Double click on the OTL.exe icon on your desktop. If you are using Vista, please right-click and select run as administrator
  • Click the "Scan All Users" checkbox.


    Note: If you are using a Windows 64bit machine, please make sure the checkbox next to Include 64Bit Scans is checked. It will be checked by default.
     
  • Push the runscanbutton.png button.
  • It will now begin to scan, please be paitent while it scans.
  • Two reports will open once it's done.
  • Please copy and paste them in your next reply:
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized

 

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).

 

 

 

In addition, please provide the exact error message displayed on the BSOD.


Edited by TB-Psychotic, 10 February 2014 - 09:21 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 13 February 2014 - 09:07 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users