
Windows Server 2003 infected with something crazy


3 replies to this topic

#1 jesuzon


Posted 17 January 2017 - 11:07 AM

Hello everyone,

 

After years of perusing around this forum and learning a whole lot about virus infections and disinfection methods, it is finally my time to post here for help :(

 

I am pretty avid when it comes to finding and exterminating viruses, but this one has me clueless.

Maybe someone could help me with this one?

 

The problems I am having currently are:

 

1) A whole lot of system protected files are created in my Windows installation drive Program Files folder, preventing me from installing common antimalware tools (such as Malwarebytes). The installers always give an error saying that "The folder already exists", but it really doesn't, it's just a system protected file with the name "Malwarebytes". The "Application Data" folder of each user in this system also has the same problem.

 

This can be circumvented by taking ownership of these files, and deleting them. Nevertheless, common antimalware software still struggles to run, as the virus is blocking their services from running. For example, Malwarebytes is unable to start the MBAM service, and hence, fails to start.

 

2) Hosts file is modified on every boot, and made a system protected file that is hidden. This can also be circumvented by taking ownership, and re-editing the file. Another abnormality in the drivers/etc folder is a gm.dls file of about 3000kb, that when deleted is created again.

 

3) I cannot run regedit unless I'm in safe mode

 

4) Until yesterday, I had no internet connectivity, but I fixed this by repairing the Windows installation last night.

 

5) A lot of installers don't run at all.

 

6) sfc /scannow produces no log file, and gives no result at the end of the scan

 

Help me solve this problem awesome community!

 

system: Windows Server 2003 SP2 x86

 

Thanks in advance


Edited by jesuzon, 17 January 2017 - 11:12 AM.



 


#2 boopme


Posted 17 January 2017 - 09:01 PM

Hello, please repost your question with the log from the guide below.
Start at step 6...

We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#3 jesuzon


Posted 18 January 2017 - 12:05 PM

> Hello, please repost your question with the log from the guide below.
> Start at step 6...
>
> We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
> Let me know if all went well.

 

Hello boopme,

 

Unfortunately, I am unable to run FRST.exe. The malware has affected the way certain EXE files are run, and this one seems to be one of the ones affected. See the image below to see the window that pops up when I try to run this EXE:

 

[Attached image: c9bca0a2696fdc9869e66e1aadd9f028.png]

 

I have tried running it using those commands via cmd, but it hasn't worked. I also tried running in compatibility mode to no avail.

 

Any clues?



#4 boopme


Posted 18 January 2017 - 01:42 PM

OK, make the new post and state that you cannot run FRST. They will take it from there.



