
Windows 2003 Server infected


No replies to this topic

#1 inspiron17


Posted 03 May 2017 - 07:40 PM

Hello guys,

 

I am running a Windows 2003 Server machine and installed ITbrain AntiMalware a couple of weeks ago.

 

So a couple of days ago I started receiving alerts showing infected files that were being quarantined. Eventually the server rebooted, caused by a BSOD (this never happened before).

 

So I installed and checked using Malwarebytes, ESETOnlineScanner, SpyBot and SUPERAntiSpyware. Malwarebytes started blocking a lot of incoming and outgoing traffic from weird IP addresses. Some files were detected and removed.

 

I also installed some Windows Updates fixes. The firewall's default settings were restored. I uninstalled Firefox and the only browser was IE with all security functions enabled and zero temp files - all default.

 

After all that - reboots are not occurring anymore. Now I have only Malwarebytes and ITbrain AntiMalware installed.

 

ITbrain AntiMalware started to alert again, something like this:

 

Malware name: Trojan.GenericKD.4741539
Malware file path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BKXURJ79\test[1].dat
Detection time: 03.05.2017 23:45:41 UTC
Additional information / action: Moved to quarantine
 
I managed to restore this file for analysis and this is the result:
 
Sometimes there is a new exe file alert. All dat files appear in the Temporary Internet Files folder.
 
I also noticed some strange exe files in the Windows folder, like notpad.exe (this was also in the Run key in the registry) and Loginsas.exe. I deleted it manually.
 
Please advise how I can correctly identify what this infection is and eliminate it.
 
Thanks a lot.
 
Rod
 

