I have a VPS (Win 2008 R2) that became extremely slow after the host moved the server to a new IP. They disabled the firewall to test it (since I had it set to refuse all IP connections except those coming from my own), and I believe that's when someone managed to install the malware.
Following this page:
The infected VPS has SysData, with control.exe, kill.exe, install.exe, acnon.exe, and acnom.exe.
Task Manager shows Control.exe *32 running.
When I followed that page's instructions and ran Rkill.exe as iExplore.exe, it completed but did not find anything.
I was able to end task on control.exe.
I will try to follow that page's instructions on running Emsisoft Anti-Malware, AdwCleaner, and Hitman Pro, in that order. But I'm not sure if it's going to work since Rkill didn't work.
(Incidentally I have Windows Defender running and that's not detecting it either.)
Here are the CRC32s I have and rkill.txt; however, if there's a rootkit involved, who knows what's actually going on.
acnom.exe 725C0F4D
acnon.exe 0AD4006B
control.exe A327A885
install.exe 1B5A5AC2
kill.exe FC19BFBC
Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/08/2017 09:34:32 AM in x64 mode.
Windows Version: Windows Server 2008 R2 Standard Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * No issues found.

Searching for Missing Digital Signatures:
 * No issues found.

Checking HOSTS File:
 * HOSTS file entries found:

 20 out of 15633 HOSTS entries shown.
 Please review HOSTS file for further entries.

Program finished at: 12/08/2017 09:48:19 AM
Execution time: 0 hours(s), 13 minute(s), and 47 seconds(s)
(All of the HOSTS entries are from Spybot's Innoculate.)