w32.spybot.worm found on Windows 2003 server

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wmpierro, Nov 24, 2006.

  1. wmpierro

    wmpierro Private E-2

    I just inherited this client from a string of other people trying to get it cleaned up. The truly amazing thing is that it didn't have anti-virus software installed. The Geek Squad were the last crew to attempt a repair. Their solution was to install Spy Sweeper. I installed Norton AntiVirus, downloaded the latest defs with Intelligent Updater, and after running a scan the report stated I had the w32.spybot.worm. Two files were listed, ls***.exe and rtr.exe. I tried to follow the instructions from Symantec but didn't find any of the registry entries. This all started when I tried to install SP1 and found that ftp.exe was running and the upgrade failed.
    Any ideas on how to kill this thing?
     


  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Yes please start out with our first steps in removing malware, which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. wmpierro

    wmpierro Private E-2

    OK,
    I ran all the tools in "Read & Run Me First". SpyBot only found cookies, CounterSpy found a bunch of stuff but couldn't remove all, Bit Defender found tons but couldn't remove everything. I am attaching the files.
     
  4. wmpierro

    wmpierro Private E-2

    Oops,
    They are attached to this one. I had to zip up the bdscan.txt file to get it to upload.
     


    Last edited: Nov 26, 2006
  5. wmpierro

    wmpierro Private E-2

    Here is the "Hijack This" report.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty your Outlook Express Deleted Items folder and that will remove much of what BitDefender was complaining about. Why are you keeping this stuff anyway?
    Where are the other logs that were requested?
    - CounterSpy
    - PandaActiveScan

    Are the below settings normal for your server?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

    What is the below service for?
    O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents.exe (file missing)

    Did you put recent copies of ftp and tftp in your system32 folder? The below are in your newfiles.txt log
    Code:
    "C:\WINDOWS\system32\"
    ftp.exe       Nov 24 2006       44032  "ftp.exe"
    tftp.exe      Nov 24 2006       17920  "tftp.exe"
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\lsass.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  7. wmpierro

    wmpierro Private E-2

    Here are the counterspy (CS.tx) and Panda (Activescan.tx) logs.
    One of the symptoms that alerted us something was wrong was when we tried to update the server to SP1 and it couldn't complete because "ftp.exe" was running and we couldn't stop it. The key "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm" is the IE enhanced security. We are not using a mail client on the server but one of the users saved the Outlook Express "dbx" folders to their documents folder as a backup.
     


  8. wmpierro

    wmpierro Private E-2

    Here are the HJT and newfile logs.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the fake lsass.exe process is gone now!

    So I assume this means that you guys are not using the FTP or TFTP services and that those two files are not yours. (Note: Windows does also have valid files with those exact names, but they are not always in the folder unless you use the services. This malware tries to capitalize on this and sneak by you.) I would boot into safe mode and rename them to have a .XXX extension, or use Killbox to delete them, since Killbox will save them in a backup folder just in case you find you need them.

    You should look into cleaning up the original source folder, deleting all the backups, and then saving new backups! No sense in having infected backups.


    You had some other bad stuff show up. Delete the below:
    Code:
    "C:\WINDOWS\"
    wdfmgrr.exe   Nov 26 2006       49579  "wdfmgrr.exe"
     
    "C:\WINDOWS\Temp\"
    erasem~1.exe  Nov 26 2006       49579  "eraseme_21466.exe"
    
    Also the below file bothers me even though it is a valid Windows file. Why is the date changing? Look at your first newfiles.txt log and your second newfiles.txt log and you will see what I mean. Check file Properties to make sure it is a valid Microsoft file.
    Code:
    "C:\WINDOWS\system32\"
    sfc_os.dll    Nov 27 2006      136192  "sfc_os.dll"
    
    Attach a new log from ShowNew and tell me how things are running.


    You did not answer my question about the below service:
    O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents.exe (file missing)

    This does not look valid!
     
  10. wmpierro

    wmpierro Private E-2

    I have attached a new "shownew" file.

    I took out the browser redirects, the ftp and tftp files. Now I am getting multiple alerts that something is trying to redirect the browser to about:blank. Also, when I tried to run the Windows 2003 server SP1, it looked like it installed but didn't reboot like it should. After I manually rebooted the server and went to the computer properties, it still is not showing service pack 1.
     


  11. wmpierro

    wmpierro Private E-2

    I just rebooted the server again after telling Spy Sweeper to silently block the "about" hijack attempts, and Service Pack 1 is now installed. I am also getting the automatic security updates from Microsoft.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not answered my question, twice asked, about that service.

    You also did not get me the properties info on the sfc_os.dll that I requested.

    And now here are some new questions.

    What is the below folder for? Where did it come from?
    Code:
    "C:\Program Files\"
    CMAK          Nov 27 2006              "cmak"
    
    What problems remain?

    You need to delete all the below files in the root folder of drive C
    Code:
    C:\
    1w3e5t.exe    Nov 26 2006        7776  "1w3e5t.exe"
    f5s3g3~1.exe  Nov 27 2006       33195  "f5s3g3z4g6f1.exe"
    jeghy1~1.exe  Nov 27 2006       33195  "jeghy1ho6.exe"
    r9h6w4~1.exe  Nov 27 2006       33195  "r9h6w4e4q4j3.exe"
    
     
    Last edited: Nov 29, 2006
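    As an added example (not from this thread or from MajorGeeks' own tools), a small Python triage script for logs in the ShowNew newfiles.txt layout quoted in posts 6, 9 and 12: it flags the cases chaslang called out (a core-process name such as lsass.exe outside system32, a one-letter lookalike such as wdfmgrr.exe, executables in a Temp folder or the drive root) and reports a file whose date moved between two logs, as sfc_os.dll did. Both sample logs are constructed from entries in this thread; the CORE name list, the wdfmgr.exe lookalike target and the lsass.exe size are assumptions.

```python
import re

# Constructed sample in the ShowNew (newfiles.txt) layout quoted in this thread: a quoted folder line, then rows of  short-name  Mon DD YYYY  size  "long name"
SAMPLE_LOG = '''"C:\\WINDOWS\\system32\\"
ftp.exe       Nov 24 2006       44032  "ftp.exe"
sfc_os.dll    Nov 27 2006      136192  "sfc_os.dll"
"C:\\WINDOWS\\"
lsass.exe     Nov 24 2006       49579  "lsass.exe"
wdfmgrr.exe   Nov 26 2006       49579  "wdfmgrr.exe"
"C:\\WINDOWS\\Temp\\"
erasem~1.exe  Nov 26 2006       49579  "eraseme_21466.exe"
"C:\\"
f5s3g3~1.exe  Nov 27 2006       33195  "f5s3g3z4g6f1.exe"
'''
# Constructed earlier log holding only the sfc_os.dll row, for the date-change check.
EARLIER_LOG = '"C:\\WINDOWS\\system32\\"\nsfc_os.dll    Nov 24 2006      136192  "sfc_os.dll"\n'

FOLDER = re.compile(r'^"([A-Za-z]:\\.*)"$')
ENTRY = re.compile(r'^(\S+)\s+([A-Z][a-z]{2} \d{1,2} \d{4})\s+(\d*)\s+"([^"]+)"$')
# Assumed list of core Windows process names that belong only in system32;
# wdfmgr.exe is included as the lookalike target for the wdfmgrr.exe seen here.
CORE = {"lsass.exe", "services.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wdfmgr.exe"}

def parse_shownew(text):  # -> [(folder, long_name, date, size)]
    rows, folder = [], None
    for line in text.splitlines():
        if m := FOLDER.match(line.strip()):
            folder = m.group(1)
        elif (m := ENTRY.match(line.strip())) and folder:
            rows.append((folder, m.group(4).lower(), m.group(2), int(m.group(3) or 0)))
    return rows

def flag(rows):  # triage rules used in this thread -> [(path, reason)]
    hits = []
    for folder, name, _date, _size in rows:
        path, low = folder + name, folder.lower()
        # exact core name, or a core name with one extra character (wdfmgrr.exe)
        near = [c for c in CORE if c == name or any(name[:i] + name[i + 1:] == c for i in range(len(name)))]
        if name.endswith(".exe") and low == "c:\\":
            hits.append((path, "executable dropped in the drive root"))
        elif name.endswith(".exe") and "\\temp\\" in low:
            hits.append((path, "executable in a Temp folder"))
        elif near and not low.endswith("\\system32\\"):
            hits.append((path, "core-process name or lookalike outside system32: " + near[0]))
    return hits

def changed_dates(old_text, new_text):  # rows whose date moved, as sfc_os.dll did
    old = {(f, n): d for f, n, d, _ in parse_shownew(old_text)}
    return [(f + n, old[f, n], d) for f, n, d, _ in parse_shownew(new_text)
            if (f, n) in old and old[f, n] != d]
```

    Running flag(parse_shownew(SAMPLE_LOG)) returns the four suspect paths; changed_dates(EARLIER_LOG, SAMPLE_LOG) returns the sfc_os.dll row with both dates, which is the question to take to the file's Properties dialog rather than an answer by itself.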
  13. wmpierro

    wmpierro Private E-2

    cmak is "Windows NT Remove Quarantine client" Microsoft.
    sfc_os.dll is "Windows File Protection" Microsoft

    I can't find any of the files that you want me to delete from the root of C:\

    The server seems to be functioning properly now.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was not what I was pointing out on this file. I know what it is supposed to be. I was wondering why the file date was changing.


    The other question I was referring to that you never answered was this:
    Those files you said you cannot find were in your last newfiles.txt log. Are you sure they are gone? Get a new log from ShowNew and check it.
     
  15. wmpierro

    wmpierro Private E-2

    Here is the 12/03/06 shownew log.

    I don't know why the date is changing on the file you referred to and I don't know what the RPC you listed is for.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be very careful when doing the below step to remove this service; there are other similarly named services that are valid. You must make sure you are looking for the exact names that I give in the below procedure and nothing else.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Remote Procedure Call (RPC)
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc Tools button
    • Select Delete an NT Service
    • Copy/paste RpcSs into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot, attach a new HJT log!

    Your newfiles.txt log is clean now. Thus those files are gone.
     
    Last edited: Dec 4, 2006
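    An added example, not part of this thread: a Python check over HijackThis O23 lines that would have surfaced the RpcSs entry chaslang questioned in post 6, since the genuine Remote Procedure Call service runs from svchost.exe in system32, not from a file in the drive root. The sample lines are constructed (the RpcSs one reproduces the entry quoted in this thread), and the KNOWN baseline of service names to host binaries is an assumption.

```python
import re

# Constructed HijackThis O23 lines: the RpcSs row is the entry quoted in this
# thread, the W32Time row is a normal-looking control entry.
SAMPLE_HJT = """O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\\Documents.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe
"""

O23 = re.compile(r'^O23 - Service: (.+?) \((\w+)\) - (.+?) - (.+?)( \(file missing\))?$')
# Assumed baseline: the host binary each well-known short service name should run from, under system32.
KNOWN = {"rpcss": "svchost.exe", "w32time": "svchost.exe"}

def audit_services(text):  # -> [(short_name, image_path, reasons)]
    findings = []
    for line in text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue
        _display, short, _owner, path, missing = m.groups()
        folder, _, binary = path.rpartition("\\")
        expected = KNOWN.get(short.lower())
        reasons = []
        if missing:
            reasons.append("image path does not exist")
        if expected and (binary.lower() != expected or not folder.lower().endswith("\\system32")):
            reasons.append(f"expected {expected} under system32")
        if reasons:
            findings.append((short, path, "; ".join(reasons)))
    return findings
```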
  17. wmpierro

    wmpierro Private E-2

    I can't stop the RPC service because I am logged onto the server remotely. It is controlled by the "NT Authority\NetworkService". I changed it to "logon as local system account" but it still won't let me stop it. All the choices are greyed out.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to be physically at this PC to follow the steps. The PC will also have to be rebooted for the change to take effect. Note: I had a typo in the steps where I had the instructions for deleting the service with HJT. So please re-read them or redownload them to make sure you have the current info. Does the file this service refers to exist? (C:\Documents.exe) Sometimes HJT will say a file is missing when it is not.
     
  19. wmpierro

    wmpierro Private E-2

  20. wmpierro

    wmpierro Private E-2

    Here is the log from the Symantec removal tool.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying that someone in your IT department is not keeping up with security updates??????

    Ask them if they would like their pay checks 6 months behind schedule. ;)

    Notice I did question the ftp.exe and tftp.exe way back in message # 6.
     
