Server Win 2003 Malware

No you should not disable the current antivirus if you wanted to install Avast. You would have to uninstall your current antivirus first. Disabling is not an acceptable thing to do. However I would not uninstall Symantec to use Avast unless you are saying that you are running a server and do not want to pay for a full blown protection program. If that is the case then you need to consider why you are running a server. A server needs good protection and it needs to stay updated and I would not use a free version of any protection software on a server. Pay for it and get full protection plus support.



Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Documents and Settings\Administrator\Desktop\do not use potential virus\ltc-miner\System_Idle_Process.exe
C:\Documents and Settings\Administrator\Desktop\do not use potential virus\tanechka\realvnc.exe
C:\Documents and Settings\ztest\Local Settings\Temporary Internet Files\Content.IE5\7I216TH0\bsdl1_923721_36925609[1].exe
C:\WINDOWS\tanechka\realvnc.exe
C:\WINDOWS\tanechka\svchosl.exe
C:\WINDOWS\ltc-miner2
C:\WINDOWS\tanechka
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\system32\tmp*.cmd
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXTlog
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome. Run a new scan with Hitman Pro and attach the new log.

Are you still having problems with the server?

 

You're welcome.

Delete the C:\_OTM folder.

Also delete the below folder:
Cocuments and Settings\Administrator\Desktop\do not use potential virus

Now empty the Recycle Bin.

Now rerun Hitman Pro and allow it to fix any malware it finds. You can ignore the Supicious file report on C:\windows\system32\THREED20.OCX which is not a probelem. After having Hitman Pro fix the malware, immediately reboot the server.

After reboot, run a new scan with Hitman Pro and attach the new log.

 

It is not showing registry entries. It is showing files and folders. SOme I already asked you to delete like:

C:\_OTM folder.
Cocuments and Settings\Administrator\Desktop\do not use potential virus

Can you manually delete the other indicated folders? Are you 100% sure that these are not related to some software that the server needs to run?

The other folders implicated are:

C:\WINDOWS\ltc-miner2
C:\WINDOWS\tanechka

 

I still think it is due to something being run on the server. Based on things I see on the internet this ONLY shows up on Windows Server PC installations.

Why does this PC have 9 user accounts that are set as administrators???? I see that 2 are disabled but they are admin accounts. They should be deleted if not needed.
There should be one administrator account. How do you know that one of the other administrator user accounts has not installed and is responsible for running whatever this is? You have only given me logs from the ZTest user account so I can only see what it is loading at startup and not what any other accounts are doing.

Zip the contents of the below two folders into a ZIP file and attach it for me:
C:\windows\ltc-miner2
C:\windows\tanechka

 

Hi there. Chaslang is currently away for a short while. I will be assisting you with your thread. Do you want to go ahead and let Hitman fix everything it found? Then reboot the machine, re run Hitman, just a scan, and attach log. Let me know how things are running.

 

Hi mongooseba, I have not forgotton about you. There are a few things we need to do in order for me to help you, and I just need a little time for organisation of the fix. Chaslang took me through everything needs doing before he left Hang in there.

 

Have you got your Windows Server boot CD to hand?

 

We may have to delete some folders in system recovery mode, also, possibly a fix of the MBR.

If you do not have your CD I think we may have to create a bootable one.

 

Start having a look at this:

Prepare for Windows Server 2003 disasters with a bootable live Windows CD