Malware attack on Server 2003

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rrobinson01, May 23, 2011.

  1. rrobinson01

    rrobinson01 Private E-2

    Hi All, I have a client with a small network, the main server is Server 2003 with Exchange 2003 installed as well. Last Thursday the server rebooted (on its own) and when it came up they logged in and the "Server 2003 Recovery" screen popped up, the desktop was completely blank and when you clicked on programs or admin tools there was nothing listed. Also when you browsed the computer no files or folders appeared. But, Exchange seemed to be working (excluding OWA which looks strange when you access it) and users could access files on the server from their desktops.

    I ran Search and Destroy, Malware Bytes, ComboFix (yes it did not complete, just want to give all the info I can) and Super Antivirus. I did find many infections and have cleaned them. Now when you log in there are still no programs listed and nothing under admin tools. I can run things from the command prompt but am hoping you might be able to help.

    I followed the directions on your forum and am attaching the log files.
     


  2. rrobinson01

    rrobinson01 Private E-2

    As additional information, I am finding that all folder attributes were changed to hidden and read only. I have gotten OWA to work properly now.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is one of the newer infections that is a pain to fix. Use Windows Explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\17620776
    C:\Documents and Settings\All Users\Application Data\~17620776
    C:\Documents and Settings\All Users\Application Data\~17620776r

    Now tell me what this is (right click the file and check the properties):
    C:\WINDOWS\system32\drivers\4361E55.sys

    All of your files and folders are in the below smtmp folders. You will have to move them all back to their proper place:
    Code:
    "C:\temp\smtmp\"
    1             May 19 2011              "1"
    2             May 19 2011              "2"
    4             May 19 2011              "4"
    
    "C:\temp\smtmp\1\"
    PROGRAMS      May 19 2011              "Programs"
    
    "C:\temp\smtmp\4\"
    spywar~1.lnk  May 19 2011        1664  "Spyware Doctor.lnk"
    
    "C:\temp\smtmp\1\Programs\"
    ACCESS~1      May 19 2011              "Accessories"
    ADMINI~1      May 19 2011              "Administrative Tools"
    ADOBER~1      May 19 2011              "Adobe Reader"
    APACHE~1.59   May 19 2011              "Apache HTTP Server 2.0.59"
    DELLPR~1      May 19 2011              "Dell Printers"
    EPSONC~1      May 19 2011              "EPSON Creativity Suite"
    EPSONP~1      May 19 2011              "EPSON Printers"
    EPSONS~1      May 19 2011              "EPSON Speed Dial Utility"
    HPMANA~1      May 19 2011              "HP Management Agents"
    HPSYST~1      May 19 2011              "HP System Tools"
    IMAGEM~1.5Q1  May 19 2011              "ImageMagick 6.3.5 Q16"
    LOGMEI~1      May 19 2011              "LogMeIn Hamachi"
    MALWAR~1      May 19 2011              "Malwarebytes' Anti-Malware"
    MALWAR~2      May 19 2011              "Malwarebytes"
    MICROS~1      May 19 2011              "Microsoft Exchange"
    MICROS~2      May 19 2011              "Microsoft Office"
    MICROS~3      May 19 2011              "Microsoft SQL Server 2005"
    MICROS~4      May 19 2011              "Microsoft Visual SourceSafe"
    PCTOOL~1      May 19 2011              "PC Tools Security"
    PEACHT~1      May 19 2011              "Peachtree Accounting 2011"
    SIFIBA~1      May 19 2011              "SIFIBackup"
    SIZER         May 19 2011              "Sizer"
    SPYBOT~1      May 19 2011              "Spybot - Search & Destroy"
    STARTUP       May 19 2011              "Startup"
    SUBVER~1      May 19 2011              "Subversion"
    TCPVIEW       May 19 2011              "TcpView"
    WINDOW~1      May 19 2011              "Windows Support Tools"
    WINZIP        May 19 2011              "WinZip"
    
    "C:\temp\smtmp\1\Programs\Accessories\"
    ACCESS~1      May 19 2011              "Accessibility"
    COMMUN~1      May 19 2011              "Communications"
    ENTERT~1      May 19 2011              "Entertainment"
    SYSTEM~1      May 19 2011              "System Tools"
    
    "C:\temp\smtmp\1\Programs\Administrative Tools\"
    active~2.lnk  Mar 30 2011        2187  "Active Directory Management.lnk"
    active~4.lnk  May 19 2011        2279  "Active Directory Users and Computers.lnk"
    dhcp.lnk      Mar 30 2011        2393  "DHCP.lnk"
    termin~3.lnk  Apr 28 2011        2341  "Terminal Services Manager.lnk"
    
    "C:\temp\smtmp\1\Programs\Apache HTTP Server 2.0.59\"
    CONFIG~1      May 19 2011              "Configure Apache Server"
    CONTRO~1      May 19 2011              "Control Apache Server"
    REVIEW~1      May 19 2011              "Review Server Log Files"
    
    "C:\temp\smtmp\1\Programs\Dell Printers\"
    DELL33~1      May 19 2011              "Dell 3330dn Laser Printer"
    
    "C:\temp\smtmp\1\Programs\EPSON Creativity Suite\"
    FILEMA~1      May 19 2011              "File Manager"
    
    "C:\temp\smtmp\1\Programs\HP System Tools\"
    HPARRA~1      May 19 2011              "HP Array Configuration Utility"
    HPARRA~2      May 19 2011              "HP Array Configuration Utility CLI"
    HPARRA~3      May 19 2011              "HP Array Diagnostic Utility"
    
    "C:\temp\smtmp\1\Programs\LogMeIn Hamachi\"
    logmei~1.lnk  Mar 30 2011         697  "LogMeIn Hamachi.lnk"
    uninst~1.lnk  Mar 30 2011        1479  "Uninstall.lnk"
    
    "C:\temp\smtmp\1\Programs\Malwarebytes\"
    malwar~1.lnk  May 19 2011         636  "Malwarebytes' Anti-Malware Help.lnk"
    malwar~2.lnk  May 19 2011         636  "Malwarebytes' Anti-Malware.lnk"
    uninst~1.lnk  May 19 2011         660  "Uninstall Malwarebytes' Anti-Malware.lnk"
    
    "C:\temp\smtmp\1\Programs\Microsoft Exchange\"
    ADDITI~1      May 19 2011              "Additional Resources"
    DEPLOY~1      May 19 2011              "Deployment"
    
    "C:\temp\smtmp\1\Programs\Microsoft Office\"
    MICROS~1      May 19 2011              "Microsoft Office 2010 Tools"
    micros~1.lnk  May 17 2011        2008  "Microsoft Excel 2010.lnk"
    micros~2.lnk  May 17 2011        2002  "Microsoft PowerPoint 2010.lnk"
    micros~3.lnk  May 17 2011        2056  "Microsoft Publisher 2010.lnk"
    micros~4.lnk  May 19 2011        2379  "Microsoft Word 2010.lnk"
    
    "C:\temp\smtmp\1\Programs\Microsoft SQL Server 2005\"
    ANALYS~1      May 19 2011              "Analysis Services"
    CONFIG~1      May 19 2011              "Configuration Tools"
    PERFOR~1      May 19 2011              "Performance Tools"
    
    "C:\temp\smtmp\1\Programs\PC Tools Security\"
    moreso~1.lnk  May 19 2011        1449  "More solutions from PC Tools.lnk"
    spywar~1.lnk  May 19 2011         763  "Spyware Doctor Quick Start Guide.lnk"
    spywar~2.lnk  May 19 2011        1676  "Spyware Doctor.lnk"
    uninst~1.lnk  May 19 2011         747  "Uninstall Spyware Doctor.lnk"
    
    "C:\temp\smtmp\1\Programs\Peachtree Accounting 2011\"
    PEACHT~1      May 19 2011              "Peachtree Resources & Help"
    
    "C:\temp\smtmp\1\Programs\Microsoft Office\Microsoft Office 2010 Tools\"
    digita~1.lnk  May 17 2011        2022  "Digital Certificate for VBA Projects.lnk"
    micros~1.lnk  May 17 2011        1988  "Microsoft Clip Organizer.lnk"
    micros~2.lnk  May 17 2011        1908  "Microsoft Office 2010 Language Preferences.lnk"
    micros~3.lnk  May 17 2011        1950  "Microsoft Office 2010 Upload Center.lnk"
    micros~4.lnk  May 17 2011        1966  "Microsoft Office Picture Manager.lnk"
    This Trojan moves the files from the %Start Menu% and %Desktop% folders to the created %User Temp%\smtmp folder. The files located in %Start Menu% are moved to the subfolder %User Temp%\smtmp\1, while the files located in %Desktop% are moved to the subfolder %User Temp%\smtmp\2.

    To restore the moved files, open %User Temp%\smtmp and copy the files.

    • For %User Temp%\smtmp\1, copy the files to %Start Menu%
    • For %User Temp%\smtmp\2, copy the files to %Desktop%
    Once done, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
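The restore step TimW describes (copy smtmp\1 back to the Start Menu, smtmp\2 back to the Desktop, then undo the hidden/read-only attributes the rogue set) as an added PowerShell script; this is not code from the thread or from MajorGeeks. It assumes PowerShell 2.0 is installed on the Server 2003 box, that the smtmp folder is C:\temp\smtmp as in the listing above, and that the current user's Start Menu and Desktop are the targets (pass the All Users paths explicitly if the moved items came from there).

```powershell
# Added example: put Start Menu / Desktop items moved into smtmp back in place
# and clear the Hidden and ReadOnly attributes the rogue applied.
# Assumed layout (from the post): smtmp\1 = Start Menu, smtmp\2 = Desktop.
param(
    [string]$Smtmp     = 'C:\temp\smtmp',
    [string]$StartMenu = [Environment]::GetFolderPath('StartMenu'),
    [string]$Desktop   = [Environment]::GetFolderPath('Desktop'),
    [switch]$DryRun                      # report what would be copied, change nothing
)

# Mapping of smtmp subfolder -> original location
$map = @{ '1' = $StartMenu; '2' = $Desktop }

foreach ($sub in $map.Keys) {
    $src = Join-Path $Smtmp $sub
    $dst = $map[$sub]
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "$src not found, skipping"; continue }

    # -Force is required: the rogue marks the moved items hidden, so a plain
    # Get-ChildItem would silently enumerate nothing.
    Get-ChildItem -LiteralPath $src -Recurse -Force | ForEach-Object {
        $rel    = $_.FullName.Substring($src.Length).TrimStart('\')
        $target = Join-Path $dst $rel
        if ($_.PSIsContainer) {
            if (-not (Test-Path -LiteralPath $target)) {
                New-Item -ItemType Directory -Path $target -WhatIf:$DryRun | Out-Null
            }
        } else {
            # Copy rather than move so smtmp stays intact until the result is verified
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force -WhatIf:$DryRun
        }
    }
}

# Strip Hidden (-h) and ReadOnly (-r) from the restored trees; /S recurses
# into files, /D includes the folders themselves (attrib.exe ships with 2003).
if (-not $DryRun) {
    foreach ($dst in $map.Values) {
        if (Test-Path -LiteralPath $dst) { attrib -h -r "$dst\*" /S /D }
    }
}
```

Run it once with -DryRun to review the copy list, then without; the same attrib line can be pointed at any other folder tree on the server whose attributes were flipped to hidden and read-only.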
