SBS 2003 hundreds of connection to Russian IP

Discussion in 'Malware Help (A Specialist Will Reply)' started by cowboyGeek, Oct 13, 2012.

  1. cowboyGeek

    cowboyGeek Private E-2

    Only symptom of this infection was slow internet performance intermittently. Reviewing current connections in the router tables, I discovered hundreds of connections to an IP address that resolved to a site in Russia.

    Ran the standard scans (see attached logs) and found:

    Trojan.Pandora
    Trojan.Delf
    Trojan.Agent

    Rebooted after MalwareBytes and received this error: http://i.imgur.com/cM3T1.png

    At this point, I'm not sure how to tell if I'm clean, so request a log review.

    Thanks!
     

    Attached Files:
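Added example, not code from the thread or from any of the tools named in it: a small Python script that aggregates Windows `netstat -ano` output (the same "Active Connections" listing that ends up in the MGtools log) by remote address, so that hundreds of connections to one external IP, like those seen in the router table above, stand out together with the PID that owns them. The netstat sample, the threshold and the address ranges treated as local are constructed assumptions.

```python
"""Flag remote addresses with an unusually high connection count in `netstat -ano` output."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of Windows `netstat -ano` (not taken from the thread's logs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.2:445        192.168.1.50:49152     ESTABLISHED     4
  TCP    192.168.1.2:1045       203.0.113.7:8080       ESTABLISHED     1532
  TCP    192.168.1.2:1046       203.0.113.7:8080       SYN_SENT        1532
  TCP    192.168.1.2:1047       203.0.113.7:8080       ESTABLISHED     1532
  TCP    192.168.1.2:3389       192.168.1.20:50110     ESTABLISHED     1112
  UDP    0.0.0.0:123            *:*                                    944
"""

# Proto, local address, foreign address, optional state (absent on UDP rows), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# Assumed LAN/loopback ranges; peers in these are normal for a file server and are not counted.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_connections(text):
    """Return [(proto, remote_ip, state, pid)] for every connection row in the output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # headers and blank lines
        proto, _local, foreign, state, pid = m.groups()
        host = foreign.rpartition(":")[0].strip("[]")  # drop the port; [] wraps IPv6
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:                             # "*:*" listeners have no peer
            continue
        rows.append((proto, str(ip), state or "", int(pid)))
    return rows

def suspicious_remotes(text, threshold=100):
    """Map each non-LAN remote IP with >= threshold connections to its count and owning PIDs."""
    counts, pids = Counter(), defaultdict(set)
    for _proto, ip, _state, pid in parse_connections(text):
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            continue
        counts[ip] += 1
        pids[ip].add(pid)
    return {ip: {"count": n, "pids": sorted(pids[ip])}
            for ip, n in counts.items() if n >= threshold}
```

On a live machine, feed the captured output of `netstat -ano` to `suspicious_remotes` and then match the reported PIDs against the process list to see which executable holds the connections.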

  2. cowboyGeek

    cowboyGeek Private E-2

    A little more information on the situation with this server:

    Since the reboot after the MalwareBytes threat removal, the server will boot and run for 10-60 minutes and then things begin to deteriorate until the server becomes unusable. The UI eventually becomes unresponsive, and shares begin to time out on workstation requests. It's impossible to gracefully shut the server down, and it must be power cycled. During the limited time available when the server is working, I've seen quite a number of errors in the event log that didn't exist prior to the threat removal.

    Looking pretty grim at the moment...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the requested log from TDSSKiller. It appears that you did not even download it.

    Also, I want to get a log from a newer version of MGtools. If you see a license agreement for TrendMicro HijackThis, be sure to click twice on I Accept. If you close your browsers and other applications while running MGtools, you will more likely see this. It does not pop to the top automatically.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista or Win7, make sure UAC is still disabled. Also, don't double-click on it; use right-click and select Run As Administrator.)


    Now attach the below logs:
    • the TDSSKiller log
    • C:\MGlogs.zip
     
  4. cowboyGeek

    cowboyGeek Private E-2

    I'm working from the procedure for Windows 2000 & 2003 (http://forums.majorgeeks.com/showthread.php?t=139302) since it's SBS 2003, and it makes no mention of TDSSKiller.

    I downloaded and ran TDSSKiller and attached the log.

    I downloaded the newer MGTools from the link you provided and reran. I'm not sure why, but the HiJackThis dialog was displayed today, but not yesterday. The zip is attached.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah yes! Sorry about that. We never added it to that procedure because supposedly it would not work with Windows 2000. I see it does run on 2003 though. ;)

    Not seeing any problems in your logs. But I do see lots of Active Connections, which is what you are likely referring to. I suggest that you add a good software firewall to help block outgoing connections. Not sure the Win 2003 OS even has a firewall. It may have one, but Windows firewalls are very ineffective and they do nothing to block outgoing bad connections.


    Also, you should delete the below files:
    Code:
                                                      
    "C:\WINDOWS\Temp\"
    ipmf.tmp      Oct 13 2012      175488  "IPMF.tmp"
    jna220~1.dll  Oct 13 2012      349255  "jna2205689650124868261.dll"
    jna501~1.dll  Oct 13 2012      349255  "jna5019655517122476400.dll"
    jna533~1.dll  Oct 13 2012      349255  "jna5330314938595892981.dll"
    jna541~1.dll  Oct 13 2012      349255  "jna5414019685336284070.dll"
    jna682~1.dll  Oct 13 2012      349255  "jna6823256557908291897.dll"
    jna795~1.dll  Oct 14 2012      349255  "jna7957630386327889571.dll"
    jna799~1.dll  Oct 13 2012      349255  "jna7998616869893004113.dll"
    lb1.tmp       Oct 13 2012      262144  "LB1.tmp"
    lb2.tmp       Oct 13 2012      262144  "LB2.tmp"
    lb3.tmp       Oct 13 2012      262144  "LB3.tmp"
    lb4.tmp       Oct 13 2012      262144  "LB4.tmp"
    lb5.tmp       Oct 13 2012      262144  "LB5.tmp"
    lb6.tmp       Oct 13 2012      262144  "LB6.tmp"
    lb7.tmp       Oct 13 2012      262144  "LB7.tmp"
    lb8.tmp       Oct 13 2012      262144  "LB8.tmp"
    lb9.tmp       Oct 13 2012      262144  "LB9.tmp"
    lba.tmp       Oct 13 2012      262144  "LBA.tmp"
    lbb.tmp       Oct 13 2012      262144  "LBB.tmp"
    lbc.tmp       Oct 13 2012      262144  "LBC.tmp"
    lbd.tmp       Oct 14 2012      262144  "LBD.tmp"
    lbe.tmp       Oct 14 2012      262144  "LBE.tmp"
     
