W2K3 server Inject-DN, W32/Rbot-GSK

goatwhisperer · Dec 31, 2008

OK the office Mgr decided to turn off her virus protection and auto updates for windows so she got a trojan, she also gave it to the server. We have never run a Anti Virus program on the server before a it never goes on the internet, and it takes a lot of overhead. Anyway I have spent the last 2 weeks trying everything I know to clean the system to no avail.
I went through the malware removal tonight step by step the combo fix won't run on the server OS but I have posted all the logs. I got home and remoted back in and once again "it's back" gona call it the Arnold Virus "I'll be back"
this is what is showing up in the AV program
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\04F86MNX\h[1].x
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7HLXI7E\h[1].x
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\sp.exe

It usually adds a 2 letter executable it has also installed (although not there right now) msdll.exe which runs as a service and shows up in the task mgr. and windows spool services which also runs as a service

Thanks

chaslang · Jan 4, 2009

Welcome to Major Geeks!

Question: Why does a server have 14 user accounts that have Admin priviledges??? A server should have one user account with Admin priviledges. The others should all be restricted user accounts. All administration should be performed by the single Admin account.

Download HostsXpert and then follow the below steps.

Unzip HostsXpert.zip

It will create a folder named HostsXpert in whatever folder you extract it to.

Run HostsXpert.exe by double clicking on it.

Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).

Click Restore Microsoft's Hosts File and then click OK.

Click the X to exit the program

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe (file missing)

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe

select File, Cleanup, Delete All Backups

Choose Tools > Delete Temp Files and click Delete Selected Temp Files.

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Bug.txt
C:\qplayer.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\SYSTEM\MSDDLL.EXE
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\sp.exe
C:\WINDOWS\system32\SYSDRV32.EXE
C:\WINDOWS\system32\drivers\sysdrv32.sys
C:\WINDOWS\Temp\pmnmmlmL.bat
C:\WINDOWS\Temp\TMP57.exe
C:\WINDOWS\Temp\wvUlKASK.bat
C:\WINDOWS\Tasks\yewzszwp.job
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\04F86MNX\h[1].x
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7HLXI7E\h[1].x

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Joe Santoro\Local Settings\Temp

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\system\controlset001\services\msddll]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysdrv32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

You are out of date with your version of SUPERAntiSpyware.

Please uninstall your current version (this is necessary).

Then download this SUPERAntiSpyware

Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.

After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.

Now run a new full scan of your system. And attach this new log when you come back.

Now run Malwarebytes and first make sure you Update to the current database. Then run a new scan and fix what it finds. Save the log to attach.

Now run Ccleaner!

Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe then attach the below logs:

new SUPERAntiSpyware log

new Malwarebytes log

new C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

W2K3 server Inject-DN, W32/Rbot-GSK

goatwhisperer Private E-2

Attached Files:

SASScan Log - 12-31-2008 - 16-08-17.log

server mbam-log-2008-12-31 (17-41-34).txt

ServerMGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member