W2K3 server Inject-DN, W32/Rbot-GSK

Discussion in 'Malware Help (A Specialist Will Reply)' started by goatwhisperer, Dec 31, 2008.

  1. goatwhisperer

    goatwhisperer Private E-2

OK, the office Mgr decided to turn off her virus protection and auto updates for Windows, so she got a trojan, and she also gave it to the server. We have never run an anti-virus program on the server before, as it never goes on the internet and it takes a lot of overhead. Anyway, I have spent the last 2 weeks trying everything I know to clean the system, to no avail.
    I went through the malware removal tonight step by step; ComboFix won't run on the server OS, but I have posted all the logs. I got home and remoted back in, and once again "it's back". Gonna call it the Arnold Virus: "I'll be back".
    This is what is showing up in the AV program:
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\04F86MNX\h[1].x
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7HLXI7E\h[1].x
    C:\WINDOWS\system32\lh.exe
    C:\WINDOWS\system32\sp.exe


It usually adds a 2-letter executable. It has also installed (although not there right now) msdll.exe, which runs as a service and shows up in the task mgr, and Windows spool services, which also runs as a service.

    Thanks

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

Question: Why does a server have 14 user accounts that have Admin privileges??? A server should have one user account with Admin privileges. The others should all be restricted user accounts. All administration should be performed by the single Admin account.




    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe (file missing)

    After clicking Fix, exit HJT.



Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.



    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Bug.txt
    C:\qplayer.exe
    C:\WINDOWS\system32\cmd.execf
    C:\WINDOWS\SYSTEM\MSDDLL.EXE
    C:\WINDOWS\system32\lh.exe
    C:\WINDOWS\system32\sp.exe
    C:\WINDOWS\system32\SYSDRV32.EXE
    C:\WINDOWS\system32\drivers\sysdrv32.sys
    C:\WINDOWS\Temp\pmnmmlmL.bat
    C:\WINDOWS\Temp\TMP57.exe
    C:\WINDOWS\Temp\wvUlKASK.bat
    C:\WINDOWS\Tasks\yewzszwp.job
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\04F86MNX\h[1].x
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7HLXI7E\h[1].x
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Joe Santoro\Local Settings\Temp

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    You are out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log when you come back.
    Now run Malwarebytes and first make sure you Update to the current database. Then run a new scan and fix what it finds. Save the log to attach.

    Now run Ccleaner!

Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.



    Run MGtools.exe then attach the below logs:
    • new SUPERAntiSpyware log
    • new Malwarebytes log
    • new C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 4, 2009
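The reply above singles out one HijackThis O23 entry (an orphaned service with an unknown owner and a missing binary), and the original post notes that the infection keeps coming back as two-letter executables in system32. The following script, added here as an illustration and not part of the thread or of HijackThis, parses O23 service lines from a log and flags the same two warning signs; the sample log is constructed (the prilogon line is the one quoted in the reply, the other lines are invented).

```python
"""Flag suspicious O23 service entries in a HijackThis-style log.

Added example, not code from the thread. It parses log text offline, so it
can be run over a saved analyse.exe / HijackThis log without touching the
server itself.
"""
import re

# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Two-letter executables dropped straight into system32 (lh.exe, sp.exe in the thread)
SHORT_SYS32_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{2}\.exe$", re.IGNORECASE)


def parse_o23(line):
    """Return a dict for an O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["missing"] = svc["missing"] is not None
    return svc


def flag_service(svc):
    """Reasons to review this service; empty list means nothing stood out."""
    reasons = []
    if svc["missing"]:
        # Service still registered but its binary is gone: leftover persistence
        reasons.append("binary missing (orphaned service entry)")
    if SHORT_SYS32_RE.match(svc["path"]):
        reasons.append("two-letter executable in system32")
    if reasons and svc["owner"] == "Unknown owner":
        # Unknown owner alone is common for legitimate software; only note it
        # alongside a stronger indicator
        reasons.append("unknown owner")
    return reasons


def review_log(text):
    """Return (short name, path, reasons) for every O23 entry worth a look."""
    findings = []
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is not None and flag_service(svc):
            findings.append((svc["name"], svc["path"], flag_service(svc)))
    return findings


# Constructed sample log: line 1 is the entry quoted in the reply above
SAMPLE_LOG = r"""O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Windows Spool Services (spoolsvc) - Unknown owner - C:\WINDOWS\system32\sp.exe
"""

if __name__ == "__main__":
    for name, path, reasons in review_log(SAMPLE_LOG):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```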
