Windows 2003 R2 Ping.exe and others

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by feetdontfailme, Dec 20, 2011.

  1. feetdontfailme

    feetdontfailme Private E-2

    I have been fighting this thing on a work server for three or four days. I don't know how it got on there, though I admit I had been searching for a fix for an HP printer problem while logged in as Administrator (stupid, I know now). Malwarebytes picked up a problem after I realized there was an issue. It started as one of those fake malware warnings but also had put a bunch of items in the task scheduler. After MWB did its thing and I cleared the scheduler, ping.exe is going for 100% usage and the server is getting rebooted nightly, not by me. I think I am hosed and this will be a major hassle, as it is an application server and I will have to put a lot of work in to retrieve the CAL licenses for Terminal Server if I am forced to format and reinstall, plus the aggravation of having to tell the bosses that their cheapness in not paying for an antivirus solution led to this (fun, fun, fun). I have attached the three logs that I can run: MWB, SUPERAntiSpyware and MGTools. Thank you in advance for your help and your time.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, feetdontfailme!

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • ClamWin Free Antivirus 0.97.3 <--- you can reinstall this after malware removal if you wish
    • J2SE Runtime Environment 5.0 Update 11 <-- outdated
    • Java(TM) 6 Update 2 <-- outdated
    • Java(TM) 6 Update 21 <-- outdated
    • Java(TM) 6 Update 3 <-- outdated
    • Java(TM) 6 Update 7 <-- outdated

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to set up for Normal Startup Mode

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output" box.
    • Change the setting of "Drivers" and "Services" to "All".
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      atapi.sys
      c4jdr66aG.com.b
      csrss.exe
      explorer.exe
      lsass.exe
      ping.exe
      regedit.exe
      services.exe
      shell32.dll
      smss.exe
      svchost.exe
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %appdata%\windows\*.* /s
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
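    The OTL custom scan above hashes a fixed set of core Windows binaries (ping.exe among them) so a replaced or patched file stands out against a known-good copy. As an added illustration that is not part of thisisu's instructions or of any MajorGeeks tool, this Python script performs the same check against a baseline of SHA-256 hashes; the baseline, the fake System32 directory, the tampered ping.exe and the dropped c4jdr66aG.com.b are all constructed in a temporary folder so it runs offline on any system.

```python
import hashlib
import os
import tempfile

# Files the OTL custom scan above hashes between /md5start and /md5stop.
WATCHED_FILES = [
    "atapi.sys", "csrss.exe", "explorer.exe", "lsass.exe", "ping.exe",
    "regedit.exe", "services.exe", "shell32.dll", "smss.exe", "svchost.exe",
    "userinit.exe", "winlogon.exe",
]
# The scan also looked for this oddly named file, which should never be present.
UNEXPECTED_FILES = ["c4jdr66aG.com.b"]

def sha256_of(path, chunk=1 << 16):
    """Hash in chunks so large binaries (shell32.dll) are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_directory(directory, baseline):
    """Return {name: 'ok' | 'modified' | 'missing' | 'unexpected'} for the watched set."""
    report = {}
    for name in WATCHED_FILES:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_of(path) == baseline.get(name):
            report[name] = "ok"
        else:
            report[name] = "modified"  # replaced or patched since the baseline was taken
    for name in UNEXPECTED_FILES:
        if os.path.exists(os.path.join(directory, name)):
            report[name] = "unexpected"
    return report

def run_demo():
    """Constructed scenario: baseline a fake System32, then overwrite ping.exe and drop the odd file."""
    root = tempfile.mkdtemp()
    for name in WATCHED_FILES:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"known-good build of " + name.encode())  # constructed file content
    baseline = {n: sha256_of(os.path.join(root, n)) for n in WATCHED_FILES}
    with open(os.path.join(root, "ping.exe"), "wb") as f:
        f.write(b"constructed stand-in for a trojanised ping.exe")
    open(os.path.join(root, "c4jdr66aG.com.b"), "wb").close()
    return verify_directory(root, baseline)
```

On a real server the baseline would be taken from a clean install of the same service pack level, since a hash that merely differs from another machine's copy proves nothing on its own.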
     
  3. feetdontfailme

    feetdontfailme Private E-2

    Hurray... no ping.exe this morning! Attached are the logs from TDSSKiller, MBRCheck and OTL. It appears that I let in a rootkit on the IPSec service.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Great ;)
    We still have some work to do.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011/12/09 13:11:38 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\j0BEc7h.dat
    [2011/12/09 13:11:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\c4jdr66aG.com.b
    [C:\WINDOWS\$NtUninstallKB20616$] -> Error: Cannot create file handle -> Unknown point type
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    :files
    C:\WINDOWS\$NtUninstallKB20616$
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    ipconfig /flushdns /c
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the server is running afterwards.
     
  5. feetdontfailme

    feetdontfailme Private E-2

    Attached are the logs that you asked for. This forum was giving me problems with uploading the OTL log again, so I stuck it in MGLogs.zip. You really saved my *** here. The server seems to be running great. Thank you, and I hope that the holiday season brings you all the best. :-D
     
  6. thisisu

    thisisu Malware Consultant

    The logs did not attach properly. Please try again.
    Glad to hear the server is running great ;)
    And thanks for the good wishes. I hope that the holiday season brings you all the best too :)
     
  7. feetdontfailme

    feetdontfailme Private E-2

    Sorry, we were off last week, so I am now reposting those logs.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Can you attach the OTL fix log too?

    You attached the OTL scan log.
     
  9. feetdontfailme

    feetdontfailme Private E-2

    I hope that this is the right one and that I haven't messed this up. Thanks again.
     

    Attached Files:

  10. feetdontfailme

    feetdontfailme Private E-2

    Whoops, went back and read three posts back. This should be the right thing. A mind is a terrible thing.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Are you familiar with this file?

    C:\Documents and Settings\All Users\Application Data\0E9F6271-9104-E6F1-DE13-9DCCB56034B3.avi

    For some reason I doubt it's actually a video file. You should upload it to Virustotal.com and let us know the results.

    Or if you know what it is, leave it alone.

    The rest of your logs are clean. :)
    ___________________________

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required. (If we renamed it, please rename it back to Combofix.exe.)
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    Take care and be safe! :)
     
  12. feetdontfailme

    feetdontfailme Private E-2

    C:\Documents and Settings\All Users\Application Data\0E9F6271-9104-E6F1-DE13-9DCCB56034B3.avi appears to be a virus. I've attached a PDF of VirusTotal's results. Can something like this just be deleted and the recycle bin emptied right afterwards, or does that risk activating it?
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Yes
    No

    ___

    If it is stubborn to remove let me know and I'll give you a script that should be able to delete it. Otherwise, surf safely! :)
     
    Last edited: Jan 3, 2012
