2003 Server w/spyware...

c16621 Hell, er, I mean MI
edited October 2006 in Science & Tech
Yeah - I'm ghetto.

I'm running a standalone 2003 server o.s. as my desktop at home - gotta be different. Was going to get around learning the ropes on 2003 server, but ended up working w/Unix and Linux at work, and never got around to it...

Well, enough about that. The real issue is I inadvertently got myself infected with some malware. Even though I clean up my box, the malware re-installs itself upon soft-boot.

Now, I know that XP has a system restore location that you're supposed to check to make sure there's no malware located there to reinstall itself, but I never got around to getting familiar enough with 2003 server to learn the corresponding location on it, that serves a similar purpose.

Does anybody know the corresponding location for 2003 server, so I can check it out and ensure it is clean?

Thx
Signed, officially p*ssed at malware:grr::rarr:

(ps. - I already asked the people over in the malware section, but since this involved server 2003, was unsure where to ask, so I posted here, too...)

Comments

  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited October 2006
    (ps. - I already asked the people over in the malware section, but since this involved server 2003, was unsure where to ask, so I posted here, too...)
    Normally we discourage double posting, but in your case, I think it's appropriate. Please though, if one of your threads proves to be productive, concentrate on that particular thread. Post in the other thread to let members know that progress is being made so that we can avoid duplication of effort.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2006
    You can treat a win2k3 server spyware infestation exactly the same as a windows xp or 2000 spyware infestation, that is, run the normal suite of tools (spybot, adaware, ewido, etc.), a full virus scan, and then post a HJT log in our spyware/virus/trojan discussion area and have an expert take a look at it to complete the cleaning.
  • c16621 Hell, er, I mean MI
    edited October 2006
    Ok - thanks! I already visited the other thread and let them know.

    Alrighty then - I'll go home tonight and bring my HijackThis log in and post it up tomorrow. I didn't hard boot during any of my cleanup steps last night, so I'll redo the steps with hard boots instead. I will post up the resulting HijackThis log tomorrow......

    ....I am in .dll helllllllllll:(
  • Trogan London, UK
    edited October 2006
    I'll take a look at your HijackThis log once it's posted. :)
  • c16621 Hell, er, I mean MI
    edited October 2006
    OK - Here is my logfile. I tried to run some of the other freeware recommended on this site, but they choked on 2003 server.

    Please note, all the winmx.com hostfile entries are ok and were manually added by me, to keep my winmx working after the company went down in flames.

    Also, all the malware and spyware you see in the HKEY_Local_Machine keys are what is re-spawning. I clean it all up, and it comes back...this is the problem:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:11 AM, on 10/11/2006
    Platform: Windows 2003 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
    C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jucheck.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    O1 - Hosts: 82.195.155.5 c3528.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1306.winmx.com
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinkpex.exe GEN001
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [{6C-C5-50-0B-ZN}] C:\windows\system32\ojdsregj.exe GEN001
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
    O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_17.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_17.exe
    O4 - HKLM\..\Run: [ixszbbhA] C:\WINDOWS\ixszbbhA.exe
    O4 - HKLM\..\Run: [jom202a1] RUNDLL32.EXE w477c924.dll,n 0042029d00000003477c924
    O4 - HKLM\..\Run: [w477defe.dll] RUNDLL32.EXE w477defe.dll,I2 0042029d0477defe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_17.exe
    O4 - HKLM\..\Run: [Ilfzl] C:\Program Files\Qedqd\Fgnq.exe
    O4 - HKLM\..\Run: [jtxvjkh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jtxvjkh.dll,igdxyid
    O4 - HKLM\..\Run: [ms05721181518] C:\WINDOWS\ms05721181518.exe
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
    O4 - HKCU\..\Run: [Weps] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\fast.exe" -vt yazb
    O4 - HKCU\..\Run: [Ziykgiho] C:\Program Files\?ymantec\?xplorer.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe



    The million dollar question is - what is respawning this junk, and where can I find it? Cuz I wanna "get a torch and some pliers and go medieval on its hiney".....
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2006
    these are evil:

    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinkpex.exe GEN001
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [{6C-C5-50-0B-ZN}] C:\windows\system32\ojdsregj.exe GEN001
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
    O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_17.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_17.exe
    O4 - HKLM\..\Run: [ixszbbhA] C:\WINDOWS\ixszbbhA.exe
    O4 - HKLM\..\Run: [jom202a1] RUNDLL32.EXE w477c924.dll,n 0042029d00000003477c924
    O4 - HKLM\..\Run: [w477defe.dll] RUNDLL32.EXE w477defe.dll,I2 0042029d0477defe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_17.exe
    O4 - HKLM\..\Run: [Ilfzl] C:\Program Files\Qedqd\Fgnq.exe
    O4 - HKLM\..\Run: [jtxvjkh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jtxvjkh.dll,igdxyid
    O4 - HKLM\..\Run: [ms05721181518] C:\WINDOWS\ms05721181518.exe
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

    O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
    O4 - HKCU\..\Run: [Weps] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\fast.exe" -vt yazb
    O4 - HKCU\..\Run: [Ziykgiho] C:\Program Files\?ymantec\?xplorer.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

    O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
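Added example (not from this thread, HijackThis, or any poster): a small Python triage script that parses O4 autostart lines like the ones quoted above and lists the traits a reviewer checks first, so the "what is respawning this" question can be worked from the log itself. It assumes %systemroot% is C:\WINDOWS (the log's process list shows that path); the sample lines are copied from the log posted earlier, and the rules are a reading aid, not a verdict (entries living in system32 still need a name-by-name lookup).

```python
import re
from ntpath import basename, dirname  # Windows path rules regardless of the host OS
# Constructed input: O4 (autostart) lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_17.exe
O4 - HKLM\..\Run: [jom202a1] RUNDLL32.EXE w477c924.dll,n 0042029d00000003477c924
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Ziykgiho] C:\Program Files\?ymantec\?xplorer.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: HJT leaves %systemroot% unexpanded; the log's process list shows C:\WINDOWS

def split_command(cmd):
    """Separate the program from its arguments; handles quoted paths and unquoted paths with spaces."""
    cmd = cmd.strip()
    m = (re.match(r'"([^"]*)"\s*(.*)$', cmd)
         or re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s+(.*))?$", cmd, re.I))
    # No quotes and no recognisable extension (e.g. "...\dumprep 0 -s"): split at the first space.
    prog, rest = (m.group(1), m.group(2) or "") if m else cmd.partition(" ")[::2]
    prog = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, prog, flags=re.I).replace("\\\\", "\\")
    return prog, rest.strip()

def triage_entry(key, cmd):
    """Return the reasons an autostart entry deserves a closer look (empty list = nothing odd by these rules)."""
    prog, args = split_command(cmd)
    exe = basename(prog).lower()
    reasons = []
    if key.lower().startswith("runservices"):
        reasons.append("RunServices is a Win9x-only key; unusual on an NT-family system")
    if "?" in prog:
        reasons.append("'?' is illegal in a Windows file name; HJT printed a character it could not render")
    if exe == "rundll32.exe" and "\\" not in args.split(",")[0]:
        reasons.append("rundll32 loads a DLL by bare name, resolved through the DLL search path")
    if exe == "iexplore.exe" and "http" in args.lower():
        reasons.append("browser launched with a URL at every logon")
    if dirname(prog).rstrip("\\").lower() in ("c:", SYSTEM_ROOT.lower()):
        reasons.append("executable sits in the drive root or Windows root, not a program directory")
    return reasons

def triage_log(text):
    """Parse every O4 line and return (hive, key, name, program, reasons) tuples."""
    results = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            results.append((hive, key, name, split_command(cmd)[0], triage_entry(key, cmd)))
    return results
```

Feed the full O4 section of a log to `triage_log` and every entry with a non-empty reasons list is one to look up by file name before deleting.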
  • c16621 Hell, er, I mean MI
    edited October 2006
    The very last entry is my camera - so that one is fine. However you would be 1000% correct in your estimation of the funky keys.

    Now, I clean those up, and delete the apps in the listed paths, but - THEY KEEP COMING BACK!!:grr:

    Something is spawning them, that Ad-aware and HijackThis can't get rid of. I hard-boot in Safe Mode to keep anything bad from loading in memory, so I can get a good wiping of my system, but as soon as I finish and boot normally, that crap has returned, like a bad case of halitosis......

    Where is it spawning from? The depths of hell?
  • Trogan London, UK
    edited October 2006
    Hi,

    There are different infections on the computer, that require specific tools to clean up.

    The main reason why you're infected is because there is no Anti-virus or Firewall protection. Here are some Free programs for personal use, please select one - I'm not sure which will work for your OS.

    AV
    AVG Free Edition << I recommend this
    AntiVir
    avast! 4 Home Edition

    Firewall
    Zone Alarm << I recommend this
    Sunbelt Kerio PF
    Outpost Firewall


    Next, I would like to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.

    Post a new HijackThis log, along with the Uninstall list please.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2006
    I know for a fact that avg free will not install on Windows server. Can't speak for zonealarm, but generally you need server-specific versions of antivirus and security software for Win2K/2K3 server.

    He's right though, c16621. Running a server without antivirus is a step next to inexcusable. Chances are you have a nice fat virus on that machine. You need to invest in corporate-version AV software. I recommend Symantec AntiVirus Corporate (do not confuse this product with Norton Antivirus - NAV is crap, but Symantec's enterprise stuff is pretty decent).
  • Trogan London, UK
    edited October 2006
    ...or Kaspersky!?!?
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2006
    The server version of Kaspersky is not as easy to set up as SAVCE. The server version of AVG is a nightmare to setup. I speak from experience :(
  • c16621 Hell, er, I mean MI
    edited October 2006
    Thanks for the recommendations. I actually spent some good time researching all of the manuals and how-to's in the malware section of this site, and created my own General Guderian-like panzer blitz program for the box.

    I manually looked up each executable in the HijackThis log.

    I recorded every listed fix, and downloaded a list of fixes that would cover all the bases:

    SpywareBlaster
    Vundo
    Killbox
    Prevx1

    Based on my readings and printouts here, I designed a temp directory blitzing subroutine into the war on my self-inflicted "Axis of Evil" (Spyware, Trojans, Viruses)

    I loaded the stuff up, immediately updated all applicable def files, booted into safe mode, and put on my best pair of crotch-kickers, and went to town on those suckers. :necro: (I'm female, so I get to choose between steel-toed boot or pointy-toed flats to begin the gonad kickin' :) )

    Ad-Aware was junk for me, so I replaced it with Prevx. (I like that better. Will be buying a serial number for that software as soon as payday rolls around).

    After I ran Vundo and Killbox, I initiated the second part of my "pincer movement" - I cleaned every temp directory I could find.

    That crap was spawning from a temp directory!:honoes:

    I also double-verified that all the internet security configurations were compliant with an "IE security How-To" tutorial one of you fine gentlemen or ladies prepared for this site. (I'm big on reading your tutorials and "How-Tos"....:rockon: )

    After I finished my bit, I gave my box the "Full Monty" and hardbooted.

    My box is clean now!!!! Thanks Everybody!!!!!

    :thumbsup:
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited October 2006
    General Guderian, welcome to Short-Media. Do you happen to associate with Field Marshall Von Rundstedt? Both of you are more than welcome to visit as often as you wish and present to us your battle strategy and tactics to defeat malware. Ha ha...guess you can tell, I enjoyed your post.
  • c16621 Hell, er, I mean MI
    edited October 2006
    LOL - I'd prefer to think of myself as an Acolyte of Sun Tzu....

    But glad you liked the blow-by-blow of my "war on terror", er, I mean malware.

    I forgot to mention I still got minor cleanup to do, so I'm just gonna clean up my registry - there are some keys trying to load some dlls, that just aren't there anymore, so I gotta take a toilet-bowl brush to it and scrub off the crud ....

    The good thing is that I learned something. It's forced me to go back and "book up" on all the registry nonsense I've forgotten over the years.

    Ahhh, I'm still trying to determine if Windows servers are a Trick or a Treat....:wink:
  • c16621 Hell, er, I mean MI
    edited October 2006
    I know for a fact that avg free will not install on Windows server. Can't speak for zonealarm, but generally you need server-specific versions of antivirus and security software for Win2K/2K3 server.

    He's right though, c16621. Running a server without antivirus is a step next to inexcusable. Chances are you have a nice fat virus on that machine. You need to invest in corporate-version AV software. I recommend Symantec AntiVirus Corporate (do not confuse this product with Norton Antivirus - NAV is crap, but Symantec's enterprise stuff is pretty decent).

    ...I'm getting the email administrator to cut a serial-less Norton Corporate for me as we speak.

    That 2003 box is my home PC. It's so barebones, I don't even have Office on it. I just use it to hit a couple of boards, to get my .mp3s, and for monster and dice.com....

    This is why I was lax in getting the proper protection for it....I should have a fresh CD in my hands in about 10 minutes...

    ....I knew all those BBQ ribs I was bringing the email admin during the summer would pay off one day!:bigggrin:
  • Trogan London, UK
    edited October 2006
    Want to post a new HJT log for us to check?