Virus/ Worm on Win2003 Server


Mourad70007

Programmer
Jan 25, 2009
Hello all,
I have a malware on our server (Windows 2003 with Exchange) that causes the following:
1- I keep getting spam from all the users on the domain
2- When I try to search for "virus" on IE on the server, the search is blocked and no results are displayed !
3- The network is really slow (the server acts as the gateway as well)
I have downloaded ThreatFire, Malware bytes and others, but can't find anything !
Any ideas ?
 
Download HiJackThis, from the TREND MICRO website...

e.g. onto a USB Flash stick...

run it with logging feature, paste the log here for our perusal...

Note: read the log first, and make changes to sensitive data, e.g. IP addies, by replacing them with asterisks ...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
For the record, I've used Bitdefender's rescue disk. It found about 2000 infections and deleted them, but the problem still persists.
Here's the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:53 AM, on 1/26/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\locator.exe
D:\Program Files\Avira\AntiVir Exchange\Engine\savapi2s.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
D:\Program Files\Symantec\CMaF\2.0\bin\CmafReportSrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\tcpsvcs.exe
D:\Program Files\Exchsrvr\bin\exmgmt.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSECtrl.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSEUI.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSELog.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESJM.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSETask.exe
D:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
D:\Program Files\Exchsrvr\bin\store.exe
D:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\SPAMfighter\bin\SPAMfighter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SRNMIC~2\SOLOSENT.EXE
C:\PROGRA~1\SRNMIC~2\SOLOCFG.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server:8080
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Downloads\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~2\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~2\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~2\SYSCHECK.COM
O4 - HKLM\..\Run: [ThreatFire] d:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - D:\Downloads\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Downloads\GetRight\GRbrowse.htm
O15 - ESC Trusted Zone: [several dozen further Trusted Zone entries; the site names were stripped from the page]
O15 - ESC Trusted Zone: *.hotmail.com
O15 - ESC Trusted Zone: [further Trusted Zone entries; site names stripped from the page] (HKLM)
O15 - ESC Trusted IP range: [three entries; ranges stripped from the page]
O16 - DPF: {475DF11A-2BC2-41A9-8A97-E989E023E517} (SetupComponent Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O17 - HKLM\Software\..\Telephony: DomainName = MILMAR.COM.EG
O17 - HKLM\System\CCS\Services\Tcpip\..\{A710B035-825F-4331-A98C-CFB66F6D9AF6}: NameServer = 213.131.66.246,213.131.66.138,10.70.49.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8BF6E49-066B-4DF7-924D-CD25C488D446}: NameServer = 10.70.49.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Microsoft Exchange Event (MSExchangeES) - Unknown owner - D:\Program Files\Exchsrvr\bin\events.exe (file missing)
O23 - Service: Savapi-Service - Avira GmbH - D:\Program Files\Avira\AntiVir Exchange\Engine\savapi2s.exe
O23 - Service: Savapi-Update-Service - Unknown owner - D:\Program Files\Avira\AntiVir Exchange\Engine\DwldSvc.exe (file missing)
O23 - Service: Symantec Mail Security Utility Service (SAVFMSESpamStatsManager) - Unknown owner - D:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
O23 - Service: SPAMfighter - SPAMfighter ApS - C:\Program Files\SPAMfighter\bin\SPAMfighter.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - D:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE (file missing)
O23 - Service: ThreatFire - PC Tools - d:\Program Files\ThreatFire\TFService.exe

--
End of file - 11951 bytes
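Ben's two suggestions above, redacting addresses before a HijackThis log is posted and then reading the log for entries worth a second look, can both be scripted. The following is an added example written for this page; it is not a tool from the thread, from Trend Micro or from any poster. The log fragment it works on is constructed in HijackThis's section format (every path, host and address in it is made up), "internal" is defined as the RFC 1918 ranges, and the categories it flags (Trusted Zone entries, services with a missing binary or no recorded vendor, autostart entries, an unexpected proxy) are this example's own choice of what to review first.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format. The section codes (R1, O4, O15,
# O17, O23) are the real ones; every path, host and address below is made up.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = server:8080
O4 - HKLM\\..\\Run: [ExampleTray] D:\\Program Files\\Example\\tray.exe
O15 - ESC Trusted Zone: *.example-downloads.test
O15 - ESC Trusted Zone: *.hotmail.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7,192.0.2.9,10.70.49.1
O23 - Service: Example Update (ExUpd) - Unknown owner - D:\\Program Files\\Example\\upd.exe (file missing)
O23 - Service: ThreatFire - PC Tools - d:\\Program Files\\ThreatFire\\TFService.exe
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 ranges; listed explicitly rather than via ipaddress.is_private so the
# result does not depend on which special-purpose ranges a Python version counts.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # e.g. 999.1.1.1 matched the regex but is not an address
    return any(addr in net for net in INTERNAL_NETS)


def redact_ips(text, keep_private=False):
    """Replace IPv4 addresses with asterisks before a log goes on a public forum.
    With keep_private=True the RFC 1918 addresses stay (they describe the internal
    layout to helpers without exposing anything reachable from the Internet)."""
    def mask(match):
        candidate = match.group(0)
        if keep_private and is_internal(candidate):
            return candidate
        return "*.*.*.*"
    return IPV4.sub(mask, text)


def triage(text):
    """Return (category, line) pairs for entries an admin should verify by hand."""
    findings = []
    for line in text.splitlines():
        if line.startswith("O15 - ESC Trusted Zone:"):
            # every host listed here bypasses IE Enhanced Security Configuration
            findings.append(("trusted-zone", line))
        elif line.startswith("O23 - Service:") and (
                "(file missing)" in line or "Unknown owner" in line):
            # binary gone, or no vendor recorded in its version info
            findings.append(("service-check", line))
        elif line.startswith("O4 - "):
            # each autostart entry should map to a program the admin recognises
            findings.append(("autostart", line))
        elif "ProxyServer" in line:
            # an unexpected proxy is one explanation for blocked searches
            findings.append(("proxy", line))
    return findings


def summarise(findings):
    """Count findings per category, e.g. {'trusted-zone': 2, ...}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    print(redact_ips(SAMPLE_LOG, keep_private=True))
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

Run it against a saved HijackThis log by reading the file into `SAMPLE_LOG`'s place; the redacted text is what gets pasted to the forum, and the triage list is the order in which to check entries, not a verdict on any of them.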
 
I cannot see anything obvious in the log.
Did you run Malware bytes and the other AV Tools in Safe mode?

Do you have any way to run a network traffic analysis?

It's possible there is Malware on your network, but not necessarily on the server!







Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Thanks for your help.
The main problem is that I cannot load in safe mode. Whenever I try to boot in safe mode, I get a blue screen. Is it possible a virus could do that ??
I already did a scan using Malware bytes (in normal mode) but it found nothing.
I went ahead and disabled a lot of the services, and startup programs using HijackThis. Things appear to be normal now but the exchange services stopped working !
 
The main problem is that I cannot load in safe mode. Whenever I try to boot in safe mode, I get a blue screen. Is it possible a virus could do that ??

Unlikely: Make a note of the exact message that comes up on the blue screen and post it in the forum for your Operating system.

I already did a scan using Malware bytes (in normal mode) but it found nothing.
Malware bytes is very highly recommended at present. If it finds nothing at all, not even remnants, then there probably isn't anything to find.



I went ahead and disabled a lot of the services, and startup programs using HijackThis. Things appear to be normal now but the exchange services stopped working !
Hmmm, Viri and other Malware don't usually advertise themselves in the services list or the startup list.
Turn stuff back on one by one, until you get your functionality back!!




Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
It found about 2000 infections and deleted them, but the problem still persists.
This is a hell of a lot of stuff... maybe time to redo the server...

especially with all those 0-Day, warez, P2P sites and ad-sites that are listed in your TRUSTED ZONE... a sure fire way of getting malware...

besides that I can only concur with sggaunt...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
To be honest I did wonder about all that stuff on a commercial server! But not for us to comment!


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Thanks for all the suggestions.
I have done another scan with BitDefender Rescue disk. It cleaned everything up but the server is still terribly slow.
Frankly, I am starting to doubt there is still malware on the server- I think it's simply corrupted now.
I still get the spam email. But that may as well be coming from outside. The IP in the header is external. But that spam thing (appearing to be coming from users inside our network) only started recently.
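The question raised in the post above, whether spam that appears to come from internal users actually originated outside, is answered by the Received chain rather than the From line. The following is an added example for this page, not code from the thread or from any poster. Both messages it examines are constructed (hosts, ids and addresses are made up); it assumes `corp.example` as the internal mail domain, `exchange.corp.example` as the only relay whose Received lines can be trusted, and the RFC 1918 ranges as "internal". It deliberately stops reading at the first Received line written by a server that is not ours, because anything below that point could have been written by the sender.

```python
import email
import ipaddress
import re

# Constructed message 1: From claims an internal address, but the hop that
# handed the message to our Exchange server came from a public address.
SPOOFED_FROM_OUTSIDE = """\
Received: from mail.example.test (mail.example.test [203.0.113.10])
    by exchange.corp.example (Microsoft Exchange) id ABC123;
    Mon, 26 Jan 2009 10:24:53 +0200
Received: from [198.51.100.45] (helo=user-pc)
    by mail.example.test with smtp id XYZ789;
    Mon, 26 Jan 2009 10:24:50 +0200
From: someone@corp.example
To: someone.else@corp.example
Subject: constructed sample

body
"""

# Constructed message 2: submitted to Exchange directly by a LAN workstation,
# which is the pattern an infected internal host sending spam would show.
SENT_FROM_INSIDE = """\
Received: from WORKSTATION07 ([10.70.49.22])
    by exchange.corp.example (Microsoft Exchange) id DEF456;
    Mon, 26 Jan 2009 11:02:11 +0200
From: someone@corp.example
To: someone.else@corp.example
Subject: constructed sample

body
"""

INTERNAL_DOMAIN = "corp.example"                 # assumption for this example
TRUSTED_HOSTS = {"exchange.corp.example"}        # relays whose Received lines we wrote
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")


def is_internal(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def handoff_origin(raw_message):
    """Walk Received lines top-down (newest first). While the 'by' host is one
    of ours, the 'from' address is trustworthy; the first non-internal one is
    where the message entered our infrastructure. Stop at the first line
    written by a server we do not control."""
    msg = email.message_from_string(raw_message)
    last_internal = None
    for hop in msg.get_all("Received") or []:
        by = BY_HOST.search(hop)
        if not by or by.group(1).lower() not in TRUSTED_HOSTS:
            break
        ip = BRACKETED_IP.search(hop)
        if not ip:
            continue
        if is_internal(ip.group(1)):
            last_internal = ip.group(1)   # internal relay hop; keep walking
            continue
        return ("external", ip.group(1))
    if last_internal:
        return ("internal", last_internal)
    return ("unknown", None)


def classify(raw_message):
    """Combine the entry point with what the From header claims."""
    msg = email.message_from_string(raw_message)
    sender = (msg.get("From") or "").strip().lower()
    claims_internal = sender.endswith("@" + INTERNAL_DOMAIN)
    kind, ip = handoff_origin(raw_message)
    if kind == "external" and claims_internal:
        return ("external-spoofed-sender", ip)   # forged From, came from outside
    if kind == "internal":
        return ("internal-origin", ip)           # a LAN host submitted it
    return (kind, ip)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_FROM_OUTSIDE), ("inside", SENT_FROM_INSIDE)):
        print(label, classify(raw))
```

An `external-spoofed-sender` result means the mail server is not the source and a sender-authentication control at the edge is the relevant fix; an `internal-origin` result names the LAN address that needs to be isolated and cleaned, which is the case where the infection described later in the thread would show up.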
 
Somebody needs to get into big trouble because they probably got the malware/virus on the server by surfing the internet FROM the server. That is basically a big NO-NO.

If somebody wasn't surfing the web, was the machine not protected by Anti-malware or A/V or were the definitions not up to date? Again - a punishable offense.
 
sggaunt said:
...But not for us to comment!

Absolutely incorrect! When someone posts that they have malware or other problems on their SERVER and asks for help it is our duty to advise them that browsing questionable sites is bad enough if you do it from a client, it's a Worst Practice to do it from a server and deserving of comment.

I treat my server like an immune-deficient baby, only browsing the Web when absolutely necessary, protecting it from the world as best I can. If I need something from the Web, I download it on a client, scan for viruses, then store it to a shared folder on the server and install it from there. Safe computing is no accident...

Tony

Users helping Users...
 
Nobody coming onto a technical help forum needs people telling them that heads must roll.

Mourad70007:
It would be worth your time formatting and reinstalling that server, it sounds like a lost cause. The posts referring to browsing from the server are correct, it's not really advised.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Thank you all for your help. I know one shouldn't be browsing the internet from the server (it wasn't me actually)

UPDATE: I discovered we have "Sality.Y" virus all over the network. I can't format and reinstall the server now, it will take a long time and people are using the server.
Other infected computers would not boot in safe mode. Can this virus do this ? I've never seen this before. I am cleaning all the machines one by one.
 
A virus can do a lot of things, especially if it's got domain access rights on a server. You'll need to clean the workstations, and proof them against further infection (what AV are they running). Cleaning out and restoring the server should be done as soon as you can.

For reference, see the following link to that virus:


"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hey - I'm not trying to be mean or anything, but it's a reality that we are here to help and if helping means solving the problem and suggesting ways for it not to be a REPEAT OCCURRENCE, then that's what I'll do.

Server downtime due to incompetence is not acceptable where I come from. Sure, everybody makes a mistake once in a while, but if in fact (and we don't know this for sure) the malware was gotten first on the server from surfing the web, I'd be real worried.
 
He's explained it wasn't him ...
He's aware of best and worst practices now ...
We don't know where he works, or for whom, or whether they have a decent Internet Acceptable Use Policy ...

"Learn from the mistakes of others, you'll never grow old enough to make them all yourself" --Martin Vann Bee

Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments ;-)
 
Mourad 70007 said:
I can't format and reinstall the server now, it will take a long time and people are using the server.
If you are only cleaning one computer at a time and that computer is then reconnected to the network then it risks being reinfected by the server or another infected machine since it appears that your anti-virus solution isn't catching it.


Sality.Y has been around since March of 2007. I'm surprised that your anti-virus solution didn't pick up the infection before it spread. Surely it can't have been on your network for almost two years? Sality.Y is a key logger so once you get your entire network clean I would force a change of all passwords.

Cheers.
 
PaulTEG said:
We don't know where he works, or for whom
MILMAR SHIPPING COMPANY, 8 Ahmed Orabi st, Alexandria, Egypt. Would be my humbly educated guess...

PaulTEG said:
He's aware of best and worst practices now ...
quite correct, and what he should do as well...

cmeagan656 said:
Sality.Y is a key logger so once you get your entire network clean I would force a change of all passwords.
GOOD advice...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Network World has an article about a product called Reimage that might be what you are looking for. I can't vouch for it personally but it might be worth a shot.



James P. Cottingham
I'm number 1,229!
 