Citrix Server Compromised - Help


I posted this on BleepingComputer.com. I see that they have been swamped and provide very useful information; however, the lead time right now seems to be at least a week or two. I have a production server that picked up some stuff, and generally I run MalwareBytes every 2 weeks to 30 days; however, with this infection, I am not having success. So, I'm trying to figure out next steps. Any help you can provide, I am totally grateful for.

Thoughts on next steps:

Reset all user sessions

Disconnect from the Network

Boot into SafeMode and Run MalwareBytes

If this is not successful, I am considering removing my Symantec Endpoint Anti-Virus and installing AVG Free to run a scan on the box. Not ideal, but getting frustrated.

Here's the post from BleepingComputer.com if it sheds more light.

Thanks.

My server is a Dell PowerEdge running Windows 2000 SP4, Citrix MetaFrame XP and Symantec Endpoint virus protection, with limited space. Though it isn't the ideal situation and it has some issues which have been posted in other questions, it's been hobbling along OK until today.

To try and fix it, I have tried MalwareBytes Anti-Malware, but it freezes about 12 seconds into the scan; the timer keeps going but it sits in this state for hours. Process utilization stopped, just hung; I let it sit and sit. I rebooted the system and tried the same in Safe Mode, but it wouldn't work there either. Tried again later after I noticed that IEXPLORE.EXE was spawning on its own. I terminated the IE windows and it seemed it was running better, but it still hung up.

Started Super Anti-Spyware since Malwarebytes was hanging.

Super Anti-Spyware ran but got hung on c:\pogra~1\common~1\symant~1\RCEMLPXY.DLL. It did find Adware.Vundo Variant/ACE. This is where it's been for 3 hours now as it won't let me move forward in the scan, cancel the scan or kill the scan.

I terminated the IE sessions again as there was no browser activity, and it failed on the same file again.

I originally posted in the wrong forum, so I have run the script as recommended. Posted are the results from the DDS.txt file. The Attach file is attached.

I apologize if I am still doing something wrong here. Just desperate to get my users working again.

Thanks in advance for your help.

Below are the DDS Logs....

DDS (Ver_09-02-01.01) - NTFSx86

Run by jnordeng at 9:56:42.19 on Thu 03/12/2009

Internet Explorer: 6.0.2800.1106

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Company

uInternet Settings,ProxyOverride = <local>

mSearchURL = hxxp://www.google.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java
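A small triage helper, added here as an example and not part of the original post or of the DDS tool, that parses the "Pseudo HJT Report" section of a DDS log in the layout shown above and flags BHO entries worth a closer look (an unnamed BHO, or a DLL with a random-looking file name). The sample report is constructed: the second BHO line and its CLSID are made up, reusing only the file name the scanner hung on, and the vowel-ratio heuristic is an assumption of this example, not a rule DDS applies.

```python
import re

# Constructed sample in the layout DDS prints (modelled on the post above).
# The second BHO line is invented; its CLSID is a placeholder, not a real indicator.
SAMPLE_REPORT = r"""============== Pseudo HJT Report ===============
uWindow Title = Microsoft Internet Explorer provided by Company
uInternet Settings,ProxyOverride = <local>
mSearchURL = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {deadbeef-0000-4000-8000-000000000001} - c:\progra~1\common~1\symant~1\RCEMLPXY.DLL
"""

# "BHO: <name>: {CLSID} - <path>"; the name is absent when the BHO registers none.
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+)$", re.I
)


def parse_report(text):
    """Split the pseudo-HJT section into key=value settings and BHO records."""
    settings, bhos = {}, []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m.group("name") or "",
                         "clsid": m.group("clsid").lower(),
                         "path": m.group("path")})
        elif " = " in line:
            key, value = line.split(" = ", 1)
            settings[key] = value
    return {"settings": settings, "bhos": bhos}


def looks_random(filename):
    """Heuristic (assumption): a long file stem with under 20% vowels reads as generated."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage_bhos(bhos):
    """Return (clsid, dll_name, reasons) for each BHO that deserves a manual look."""
    findings = []
    for b in bhos:
        dll = b["path"].replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if not b["name"]:
            reasons.append("no registered name")
        if looks_random(dll):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((b["clsid"], dll, reasons))
    return findings
```

Flagged entries are leads for checking the DLL's publisher and on-disk location before anything is removed, not a verdict on their own.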
