
Server 2008 R2 SP1 system_minerd.exe and svchostl.exe keep coming back! Please help



We have a Server 2008 R2 SP1 running. We have an RDC connection port.

 

We were told we have a lot of activity by our service provider, and the internet was extremely slow.

 

We saw that two processes were running:

System_Minderd.exe

svchostl.exe

 

We also saw that they were running from the following folders:

C:\Windows\ltc-miner2

C:\Windows\tanechka

 

We stopped both processes from running, as well as renaming those two folders. As soon as we stop the processes, internet looks fine (no slowdown). We have changed the Windows password, as well as the public port for RDC. We have run MalwareBytes (with the update) with no luck. After a few hours (or after a day or two), the processes run again and the folders are created. We have recently installed Symantec Endpoint Protection Small Business Edition v12.

 

I've been looking around endlessly for some help online but I haven't found anything.

 

Of course, DDS does not run on this system. Any help would be appreciated!


  • Root Admin

What does Symantec Endpoint find?

 

Part of the issue with a Server is that many of the tools used to scan and clean desktop computers don't run on servers. 

Let's see if this one will.

 

 

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit
 

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.

 

 


Symantec doesn't show anything.

I also should add I believe at some point we have run ComboFix.

 

Here's the log:

 

RogueKiller V8.7.1 _x64_ [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 10/03/2013 16:26:48
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 8 ¤¤¤
[iFEO] HKLM\[...]\notepad.exe : Debugger ("C:\Program Files\Notepad2\Notepad2.exe" /z [-]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 22 ¤¤¤
[V1][sUSP PATH] At1.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At10.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At11.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At2.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At3.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At4.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At5.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At6.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At7.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At8.job : c:\windows\backup009.cmd [-] -> FOUND
[V1][sUSP PATH] At9.job : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At1 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At10 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At11 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At2 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At3 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At4 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At5 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At6 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At7 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At8 : c:\windows\backup009.cmd [-] -> FOUND
[V2][sUSP PATH] At9 : c:\windows\backup009.cmd [-] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - DELL PERC S100/S300 SCSI Disk Device +++++
--- User ---
[MBR] 4ed4118923ad296bb7a3822a3cf2892b
[bSP] b6d3bf40ddd7634b4b1fc913e02accca : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 3072 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 6373376 | Size: 40960 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 90259456 | Size: 432333 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_10032013_162648.txt >>
RKreport[0]_S_10022013_153000.txt

  • Root Admin

You didn't run Combofix on a Server I know for sure as it specifically does not support server.

 

What is with all the old AT tasks?  Server 2008 should be running scheduled tasks not AT tasks. Those are from like back in the old Windows 95 days, still supported but not normal.

 

Look at them and if not legit remove all of them.

 

 

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.



If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 
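The advice above is to look at each AT task and remove the ones that are not legitimate. As an added example (not from anyone in this thread), the following PowerShell script does the "look at them" part on a Server 2008 R2 host using only the built-in schtasks.exe, since the Get-ScheduledTask cmdlets only arrived with Server 2012. It lists every task whose action runs from outside a small set of trusted directories and groups them by the flagged path, so a cluster like the eleven At* jobs all pointing at c:\windows\backup009.cmd in the RogueKiller log stands out immediately. The list of trusted roots is an assumption you should adjust for your own server; the script only reports and deletes nothing.

```powershell
# Added example, not from this thread: inventory scheduled tasks on Windows Server
# 2008 R2 with the built-in schtasks.exe and flag every task whose action runs from
# outside a small set of trusted directories. The script only reports.

# Directories a legitimate task action normally runs from (assumption; extend per server).
# Note that C:\Windows itself is deliberately NOT trusted, so scripts dropped there
# (c:\windows\backup009.cmd in the log above) are flagged.
$trustedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }   # on a 32-bit host the x86 entry expands to nothing

function Get-TaskInventory {
    # Verbose CSV output repeats the header row for each task folder; drop those
    # pseudo-rows, and skip tasks that have no single action path to inspect.
    schtasks.exe /query /fo CSV /v |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and
                       @('N/A', 'Multiple actions') -notcontains $_.'Task To Run' }
}

function Get-ActionPaths {
    param([string]$Action)
    # Expand %SystemRoot%-style variables, then tokenise: quoted strings stay whole,
    # everything else splits on whitespace. Return only tokens that are absolute
    # paths, so "cmd.exe /c c:\windows\backup009.cmd" yields the script path too.
    $expanded = [Environment]::ExpandEnvironmentVariables($Action)
    foreach ($m in [regex]::Matches($expanded, '"([^"]*)"|(\S+)')) {
        $token = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if ($token -match '^[A-Za-z]:\\') { $token }
    }
}

function Test-UntrustedPath {
    param([string]$Path)
    # True when the path is not beneath any trusted root (case-insensitive).
    $p = $Path.ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($p.StartsWith($root.ToLowerInvariant())) { return $false }
    }
    return $true
}

$findings = foreach ($task in Get-TaskInventory) {
    $flagged = @(Get-ActionPaths $task.'Task To Run' | Where-Object { Test-UntrustedPath $_ })
    if ($flagged.Count -gt 0) {
        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            TaskName = $task.TaskName
            RunAs    = $task.'Run As User'
            Author   = $task.Author
            LastRun  = $task.'Last Run Time'
            Action   = $task.'Task To Run'
            Flagged  = ($flagged -join '; ')
        }
    }
}

# Group by flagged path: many tasks sharing one script outside the trusted roots
# (eleven At* jobs -> one .cmd in the log above) is the pattern to read first.
$findings | Group-Object Flagged | Sort-Object Count -Descending | ForEach-Object {
    "{0,3} task(s) -> {1}" -f $_.Count, $_.Name
    $_.Group | ForEach-Object {
        "      {0}  (runs as {1}, last run {2})" -f $_.TaskName, $_.RunAs, $_.LastRun
    }
}

# Legacy AT jobs also exist as .job files; their timestamps show when they were planted.
Get-ChildItem "$env:SystemRoot\Tasks\At*.job" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

# Review each flagged script before acting. A job confirmed as malicious can then be
# removed with, for example:  schtasks.exe /delete /tn At1 /f   (intentionally not run here)
```

Run it from an elevated PowerShell prompt so that tasks created by other accounts are included. The column names ("Task To Run", "Run As User", "Last Run Time") are those of the English schtasks output; on a localized Windows they differ and would need adjusting. Keep a copy of each flagged script's contents and the .job file timestamps before deleting anything, since that is the evidence of what the tasks actually did and when they were created.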

Since I can't reboot the server right now, I will be running it without the loaded modules (I will send you another log when I can reboot it). Also, Symantec FOUND svchostl.exe and blocked it, but system_minerd.exe was running. Here is a screenshot of Symantec finding the svchostl.exe, as well as the attached log of TDSSKiller (although of course I'll be doing it again).

 


TDSSKiller.3.0.0.11_04.10.2013_09.36.15_log.txt


  • Root Admin

I realize this is a server and rebooting it is not a desirable thing but you need to speak with upper management and let them know that the system is infected and could potentially be putting your data at risk of corruption, theft, or possibly compromise other systems connected to it depending on what this infection really is.

 

If needed you might need to run an offline scan if the live antivirus cannot stop it.

 

 

 

You can download the following tool from Kaspersky and burn it to CD from a clean working computer and then boot from it on the affected computer.

 

Make sure you watch this video which describes how to create the CD to use it.

 

How to create the Kaspersky Rescue Disk 10 CD

 

 

Please visit the Kaspersky site and review the information and then download and burn the ISO image to CD to use on the affected computer.

Make sure you update the definitions for Kaspersky before doing the actual scan.  Make sure to also write down what it finds or does as some users have trouble saving and accessing the log afterwards.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.