
Morning all,

I have already created a ticket in the business support section, where it said 3 to 4 days for a reply. Well, we're down: no one is working, and the program we paid money for won't run either.

The rootkit tool errors out with a DB error, Chameleon hangs on killing known processes, FileASSASSIN does not work, and I even ran TDSSKiller and a couple of others.

I know dllhost.exe and dllhst3g.exe (COM Surrogate) are on the server and cannot be removed as yet by any of the above.

Does this product run on virtual systems?


Thanks for your help Ron.

You said 3 logs in your post, but the link only had two log sets, which I have attached. One user in particular seems to be more in the middle of things than the others: CLS.

Malwarebytes was uninstalled with the MBAM-CLEAN app and not reinstalled yet. dllhst3g.exe and dllhost.exe*32 seem to show up in the processes, but not in huge numbers, maybe 4 or 5 instances at most at a time, and only ever just one of dllhst3g.exe. When I could get MBAM to run a scan, it and any other virus or malware scans I've done did not pick up or flag either of those two files, not even as false positives; the scans come back clean.

FRST.txt

CheckResults.txt

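The post above describes several dllhost.exe / dllhst3g.exe instances that no scanner flags. The practical check for a COM Surrogate process is not its name but where the image lives, whether it carries a valid Microsoft signature, and who spawned it. The following script is an added example written for this editorial pass; it is not from the original thread and not Malwarebytes code. It assumes Windows PowerShell 2.0 or later (it uses Get-WmiObject rather than Get-CimInstance so it also runs on Server 2008) and an elevated prompt, since Win32_Process does not expose the executable path of processes you cannot open.

```powershell
# Added example (not from the original thread): report every running dllhost.exe /
# dllhst3g.exe instance with its image path, Authenticode status, signer and parent.
# A COM Surrogate should live under %SystemRoot%\System32 (or SysWOW64 for the *32
# instances Task Manager shows), be validly signed by Microsoft, and normally carry a
# /Processid:{GUID} command line handed to it by the DCOM launcher.
function Get-ComSurrogateReport {
    $expectedDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )

    $procs = Get-WmiObject Win32_Process |
        Where-Object { $_.Name -match '^(dllhost|dllhst3g)\.exe$' }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath            # $null when the process could not be opened
        $dir  = if ($path) { Split-Path $path -Parent } else { $null }

        $inExpectedDir = $false
        foreach ($d in $expectedDirs) {
            if ($dir -and ($dir -ieq $d)) { $inExpectedDir = $true }
        }

        $sig = $null
        if ($path -and (Test-Path $path)) { $sig = Get-AuthenticodeSignature $path }
        $sigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        $signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Parent process: normally svchost.exe (DcomLaunch) or explorer.exe. A different
        # parent is not proof of anything on its own but is worth a second look.
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # Flag anything that breaks one of the three expectations above.
        $suspicious = (-not $inExpectedDir) -or
                      ($sigStatus -ne 'Valid') -or
                      ($signer -notmatch 'Microsoft')

        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            Parent      = $parentName
            CommandLine = $p.CommandLine
            Signature   = $sigStatus
            Signer      = $signer
            Suspicious  = $suspicious
        } | Select-Object PID, Name, Path, Parent, Signature, Signer, Suspicious, CommandLine
    }
}

Get-ComSurrogateReport | Format-Table -AutoSize
```

A row with Suspicious set to True, or with an Unknown signature because the path could not be read, is what to chase: compare the image's hash against a clean copy from another machine and look at the parent's own path and signature the same way. A clean report, on the other hand, is consistent with what the poster saw, namely ordinary surrogate processes that a scanner has no reason to flag.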

  • Root Admin

The reason there is not a third file is because someone already ran FRST on this server before. Now you have to manually place a check mark in the Additions.txt check box to get the second Additions log file.

Please download and run RKILL and post back the log.

http://www.bleepingcomputer.com/download/rkill/

Make sure you have a backup of the server, as malware removal can potentially be dangerous and possibly break networking or booting. It is rare, but it happens, and you don't want to be caught with your pants down, so to speak.

Then run the following with your antivirus temporarily disabled.

Please download Malwarebytes Anti-Rootkit from HERE

If needed there is a self help tutorial here: MBAR tutorial

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

Hello Alowishus,

Currently Malwarebytes Anti-Malware is not supported on server operating systems. We hope to have this capability in the future but for the time being it is only supported on client operating systems.

Ron will continue to assist as best he can, since it can be difficult to predict the outcome of Malwarebytes Anti-Malware when installed on an unsupported platform.

Thank you for your understanding

So do you mean the product we bought, Malwarebytes Anti-Malware for Business, will not run on server OSs (like a virtual 2008 terminal server running on a 2012 box), or that you just do not have support for that product in place yet? Obviously I must have misread the website, because I thought it said it runs on server platforms, besides 2003 of course.

Thanks

Ron,

We've done a restore to before the issue started with the user, then locked down all apps from running on the box except for any already allowed by machine policy. So now nothing that isn't already approved can run; they may be downloaded, but they cannot get installed. That, going forward, will be the new policy for anyone on the server.

I haven't tried reinstalling Malwarebytes Anti-Malware for Business yet, but based upon Oscar's post I'm not sure I want or need to if it is not functional for our purposes.

Just an FYI: before, when all this was happening, I did try to run the MBAM rootkit tool, and that errored out with the DB error that others have posted about.

I'll post the logs you requested ASAP.

Again, thank you for your help and your time with this matter. 

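The post above describes the mitigation that actually ended the incident: an allow list under which only executables already approved by machine policy can run, so a downloaded binary can land on disk but not start. Whether that holds depends on three things that are easy to get wrong, and the script below checks them. It is an added example for this editorial pass, not code from the thread or from Malwarebytes, and it assumes the lockdown was done with AppLocker (Server 2008 R2 or later, run from an elevated prompt); if Software Restriction Policies were used instead, the AppLocker module does not apply and the equivalent check is the SRP security level and path rules in secpol.msc.

```powershell
# Added example (not from the original thread): verify that an AppLocker allow list is
# actually enforced and that it blocks a binary dropped into a user-writable location.
Import-Module AppLocker

# 1. Nothing is enforced unless the Application Identity service is running, and it has
#    to start automatically or the policy silently lapses after the next reboot.
Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, State, StartMode

# 2. Every rule collection must be in Enabled mode; AuditOnly only writes event log
#    entries and NotConfigured means the collection is not evaluated at all.
(Get-AppLockerPolicy -Effective).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode

# 3. Probe the decision logic. Copy a legitimate, Microsoft-signed binary into %TEMP%
#    (a user-writable path, constructed for this example) and ask the effective policy
#    whether an ordinary user could run it from each location.
$system32Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
$probe = Join-Path $env:TEMP 'applocker-probe.exe'
Copy-Item $system32Notepad $probe -Force
try {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $system32Notepad, $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
} finally {
    Remove-Item $probe -Force
}
```

The expected result is Allowed for the copy under System32 and Denied (or DeniedByDefault) for the copy in %TEMP%. If the probe comes back Allowed, the policy is matching on the publisher rather than the path, which means any signed binary, including one a user downloads, runs wherever it is dropped; the fix is to scope publisher rules to the products you need or to rely on path and hash rules for user-writable areas.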

Alowishus,

I won't get in the middle of troubleshooting efforts with Ron, but I wanted to respond for Oscar (he's out today).

Anti-EXPLOIT runs on the platforms you mentioned, but Anti-MALWARE runs only on client operating systems (XP, Vista, 7, 8, 8.1). Under certain circumstances it will work, but the list of good/not so good results is extremely fuzzy because it has never been fully tested with a server OS. It will definitely cause serious issues with Terminal Server. The website requirements are clear, but I think you read the Anti-EXPLOIT requirements.

We hope to be able to offer support for servers in the future, but it is not clear what that may entail at this time. Before anyone reading this asks what the meaning of "future" is, there is no projected date of availability as of this time.

I hope this helps.

Thanks Mike, love the avatar btw.

I misunderstood: where it said supported OSs, I took that to mean the app would run/work on that OS, not that it was just for the management console. My mistake, and too bad too; upper management as well as the IT staff love your product, and it was the first we went for when looking for something to throw on the terminal server.

Ron, I ran RKILL and the only thing it found was the HOSTS file entries, which are all as they should be. I couldn't get the rootkit tool to run before and still cannot; it errors out with "can't initialize database".

Based upon everything, I think you can close this ticket. The app won't run as we need/want it to on the box we need/want it to, and the bugs that were there are gone now. Although I would love to have you work on getting this to run on our server, it doesn't sound like it can or will, or will even be made to any time soon, and I'm sure your time is very limited, so I don't want to waste any more of it.

Again, thank you all for your time and help.
