15 minutes ago, Kso said:

Let me know if you need more information.

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you

NEXT: Create and obtain an mb-check log

  1. Download MB-Check and save it to your desktop
  2. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  3. This will produce one log file on your desktop: mb-check-results.zip
  4. Attach this file to your forum post by clicking on "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

1 minute ago, Porthos said:

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

Hey there Porthos, I already attached mb-check-results.zip in the first post.

Edited by Kso

  • Root Admin

Hello @Kso and :welcome:

The computer appears to probably be infected. I'm going to move your topic to the Malware Removal section and assist you.

Are other computers on your network affected? Are they able to access the Internet or our keystone server okay?

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

Ron


15 hours ago, AdvancedSetup said:

Hello @Kso and :welcome:

The computer appears to probably be infected. I'm going to move your topic to the Malware Removal section and assist you.

Are other computers on your network affected? Are they able to access the Internet or our keystone server okay?

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

Ron

Thanks AdvancedSetup for the advice!

No other computers are affected on our network, but this is our last remaining Windows Server 2003 machine, so that is most likely the reason.

I will be away for a week from today, but I will pass this onto my colleague to do after hours.

I will report back on its result. :)

Edited by Kso

20 minutes ago, Kso said:

Thanks AdvancedSetup for the advice!

No other computers are affected on our network, but this is our last remaining Windows Server 2003 machine, so that is most likely the reason.

I will be away for a week from today, but I will pass this onto my colleague to do after hours.

I will report back on its result. :)

@AdvancedSetup Actually, he did the scan just now, and no threats were found. Any other ideas on how to proceed?

To give you a little bit of background on this server, it was running fine up until last week but all of the sudden it got infected with what I believe is trojan.bitcoinminer. This page here best describes the infection and symptoms - https://www.hybrid-analysis.com/sample/b2dcb91ee68104ba728a2dfc2d35db25602d8f73ec26abebcb4719216257f24e?environmentId=100

We restored the server (only the system drive) back to a day before the infection and we installed Kaspersky anti-virus. It picked up infected files and removed them (however, Kaspersky couldn't update its definitions). It ran fine for 2 days before it got infected again - same behaviour as above.

Again, we restored the server (only the system drive), but this time to a July image, and this time we installed Cylance (our organisation is now running Cylance, however at the time of implementation it didn't have a Server 2003 32-bit installer). Cylance installed fine, but it could not contact the Cylance cloud. But again, the server seemed ok for 2 days before it got infected again - same behaviour as above.

Now we're onto a 3rd image restore, this time a system drive image from April. We purchased Avast (and we also had a spare licence for Malwarebytes), installed both but cannot get either to activate. We scanned with Malwarebytes, which did not pick up any threats, ran CCleaner, and also scanned with Avast, which picked up a seemingly unrelated threat on our D:\ - which we have cleaned.

This is where we're at right now.


  • Root Admin

You don't need a license to scan, or remove threats with Malwarebytes. You only need the license for live active protection. After the fact then using it as an on-demand scanner will do scan and clean for free. But, obviously preventing the infection from happening in the first place is the point.

Okay, well if we don't find anything, and Avast does not either - it seems odd it would come back, unless it is being somehow re-infected from another system or someone browsing, email, etc from this computer.

I've not tried this, but since you've removed Kaspersky, this tool should still hopefully install, scan, and remove for free too.

Please download and run the following tool to remove any found threats

Kaspersky Virus Removal Tool

Let me get some FRST logs too please.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

8 minutes ago, AdvancedSetup said:

Let me get some FRST logs too please.

Attached the 2 files.

12 minutes ago, AdvancedSetup said:

Please download and run the following tool to remove any found threats

Kaspersky Virus Removal Tool

I ran this, and it didn't find anything. Could very well be that the April image of the server doesn't contain the virus, but it's just worrying that we cannot activate.

13 minutes ago, AdvancedSetup said:

You only need the license for live active protection.

Yes, because the server is seemingly re-infecting itself randomly, I want Malwarebytes activated for the live active protection. But not sure why the server cannot contact any https sites (which is most probably why it cannot activate?)

Addition.txt

FRST.txt


  • Root Admin

Not sure if this will run on server or not but give it a try

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
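
The "List content of Hosts" output from MiniToolBox is where a hosts-file hijack of vendor update and activation domains would show up, and such hijacks are one common cause of the symptoms reported in this thread (definitions not updating, products not activating). As an added example that is not from this thread or from any vendor tool, here is a small Python triage script run over a constructed hosts file; the watchlist of domain suffixes and the sample entries are assumptions for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not the thread's real log output).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.kaspersky.com        # constructed: vendor updates sinkholed
0.0.0.0         activation.malwarebytes.com # constructed: activation blocked
192.0.2.10      www.avast.com               # constructed: redirected to TEST-NET
10.0.0.5        intranet.corp.local
::1             localhost
"""

# Assumption: vendor domain suffixes a defender would question in a local hosts file.
WATCHLIST_SUFFIXES = ("kaspersky.com", "malwarebytes.com", "avast.com",
                      "cylance.com", "microsoft.com", "windowsupdate.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def classify(ip, name):
    """Return None when an entry is unremarkable, otherwise a short verdict."""
    if name == "localhost":
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"          # garbage in the hosts file is itself a finding
    watched = any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)
    if not watched:
        return None                 # intranet names are expected in a hosts file
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"            # vendor host sinkholed to 127.0.0.1 / 0.0.0.0
    return "redirected"             # vendor host pointed somewhere else entirely

def triage_hosts(text):
    """Return suspicious entries as (ip, hostname, verdict) tuples."""
    verdicts = ((ip, name, classify(ip, name)) for ip, name in parse_hosts(text))
    return [finding for finding in verdicts if finding[2]]
```

Running `triage_hosts` over the real Hosts section of Result.txt lists only the entries worth asking about, so the rest of the log can be left alone.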


  • Root Admin

Okay, notice how your DNS server is unknown. That is not normal in a local company network. Most computers should know their DNS server. There are cases where one would hide a DNS server name but again, not normal.

For now, on this computer please try changing the DNS server to the Google Public DNS servers and try again.


3 minutes ago, AdvancedSetup said:

Okay, notice how your DNS server is unknown. That is not normal in a local company network. Most computers should know their DNS server. There are cases where one would hide a DNS server name but again, not normal.

For now, on this computer please try changing the DNS server to the Google Public DNS servers and try again.

I'll get my sysadmin to look into it.

Thanks for all the help, really appreciate it.


18 minutes ago, AdvancedSetup said:

Please download MiniToolBox save it to your desktop and run it.

Attached the file.

3 minutes ago, AdvancedSetup said:

Okay, sounds good.

So are all web pages not showing https correctly?

Yes, anything starting with https I get "Internet Explorer cannot display the webpage". Non https websites are loading.

MTB.txt


7 minutes ago, AdvancedSetup said:

Okay, since you have a backup image of the server, please run the following.

Post back the logs

Thanks @AdvancedSetup I will forward this to the sysadmin to do as it will result in an outage. 

I'm away for a week after today, so I'll report back when I'm back at the office.

Thanks for all your help.
