Jump to content
Josefresca

HELP REMOVING MALWARE INFECTION ON WINDOWS SERVER 2003 Terminal Server

Recommended Posts

Hello,

It seems that my terminal server is infected with dwm.exe, shell.exe and svchost.exe. I run malwarebytes and it removes it but when I reboot and my users log back in the files come back. Any help will be greatly appreciated. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4927

Windows 5.2.3790 Service Pack 2

Internet Explorer 8.0.6001.18702

10/28/2010 10:07:34 PM

mbam-log-2010-10-28 (22-07-34).txt

Scan type: Quick scan

Objects scanned: 860020

Time elapsed: 1 hour(s), 41 minute(s), 1 second(s)

Memory Processes Infected: 11

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 15

Memory Processes Infected:

C:\Documents and Settings\aimee\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\coolera\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\coolerb\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\LECTURA5\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\PSalidas\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\natuflora\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

C:\Documents and Settings\aimee\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

C:\Documents and Settings\coolera\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

C:\Documents and Settings\coolerb\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

C:\Documents and Settings\LECTURA5\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

C:\Documents and Settings\PSalidas\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\natuflora\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\RECYCLER\S-1-5-21-1993962763-1606980848-725345543-4133\Dc5.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\natuflora\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\aimee\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\coolera\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\coolerb\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\LECTURA5\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\PSalidas\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\natuflora\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\aimee\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\coolera\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\coolerb\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\LECTURA5\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\PSalidas\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\Documents and Settings\aimee\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\aimee\Start Menu\Programs\Startup\chkntfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Share this post


Link to post
Share on other sites

Hello,

I would like to try to remove these infections please let me know how to go about doing this.

Thanks,

Jose

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Share this post


Link to post
Share on other sites

Okay.

Are you a corporate customer??

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.