Malware infection

Hi all,

Recently, around last week, my company's server, which is running Windows Server 2008, was infected by malware as well as trojans. Not only does it affect my server's performance, it also injects itself into various files within the System32 and SysWOW64 folders and many other places. Also, for some strange reason, it prevents my server from rebooting into Windows normally, showing "Attempting to boot from hard drive C:" every time it restarts (even after a complete scan to completely remove it). I used the Kaspersky Anti-Virus Removal Tool as well as MBAM (updated to the latest database) to scan the server.

I successfully cleared it off on Saturday. However, it managed to infect my server again the next day, which puzzles me. So I am here to seek guidance from the experts to help me solve it, as this server is the main operational server in my company. Thanks.

Filenames of infection: E001.exe, F001.exe, K001.exe, yoeski.exe, rozhuq.exe and many other funny names

Copy of the DDS log

DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by Administrator at 13:49:34.89 on 17/01/2011

Internet Explorer: 8.0.6001.18999

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = res://iesetup.dll/HardAdmin.htm

uDefault_Page_URL = res://iesetup.dll/HardAdmin.htm

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

mRun: [kavtray] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavtray.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: ShowSuperHidden = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

TCP: {620A1AAD-7803-4DFA-B567-F37C091D7C2D} = 208.67.222.222,208.67.220.220

Handler: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files (x86)\Compaq\hpadu\bin\hpapp.dll

LSA: Notification Packages = scecli RASSFM

mASetup: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

mASetup: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

=============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2011-11-01 10:05:21 388608 ----a-w- C:\Windows\SysWow64\runup.dll

2011-11-01 10:05:18 7168 ----a-w- C:\Windows\SysWow64\uk1jdw.dll

2011-11-01 10:04:53 7680 ----a-w- C:\Windows\SysWow64\lruicr.dll

2011-01-17 05:49:37 81 ----a-w- C:\Windows\DelCache.bat

2011-01-17 05:45:56 -------- d-----w- C:\Windows\SysWow64\1JJUHWT0

2011-01-17 05:40:49 -------- d-----w- C:\Windows\SysWow64\0U5FU3NG

2011-01-17 05:22:27 201240 --sh--w- C:\Windows\SysWow64\wairaprnlib.dll

2011-01-17 05:22:27 119988 ----a-w- C:\Windows\SysWow64\acmkyq.exe

2011-01-17 05:06:30 0 ----a-w- C:\Windows\SysWow64\mss.exe

2011-01-17 05:06:26 176128 ----a-w- C:\Windows\SysWow64\mcsql.exe

2011-01-17 01:37:11 18816 ------w- C:\Windows\SysWow64\SAVRKBootTasks.sys

2011-01-17 01:22:41 6144 ------w- C:\Windows\System32\164F.tmp

2011-01-17 01:21:42 6144 ------w- C:\Windows\System32\2F4A.tmp

2011-01-17 01:21:31 -------- d-----w- C:\Program Files (x86)\Sophos

2011-01-17 01:12:20 -------- d-----w- C:\Windows\SysWow64\wbem\Logs

2011-01-16 13:34:26 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-01-16 13:34:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-01-16 13:27:57 352 ----a-w- C:\PROGRA~3\123.bat

2011-01-16 13:27:55 25205248 ----a-w- C:\PROGRA~3\lanmao.exe

2011-01-16 13:27:43 -------- d-----w- C:\downloads

2011-01-16 08:14:02 -------- d-----w- C:\Windows\share

2011-01-16 07:04:09 40961 --sh--w- C:\Windows\SysWow64\MiaoshaXP.exe

2011-01-15 04:12:46 -------- d-----w- C:\Program Files\SAP

2011-01-15 01:53:13 24576 ----a-w- C:\Windows\System32\EventLogDLL.dll

2011-01-15 01:53:13 24576 ----a-w- C:\Windows\System32\ErrorLogDLL.dll

2011-01-14 16:44:21 44544 ----a-w- C:\system

2011-01-14 14:39:00 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2011-01-14 14:39:00 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy

2011-01-14 14:34:06 -------- d-----w- C:\Program Files (x86)\SpywareBlaster

2011-01-14 14:34:01 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\Malwarebytes

2011-01-14 14:33:33 -------- d-----w- C:\PROGRA~3\Malwarebytes

2011-01-14 14:33:25 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-01-14 03:21:19 40464 ----a-w- C:\Windows\System32\drivers\39455142.sys

2011-01-14 03:21:19 352784 ----a-w- C:\Windows\System32\drivers\3945514.sys

2011-01-14 03:21:19 157712 ----a-w- C:\Windows\System32\drivers\39455141.sys

2011-01-11 02:22:34 -------- d-----w- C:\Program Files\WindowsUpdate

2011-01-11 02:22:34 -------- d-----w- C:\Program Files\Realtek

2011-01-10 18:02:27 7680 ----a-w- C:\Program Files\Common Files\System\lruicr.dll

2011-01-10 15:29:04 388608 ----a-w- C:\Program Files\Common Files\System\runup.dll

2011-01-10 15:19:19 387072 ----a-w- C:\Program Files\Common Files\System\gec.dll

2011-01-10 15:19:18 6656 ----a-w- C:\Program Files\Common Files\System\ra5os7.dll

2011-01-10 15:18:54 10240 ----a-w- C:\Program Files\Common Files\System\eow6rl.dll

2011-01-10 15:18:37 7168 ----a-w- C:\Program Files\Common Files\System\uk1jdw.dll

2011-01-10 15:13:02 387072 ----a-w- C:\Windows\SysWow64\gec.dll

2011-01-10 15:13:01 6656 ----a-w- C:\Windows\SysWow64\ra5os7.dll

2011-01-10 15:12:52 10240 ----a-w- C:\Windows\SysWow64\eow6rl.dll

2011-01-10 15:12:47 16384 ----a-w- C:\Program Files\Common Files\System\CLF.dll

2011-01-10 15:12:46 26624 ----a-w- C:\Program Files\Common Files\System\ClassLibrary1.dll

2011-01-10 15:12:05 -------- d-----w- C:\Windows\SysWow64\iSql

2011-01-09 06:09:58 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\IsolatedStorage

2011-01-08 11:13:18 -------- d-----w- C:\Users\ADMINI~1\AppData\Local\Downloaded Installations

2011-01-07 03:09:04 -------- d-----w- C:\Program Files\CPUID

==================== Find3M ====================

2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll

2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll

2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll

2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll

2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe

2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll

2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll

2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe

2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll

2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll

2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl

2010-11-02 06:23:35 77312 ----a-w- C:\Windows\System32\iesetup.dll

2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll

2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll

2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec

2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec

2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe

2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll

2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll

2010-10-28 13:56:57 2048 ----a-w- C:\Windows\System32\tzres.dll

2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll

2010-10-28 13:20:12 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

============= FINISH: 13:50:19.70 ===============

Attached.zip

Glad we could help. :lol:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
