wint100
asked on
Server Virus - d.vbs, run.vbs, youtou.sys
I have a virus on a server that seems to be running somewhere on the server, accessing an external ftp site and downloading more files to the server.
Common files I find are in the system32 folder:
1.bat
2.bat
1.txt
2.txt
youtou.sys
d.vbs
run.vbs
sysme.bat
ntdos87.bat
There are more. I found a txt file called cc1.txt that had an ftp site listed with username and password and it was getting files all.exe and 2.exe.
Anyone seen this and know how I can remove it?? I have Trend Micro Worry-free security installed, malwarebytes, spyware doctor and prevx, but none can pick it up.
Have you done the MalwareBytes scan in safe mode?? or normal mode?? I suggest you try a scan in safe mode if you haven't already before trying out the below instructions. In safe mode, it will pick up a lot more than you would normally think. Lots of in-memory viruses are not loaded in background in safe mode and hence, can be caught by scanners. Following this, you should scan with Trend Micro scanner.
If the above doesn't work then, I would suggest downloading ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe , saving it with a completely different filename like jabba.exe and then rebooting your server in safe mode. Then, disable all your antivirus, firewall and antispyware programs and run ComboFix, it will scan and create a log. After the log is created, please re-activate your security programs and send the log to us.
Further instructions are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I suggest that you scan the server with MalwareBytes in safe mode right after ComboFix is done, you should see MalwareBytes picking up infections now.
Hope it helps.
ASKER
Tried the above solutions, it found a registry entry in image for execution option\cscript.exe. This has been removed, but the files still reappeared last night in the system32 folder.
yantou.sys
setuplp.bat
1.txt
Did you try ComboFix ?? If yes, can you send us the log to inspect?
ASKER
Combofix doesn't support Windows 2003 Server.
The infected machine is a Windows 2003 Domain Controller.
Oops, sorry. Could you try Process Explorer and see if you see anything strange running in the background ?
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Alternatively, you can send us a HijackThis log to see the background processes:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
ASKER
Does AutoexNT.exe need to be running or could this be a cloaked virus?
It looks like a legitimate file. I suggest that you download UnHackMe from http://www.greatis.com/unhackme/ and install and run it. It will scan your system and study the boot processes and give a report that contains the name of the suspicious programs that are running at bootup. While operating this program, please have a look at the screenshots to learn how it works:
http://www.greatis.com/unhackme/antirootkit.htm
ASKER
I tried unhackme without much success.
I have been monitoring things with processmonitor and found 2 instances of CMD.exe running under an sqlserver parent process. The CMD.exe were running with a command string which included the file names that kept appearing in system32 folder. It looks like something is running the command, searching for files on a remote ftp server, and dumping files to system32. The virus looks to be in the SQL database.
I am running MSDE, is there a way to find the files in the SQL database?
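A defender-side check for the behaviour described in this post, added here as an example and not part of the thread: given process-creation records (constructed sample data; the field names pid, parent_image, image and command_line are assumptions), it flags cmd.exe children of the SQL Server process whose command line invokes a scripted ftp client or writes into system32.

```python
# Added example, not from the thread: flag cmd.exe spawned by sqlservr.exe
# whose command line matches the ftp-download-into-system32 pattern above.
# Event records are constructed; field names are assumptions, not a real log format.
import ntpath
import re

SQL_SERVER_IMAGES = {"sqlservr.exe"}
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
FTP_SCRIPT_RE = re.compile(r"\bftp(\.exe)?\b.*-s:", re.IGNORECASE)  # ftp driven by a script file


def classify(event):
    """Return the reasons an event looks like the SQL-spawned downloader, or [] if benign."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    cmd = event.get("command_line", "")
    reasons = []
    if parent not in SQL_SERVER_IMAGES or image != "cmd.exe":
        return reasons
    reasons.append("cmd.exe spawned by SQL Server process")
    if FTP_SCRIPT_RE.search(cmd):
        reasons.append("scripted ftp client invocation")
    if SYSTEM32_RE.search(cmd) and (">" in cmd or "copy " in cmd.lower()):
        reasons.append("writes into system32")
    return reasons


def scan(events):
    """Return (pid, reasons) for every event that classify() flags."""
    return [(e["pid"], classify(e)) for e in events if classify(e)]


SAMPLE_EVENTS = [  # constructed records, not data from the affected server
    {"pid": 1001,
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": r"cmd.exe /c echo placeholder > C:\WINDOWS\system32\1.txt & ftp -s:C:\WINDOWS\system32\1.txt"},
    {"pid": 1002, "parent_image": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"pid": 1003,
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe", "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Any cmd.exe under sqlservr.exe is worth a look on a domain controller; the extra reasons only rank which hits to open first.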
ASKER CERTIFIED SOLUTION
ASKER
What if I backed up the SQL database, uninstalled MSDE and installed SQL Express 2008? I've been meaning to upgrade for weeks anyway to increase my database limit.
SOLUTION
ASKER
OK I'll give it a go.
I've connected to the database and 2 tables exist under the master database called:
dbo.resultcmd_cc and dbo.tmpdata.
Should these be there? I've checked another SQL server and they aren't present. All the apps using SQL are using separate instances.
It doesn't really ring a bell, I haven't used SQL Server much. It might be worth having a look at the data within those tables to see if it's relevant to the organisation; moreover, it might also be worth having a quick look at Stored Procedures within SQL Server that use these tables. That might give a clue.
ASKER
Will do cheers. Just running the Online scanner now so I'll view result in the morning.
ASKER
Looks like the virus is now clean. Kaspersky online scanner found nothing after I deleted the 2 suspect tables from the SQL database.
I sent the files I found in the system32 off to Trend Micro and they confirmed it was:
dhcp.exe (799,744 bytes) as TROJ_SERVU.AK
run.vbs (1,082 bytes) as VBS_SMALL.C
Thanks
That's good stuff! It's new for me to see a virus that was sort of embedded in SQL Server, or at least its information/instructions were. Do a full scan with Trend Micro antivirus as a last check and if that comes clean, then you're good to go.
http://www.sophos.com/supp
I had a piece of malware called entuala.dll that was not picked up by NOD32 or Malwarebytes, but Sophos did pick it up.