Solved

removing malware and trojan

Posted on 2010-09-06
10
1,027 Views
Last Modified: 2013-11-22
Okay, I am a bit confused as to what my next step should be.  I am a network administrator/network security person for my company.  We have three servers, DC01, DC02 and EX01.  We use Windows 2003 for our servers, XP for workstations and Exchange 2003 for exchange services.  Last week we had someone do a baseline config on the HDD (servers).  When they returned and we put back online we noticed some issues.  When you double click to open the shared drive (on DC02) we get a DOS window that says at the top left PjSiEq.eXe.  I looked this up and noted it to be malware.  So, I ran malwarebytes on each server and workstation.  On the workstations I get "hijack.connectioncontrol" and on the server (DC02) I found a trojan (trojan.vundo) in the shared drive.  I quarantined both things but am having the same issue.  how do I return my system back to normal?

I ran my Norton and found nothing on servers or workstations.  I ran the Malwarebytes again and now find nothing on servers but still have the "hijack.connectioncontrol" on the workstations.  My users need the share drive.  Any assistance will be greatly appreciated.

This is a difficult one.
0
Comment
Question by:lpetrowicz
10 Comments
 
LVL 2

Expert Comment

by:kaar
Comment Utility
you could download the Avira rescue boot CD and run on the workstations, choosing the rename options on threats found.

Cheers
Fabio
0
 
LVL 65

Expert Comment

by:rockiroads
Comment Utility
have u tried running mb in safe mode?
0
 
LVL 65

Expert Comment

by:rockiroads
Comment Utility
ha, wait a mo. I checked mb forums and it seems it might be a false positive. Something to do with group policy.
See this http://forums.malwarebytes.org/index.php?showtopic=45986
0
 
LVL 4

Expert Comment

by:bigg_oil
Comment Utility
check the registry key

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good:

malwarebytes belives this to be a false positive
0
 
LVL 65

Expert Comment

by:rockiroads
Comment Utility
mb has reported it to be a false positive so maybe you could try running another spyware checker and see what that produces. There is no harm in having two, Maybe run hijack this as well
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:lpetrowicz
Comment Utility
I have read that and that only solves the minor workstation thing.  What about the bigger problem; when I click on my share drive and a DOS window opens reading PJSIEQ.EXE?  How do I indentify what the cause of this is if I have already run Antivirus and Malwarebytes?
0
 
LVL 22

Expert Comment

by:optoma
Comment Utility
0
 
LVL 65

Expert Comment

by:rockiroads
Comment Utility
you have tried running full scan in safe mode right?
as I said before, it might be worth trying out another spyware like superantispyware (has a free version). one of their pages also mentions PJSIEQ.EXE. http://www.superantispyware.com/malwaredailyfiles/2010-03-01.html
0
 
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 500 total points
Comment Utility

If the exe PJSIEQ.EXE is in your user profile and then probably your system is infected by virus named DunDun (W32/DunDun.a) (W32.SillyFDC).

Click on Start --> Run --> Type %UserProfile% and click ok. A window would open and you would see exe named PJSIEQ.EXE there (make sure that you select Show Hidden and System File in Explorer Folder Option)

More details:
http://www.threatexpert.com/report.aspx?md5=605787093d636b0f3c4720a88c9e5a89

Sudeep
0
 

Author Closing Comment

by:lpetrowicz
Comment Utility
we did find a W32.Silly in one of our profiles.  Thanks.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now