jbobst asked:

How to remove a Dubrute virus from Server

We have a Windows 2003 server (member server of a domain) that is used for terminal service connections (remote desktop). About once a week, the cable internet slows down to a crawl. We rebooted the server the first couple of weeks, but last week I was trying to figure out why it was slow before we rebooted it. I logged into it via remote desktop, looked at a few things like event viewer and Anti Virus status things, then logged out of the remote desktop. When I logged out, I got a strange little window that said something to the effect of dubrute.exe closing. It appeared as if my logging out forced this dubrute application to force itself to shut down. When my session logged out, the internet jumped back up to normal speeds and the remote users worked fine for a few days. Yesterday, the internet went back down to a crawl, and after I logged back into the server remotely again, the same thing happened when I logged out. The dubrute little window popped open and I clicked OK to close it (I presume) and the internet jumped back up to normal speeds.

I have AVG Server edition installed on this server, and while it has found problems in the past, all the scans I run on it now are clean. I ran malwarebytes as well, and that comes up clean. I have checked the startup services and startup apps in the MSCONFIG window, and nothing is out of the ordinary. I did a search in the registry for dubrute and nothing came up. I checked all installed applications in add/remove programs and everything looks normal in there. I checked the task manager yesterday when the internet was really slow and didn't see anything called dubrute running as a server. I am thinking about running combofix, but because this is a server, I am nervous about doing that. Any ideas???
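The checks listed in the question (MSCONFIG, a registry text search, add/remove programs, the current session's Task Manager) leave several autostart locations unexamined, and on a terminal server a program running inside another user's RDP session does not appear in Task Manager unless "Show processes from all users" is ticked. The PowerShell script below is an added example written for this thread; it is not code from any poster or from the hidden solutions. It only reads, and it enumerates processes in every session, Run/RunOnce and Winlogon values in HKLM and every loaded user hive, services, scheduled tasks, startup folders and the file system, reporting anything whose name or command line matches a pattern. Assumptions: the artefact name contains "dubrute" (change $Pattern otherwise), the script runs from an elevated PowerShell prompt on the affected server, and schtasks.exe on that Windows version emits the "Task To Run" and "Run As User" CSV columns.

```powershell
# Added example for this thread (not code from any poster): read-only enumeration of
# the autostart locations and sessions that MSCONFIG, a registry text search and a
# single-session Task Manager do not cover. Run from an elevated PowerShell prompt.
# Assumption: the artefact name contains "dubrute"; pass -Pattern for other names.

function Find-AutostartArtifact {
    param([string]$Pattern = 'dubrute')
    $hits = @()

    # 1. Processes in EVERY session. Task Manager on a terminal server lists only the
    #    current session by default, so a program living in another user's RDP session
    #    (and killed when that session logs off) is invisible there.
    foreach ($p in Get-WmiObject Win32_Process) {
        if ($p.Name -match $Pattern -or "$($p.CommandLine)" -match $Pattern) {
            $o = $p.GetOwner()
            $hits += "PROCESS  pid=$($p.ProcessId) session=$($p.SessionId) user=$($o.Domain)\$($o.User) cmd=$($p.CommandLine)"
        }
    }

    # 2. Run/RunOnce and Winlogon (Shell, Userinit) values in HKLM and in every loaded
    #    user hive under HKEY_USERS, so entries planted in another RDP user's profile count.
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
    $roots = @('HKLM:') + @(Get-ChildItem HKU: -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
    $subkeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                 'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon')
    foreach ($root in $roots) {
        foreach ($sub in $subkeys) {
            $key = "$root\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($v in (Get-ItemProperty $key).PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... bookkeeping properties.
                if ($v.Name -notlike 'PS*' -and "$($v.Value)" -match $Pattern) {
                    $hits += "REGISTRY $key : $($v.Name) = $($v.Value)"
                }
            }
        }
    }

    # 3. Services whose binary path names the artefact.
    foreach ($s in Get-WmiObject Win32_Service) {
        if ("$($s.PathName)" -match $Pattern) {
            $hits += "SERVICE  $($s.Name) state=$($s.State) start=$($s.StartMode) path=$($s.PathName)"
        }
    }

    # 4. Scheduled tasks. schtasks.exe is used because Get-ScheduledTask does not exist
    #    on older Windows versions; only quoted CSV lines are kept (drops INFO messages).
    #    Assumption: the CSV carries "Task To Run" and "Run As User" columns.
    $csv = schtasks.exe /query /fo csv /v 2>$null | Where-Object { $_ -like '"*' }
    foreach ($t in ($csv | ConvertFrom-Csv)) {
        if ("$($t.'Task To Run')" -match $Pattern) {
            $hits += "TASK     $($t.TaskName) as=$($t.'Run As User') runs=$($t.'Task To Run')"
        }
    }

    # 5. Startup folders: the all-users folder plus each profile's folder, in both the
    #    Windows 2003 ("Documents and Settings") and the newer ("Users") profile layouts.
    $dirs = @([Environment]::GetFolderPath('CommonStartup'))
    foreach ($prof in (Get-ChildItem "$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users" -ErrorAction SilentlyContinue)) {
        $dirs += "$($prof.FullName)\Start Menu\Programs\Startup"
        $dirs += "$($prof.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    }
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        foreach ($f in (Get-ChildItem $d -Force)) {
            if ($f.Name -match $Pattern) { $hits += "STARTUP  $($f.FullName)" }
        }
    }

    # 6. The file itself anywhere on the system drive, with its timestamp for the timeline.
    foreach ($f in (Get-ChildItem "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue)) {
        if (-not $f.PSIsContainer -and $f.Name -match $Pattern) {
            $hits += "FILE     $($f.FullName) modified=$($f.LastWriteTime)"
        }
    }

    return $hits
}

# Print the findings and keep a copy for the incident record.
Find-AutostartArtifact -Pattern 'dubrute' | Tee-Object -FilePath "$env:TEMP\autostart-hunt.txt"
```

The process owner and session id in the PROCESS lines are the useful part for the follow-up question of how the program got there: they tie the artefact to a specific account and RDP session, which is where the root-cause review (which account, which logon, whether the credentials were guessed or the account was misused) has to start. The file-system pass is last because it is the slowest on a large drive.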
SOLUTION
netjgrnaut

This solution is only available to members.
SOLUTION
younghv

This solution is only available to members.
jbobst (ASKER):

Thanks for the advice.  By the way younghv, I am curious how a system rebuild is not sufficient in eliminating problems?  If you format the hard drive, or just put in a new hard drive (they are very cheap) how can that not get rid of a virus???
There are malware variants that infect the MBR, hidden partitions on the HDD, and even the BIOS ROM. A new hard drive would solve for the first two examples, but not for the third.

This is from an earlier post here on EE:
http://www.globalnet-iti.com/innovations/blog/1st-virus-that-infects-a-computer-s-bios-is-discovered/

Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection,
A complete system rebuild is not sufficient to eliminate some malware variants and it is better to use the tools that can get the job done right.

That's absolutely wrong. Furthermore, leaving a malware-infected production server connected to the network after "cleaning" the malware is in direct opposition to security best practices.

Not one of my corporate customers would stand for such a response. A once-compromised system is an unacceptable risk to the entire organization.

BTW - there's an underlying root cause analysis that should be done any time a server is infected with malware. Are your server admins browsing the Internet from the server console with elevated privs? Either an unpatched vulnerability was exploited, or this is the result of poor practice. If you don't take the time to figure out - and correct - the root cause, you'll be doing this again... soon.
jbobst,
I stand by the comments I made and I think the link I provided (more if needed) is ample proof that there is existing malware that cannot be removed by formatting/replacing a hard drive.

Malware discussions are often joined by those with differing opinions, some more obnoxious than others.
ASKER CERTIFIED SOLUTION

This solution is only available to members.
jbobst (ASKER):

Sorry for the delay in closing this question.  Thanks for the information!