How to remove a Dubrute virus from Server
Posted on 2012-03-22
We have a Windows 2003 server (member server of a domain) that is used for terminal service connections (remote desktop). About once a week, the cable internet slows down to a crawl. We rebooted the server the first couple of weeks, but last week I was trying to figure out why it was slow before we rebooted it. I logged into it via remote desktop, looked at a few things like Event Viewer and antivirus status, then logged out of the remote desktop. When I logged out, I got a strange little window that said something to the effect of dubrute.exe closing. It appeared as if my logging out forced this dubrute application to shut itself down. When my session logged out, the internet jumped back up to normal speeds and the remote users worked fine for a few days. Yesterday, the internet went back down to a crawl, and after I logged back into the server remotely again, the same thing happened when I logged out. The little dubrute window popped open and I clicked OK to close it (I presume) and the internet jumped back up to normal speeds.
I have AVG Server edition installed on this server, and while it has found problems in the past, all the scans I run on it now are clean. I ran Malwarebytes as well, and that comes up clean. I have checked the startup services and startup apps in the MSCONFIG window, and nothing is out of the ordinary. I did a search in the registry for dubrute and nothing came up. I checked all installed applications in Add/Remove Programs and everything looks normal in there. I checked the Task Manager yesterday when the internet was really slow and didn't see anything called dubrute running as a server. I am thinking about running ComboFix, but because this is a server, I am nervous about doing that. Any ideas???