Windows 2003 Server with Fake AV

I got hit with the FakeMS malware on a 2003 server. The one that creates a bunch of exes and hides the folders.

The first "shocker" was MalwareBytes. Maybe it is because I am running it on a server but .... on several of the servers I manage Malwarebytes causes the server to boot but all you get is a blank blue screen and the server locks up. The fix is always to boot in to safe mode and uninstall MalwareBytes.

Anyway... the server is still messed up. Malwarebytes found the hueristics the first time and removed them but all of the folders are still showing up as .exe I think the fake av is gone but the "view" on the folders is still messed up. Does anyone know a malware package I can use to scam a 2003 server that is know to clean up this fake av and return the folders to their normal names (no .exe appended to it)?
LVL 15
LockDown32OwnerAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
John HurstConnect With a Mentor Business Consultant (Owner)Commented:
That could be a tough one.  Take a look at this article that offers some advice.

http://forums.spybot.info/showthread.php?t=66303

.... Thinkpads_User
0
 
Darr247Connect With a Mentor Commented:
Try http://maliprog.geekstogo.com/explorer.exe 
Save it to your desktop and double-click it.
Run it from Task Manager (using File->New Task) if everything you try to run is redirected.

It can unhide your folders and shortcuts, and stop rogue processes...  so after you let it do that, run MalwareBytes again and TDDSKiller BEFORE exiting TheKiller.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
ded9Connect With a Mentor Commented:
Sounds user profile is corrupted..you can create a new user account and check.

http://support.microsoft.com/mats/windows_file_and_folder_diag/en-us



Ded9
0
 
e_adamsConnect With a Mentor Commented:
I would try Spybot Search and Destroy, and you will have to manually look for any left over files, including hidden files.  If MalwareBytes found them, there is a possibility that is did not delete them, or place them in a "quarantine status".  I would disable any service, from startup, that is not required (msconfig, startup).  I would also look in services.msc, or run task manager and verify that these programs are not starting up.  Since you can start in safe mode, is telling me it is a program that is starting up when you log into the server.

Please let us know!

Thanks,

Regards,

Elliot
0
 
Tony GiangrecoCommented:
Any update on your situation?
0
 
John HurstBusiness Consultant (Owner)Commented:
@LockDown32 - Thank you and I was happy to help you with this.

.... Thinkpads_User
0
All Courses

From novice to tech pro — start learning today.