Solved

Windows 2003 Server with Fake AV

Posted on 2013-01-12
Last Modified: 2013-11-22
I got hit with the FakeMS malware on a 2003 server. The one that creates a bunch of exes and hides the folders.

The first "shocker" was MalwareBytes. Maybe it is because I am running it on a server but .... on several of the servers I manage, Malwarebytes causes the server to boot but all you get is a blank blue screen and the server locks up. The fix is always to boot into safe mode and uninstall MalwareBytes.

Anyway... the server is still messed up. Malwarebytes found the heuristics the first time and removed them, but all of the folders are still showing up as .exe. I think the fake AV is gone but the "view" on the folders is still messed up. Does anyone know a malware package I can use to scan a 2003 server that is known to clean up this fake AV and return the folders to their normal names (no .exe appended to it)?
Question by:LockDown32
7 Comments

Accepted Solution

by:
John Hurst earned 100 total points
ID: 38770916
That could be a tough one.  Take a look at this article that offers some advice.

http://forums.spybot.info/showthread.php?t=66303

.... Thinkpads_User

Assisted Solution

by:Darr247
Darr247 earned 100 total points
ID: 38771007
Try http://maliprog.geekstogo.com/explorer.exe 
Save it to your desktop and double-click it.
Run it from Task Manager (using File->New Task) if everything you try to run is redirected.

It can unhide your folders and shortcuts, and stop rogue processes... so after you let it do that, run MalwareBytes again and TDSSKiller BEFORE exiting TheKiller.

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 38771140

Assisted Solution

by:ded9
ded9 earned 100 total points
ID: 38771216
Sounds like the user profile is corrupted. You can create a new user account and check.

http://support.microsoft.com/mats/windows_file_and_folder_diag/en-us



Ded9

Assisted Solution

by:e_adams
e_adams earned 100 total points
ID: 38772660
I would try Spybot Search and Destroy, and you will have to manually look for any leftover files, including hidden files. If MalwareBytes found them, there is a possibility that it did not delete them, or place them in a "quarantine status". I would disable any service, from startup, that is not required (msconfig, startup). I would also look in services.msc, or run task manager and verify that these programs are not starting up. Since you can start in safe mode, that is telling me it is a program that is starting up when you log into the server.

Please let us know!

Thanks,

Regards,

Elliot
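
A read-only check for the symptom described in this thread (folders hidden, with a same-named .exe left beside each one), added here as an example and not posted by anyone in the thread. It assumes PowerShell 2.0 is installed on the server; the function name `Find-HiddenFolderDecoys` and the path `D:\Shares` are hypothetical.

```powershell
# Added example: read-only audit, nothing on disk is changed.
# Find-HiddenFolderDecoys is a hypothetical name, not part of any tool named in this thread.
function Find-HiddenFolderDecoys {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root
    )

    $hiddenMask = [System.IO.FileAttributes]::Hidden
    $systemMask = [System.IO.FileAttributes]::System

    # -Force is required, otherwise hidden and system items are silently skipped.
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($dir in $items) {
        # Only folders that carry the Hidden attribute are of interest.
        if (-not $dir.PSIsContainer) { continue }
        if (-not ($dir.Attributes -band $hiddenMask)) { continue }

        # Symptom from the question: a file named "<folder>.exe" next to the hidden folder.
        $decoyPath = $dir.FullName + '.exe'
        $decoy = $null
        if (Test-Path -LiteralPath $decoyPath -PathType Leaf) {
            $decoy = $decoyPath
        }

        # One row per hidden folder. Some folders are hidden by Windows itself,
        # so a non-empty DecoyExe is what separates the suspicious rows.
        New-Object PSObject -Property @{
            Folder   = $dir.FullName
            System   = [bool]($dir.Attributes -band $systemMask)
            DecoyExe = $decoy
        }
    }
}

# Usage (D:\Shares is a placeholder path):
# Find-HiddenFolderDecoys -Root 'D:\Shares' |
#     Where-Object { $_.DecoyExe } |
#     Format-Table Folder, System, DecoyExe -AutoSize
```

Rows with a `DecoyExe` value give a list of folders to review and of .exe files to hand to the scanners recommended above.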

Expert Comment

by:Tony Giangreco
ID: 38774316
Any update on your situation?

Expert Comment

by:John Hurst
ID: 38789136
@LockDown32 - Thank you and I was happy to help you with this.

.... Thinkpads_User

Question has a verified solution.
