Solved

Windows 2003 Server with Fake AV

Posted on 2013-01-12
7
449 Views
Last Modified: 2013-11-22
I got hit with the FakeMS malware on a 2003 server. The one that creates a bunch of exes and hides the folders.

The first "shocker" was MalwareBytes. Maybe it is because I am running it on a server but .... on several of the servers I manage Malwarebytes causes the server to boot but all you get is a blank blue screen and the server locks up. The fix is always to boot in to safe mode and uninstall MalwareBytes.

Anyway... the server is still messed up. Malwarebytes found the hueristics the first time and removed them but all of the folders are still showing up as .exe I think the fake av is gone but the "view" on the folders is still messed up. Does anyone know a malware package I can use to scam a 2003 server that is know to clean up this fake av and return the folders to their normal names (no .exe appended to it)?
0
Comment
Question by:LockDown32
7 Comments
 
LVL 93

Accepted Solution

by:
John Hurst earned 100 total points
ID: 38770916
That could be a tough one.  Take a look at this article that offers some advice.

http://forums.spybot.info/showthread.php?t=66303

.... Thinkpads_User
0
 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 100 total points
ID: 38771007
Try http://maliprog.geekstogo.com/explorer.exe 
Save it to your desktop and double-click it.
Run it from Task Manager (using File->New Task) if everything you try to run is redirected.

It can unhide your folders and shortcuts, and stop rogue processes...  so after you let it do that, run MalwareBytes again and TDDSKiller BEFORE exiting TheKiller.
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 38771140
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 30

Assisted Solution

by:ded9
ded9 earned 100 total points
ID: 38771216
Sounds user profile is corrupted..you can create a new user account and check.

http://support.microsoft.com/mats/windows_file_and_folder_diag/en-us



Ded9
0
 
LVL 1

Assisted Solution

by:e_adams
e_adams earned 100 total points
ID: 38772660
I would try Spybot Search and Destroy, and you will have to manually look for any left over files, including hidden files.  If MalwareBytes found them, there is a possibility that is did not delete them, or place them in a "quarantine status".  I would disable any service, from startup, that is not required (msconfig, startup).  I would also look in services.msc, or run task manager and verify that these programs are not starting up.  Since you can start in safe mode, is telling me it is a program that is starting up when you log into the server.

Please let us know!

Thanks,

Regards,

Elliot
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38774316
Any update on your situation?
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38789136
@LockDown32 - Thank you and I was happy to help you with this.

.... Thinkpads_User
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

OfficeMate Freezes on login or does not load after login credentials are input.
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question