Solved

Windows 2003 Server with Fake AV

Posted on 2013-01-12
7
455 Views
Last Modified: 2013-11-22
I got hit with the FakeMS malware on a 2003 server. The one that creates a bunch of exes and hides the folders.

The first "shocker" was MalwareBytes. Maybe it is because I am running it on a server but .... on several of the servers I manage Malwarebytes causes the server to boot but all you get is a blank blue screen and the server locks up. The fix is always to boot in to safe mode and uninstall MalwareBytes.

Anyway... the server is still messed up. Malwarebytes found the hueristics the first time and removed them but all of the folders are still showing up as .exe I think the fake av is gone but the "view" on the folders is still messed up. Does anyone know a malware package I can use to scam a 2003 server that is know to clean up this fake av and return the folders to their normal names (no .exe appended to it)?
0
Comment
Question by:LockDown32
7 Comments
 
LVL 93

Accepted Solution

by:
John Hurst earned 100 total points
ID: 38770916
That could be a tough one.  Take a look at this article that offers some advice.

http://forums.spybot.info/showthread.php?t=66303

.... Thinkpads_User
0
 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 100 total points
ID: 38771007
Try http://maliprog.geekstogo.com/explorer.exe 
Save it to your desktop and double-click it.
Run it from Task Manager (using File->New Task) if everything you try to run is redirected.

It can unhide your folders and shortcuts, and stop rogue processes...  so after you let it do that, run MalwareBytes again and TDDSKiller BEFORE exiting TheKiller.
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 38771140
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 30

Assisted Solution

by:ded9
ded9 earned 100 total points
ID: 38771216
Sounds user profile is corrupted..you can create a new user account and check.

http://support.microsoft.com/mats/windows_file_and_folder_diag/en-us



Ded9
0
 
LVL 1

Assisted Solution

by:e_adams
e_adams earned 100 total points
ID: 38772660
I would try Spybot Search and Destroy, and you will have to manually look for any left over files, including hidden files.  If MalwareBytes found them, there is a possibility that is did not delete them, or place them in a "quarantine status".  I would disable any service, from startup, that is not required (msconfig, startup).  I would also look in services.msc, or run task manager and verify that these programs are not starting up.  Since you can start in safe mode, is telling me it is a program that is starting up when you log into the server.

Please let us know!

Thanks,

Regards,

Elliot
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38774316
Any update on your situation?
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38789136
@LockDown32 - Thank you and I was happy to help you with this.

.... Thinkpads_User
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question