• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 487
  • Last Modified:

Windows 2003 Server with Fake AV

I got hit with the FakeMS malware on a 2003 server. The one that creates a bunch of exes and hides the folders.

The first "shocker" was MalwareBytes. Maybe it is because I am running it on a server but .... on several of the servers I manage Malwarebytes causes the server to boot but all you get is a blank blue screen and the server locks up. The fix is always to boot in to safe mode and uninstall MalwareBytes.

Anyway... the server is still messed up. Malwarebytes found the hueristics the first time and removed them but all of the folders are still showing up as .exe I think the fake av is gone but the "view" on the folders is still messed up. Does anyone know a malware package I can use to scam a 2003 server that is know to clean up this fake av and return the folders to their normal names (no .exe appended to it)?
0
LockDown32
Asked:
LockDown32
5 Solutions
 
JohnBusiness Consultant (Owner)Commented:
That could be a tough one.  Take a look at this article that offers some advice.

http://forums.spybot.info/showthread.php?t=66303

.... Thinkpads_User
0
 
Darr247Commented:
Try http://maliprog.geekstogo.com/explorer.exe 
Save it to your desktop and double-click it.
Run it from Task Manager (using File->New Task) if everything you try to run is redirected.

It can unhide your folders and shortcuts, and stop rogue processes...  so after you let it do that, run MalwareBytes again and TDDSKiller BEFORE exiting TheKiller.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
ded9Commented:
Sounds user profile is corrupted..you can create a new user account and check.

http://support.microsoft.com/mats/windows_file_and_folder_diag/en-us



Ded9
0
 
e_adamsCommented:
I would try Spybot Search and Destroy, and you will have to manually look for any left over files, including hidden files.  If MalwareBytes found them, there is a possibility that is did not delete them, or place them in a "quarantine status".  I would disable any service, from startup, that is not required (msconfig, startup).  I would also look in services.msc, or run task manager and verify that these programs are not starting up.  Since you can start in safe mode, is telling me it is a program that is starting up when you log into the server.

Please let us know!

Thanks,

Regards,

Elliot
0
 
Tony GiangrecoCommented:
Any update on your situation?
0
 
JohnBusiness Consultant (Owner)Commented:
@LockDown32 - Thank you and I was happy to help you with this.

.... Thinkpads_User
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now