VPS I'm renting has been hit by viruses, trojans....

Hi, I'm renting a Windows VPS and it's been working pretty well until lately, when it has slowed to a crawl. In the Task Manager I find processes like "cpx.exe" (many of these), dataup.32 and others that I don't recognize. I even found an installation of a bulk emailing software called "Turbo Mailer", which I have just uninstalled.
Googling around I found this page:

http://malwaretips.com/threads/cpx-module-cpx-exe-smart-cpx.48776/

which recommended running Malwarebytes and Farbar Recovery... which I did. Malwarebytes found over 150 infected files and quarantined them, but CPX.EXE is still there. I've also run TrendMicro HouseCall and it found 5 viruses, which it deleted. Still didn't get rid of CPX.EXE though.
I took a screenshot (attached) of the "Installed Programs" I have on that VPS and there's a Chinese-looking entry in there... that was none of my doing. That can't be good.

I didn't uninstall the Chinese thing yet...

Can anyone help please?

Thanks!
    Shawn
shawn857Asked:
LesterClaytonCommented:
Do you have the ability to connect to your VPS without RDP? Like some kind of KVM product? If you can, then boot the server into the Recovery Console and use the command prompt from there to locate the file and rename it - don't delete it. After you have renamed it, to ensure that propagation of the file does not re-occur, create a folder with the same name - this way, if there is a process at logon which recovers the file, it will be unable to do so due to the naming conflict.

rem Change into the folder that holds cpx.exe (substitute the real path)
cd "c:\program files\directory containing cpx.exe"
rem Rename rather than delete, so the file can still be examined later
rename cpx.exe cpx.exe.bad
rem Occupy the original name with a folder so the file cannot be recreated
mkdir cpx.exe


Once these steps are done, reboot the machine normally, and then check for other unknown processes. Use msconfig.exe to view what startup programs there are, then sniff them out and remove them if they are unknown to you.
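The steps Lester describes (rename the file, occupy its name with a folder, then audit what starts up and what is running), written out as an added PowerShell example that is not from the thread. The cpx.exe path is a placeholder assumption; the script is meant for an elevated prompt on a Server 2008-era box, so it sticks to PowerShell 2.0 cmdlets and WMI.

```powershell
# Added example, not from the thread. Placeholder path: substitute the real
# directory once Task Manager or Process Explorer has shown where cpx.exe lives.
$Suspect = 'C:\Program Files\DirectoryContainingCpx\cpx.exe'

if (Test-Path -Path $Suspect -PathType Leaf) {
    # Rename instead of deleting so the sample can still be examined later,
    # then put a directory in its place so a dropper that re-creates the
    # file by name fails with a naming conflict.
    $newName = (Split-Path -Leaf $Suspect) + '.bad'
    Rename-Item -Path $Suspect -NewName $newName -Force
    New-Item -Path $Suspect -ItemType Directory | Out-Null
    Write-Host "Renamed to $newName and blocked the original name with a folder."
}

# 1. Autostart entries (Run keys and Startup folders) as Windows reports them;
#    this is the same list msconfig shows, with the owning user alongside.
Get-WmiObject -Class Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize

# 2. Running processes whose image has no valid Authenticode signature, with
#    the path and the account they run as (the stray users Shawn saw in
#    Task Manager would surface here).
Get-WmiObject -Class Win32_Process | ForEach-Object {
    if ($_.ExecutablePath) {
        $owner = $_.GetOwner()
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                PID  = $_.ProcessId
                Name = $_.Name
                User = "$($owner.Domain)\$($owner.User)"
                Sig  = $sig.Status
                Path = $_.ExecutablePath
            }
        }
    }
} | Format-Table PID, Name, User, Sig, Path -AutoSize
```

On Windows versions before PowerShell 5.1, catalog-signed Microsoft binaries report NotSigned too, so treat the second list as a triage starting point rather than proof of infection.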
KimputerCommented:
Sadly, the VPS provider has to have great technical support, or unique features, to help you out in these situations. That's because sometimes the only way to remove viruses is to scan and remove them OUTSIDE the system (in a normal hardware situation, it's a boot CD/USB).
With VPS systems, you usually don't have that kind of access (not only because the virtualisation software might not allow you to, you usually only have limited control over it, and there's no user interface even if it was possible).
So the best way is to ask your VPS provider for more info on what your options are to scan a VM without really starting the VM.
shawn857Author Commented:
Lester - I can log in only with RDP. I tried getting TeamViewer going also, but it gives an error and won't work.

Kimputer - the tech support with this VPS company is quite bad. I doubt they can even SPELL the word "support". I will ask them if they can do some kind of scan though...


Is there not some kind of handy-dandy anti-malware tool that can root out and delete this CPX.EXE ?


Thanks
    Shawn
KimputerCommented:
The problem is that CPX.exe has the "upper hand" since it got into the system before it was caught by the antivirus, and now has full control. It's in use, and since it's in use, it can't be removed.
Every command you throw against it (be it in safe mode, or a pre-boot removal, or an active removal from a working antivirus) will be undone by the program again (since it's still active). The only way CPX.exe is NOT active, and DOESN'T have the upper hand, is already explained by me (scan when Windows is not started, i.e. boot CD/DVD/USB).
Safe mode is only an option if the CPX program/virus is REALLY REALLY dumb (which happens less and less these days).
shawn857Author Commented:
Thanks Kimputer - well, it appears the tech support for my VPS responded and successfully cleared out the CPX.EXE problem for me! But still, I remain wide open for another attack as I haven't found a suitable firewall for the VPS yet. Comodo doesn't work on Windows Server 2008, and another one I've just tried - "PrivateFirewall" - blocks all users' requests for my webpage (which I am hosting on the VPS using IIS).
Would anyone have any suggestions for a good (and hopefully free) firewall for a Windows VPS?

Thanks
    Shawn
LesterClaytonCommented:
ZoneAlarm is a good product - but it's not free. The old adage "you get what you pay for" is almost relevant when it comes to computer security.

Glad to see your VPS provider was able to sort out your virus for you :)
shawn857Author Commented:
Thanks Lester, but there is, in fact, a free ZoneAlarm firewall, isn't there? Wouldn't that work for me? I really only need the firewall and not all the other real-time virus scanning features of the paid version.

Thanks
   Shawn
LesterClaytonCommented:
The free version will do just fine :) I have friends who use the free version and they are very happy with it.
shawn857Author Commented:
Yep, I think I'll try that. But barring that, do you think the built-in Windows Firewall would suffice? It seems to be already activated on my VPS, but didn't seem to be very successful at keeping out the viruses and trojans I just had to clean up. Maybe I didn't have it configured correctly or something?

Thanks
   Shawn
LesterClaytonCommented:
Generally speaking, the Windows 7 firewall is good enough at keeping stuff out - but it won't protect from operator error. These viruses didn't magically appear on their own - somebody who uses the VPS has downloaded or run software that has caused this to occur. The default Windows installation does not permit access from external - this has to have been allowed.

There is also a possibility, of course, that the VPS provider who installed the operating system has a security flaw permitting remote access - but that would seem to be quite a huge oversight on their part.

Operator interaction with unknown internet resources (web site, e-mail or other) is by far the main source for virus outbreaks on any machine.
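Lester's point that the stock Windows firewall only keeps things out if inbound access has not been opened up, and Shawn's question about configuring it, as an added example that is not from the thread: an inbound-deny baseline for a Windows Server 2008 VPS that serves a site from IIS and is managed over RDP. It uses netsh advfirewall (available on 2008, where the NetSecurity cmdlets are not). The admin address 203.0.113.10 and the stock rule name "Remote Desktop (TCP-In)" are assumptions; replace the address with your own before running, from an elevated prompt.

```powershell
# Added example, not from the thread. Placeholder admin address (RFC 5737
# documentation range); substitute the real one or RDP will lock you out.
$AdminIP = '203.0.113.10'

# Default posture on every profile: block inbound, allow outbound, log drops
# so an audit of what was probing the box is possible after the fact.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Only the services this VPS actually offers to the Internet get inbound rules.
netsh advfirewall firewall add rule name=IIS-HTTP  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name=IIS-HTTPS dir=in action=allow protocol=TCP localport=443

# RDP is reachable only from the administrator's address, not from anywhere;
# the stock rule (name assumed) is disabled so it does not re-open port 3389.
netsh advfirewall firewall add rule name=RDP-admin-only dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminIP
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# Review what is still open inbound once the rules are in place.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Enabled|LocalPort|RemoteIP)'
```

Keep a second way in (the provider's console, if they offer one) before restricting RDP, since a changed home IP is enough to lose remote access.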
shawn857Author Commented:
Well, I am the only one using my VPS - there are no other users. And the only thing I downloaded and installed was IIS 7, in order to host my small site/PHP script. I have no idea how all those viruses and trojans got on my system. Inspecting the installed programs on the system, there were a couple of rogue programs that had Chinese lettering, and also all these strange users would show up when I'd check Task Manager (see attachments). Very weird.

Thanks
   Shawn
StrangeUsers.JPG
VPS-Programs.JPG
shawn857Author Commented:
Well, with the help of my VPS's tech support, I've cleaned out all the viruses. Now I just need to correctly configure my Windows Firewall to prevent this hacking from ever happening again. Thanks to all who replied!

Thanks
    Shawn