TechSpot

Windows Server 2008, Sirfef.b/y and zeroaccess

Solved
By avenged187
Aug 9, 2012
  1. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    In addition to the security check thing, I've also noticed that commands in the command prompt, like ipconfig and netstat, are no longer working. Not sure if that could be part of this infection.
     
  2. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    From the command prompt

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    C:\Users\frank>ipconfig
    'ipconfig' is not recognized as an internal or external command,
    operable program or batch file.
    C:\Users\frank>
     
  3. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    I'm pretty sure that's what security check is saying in the command prompt box that appears, and probably why no notepad is opened when it closes.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Download Windows Repair (all in one) from this site

    Install the program then run

    Go to step 2 and allow it to run Disc check

    [IMG]

    Once that is done then go to step 3 and allow it to run SFC

    [IMG]

    On the Start Repairs tab click Start button.

    [IMG]

    Please ensure that items seen in the image below are ticked as indicated:

    [IMG]

    Click on box next to the Restart System when Finished. Then click on Start
     
  5. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    SFC is running now.
     
  6. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    The version of Windows Repair downloaded from your link is actually different from the one that you show in your screenshots above. There are a few different options on the repair screen that I wasn't sure about. Those would be "Repair Windows Snipping Tool" and "Repair .lnk (shortcuts) File Association." Should these be checked?
     
  7. Broni

    Broni Malware Annihilator Posts: 47,022   +255

  8. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Ran start repairs, except now the server does not recognize the network. It knows it is attached to one, but I have no internet access from it.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Post new FSS log.
     
  10. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Never mind. Fixed it. Forgot to mention that our server had its NIC set to a specific internal IP. Looks like Windows Repair cleared those settings, but I fixed the IP, subnet, and default gateway and am once again connected.
     
  11. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Farbar Service Scanner Version: 06-08-2012
    Ran by frank (administrator) on 09-08-2012 at 19:31:38
    Running from "C:\Users\frank\Desktop"
    Microsoft Windows Server 2008 R2 Standard (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.

    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    RpcSs Service is not running. Checking service configuration:
    The start type of RpcSs service is OK.
    The ImagePath of RpcSs service is OK.
    The ServiceDll of RpcSs service is OK.

    Other Services:
    ==============

    File Check:
    ========
    ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\dhcpcore.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wuaueng.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\cryptsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\rpcss.dll FILE IS MISSING AND SHOULD BE RESTORED.

    **** End of log ****
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    OK, I don't think FSS is fully compatible with Server 2008 so... what is not working?
     
  13. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Well, the firewall is back on, which is good. But I got a strange error when trying to update MSE. And Windows Update is telling me that it's searching for updates, but that it has never checked for updates before, and it is continually searching.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    OK, here is a small problem.
    Since we don't see Server 2008 too often I'm not sure if registry keys reported by FSS are for real or not.

    Do you have access to another Server 2008 computer?
     
  15. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    The exact message from MSE is an error 0x80240022: Security Essentials couldn't download the update. This might be caused by a missing system file, an incorrect system setting, or a problem with a registry file.
     
  16. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Unfortunately I don't. This is the only one I've had both experience and an issue with.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    OK, hold on, we have to proceed with caution here.
     
  18. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Well, I think I may have an idea. It appears that my Windows Firewall rules have been wiped out, both on the inbound and outbound sides.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Server 2008 has the same kernel (6.1) as Windows 7, so hopefully it'll work.

    Since we're experimenting a little it'll be very important to create a new restore point.
    I can see that one missing registry key is actually affecting system restore so I'm not sure if you can do it.

    Give it a shot and let me know if you can create a new restore point.
     
  20. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    As I said, take it easy.
    One thing at a time.
     
  21. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Windows Server 2008 doesn't have restore points
     
  22. Broni

    Broni Malware Annihilator Posts: 47,022   +255

  23. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    OK, registry backup completed. Though, thinking about it, Windows Repair made a "restore point" (though I think it was a Volume Shadow Copy Service backup) before it ran chkdsk.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,022   +255

  25. avenged187

    avenged187 TS Rookie Topic Starter Posts: 68

    Farbar Service Scanner Version: 06-08-2012
    Ran by frank (administrator) on 09-08-2012 at 20:16:21
    Running from "C:\Users\frank\Desktop"
    Microsoft Windows Server 2008 R2 Standard (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.

    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    RpcSs Service is not running. Checking service configuration:
    The start type of RpcSs service is OK.
    The ImagePath of RpcSs service is OK.
    The ServiceDll of RpcSs service is OK.

    Other Services:
    ==============

    File Check:
    ========
    ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\dhcpcore.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\wuaueng.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\cryptsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> d:\Windows\System32\rpcss.dll FILE IS MISSING AND SHOULD BE RESTORED.

    **** End of log ****
     
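The two FSS logs in posts 11 and 25 above differ in only one place (the BITS service key is reported missing in the first run and present in the second), which is easy to miss by eye in ~100 lines of output. Below is an added example, not code from this thread or from Farbar Service Scanner itself: a small Python parser for the log phrasings shown above, a diff of two runs so that what a repair step changed is visible at a glance, and a sanity check on the File Check section. That check exists because every "FILE IS MISSING" path in both logs above is on d:\ while FSS reports it was run from C:\Users\frank\Desktop; a practitioner would want that mismatch surfaced before restoring anything. The two sample logs in the block are constructed excerpts in FSS's format (the path and service names are the ones the thread's logs report).

```python
"""Summarise and diff Farbar Service Scanner (FSS) logs.

Added example for this thread; it is not part of FSS or of any post above.
It keys off the literal phrasings in the logs posted here, and the two sample
logs at the bottom are constructed excerpts in that format.
"""
import re
from dataclasses import dataclass, field

RUNNING_FROM = re.compile(r'^Running from "([A-Za-z]):')
SERVICE_STOPPED = re.compile(r"^(\w+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\w+) registry key\. The service key does not exist\.")
FILE_MISSING = re.compile(r"ATTENTION!=+> (.+?) FILE IS MISSING AND SHOULD BE RESTORED\.")


@dataclass
class FssReport:
    scan_drive: str = ""                              # drive letter FSS was run from
    stopped_services: set = field(default_factory=set)
    missing_keys: set = field(default_factory=set)    # services whose registry key is absent
    missing_files: set = field(default_factory=set)   # lower-cased full paths


def parse_fss(text: str) -> FssReport:
    """One pass over the log; each ATTENTION line is classified by its wording."""
    report = FssReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUNNING_FROM.match(line):
            report.scan_drive = m.group(1).lower()
        elif m := SERVICE_STOPPED.match(line):
            report.stopped_services.add(m.group(1))
        elif m := KEY_MISSING.search(line):
            # FSS prints the same "key does not exist" line for Start type,
            # ImagePath and ServiceDll; the set collapses them into one entry.
            report.missing_keys.add(m.group(1))
        elif m := FILE_MISSING.search(line):
            report.missing_files.add(m.group(1).lower())
    return report


def files_on_other_drive(report: FssReport) -> list:
    """File Check entries whose drive letter differs from the one FSS ran from.

    If every 'missing' file sits on another volume, the scanner is most likely
    looking at the wrong drive rather than reporting real deletions."""
    return sorted(p for p in report.missing_files
                  if report.scan_drive and not p.startswith(report.scan_drive + ":"))


def diff_reports(before: FssReport, after: FssReport) -> dict:
    """What changed between two runs, e.g. before and after a repair step."""
    return {
        "keys_recovered": sorted(before.missing_keys - after.missing_keys),
        "keys_still_missing": sorted(after.missing_keys),
        "files_recovered": sorted(before.missing_files - after.missing_files),
        "files_still_missing": sorted(after.missing_files),
        "services_still_stopped": sorted(after.stopped_services),
    }


# Constructed excerpts in FSS's format: the first has the BITS service key
# absent, the second (after a repair run) reports it as OK again.
BEFORE_LOG = r"""
Running from "C:\Users\frank\Desktop"
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
File Check:
ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.
"""

AFTER_LOG = r"""
Running from "C:\Users\frank\Desktop"
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
File Check:
ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.
"""

if __name__ == "__main__":
    before, after = parse_fss(BEFORE_LOG), parse_fss(AFTER_LOG)
    for key, value in diff_reports(before, after).items():
        print(f"{key}: {value}")
    print("flagged files not on the scan drive:", files_on_other_drive(after))
```

Feed it the two full logs from the thread (saved as text files and read into `parse_fss`) and `keys_recovered` comes back as `['BITS']` with everything else unchanged, while `files_on_other_drive` returns the entire File Check list, which is the cue that those entries describe the scanner's view of d:\ and not the state of the system drive.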