Video ActiveX Trojan on my Server

Status
Not open for further replies.
T

TimberJon

Posts: 9   +0
This is the one that I think is causing my memory to reload, and causing my explorer.exe in my processes to keep refreshing.

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WIN2K3\system32\dumprep.exe
size: 15872
MD5: 3d05342f42a06fe5ca6ac8a102a46900

Its difficult to install the suggested softwares because I only get a second or two before it refreshes the windows explorer or browser windows. Managed to get spybot and hijackthis working. Will work on others soon, Adaware SE, Outpost, AVG, Avgas, and Trojanhunter. Maybe that Panda scan something if I can find a link to it and if it is necessary.

Spybot says it cant get rid of the ActiveX one, and its always in memory.
This is on my Primary server at work and I need it gone. I cannot reboot the thing all the time, because my network users lose their connections. So I gotta try to oust this during working hours.
 
Hi TimberJon and welcome to techspot. =)

I notice you have not renamed your HijackThis executable file. Please do so before following the next few instructions.

#You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - Startup: Server Management.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.sbravo.com
O17 - HKLM\Software\..\Telephony: DomainName = sbs.sbravo.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.sbravo.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sbs.sbravo.com
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\WIN2K3\system32\ckimzeb.dll

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WIN2K3\system32\ckimzeb.dll

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Not sure if this happens alot...

But I fixed the ActiveX, and got rid of the other programs controlling it or using it. I think the AVG one found the .exe in the system32 folder, and I recognized it from your post. As soon as I shredded that, the explorer refreshing stopped, and I was able to complete other functions. I shredded the activeX folder in the programs folder and rescanned with everything I had.

Thanks for the Help! I will repost here again (w/new thread) if I find anything else these proggies cant fix.
 
Hi,

I would recommend you still post your logs in case your system is not fully clean. If it is, I can also provide you some final cleaning instructions, and advice to prevent future infections.


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Renaming logs and from what proggies

Good idea.

What programs do you want my logs from?

And do I still have to boot into safe mode and open hidden files, then run the scans?

Which programs do you want me to run the scan in safe mode with? just HjK?

Please list the progs to be run under safe mode, and any progs to be run in normal windows so I know.

Also, other than HjK, please post a link to download any other programs you want me to use.

I cannot safe mode or reboot the server until this afternoon, at 3:30 pm PST. And one of my Raid5 drives has failed, so I have to run the WD diagnostic tool on it before I can start the safe mode scans.

So in the meantime, while the server is up and running, is there anything I can do to post logs while it is running standard windows?

Thanks!
 
Hi,

I would require ComboFix, AVG Antispyware and HijackThis logs, all from normal mode please. The programs can all be downloaded from the links in my signature.

No hurries over the logs. It's night time for me here, and I'll be going to bed soon anyway. ;)


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Just a note: be careful about installing firewalls. The server at work crashed when somebody tried to install ZoneAlarm on it. It couldn't finish booting into Windows. They had to wipe the hard drive and reinstall everything.

If programs give you warnings about your OS, you should be careful.
 
Firewalls

I know enough to not install 2 firewall programs on a desktop pc. So I definately would not do so to a server as a permanent solution, however, if a firewall softie has a built in scan, then It doesnt hurt to use every scan you can get your greedy hands on. I only have a corporate version of symantec antivirus installed on my systems. While I used to also have the client 2.0 build of pc protection installed on my clients as well. When I upgraded the server, I ditched that and favored the services provided by SonicWall paired up with my router. While no solution is a sure solution, I think im pretty good.

I never had a software firewall on my server, just the antivirus, but I dont think it was updating itself and running scheduled scans like It was supposed to. Something wrote into it as half its functions are gone, so I will have to uninstall/resinstall it, then run rescans to see if something will try to modify it again. Now Im keeping the AVGas running in real-time.

There was another bug in my system.. but looks like AVGas cleaned it. Here are my logs from spybot (shortened it), AVGas and HJT. In order, I ran HJT, then AVGas which found the bug, cleaned it. Then ran Spybot over it.

initially, AVGas froze on a scan and wiped out my clients. But I think its fine now. If theres another good scanner you want me to get just in case, let me know. NOTE: ComboFix is incompatible with my OS. program says 2000 or XP only and rejects the install attempt.
 
Logs

I was told to rename them. I assumed this meant that txt or log files were unacceptable.. mybad.

Read my txt logs then.
 
Hi,

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
no combofix.

Remember, I am running Small business server 2k3 premium, which is vastly different than XP Pro or other OS's in terms of services and overall attitude.

I have a reservation about using a 3rd party program with a custom built script that will take charge of my systems reboot. This is the central server for my company and I cannot afford to have any data loss. If this program and/or script was made specifically to be used for home users or on an XP Pro operating system, I will have to deny it. Please provide information in this regard.

It takes a while to reboot, and I cannot kick my users off the network for 2 hours during business hours. I also cannot stay late and get paid O/T to run a double boot/scan project.

I will try to find a night that I can stay and do this, but I have some fears.
The server has been acting up lately because its a Raid5 stripe over 3 Raptors and one of the drives has failed. Until I get a new one back in there and the entire data stripe has been resolved, I do not feel comfortable rebooting any more than I have to. I feel that there is a strong possibility that it will not start up correctly or give me another BSOD on startup. I don't need that. SO! Other than the combofix, which again, doesnt work with my OS, I'll post the other 2 as soon as I can.
 
Hi,

My bad about ComboFix.
Have HijackThis fix this entry please:
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\WIN2K3\system32\ckimzeb.dll (file missing)

Then post a fresh HJT log. Your AVG log is also clean so I do not need it anymore. Sorry about that.


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

Your logs look clean now. Have HijackThis fix this though.
O4 - Startup: Server Management.lnk = ?

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of TimberJon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks alot Momok. I appreciate it. Are there any Symantec experts here somewhere? I got another small prob I cant figure out.
 
No problems. Just post your question here if you believe it to be related to our Web and Security forum.

Regards,
Your friendly momok =)
 
Status
Not open for further replies.

Similar threads

C
Solved Malware \ProductData + possibly more, on two devices
Replies
4
Views
7K
Broni
Broni
P
  • Locked
Inactive Laptop shutting down before scan complete (logs inside)
Replies
2
Views
2K
Broni
Broni
venkatbollu
Solved Suspecting a malware on my laptop
2
Replies
26
Views
7K
Broni
Broni

Latest posts

Back