Solved: Windows Server 2008, Sirefef.b/y and ZeroAccess

In addition to the Security Check thing, I've also noticed that commands in the command prompt, like ipconfig and netstat, are no longer working. Not sure if that could be part of this infection.
 
From the command prompt

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\frank>ipconfig
'ipconfig' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\frank>
 
I'm pretty sure that's what Security Check is saying in the command prompt box that appears, and probably why no Notepad is opened when it closes.
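A check for the "'ipconfig' is not recognized" error shown above, added here as an example; it is not from the original thread. cmd.exe resolves a bare command name by searching every directory in PATH for the name plus each extension in PATHEXT, so the script tests both whether the binaries still exist in System32 and whether System32 is still on the PATH of the running process and on the machine-wide PATH stored in the registry. It assumes PowerShell 2.0 or later on Windows 7 / Server 2008 R2 (kernel 6.1, matching the banner above) and an elevated prompt; the list of tool names is my choice.

```powershell
# Added example (not from the original thread): diagnose "'ipconfig' is not recognized".
# Assumes PowerShell 2.0+ on Windows 7 / Server 2008 R2 and an elevated prompt.
# cmd.exe locates a command by searching each directory in PATH for name + each
# extension in PATHEXT, so the usual causes are: the binary is gone, or
# %SystemRoot%\System32 (or PATHEXT) has been stripped from the environment.

$tools = 'ipconfig.exe', 'netstat.exe', 'sfc.exe', 'netsh.exe'   # chosen for this example
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Are the binaries physically present?
foreach ($t in $tools) {
    $p = Join-Path $sys32 $t
    if (Test-Path $p) {
        $v = (Get-Item $p).VersionInfo.FileVersion
        "{0,-14} present  (version {1})" -f $t, $v
    } else {
        "{0,-14} MISSING from {1}" -f $t, $sys32
    }
}

# 2. Is System32 on the PATH this process uses, and on the machine-wide PATH in
#    the registry (which every new cmd.exe window inherits)?
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath    = (Get-ItemProperty -Path $envKey -Name Path    -ErrorAction SilentlyContinue).Path
$machinePathExt = (Get-ItemProperty -Path $envKey -Name PATHEXT -ErrorAction SilentlyContinue).PATHEXT

function Test-OnPath([string]$pathValue, [string]$dir) {
    if (-not $pathValue) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($pathValue)
    foreach ($d in $expanded -split ';') {
        if ($d.TrimEnd('\') -ieq $dir.TrimEnd('\')) { return $true }
    }
    return $false
}

"Process PATH contains System32 : {0}" -f (Test-OnPath $env:Path $sys32)
"Machine PATH contains System32 : {0}" -f (Test-OnPath $machinePath $sys32)
"Machine PATH raw value         : {0}" -f $machinePath
"Machine PATHEXT                : {0}" -f $machinePathExt

# 3. Does the binary run when called by full path? If this works but the bare
#    name does not, the problem is the environment, not the file.
$ipconfig = Join-Path $sys32 'ipconfig.exe'
if (Test-Path $ipconfig) {
    & $ipconfig /all | Select-Object -First 5
}
```

If the binaries are present and run by full path but System32 is absent from the machine PATH, restore the registry value (it is a REG_EXPAND_SZ) to the stock Windows 7 / Server 2008 R2 contents, `%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SystemRoot%\System32\WindowsPowerShell\v1.0\`, and open a new prompt; an existing window keeps the environment it was started with. If the binaries themselves are missing, the file-restore path (sfc /scannow) used later in this thread is the fix.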
 
Download Windows Repair (all in one) from this site

Install the program, then run it.

Go to Step 2 and allow it to run Disk Check.

[screenshot: Capture3.gif]

Once that is done, go to Step 3 and allow it to run SFC.

[screenshot: Capture.gif]

On the Start Repairs tab, click the Start button.

[screenshot: p22001166.gif]

Please ensure that items seen in the image below are ticked as indicated:

[screenshot: p22001132.gif]

Tick the box next to Restart System when Finished, then click Start.
 
The version of Windows Repair downloaded from your link is actually different from the one that you show in your screenshots above. There are a few different options on the repair screen that I wasn't sure about. Those would be "Repair Windows Snipping Tool" and "Repair .lnk (shortcuts) File Association." Should these be checked?
 
Ran Start Repairs, but now the server does not recognize the network. It knows it is attached to one, but I have no internet access from it.
 
Never mind. Fixed it. Forgot to mention that our server had its NIC set to a specific internal IP. Looks like Windows Repair cleared those settings, but I fixed the IP, subnet, and default gateway and am once again connected.
 
Farbar Service Scanner Version: 06-08-2012
Ran by frank (administrator) on 09-08-2012 at 19:31:38
Running from "C:\Users\frank\Desktop"
Microsoft Windows Server 2008 R2 Standard (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.
The ServiceDll of RpcSs service is OK.

Other Services:
==============

File Check:
========
ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\dhcpcore.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wuaueng.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\cryptsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\rpcss.dll FILE IS MISSING AND SHOULD BE RESTORED.

**** End of log ****
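A way to re-check what the FSS log above reports, added here as an example and not part of the original thread or of Farbar Service Scanner. It looks up the same service registry keys under HKLM\SYSTEM\CurrentControlSet\Services and tests for the same files, but builds the file paths from $env:SystemRoot and $env:ProgramFiles instead of the d:\ prefix in the FSS output, so the check lands on the actual Windows directory whichever drive letter it is on. The service list starts with the six services FSS examined; the extra names (MpsSvc, BFE, wuauserv, CryptSvc, EventSystem, Winmgmt, Dnscache, Dhcp, nsi) are my addition, chosen because their DLLs appear in the FSS file list. Assumes PowerShell 2.0 or later on Server 2008 R2 and an elevated prompt.

```powershell
# Added example (not from the original thread or from FSS): re-check the services
# and files flagged in the FSS log, against the real system root.
# Assumes PowerShell 2.0+ on Server 2008 R2 / Windows 7 and an elevated prompt.

"SystemRoot is {0}; ProgramFiles is {1}" -f $env:SystemRoot, $env:ProgramFiles

# First six: the services FSS reported on. The rest are my addition, chosen because
# their service DLLs appear in the FSS file list below.
$services = 'SDRSVC', 'VSS', 'wscsvc', 'BITS', 'WinDefend', 'RpcSs',
            'MpsSvc', 'BFE', 'wuauserv', 'CryptSvc', 'EventSystem', 'Winmgmt',
            'Dnscache', 'Dhcp', 'nsi'

# Files FSS flagged, relative to the system root (Windows Defender sits under Program Files).
$files = @(
    'System32\nsisvc.dll', 'System32\drivers\nsiproxy.sys', 'System32\dhcpcore.dll',
    'System32\drivers\afd.sys', 'System32\drivers\tdx.sys', 'System32\drivers\tcpip.sys',
    'System32\dnsrslvr.dll', 'System32\mpssvc.dll', 'System32\bfe.dll',
    'System32\drivers\mpsdrv.sys', 'System32\SDRSVC.dll', 'System32\vssvc.exe',
    'System32\wscsvc.dll', 'System32\wbem\WMIsvc.dll', 'System32\wuaueng.dll',
    'System32\qmgr.dll', 'System32\es.dll', 'System32\cryptsvc.dll',
    'System32\svchost.exe', 'System32\rpcss.dll'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }
$files += Join-Path $env:ProgramFiles 'Windows Defender\MpSvc.dll'

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Start values in the registry: 2 = Automatic, 3 = Manual, 4 = Disabled
$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

"== Service registry keys =="
foreach ($s in $services) {
    $key = Join-Path $svcRoot $s
    if (-not (Test-Path $key)) {
        "{0,-12} KEY MISSING  ({1})" -f $s, $key
        continue
    }
    $p = Get-ItemProperty $key
    $dll = $null
    if (Test-Path "$key\Parameters") {
        $dll = (Get-ItemProperty "$key\Parameters").ServiceDll
    }
    $state = (Get-Service -Name $s -ErrorAction SilentlyContinue).Status
    "{0,-12} Start={1,-8} State={2,-8} ImagePath={3}  ServiceDll={4}" -f `
        $s, $startName[[int]$p.Start], $state, $p.ImagePath, $dll
}

"== Files =="
foreach ($f in $files) {
    if (Test-Path $f) {
        $fi = Get-Item $f
        "{0,-62} OK  {1,9} bytes  {2}" -f $f, $fi.Length, $fi.VersionInfo.FileVersion
    } else {
        "{0,-62} MISSING" -f $f
    }
}
```

A service whose key is genuinely absent cannot be recreated by sfc; the usual route, which is what the helper's request for another Server 2008 machine is aiming at, is to export the key from a known-good box of the same version and import it on the damaged one: `reg export "HKLM\SYSTEM\CurrentControlSet\Services\BITS" C:\BITS.reg` there, `reg import C:\BITS.reg` here, then reboot. Missing files under the real system root are what Windows Repair's Step 3 (sfc /scannow) restores from the component store; if the file check here reports everything present while FSS still lists it as missing on d:\, the FSS report is about the drive letter, not the files.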
 
OK, I don't think FSS is fully compatible with Server 2008, so... what is not working?
 
Well, the firewall is back on, which is good. But I got a strange error when trying to update MSE. And Windows Update is telling me that it's searching for updates, but that it has never checked for updates before, and it is continually searching.
 
OK, here is a small problem.
Since we don't see Server 2008 too often, I'm not sure if the registry keys reported by FSS are for real or not.

Do you have access to another Server 2008 computer?
 
The exact message from MSE is error 0x80240022: Security Essentials couldn't download the update. This might be caused by a missing system file, an incorrect system setting, or a problem with a registry file.
 
Well, I think I may have an idea. It appears that my Windows Firewall rules have been wiped out, both on the inbound and outbound sides.
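An audit of the firewall state described in the post above, added here as an example; it is not from the original thread. On Windows 7 / Server 2008 R2 the NetSecurity cmdlets (Get-NetFirewallRule and friends) do not exist, so the script uses the HNetCfg.FwPolicy2 COM object that the Windows Firewall with Advanced Security console itself is built on. It prints per-profile enabled state and default actions, counts inbound and outbound rules, and lists any enabled inbound allow rule that is not tied to a program or port. The numeric constants are the documented INetFwPolicy2 / INetFwRule values; the "broad inbound allow" filter is my own heuristic. Assumes an elevated prompt and that the MpsSvc and BFE services are running, since the COM object talks to them.

```powershell
# Added example (not from the original thread): audit Windows Firewall profiles and
# rule counts on Windows 7 / Server 2008 R2 via the HNetCfg.FwPolicy2 COM object.
# Assumes an elevated PowerShell 2.0+ prompt with MpsSvc and BFE running.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2: Domain = 1, Private = 2, Public = 4
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
# NET_FW_RULE_DIRECTION: In = 1, Out = 2
$dirName = @{ 1 = 'In'; 2 = 'Out' }
# NET_FW_ACTION: Block = 0, Allow = 1
$actionName = @('Block', 'Allow')

"Currently active profile mask: {0}" -f $fw.CurrentProfileTypes

foreach ($id in 1, 2, 4) {
    $name      = $profiles[$id]
    $enabled   = $fw.FirewallEnabled($id)
    $inAction  = $fw.DefaultInboundAction($id)
    $outAction = $fw.DefaultOutboundAction($id)
    "{0,-8} FirewallEnabled={1,-5} DefaultInbound={2,-5} DefaultOutbound={3}" -f `
        $name, $enabled, $actionName[$inAction], $actionName[$outAction]
}

# Count rules per direction, enabled vs. total. A stock install carries well over a
# hundred rules; zero, or only a handful, means the rule set has been wiped.
$counts = @{ 'In' = @{ Enabled = 0; Total = 0 }; 'Out' = @{ Enabled = 0; Total = 0 } }
foreach ($rule in $fw.Rules) {
    $d = $dirName[[int]$rule.Direction]
    $counts[$d].Total += 1
    if ($rule.Enabled) { $counts[$d].Enabled += 1 }
}
foreach ($d in 'In', 'Out') {
    "{0,-3} rules: {1} enabled of {2} total" -f $d, $counts[$d].Enabled, $counts[$d].Total
}

# Heuristic (my own, not a Microsoft check): enabled inbound ALLOW rules bound to no
# program and no specific local port. A normal baseline has few or none of these.
$fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    -not $_.ApplicationName -and (-not $_.LocalPorts -or $_.LocalPorts -eq '*')
} | ForEach-Object { "Broad inbound allow: {0}" -f $_.Name }
```

If the counts come back at or near zero, the rule set can be rebuilt without a reinstall: `netsh advfirewall reset` restores the out-of-box policy, or, to get a policy matching a known-good machine of the same role, run `netsh advfirewall export "C:\baseline.wfw"` there and `netsh advfirewall import "C:\baseline.wfw"` here. Either way, re-run the script afterwards and re-check the counts.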
 
Server 2008 has the same kernel (6.1) as Windows 7, so hopefully it'll work.

Since we're experimenting a little, it'll be very important to create a new restore point.
I can see that one missing registry key is actually affecting System Restore, so I'm not sure if you can do it.

Give it a shot and let me know if you can create a new restore point.
 
OK, registry backup completed. Though, thinking about it, Windows Repair made a "restore point" (though I think it was a Volume Shadow Copy Service backup) before it ran chkdsk.
 
Farbar Service Scanner Version: 06-08-2012
Ran by frank (administrator) on 09-08-2012 at 20:16:21
Running from "C:\Users\frank\Desktop"
Microsoft Windows Server 2008 R2 Standard (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.
The ServiceDll of RpcSs service is OK.

Other Services:
==============

File Check:
========
ATTENTION!=====> d:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\dhcpcore.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\wuaueng.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\cryptsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> d:\Windows\System32\rpcss.dll FILE IS MISSING AND SHOULD BE RESTORED.

**** End of log ****
 