  • Urgent please help...unknown viruses infected W2K3 DCs.

    Dear All,
    Please help...I'm running Windows 2003 DCs. Three DCs are now infected. I am unable to install antivirus software on any of these machines. The following are the symptoms I'm facing.

    1. Unable to access Safe Mode.
    2. Unable to execute antivirus apps when trying to install.
    3. Tried booting up with AVG (rmslt.exe), downloaded from the AVG website; it notified that the virus cannot be scanned because it is active in memory and that it will complete scanning after reboot. I performed as supervised; after 2-3 hours of scanning there was nothing found. I'm stuck, not sure what kind of viruses these are.
    4. When mapping this domain's C: and D: drives and scanning from another PC, it found numerous viruses of the Win32/Sality.gen type.
    5. The C:\Windows\Temp folder keeps growing with numerous *.exe files being created by themselves. The only way to delete them is to end the task and delete, but the same files keep coming back again and again.
    6. Inside Windows Firewall, it enabled itself with tons of IPsec boxes checked.

    Above are the characteristics of this type of virus. I am not sure what type; please help, urgent.

    Thank you so much in advance,
    dykirin
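An added triage helper, not code from the thread: run from a clean workstation against the DC's mapped drive (as the poster did in symptom 4), it inventories executable files under the Temp folder by hash and creation time, so the recurring files in symptom 5 can be listed and submitted for offline scanning without executing anything on the infected DC. The extension set and the constructed sample folder are assumptions.

```python
import hashlib
import os
import tempfile

# Assumed file types to inventory; the post itself only mentions *.exe.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".pif"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_executables(root, since_epoch):
    # One record per executable-type file under root. A file is flagged
    # "recent" if its st_ctime is newer than since_epoch: on Windows that is
    # the creation time (POSIX reports inode change time, so only approximate).
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records.append({"path": full, "size": st.st_size,
                            "ctime": st.st_ctime,
                            "recent": st.st_ctime > since_epoch,
                            "sha256": sha256_of(full)})
    return records

def group_by_hash(records):
    # sha256 -> paths: identical bytes under many names point to one dropper
    # re-creating the same component, the pattern the post describes.
    groups = {}
    for r in records:
        groups.setdefault(r["sha256"], []).append(r["path"])
    return groups

def build_constructed_sample():
    # Constructed stand-in for a mapped Temp folder (not real malware):
    # two identical .exe copies, one different .exe, one non-executable file.
    d = tempfile.mkdtemp(prefix="temp_triage_")
    for name, data in (("a.exe", b"MZ-copy"), ("b.exe", b"MZ-copy"),
                       ("c.exe", b"MZ-other"), ("notes.txt", b"text")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

Point the root at the mapped drive's Windows\Temp and pass the epoch time of the last known-clean state; the grouped hashes are what you hand to the offline scanner.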

  • #2
    Re: Urgent please help...unknown viruses infected W2K3 DCs.

    It sounds like you're going to have to take drastic measures. Here's what you can try:

    1. Shut all infected computers off.
    2. Build a BartPE or UBCD4WIN CD and add AV plugins.
    3. Boot up one computer at a time with aforementioned CD and perform AV scan.

    If you're lucky you'll be able to get them clean with this method.

    http://www.ubcd4win.com/

    http://www.nu2.nu/pebuilder/



    • #3
      Re: Urgent please help...unknown viruses infected W2K3 DCs.

      IMHO:
      1) Pull the network cables on all your DCs (shut down the network)
      2) Download the bootable versions of as many AVs as you can
      3) Burn to bootable CDs
      4) Run all of them on all your DCs -- clean each one "offline"
      5) Bring up known clean DCs in turn and monitor very closely

      Do you have any existing AV software on the DCs?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Urgent please help...unknown viruses infected W2K3 DCs.

        Hi gentlemen,
        Thank you so much for the prompt response. My mistake was that I did not install AV on each of these DCs. I had NOD32 on all of them, but uninstalled it to change to McAfee 8.7i. I let two weeks fly by; this is how they got infected. I need to follow the instructions joeqwerty gave me, right? I will take action on it ASAP. Once again, thank you so much to both of you; I will let you know upon completion.

        Rgds,
        dykirin



        • #5
          Re: Urgent please help...unknown viruses infected W2K3 DCs.

          More info on what you are facing: http://www.threatexpert.com/report.a...913b50a8f52ef8

          Have you followed the removal instructions as per this site: http://www.avg.com/virus-removal.ndi-67769

          I know you mentioned using rmslt.exe already, but you don't mention anything about "Update your AVG after restart and run a complete test. Should any infected files be found, delete them or restore from backup".
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR



          • #6
            Re: Urgent please help...unknown viruses infected W2K3 DCs.

            Hi L4ndy,
            I am lost as to what this means -->
            "Update your AVG after restart and run a complete test. Should any infected files be found, delete them or restore from backup."

            Does this mean that after rmslt.exe has finished running during W2K3 startup, I then log on to W2K3 and need to update AVG? If I understand this correctly, I have no AVG installed on my DC; therefore, the only way to run the scan is during the restart, as the DC is unable to execute rmslt.exe within Windows. What I did was copy rmslt.exe to c:\rmslt.exe, then go to DOS, c:\>rmslt.exe ENTER; the file executed and prompted with a message that I must reboot the server. During the restart and scanning no viruses were found.

            thanks,
            dykirin



            • #7
              Re: Urgent please help...unknown viruses infected W2K3 DCs.

              Hi,

              I was under the impression you were using AVG, but I can see you were using McAfee since the alias was W32/Sality.gen.
              The utility in question is provided by AVG and it should work in conjunction with their AV software.
              It'll probably be fine with any other AV but I'd personally use AVG with that particular utility since they are saying it'll remove it.
              Viruses that are memory resident can't be removed until the system is rebooted.
              But removing the virus is only the tip of the iceberg. Getting rid of the aftermath caused by its payload is the problem.
              That's why I'd suggest, after a full virus scan, doing several antispyware scans, checking for any rootkits, etc.



              • #8
                Re: Urgent please help...unknown viruses infected W2K3 DCs.

                40 posts and you still add to the thread Title, Urgent please help...

                This is NOT helpful, NOT descriptive of your problem and NOT acceptable. Please do NOT make a Title like that again. Thank you.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: please help...unknown viruses infected W2K3 DCs.

                  Administrator,
                  First of all, I didn't know if I had to remove "urgent" from the topic; I thought I shouldn't touch the topic to keep on track. Anyway, I apologize for "urgent".

                  L4ndy,
                  FYI - Currently I have no AV installed on my DCs. I used to have NOD32 installed, then I uninstalled it. I left three DCs without any AV installed for 2 weeks; that is how I got 3 DCs infected with viruses.

                  I will work on your original suggestion tomorrow during working hour. I'm off work now..

                  thanks,
                  dykirin



                  • #10
                    Re: Urgent please help...unknown viruses infected W2K3 DCs.

                    ComboFix

                    VundoFix

                    Google them, I find mainstream AV products to be garbage once you actually have an infection.



                    • #11
                      Re: Urgent please help...unknown viruses infected W2K3 DCs.

                      Hi Garen,
                      I found the information below, and it makes me afraid to download your suggestion. I found it at -->> http://www.softpedia.com/get/Antivirus/VundoFix.shtml

                      VundoFix description

                      A useful application that will clean Virtumonde viruses from your computer
                      VundoFix.exe is a removal tool developed to remove Virtumonde infections.

                      If you are infected, you will be bombarded with popups for WinFixer, Amaena, WinAntiVirus, ErrorSafe, SystemDoctor and DriveCleaner.

                      Downloading and running these Fraudware applications will result in a fake scan telling you that you are infected with malware then telling you that you need to buy their program to remove the malware that it found. DO NOT BUY THESE PROGRAMS. They are scams and will not remove anything but could possibly make your infection worse.
                      A slowdown in PC performance may also be noticed when Vundo is running as well as the possibility of random BSOD's.



                      • #12
                        Re: Urgent please help...unknown viruses infected W2K3 DCs.

                        IF you have Vundo you WILL get the popups
                        The fix posted will remove them
                        It is safe
                        Tom Jones
