Just wondering if anyone had any ideas about this as I'm stumped!
One of the Windows 2003 servers I set up last year for a company recently started behaving weird, backups not running correctly and the like. Turned out when I went on there were weird processes running as infected and weird DLLs in the system32 folder.
The system is running McAfee Enterprise VirusScan, did a full scan and it reported no infections, fully up to date also... Also had similar silly behaviour with iexplore and explorer just randomly hanging and crashing, and internet popups coming up quite frequently too.
After some searching around it turns out some of the registry keys associated with the weird DLLs in system32 were created by an application run by a company that supplies them with their accounting software... as they usually remotely dial in to fix problems, update software, etc. So I guess one of their files was infected...
I guessed it would be spyware, so Ad-Aware and Spybot Search & Destroy were installed, updated both and scanned the system fully; it found tons of registry keys and DLLs, and told me it had 'fixed' these problems. After following the paths it had given me for the DLLs, it appeared that they were still present, and upon trying to delete them I got the usual 'file is in use' etc.
Every time the two spyware applications were run, the same problems were found, so obviously it wasn't getting rid of them as it said it was. I got hold of a program called 'Unlocker' to see what processes were using the weird DLLs in system32; it showed that they were explorer.exe, lsass.exe and winlogon.exe. The application allowed you to select the DLLs and they would be deleted on the next reboot, which I was hoping would work as they wouldn't have got a hook on the processes yet. I wasn't so lucky.
I thought I'll search Google for the DLL names, but they returned no results whatsoever, none of them... So I thought they must be randomly generated file names. I had a play with regedit, using Find to search for any keys associated with the DLL file names; every time I found one and deleted it, it came back, which I expected.
Oh, and I tried safe mode before all this, but for some reason the system would start up, show the CTRL+ALT+DEL login, and as soon as you logged in the system would reboot, so I had to use normal mode all the way through...
I thought there was no way I would get rid of these files through Windows, so I used a Linux LiveCD, booted into it, mounted the hard drive and removed the DLLs; worked perfectly. Booted back into Windows, the files were gone, left the system for half an hour and had another look, they had gone for good. Now I set about cleaning the crap out of the registry, got rid of all the keys associated with the DLLs that were deleted... Then ran Ad-Aware and Spybot again; Ad-Aware returned nothing, and Spybot a few keys I had missed. Cleaned them and scanned with Spybot again, which this time returned a clean system.
It was left a few hours, then I decided to run Spybot again, and it found more registry keys... which is the bit I don't understand at all. It didn't find any DLLs or other files, nor did Ad-Aware on another scan. I did a full system scan with McAfee also, returned nothing. No dodgy folders inside the WINDOWS folder or its subfolders, and nothing weird in Program Files...
Just wondering if anyone has any idea how the hell these registry keys are coming back when there are no DLLs present, or executables etc?
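A check the question points at, added here and not part of the original post: the locked DLLs were held open by explorer.exe, lsass.exe and winlogon.exe, which are fed by a handful of well-known registry load points, so snapshotting those keys, flagging entries whose target file no longer exists, and diffing on each run shows which key comes back and when, which can then be lined up against scheduled tasks, services and the vendor's remote-support software. It assumes PowerShell is installed on the box (a separate download on Windows 2003) and the snapshot path is a placeholder.

```powershell
# Added example, not from the original post: snapshot the registry locations that load
# DLLs into explorer.exe, winlogon.exe, lsass.exe and iexplore.exe, flag entries whose
# target file no longer exists, and diff against the previous snapshot with a timestamp.
$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad', # explorer.exe
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',                 # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',                # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',         # winlogon.exe DLLs
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'                                  # lsass.exe packages
)
$Snapshot = 'C:\autostart-baseline.txt'   # assumed path; any writable location will do

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $Locations) {
        # Winlogon\Notify keeps one subkey per notification DLL, so walk subkeys as well
        $keys = @(Get-Item $key -ErrorAction SilentlyContinue) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            if ($null -eq $k) { continue }
            foreach ($name in $k.GetValueNames()) {
                $value = [string]$k.GetValue($name)          # REG_MULTI_SZ joins with spaces
                if ($value -ne '') { $entries += ('{0}!{1}={2}' -f $k.Name, $name, $value) }
            }
        }
    }
    return @($entries | Sort-Object -Unique)
}

function Test-MissingTargets {
    param([string[]]$Entries)
    foreach ($e in $Entries) {
        $value = $e.Split('=', 2)[1]
        # Crude tokenizer: quoted paths with spaces get split, so treat hits as leads, not verdicts
        foreach ($t in ($value -split '[\s,;"]+' | Where-Object { $_ -match '\.(dll|exe)$' })) {
            # Bare names (the form Notify and Lsa entries use) resolve relative to system32
            $path = if ($t -match '\\') { $t } else { Join-Path $env:SystemRoot "system32\$t" }
            if (-not (Test-Path -LiteralPath $path)) { 'MISSING TARGET: {0} -> {1}' -f $e, $path }
        }
    }
}

$current  = Get-AutostartEntries
$previous = if (Test-Path $Snapshot) { @(Get-Content $Snapshot) } else { @() }
if ($previous.Count -gt 0) {
    foreach ($d in (Compare-Object -ReferenceObject $previous -DifferenceObject $current)) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        '{0} {1}: {2}' -f (Get-Date -Format s), $tag, $d.InputObject
    }
}
Test-MissingTargets -Entries $current
$current | Set-Content $Snapshot   # becomes the baseline for the next run
```

Run it once to write the baseline, then from a scheduled task every few minutes; the first ADDED line after a clean run tells you the minute the key came back, which narrows down which process recreated it.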