
Is the malware removed from our server?

  • 24-03-2011 6:16pm
    #1
    Closed Accounts Posts: 89 ✭✭


    We had a problem with our server where malwarebytes picked up an infection earlier today and deleted it.

    The only details I have on that infection are from the MWB log -
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Since then, the networking on the server has gone very inconsistent. It is dropping on and off the network. We have a very simple setup with a drive shared out over a workgroup, and don't use a domain at all.

    I've followed the main steps in the 'I think I have a virus' thread, although things like Erunt, TFC and DDS won't run on the Windows SBS 2003 that we have. The superantispyware is running now.

    There is an intermittent unusual looking yellow triangle with an exclamation point in the system tray.

    What should I do next, please?


Comments

  • Closed Accounts Posts: 89 ✭✭suas


    So far, after 2 hours, superantispyware hasn't found anything except some cookies, and the AVG scan (paid version) has just a file with a broken digital signature.

    I used winsockfixxp, a colleague recommended it, but only after using it did I read that it's not suitable for SBS03. In any case, it seems to have fixed things up and the network connection is stable now for the past 30 minutes or so.

    Any other tips please? Is there an equivalent of Hijack This for SBS03, is it any use to run something like that?


  • Closed Accounts Posts: 89 ✭✭suas


    The malwarebytes scan completed on the server and found nothing, the AVG (paid) scan also found nothing and the superantispyware also just reported tracking cookies and nothing serious.

    Yet, in the system tray, there is this odd looking (non Windows) yellow triangle with an exclamation mark, like this one:
    [image: yellow warning triangle sign with exclamation mark]

    When I clicked on it, it disappeared.

    The problem that we're seeing is that the server is randomly dropping off the network, and I suspect malware since all this started when the item was removed by malwarebytes yesterday.

    Are there any investigative tools I can safely run on the server, please?


  • Registered Users, Registered Users 2 Posts: 3,491 ✭✭✭francois


    Is there intermittent connectivity? May be a dodgy cable or NIC. Do you use a static IP for the server?


  • Closed Accounts Posts: 89 ✭✭suas


    That would be my first suspect if this problem hadn't started at exactly the same time as this malware was removed - and also if the odd triangle wasn't appearing.

    The NIC may have failed, or the driver for it may be corrupted/buggy. I'll try reinstalling the driver this evening when people have left, and will also replace the ethernet cable.

    We do use a static IP. Bizarrely yesterday, something was replying to a ping to that static IP even when the server was physically disconnected from the network, and that confused me!


  • Registered Users, Registered Users 2 Posts: 3,491 ✭✭✭francois


    suas wrote:
    That would be my first suspect if this problem hadn't started at exactly the same time as this malware was removed - and also if the odd triangle wasn't appearing.

    The NIC may have failed, or the driver for it may be corrupted/buggy. I'll try reinstalling the driver this evening when people have left, and will also replace the ethernet cable.

    We do use a static IP. Bizarrely yesterday, something was replying to a ping to that static IP even when the server was physically disconnected from the network, and that confused me!

    Well, that sounds like the cause: something else has that IP by the sounds of it. Change the server IP and see if you still have problems.
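A small added check for the duplicate-IP explanation in the reply above (example code, not from the thread): from another PC on the LAN, ping the server's static IP while the server is unplugged, then capture `arp -a`, and compare the MAC cached for that IP with the server's own NIC address from `ipconfig /all`. The ARP output and addresses below are constructed placeholders.

```python
"""Check a Windows ARP table for a second host answering on the server's static IP.

Added example, not from the thread. Assumes `arp -a` was captured on a Windows
PC on the same LAN right after pinging the server's IP, and that the server's
own MAC address is known (constructed values are used here).
"""
import re

# Constructed sample of Windows `arp -a` output; all addresses are placeholders.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.10          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry: IPv4 address, dash-separated MAC, and the type column.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to lower-case dashes."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_ip_claim(arp_text, server_ip, server_mac):
    """Classify who is answering on server_ip.

    Returns one of:
      'absent'   - nothing cached for that IP (expected while the server is unplugged)
      'server'   - the cached MAC is the server's own NIC
      'conflict' - a different MAC answers on the server's static IP
    """
    table = parse_arp(arp_text)
    mac = table.get(server_ip)
    if mac is None:
        return "absent"
    expected = server_mac.lower().replace(":", "-")
    return "server" if mac == expected else "conflict"

if __name__ == "__main__":
    # Server NIC is aa-bb-cc-dd-ee-ff, but aa-bb-cc-dd-ee-01 answers on its IP.
    print("192.168.1.10 ->", check_ip_claim(SAMPLE_ARP, "192.168.1.10", "AA-BB-CC-DD-EE-FF"))
```

A 'conflict' verdict points at a second device (or a stale static assignment) holding the address, which matches the symptom of the IP still replying with the server unplugged.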


  • Closed Accounts Posts: 89 ✭✭suas


    I rebooted every computer in the office so that they'd pick up a new IP from the DHCP server (which is the firewall) and also checked the assigned leases to see if that IP had been assigned by the firewall and it hadn't.

    I have a niggling suspicion that there are traces of the removed infection causing problems - is there a tool like hijack this or something that I can use to investigate? I'm just not sure which of those tools will run on SBS 03, and how to interpret them.

    thx


  • Closed Accounts Posts: 46 obrien.cathal


    Hi,

    Microsoft have a suite of tools called SysInternals which are the job. I use them for manually removing malware and they are excellent and comprehensive. This should not be confused with the 'Sysinternals Antivirus' malware which is floating about. There are quite a few tools in there but Process Explorer and Autoruns should see you right. If you have any questions you can PM me or contact me through the contact section of my webpage.

    Cheers,
    Cathal

