Windows 2003 Server with Backdoor Trojan


#151 rahanna (Member, Topic Starter)
Just FYI ... TeamViewer has a feature to Reboot in Safe Mode ... I tried it and it does work ...

I will give it a shot when I am on site tomorrow around 5pm and let you know ...

Thanks again and if you think of something else, let me know ...

Good night !!!

Edited by rahanna, 09 September 2012 - 11:29 PM.

#152 rahanna (Member, Topic Starter)
Ron ... I need help ...

I ran OTL [ Scan Fix ] with the text:

:files
C:\windows\system32\sens32.dll

:Commands
[Reboot]

The server rebooted and took a long time to come back ...

When I logged in, it is very slow and doesn't show the icons on the task bar ...

Also, when I launch anything it doesn't create a tab on the launch bar ...

When I run [ services.msc ] it doesn't load the services ...

I have checked under C:\Windows\System32 and the [ Sens32.dll ] is gone ... Only the [ Sens.dll ] is there ...

So why are things so messed up as I cannot even get Windows Update to run ...

Please help as I will be on site for the next couple of hours ...

Thanks,

#153 rahanna (Member, Topic Starter)
Ron,

When I tried to run Malwarebytes, I got the attached error

Please help ..

Attached: MalewareBytes_Error.JPG


#154 rahanna (Member, Topic Starter)
Ron,

Users cannot connect to the Network Mapped drives on this Server ...

Even when I log in from a workstation and browse to \\192.168.1.130\c$ I get nothing ...

Please help as I am so desperate ...

Thanks,

#155 RKinner (Malware Expert, MVP)
Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.
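The same log pull RKinner asks for above, done with built-in PowerShell instead of VEW, as an added example that is not part of this thread and not part of VEW. It assumes PowerShell 2.0 or later has been installed on the Windows Server 2003 box (it is not there by default) and that it is run from an administrator session; the output file name is an arbitrary choice, and the `Get-TriageEvents` helper is this example's own.

```powershell
# Added example, not from the thread: newest 20 Error/Warning entries from the
# System and Application logs, the same view VEW produces.
# Assumes PowerShell 2.0+ on Windows Server 2003 (not installed by default),
# run as a local administrator. The output path is an arbitrary choice.
param(
    [int]$Newest = 20,
    [string]$OutFile = "$env:USERPROFILE\Desktop\eventlog-triage.txt"
)

function Get-TriageEvents {
    param([string]$LogName, [int]$Count)
    # -EntryType limits the query to Error and Warning; -Newest caps the count.
    Get-EventLog -LogName $LogName -EntryType Error, Warning -Newest $Count |
        Select-Object TimeGenerated, EntryType, Source, EventID,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

$sections = foreach ($log in 'System', 'Application') {
    "==== $log : newest $Newest Error/Warning events ===="
    try {
        Get-TriageEvents -LogName $log -Count $Newest |
            Format-Table -AutoSize -Wrap | Out-String -Width 200
    } catch {
        # If the Event Log service itself is not running, say so in the report
        # instead of silently producing an empty section.
        "Could not read the $log log: $($_.Exception.Message)"
    }
}

$sections | Out-File -FilePath $OutFile -Encoding UTF8
Write-Host "Wrote $OutFile - paste its contents into the reply."

# Narrowing to one source/ID pair (here the Userenv 1053 entry the poster
# reports later in the thread) is a plain filter on the same objects:
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'Userenv' -and $_.EventID -eq 1053 } |
    Select-Object -Property TimeGenerated, Message -First 5
```

The script writes a text file rather than printing, so the result can be attached or pasted as VEW's output would be; if the console itself will not open (the poster's next reports), the same commands can be run remotely against the box with `Get-EventLog -ComputerName`, provided RPC to the server still works.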

#156 rahanna (Member, Topic Starter)
Ron,

Thanks for being there to help ...

I have tried VEW but it is giving me a Runtime error 462 ... See attached

None of the programs seems to be able to launch ...

Please help ...

Attached: RuntimeError.JPG


#157 rahanna (Member, Topic Starter)
Ron,

I am checking under the Windows Event Viewer and got several errors ...

Under Application:

Userenv .......... Error ID: 1053

Under System:

Failure Audit [Source Windows Script] .... Event ID 1000

Unfortunately, I cannot access the properties of any error event by double-clicking or by right-clicking and choosing Properties ...

What could have gone wrong???

#159 rahanna (Member, Topic Starter)
Ron,

Just FYI ... I cannot launch IE ... Only FireFox ...

#160 RKinner (Malware Expert, MVP)
Can you boot into Safe Mode with Networking?
#161 rahanna (Member, Topic Starter)
Ron,

OK ... I am in Safe Mode with Networking now ...

#162 rahanna (Member, Topic Starter)
Still not able to launch IE in Safe Mode ...

I am looking at the Task Manager and SmcGui.exe starts and then drops immediately ...

What do you think ???

#163 RKinner (Malware Expert, MVP)
Can you read the event logs now?

Can you tell the sens service not to run? Open a command prompt and type:

sc config sens start= disabled

Can you run an OTL:

Run OTL (Vista or Win 7 => right click and Run As Administrator)


Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Does services.msc work? How about regedit?

When you go into the Safe Mode menu is there a last known good option?
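A check to go with the `sc config sens start= disabled` step above, as an added example that is not part of this thread: it reads how the SENS service is registered, so you can see whether svchost is being told to load the stock sens.dll or something else, lists any other service value that mentions sens32.dll (the question put to regseeker in the next post), and then applies the same disable. It assumes PowerShell 2.0 or later on the server, run as administrator. The registry paths are the standard per-service keys, and the expectation that the service DLL is %SystemRoot%\system32\sens.dll is the stock Windows layout, not something taken from this thread; the helper function names are this example's own.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ on the server,
# run as a local administrator. Key paths are the standard per-service keys
# under CurrentControlSet; the expected DLL is the stock Windows value.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SENS'

function Get-SensConfig {
    # Start type (2 = Automatic, 3 = Manual, 4 = Disabled), the svchost
    # ImagePath, and the DLL svchost actually loads for this service.
    $main  = Get-ItemProperty -Path $svcKey -ErrorAction Stop
    $param = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction Stop
    New-Object PSObject -Property @{
        Status     = (Get-Service -Name SENS).Status
        Start      = $main.Start
        ImagePath  = $main.ImagePath
        ServiceDll = $param.ServiceDll
    }
}

function Test-SensDll {
    param([string]$ServiceDll)
    # Clean value: %SystemRoot%\system32\sens.dll (or the expanded path).
    # Anything else (sens32.dll, a path outside system32, an empty value)
    # is the kind of hijack the thread is chasing.
    ($ServiceDll -match '^%SystemRoot%\\system32\\sens\.dll$') -or
    ($ServiceDll -match '^[a-z]:\\windows\\system32\\sens\.dll$')
}

function Find-RegistryReferences {
    param([string]$Root, [string]$Pattern)
    # Walk a registry subtree and report every value whose data matches
    # $Pattern. Access-denied keys are skipped rather than aborting the walk.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $Pattern) { "$($key.Name)\$name = $data" }
        }
    }
}

$cfg = Get-SensConfig
$cfg | Format-List Status, Start, ImagePath, ServiceDll
if (-not (Test-SensDll $cfg.ServiceDll)) {
    Write-Warning "SENS ServiceDll is '$($cfg.ServiceDll)', not system32\sens.dll"
}

"Values under Services that mention sens32.dll:"
Find-RegistryReferences -Root 'HKLM:\SYSTEM\CurrentControlSet\Services' -Pattern 'sens32\.dll'

# Same effect as "sc config sens start= disabled"; takes effect at next boot.
Set-Service -Name SENS -StartupType Disabled
"SENS start type is now: $((Get-ItemProperty -Path $svcKey).Start)"
```

Two caveats a practitioner would keep in mind: the walk reads the live registry, so anything that is actively filtering registry views on the infected box can still hide from it (RKinner's "now that it is not there to hide itself" is the same concern), which is a reason to run it in Safe Mode or after the file has been quarantined; and a ServiceDll that still names sens32.dll while the file has been removed by OTL explains a SENS host that never comes up, which is exactly the symptom being debugged here.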

#164 RKinner (Malware Expert, MVP)
SmcGui.exe is Symantec. Possibly it has crashed. Can you uninstall/reinstall it when you get back to regular mode?

Does regseeker run? Can you have it look for sens32.dll and see if it shows up anywhere else now that it is not there to hide itself?

#165 RKinner (Malware Expert, MVP)
Do you still have the sens.reg from the good server? Try right clicking and merging it to the registry then rebooting.

If all else fails we can put the file back. It is hiding in C:\_OTL\RemovedFiles\c\windows\system32\sens32.dll (may have a .vir or something on the end).