
Windows Server 2003 - login issues, can't access windows update si


  • This topic is locked

#16 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello again toddalmond,

I suspected that the infection detected in icasetup.x86.CAB was a false-positive


Well done that man.

Hopefully there is something else we can try...


Oh yes, just a matter of which is most appropriate tool.

I am suspecting a rootkit that we haven't pinned down yet but just in case this is coming from another computer; is this machine networked? Tell me when you return.

In the meantime:

Please download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Post the contents of RootRepeal.txt in your next reply.
#17 toddalmond (Topic Starter, Member, 17 posts)
Hi emeraldnzl,
I tried to run the RootRepeal scan earlier this morning and it stalled the server; I had to do a hard boot to get it back. I think I will have to pick this up on the weekend, during non-production time; I'll try to run it in safe mode or something. Do you have any idea how long a typical scan takes?

(yes, the server is networked)

#18 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello again toddalmond,

(yes, the server is networked)


Okay, I have not worked with Windows Server 2003 before, but it is my understanding that if computers (computer/server) and server are connected via a network then our regular tools will not work.

Further, some types of infection can be on any one of the connected machines and while cleared on one, may well re-infect from an uncleaned machine.

I suspect this is a work machine.

Generally at this site we are restricted to helping those with home computers for personal use, see Terms of Use and in particular under item 3. Geeks to Go Support Forum Rules, Policies and Disclaimers:

We offer free computer help and tech support for home and personal use. We are not here to support others that work for profit, or to support/replace your company's IT department.


If you are in a work situation you should refer to your company's IT department or your IT support contractor.

Having said that here are a couple of suggestions:

Try running MBAM on all computers.

Go to OpenDNS and follow the instructions on the page. That will set you up with your own DNS lookup and bypass the router settings. You will need to register, but it is free (the basic version - see the Use OpenDNS tab) and very simple to set up. Once you have done that, re-run MBAM, reboot and re-run MBAM again. After that, see if the problem still persists. I will be interested to hear back from you.

Link to tutorial on use of OpenDNS:

https://www.opendns....start/computer/

#19 toddalmond (Topic Starter, Member, 17 posts)
Hi Emerald,

A bump to keep the topic alive.

Me and one other guy are the IT department; we can't seem to nail this thing down. I would love to be able to run these tools myself, but I can't really find any meaningful tutorials for any of them, hence the Geeks to Go posts.

This past weekend saw a different software upgrade happen, so no anti-malware work was done.

None of the other servers experience the issues this one does, but I will try the MBAM plan as soon as possible. I also downloaded a ComboFix that is said to work in Server 2003; I'll try that too.

#20 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi toddalmond,

can't really find any meaningful tutorials


Most tutorials won't be available to the public, but this one is:

http://www.geekstogo...It-t277391.html

I should say that there is an amendment to that which I am working on that may be helpful to you. It's a way of deleting bad files from multiple drives. Unfortunately I need to wait for the tool developer to confirm that I have it right before I post it.

In any event, I think the Malwarebytes approach may help, as will the ComboFix one. Please post the logs. If the MBAM one turns up an infection in a modem then we will need to take further action.

Look forward to hearing from you.

#21 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello toddalmond,

In reply to your PM about testing with a Virtual Machine and a faulty Master Boot Record.

I don't know about the Virtual Machine, although my memory... (which is often faulty lol) tells me that there may be an issue there.

Turning to your real machine.

You really need an IT specialist who understands the 2003 Server, but for what it's worth, here are some observations:

Problems with the Master Boot Record can be caused by a number of things, including user error (i.e. the user tries to do something that the system cannot execute, or changes something that should not be changed), corruption of one sort or another, or a virus.

Technical

It is my understanding that with Windows 2003 Server there are technical issues that can cause difficulties with the MBR. This is not to say that your situation is a result of doing something wrong, rather just to alert you that things may not be as simple with that system.

Corruption

Chkdsk may be a useful tool if the problem is caused by corruption, although there are some things it can't fix.

To run chkdsk, open a command prompt and enter

CHKDSK /r /f

If your MBR fault is caused by general corruption or by infection, then, if you have the Recovery Console loaded (you have used/attempted to use ComboFix - it's possible CF has installed the RC), try booting to it and running the FIXMBR command. This often works, although some infections have a workaround... worth a try though.

Log on to the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following entry, and press 'Enter':

fixmbr

After that re-run ComboFix if you have been able to run it. Post the log back here.

Malware

Today there are a number of rootkit infections that infect the MBR. Some of the latest ones are very hard to detect. Depending on what sort of infection it is, there are tools to deal with them on a standard machine, but again I say some of ours may not work in your situation, and in any case it is risky to use them on a machine they are not designed for.
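The post above lists corruption and MBR rootkits as the two main causes of a bad Master Boot Record. As an added example that is not part of this thread or any tool mentioned in it, the following Python script checks a saved copy of the first sector (512 bytes, assumed to have been dumped to a file with a disk imaging tool) for structural corruption and compares its bootstrap code against a hash taken from the same machine when it was known to be clean; the sample image it runs on is constructed inline.

```python
import hashlib
import struct

TABLE_OFFSET = 446            # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_partitions(mbr):
    """Decode the four 16-byte partition entries that follow the boot code."""
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return parts

def bootcode_sha256(mbr):
    """Hash of the bootstrap region only; record this from a known-clean machine."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()

def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(mbr) != 512:
        return ["image is %d bytes, expected 512" % len(mbr)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing (corrupt or overwritten MBR)")
    parts = parse_partitions(mbr)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid partition status byte (table corruption)")
    if sum(p["status"] == 0x80 for p in parts) > 1:
        findings.append("more than one partition marked active")
    used = sorted((p for p in parts if p["type"]), key=lambda p: p["lba"])
    if any(a["lba"] + a["count"] > b["lba"] for a, b in zip(used, used[1:])):
        findings.append("partition entries overlap")
    if baseline_sha256 and bootcode_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from baseline (possible MBR rootkit)")
    return findings

def build_sample_mbr(with_signature=True):
    """Constructed test image: placeholder boot code plus one active NTFS partition."""
    bootcode = b"\xfa\x33\xc0" + b"\x90" * (TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48   # three unused entries
    return bootcode + table + (BOOT_SIGNATURE if with_signature else b"\x00\x00")

if __name__ == "__main__":
    clean = build_sample_mbr()
    print(check_mbr(clean, bootcode_sha256(clean)))             # clean image: no findings
    print(check_mbr(b"\xeb" + clean[1:], bootcode_sha256(clean)))  # one byte of boot code changed
```

To use it on a real dump, replace the constructed sample with the bytes read from the saved sector file and keep the baseline hash somewhere the server cannot overwrite it.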

#22 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.