Question:
windows server 2003 security?
mat c
2009-03-28 00:56:20 UTC
We have a Windows Server 2003 and it was infected with the sowar virus. Folder Options, Registry Editor and Task Manager were all disabled, and the default home page was changed to a pornographic site. How can I remove the virus? I hope it doesn't involve reformatting the server. And what antivirus software is available to use on the server? Please help.
Five answers:
2009-03-28 01:17:15 UTC
Sounds like something I've had before. Bloody annoying virus, not the same but similar.

Okay. What you should do is get gpedit.exe, or gpedit.msc, up (if you still have access to that), then change what disables Task Manager (User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options). Next, change what is disabling Folder Options (somewhere in User Configuration\Administrative Templates\Windows Components\Windows Explorer).

I'm not sure about the anti-virus applications for servers, but try ThreatFire (it might work). There is a cmd script application for a virus like this.

Actually, I have a better idea: I'll give you the VBS code. Put the following code into Notepad and save it as a .vbs file. Do not include the hyphens at the beginning and end; they are there to separate the code from my writing.



--------------------------------------------------------------------------------
' Removal script for the amvo / avpo / n1detect family of autorun.inf worms.
' Run it as an administrator (cscript removal.vbs). On Error Resume Next hides
' every failure, so check the drive roots and System32 by hand afterwards.
On Error Resume Next

Dim objShell, objFSO, objTextStream, objRegex
Dim colDrives, objDrive, colRegexMatches, element
Dim strIpFileText, strTarget, nret

' File-name patterns this family has used. Kept for reference; the cleanup
' below works from what autorun.inf actually points at, not from this list.
Dim Lista
Lista = Array("n1de?ect.com", "nide?ect.com", "nlde?ect.com", "j*.bat", "m*.com", "d*.com", "copy.exe", "host.exe", _
              "a0*.com", "ntdeiect.com", "ntdelect.com", "u?de*.com", "ntde1ect.com", "x*.com", "tio*.*", _
              "80*.com", "semo*.exe", "autorun*.*", "x*.exe", "yl*.exe", "qd*.cmd")

Set objShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives

' Run a command line through cmd.exe in a hidden window and wait for it to finish.
Sub RunHidden(strCmd)
    nret = objShell.Run("cmd /C " & strCmd, 0, True)
End Sub

' Strip hidden/system/read-only attributes from the droppers in System32, then delete them.
Sub CleanSystem32()
    RunHidden "attrib -s -h -r c:\windows\system32\amvo*.*"
    RunHidden "attrib -s -h -r c:\windows\system32\avpo*.*"
    RunHidden "attrib -s -h -r c:\windows\system32\help.exe.tmp"
    RunHidden "attrib -s -h -r c:\windows\system32\semo*.*"
    RunHidden "attrib -s -h -r c:\windows\system32\semo*.*.*"
    RunHidden "del /f c:\windows\system32\amvo*.*"
    RunHidden "del /f c:\windows\system32\avpo*.*"
    RunHidden "del /f c:\windows\system32\semo*.*.*"
    RunHidden "del /f c:\windows\system32\semo*.*"
End Sub

WScript.Echo "Software provided by MyGeekSide.com to remove malicious software amvo, avpo, n1detect and variants"
WScript.Echo "The search and removal process can take some seconds. Please be patient."

' Kill the resident processes first, so they cannot recreate the files being deleted.
RunHidden "taskkill /f /im amvo.exe"
RunHidden "taskkill /f /im avpo.exe"
RunHidden "taskkill /f /im semo2x.exe.tmp"
RunHidden "taskkill /f /im semo2x.exe"
RunHidden "taskkill /f /im help.exe.tmp"

' Collect the contents of autorun.inf from the root of every ready drive.
strIpFileText = ""
For Each objDrive In colDrives
    If objDrive.IsReady = True Then
        RunHidden "attrib -s -h -r " & objDrive.DriveLetter & ":\autorun.inf"
        If objFSO.FileExists(objDrive.DriveLetter & ":\autorun.inf") Then
            Set objTextStream = objFSO.OpenTextFile(objDrive.DriveLetter & ":\autorun.inf", 1)
            strIpFileText = strIpFileText & vbCrLf & objTextStream.ReadAll
            objTextStream.Close
        End If
    End If
Next

' Pull the "open=file.exe" style targets out of the collected autorun.inf text.
Set objRegex = New RegExp
objRegex.Pattern = "=\w+(\.com|\.bat|\.exe|\.pif|\.scr|\.svd|\.dat|\.tmp|\.cmd)"
objRegex.Global = True
objRegex.IgnoreCase = True
Set colRegexMatches = objRegex.Execute(strIpFileText)

' Delete each referenced file, and autorun.inf itself, from the root of every drive.
For Each element In colRegexMatches
    strTarget = Replace(element.Value, "=", "")
    WScript.Echo "Proceeding to remove virus file: " & strTarget
    For Each objDrive In colDrives
        If objDrive.IsReady = True Then
            WScript.Echo "Cleaning drive: " & objDrive.DriveLetter
            RunHidden "attrib -s -h -r " & objDrive.DriveLetter & ":\" & strTarget
            RunHidden "del " & objDrive.DriveLetter & ":\" & strTarget & " /f /q /a"
            RunHidden "del " & objDrive.DriveLetter & ":\autorun.inf"
        End If
    Next
Next

CleanSystem32

WScript.Echo "Proceeding to restore the registry so hidden files can be seen"

' Autostart entries the worm adds under the user's Run key.
RunHidden "reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v amva /f"
RunHidden "reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v avpo /f"
RunHidden "reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v avpa /f"

' Explorer "show hidden files" settings, per user and machine-wide.
RunHidden "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f"

' Folder Options UI definitions the worm rewrites so "Show hidden files" cannot be re-enabled.
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f"
RunHidden "reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v CheckedValue /t REG_DWORD /d 0 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v DefaultValue /t REG_DWORD /d 0 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden /v Type /t REG_SZ /d Group /f"

' Re-enable Folder Options and the Registry Editor.
RunHidden "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f"
RunHidden "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f"
RunHidden "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f"

' Restart Explorer so the restored settings take effect.
RunHidden "taskkill /f /im explorer.exe"
RunHidden "start explorer.exe"

' Second pass over System32. The answer as posted breaks off partway through repeating these commands.
CleanSystem32

Set objRegex = Nothing
Set objTextStream = Nothing
Set objFSO = Nothing
Set objShell = Nothing
--------------------------------------------------------------------------------
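An added example, not from the answer above or from MyGeekSide: a small Python script showing the same autorun.inf cleanup logic as the VBScript, but parsing the [autorun] section properly (open=, shellexecute= and shell\...\command= keys, quoted values, arguments, paths in subdirectories) and quarantining instead of deleting, so the droppers survive for analysis. It runs against a constructed directory tree so it can be tried offline; the sample autorun.inf contents and file names are made up for the demo and are not indicators from the page. The page-style regex is included only to compare what it catches.

```python
import os
import re
import shutil
import tempfile

# Keys in [autorun] whose value names a program the shell will launch.
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
                        re.IGNORECASE)

# The bare "=name.ext" pattern used by the VBScript answer, for comparison.
PAGE_STYLE = re.compile(r"=(\w+\.(?:com|bat|exe|pif|scr|svd|dat|tmp|cmd))", re.IGNORECASE)


def launch_targets(autorun_text):
    """Return the relative paths an autorun.inf would execute, in file order.

    Honours the [autorun] section, quoted values, arguments after the program
    and paths in subdirectories, which a bare '=name.exe' regex does not.
    """
    section = None
    targets = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun":
            continue
        m = LAUNCH_KEY.match(line)
        if not m:
            continue
        value = m.group(2)
        if value.startswith('"'):
            prog = value[1:].split('"', 1)[0]   # "quoted path" args
        else:
            prog = value.split()[0]            # path args
        prog = prog.replace("/", "\\").lstrip("\\")
        if prog.lower() not in (t.lower() for t in targets):
            targets.append(prog)
    return targets


def page_style_targets(autorun_text):
    """What the answer's regex catches: no section awareness, no quotes, no subdirectories."""
    return PAGE_STYLE.findall(autorun_text)


def quarantine_drive(root, quarantine_dir):
    """Move autorun.inf and everything it launches out of `root` into `quarantine_dir`.

    Moving rather than deleting keeps the dropper for analysis and lets a mistake be
    undone. A rename within one volume is not blocked by hidden/system/read-only
    attributes, so no attrib step is needed. Returns the moved paths relative to root.
    """
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", errors="replace") as fh:
        text = fh.read()
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for rel in launch_targets(text) + ["autorun.inf"]:
        src = os.path.join(root, *rel.split("\\"))
        if not os.path.isfile(src):
            continue
        shutil.move(src, os.path.join(quarantine_dir, rel.replace("\\", "_")))
        moved.append(rel)
    return moved


# Constructed sample in the style of these worms' autorun.inf; the names are made up
# for the demo and are not indicators taken from the page.
SAMPLE_AUTORUN = """[AutoRun]
;comment line, ignored
open=copy.exe
shell\\open\\Command="RECYCLER\\host.exe" /s
shellexecute=host.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
[Other]
open=notathreat.exe
"""


def demo():
    """Build a fake drive root, plant the sample, clean it. Returns (moved, left, quarantined)."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    qdir = tempfile.mkdtemp(prefix="quarantine_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    for rel in ("copy.exe", os.path.join("RECYCLER", "host.exe"), "host.exe", "legit.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"MZ fake dropper" if rel.endswith(".exe") else b"user data")
    moved = quarantine_drive(root, qdir)
    left = sorted(os.listdir(root))
    quarantined = sorted(os.listdir(qdir))
    shutil.rmtree(root)
    shutil.rmtree(qdir)
    return moved, left, quarantined


if __name__ == "__main__":
    print(demo())
```

On the constructed sample the page-style regex misses the quoted `RECYCLER\host.exe` entry and picks up the `open=` line from an unrelated section, which is why the parser above tracks sections and quoting. This covers only the root autorun.inf on each volume; the Run-key entries, the Folder Options definitions and the NoFolderOptions / DisableRegistryTools policies still have to be restored as the VBScript does, and Task Manager (DisableTaskMgr under the same Policies\System key) is handled through the gpedit step in the answer.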
?
2016-08-24 04:15:59 UTC
2
saathoff
2016-12-01 14:44:49 UTC
More virus carriers than most non-Microsoft OSs. More problems with spyware, thereby making theft of secrets and techniques possible... Oh, you advise analysing one MS OS against another, don't you? They are ALL so insecure. Who cares?
Tram
2009-03-29 02:33:38 UTC
O.o
2009-03-28 05:31:32 UTC
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en



http://www.clamwin.com/


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.