Virus cleanup - advice needed



  • Hi all

    Need some help cleaning up a server; I just got access and was told to check it.

    Rackspace is managing this server, and this is their report:

    https://www.virustotal.com/en/file/8c2a8af66ca0d1cd1c80fba6fb38f2bd86b148ee08de926b815416709d452835/analysis/
    
    This is the report
    
    Process Monitor identified that the "C:\Program Files\Java\jre6\java.exe" process was malicious.
    The java.exe process was installed as a service, and it had created dependencies on itself for multiple system services. I cleared out these dependencies with the following commands:
    sc config RpcSs depend= /
    sc config Dhcp depend= /
    sc config Dnscache depend= /
    sc config gpsvc depend= /
    sc config PolicyAgent depend= /
    sc config Netman depend= /
    sc config Spooler depend= /
    sc config SamSs depend= /
    sc config SENS depend= /
    
    I then stopped and disabled the java service, followed by a restart of IIS. Once complete, your site started responding again.
    
    

    Now I am trying to find the right tools to clean this server; any suggestions, please? It's been a very long time since I last worked on malware cleanup! :)
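The Rackspace report above describes a service dependency chain: a service wrapping java.exe was added to the DependOnService list of nine core Windows services, so stopping it would have broken RPC, DHCP, DNS caching and the rest. The script below is an added example, not code from the thread or from Rackspace; it reads every service's ImagePath and DependOnService from the registry, flags services whose binary lives outside the Windows directory, and lists which other services depend on each one. It assumes it is run in an elevated PowerShell session on the affected host.

```powershell
# Added example: audit Windows services for binaries outside %SystemRoot% and
# report the services chained to them via DependOnService. On the server in the
# report this would have shown the java.exe service with RpcSs, Dhcp, Dnscache,
# gpsvc, PolicyAgent, Netman, Spooler, SamSs and SENS listed as dependents.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir = $env:SystemRoot

# Collect name, resolved executable path and dependency list for every service.
$services = foreach ($k in Get-ChildItem -Path $svcKey) {
    $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p.ImagePath) { continue }            # groups/entries with no binary
    $exe = [Environment]::ExpandEnvironmentVariables($p.ImagePath).Trim()
    $exe = $exe -replace '^\\\?\?\\', ''                 # strip the \??\ NT prefix
    # Separate the executable from its arguments (quoted or unquoted form).
    if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
    else                      { $exe = $exe.Split(' ')[0] }
    # Normalise driver-style relative paths to a full path under the Windows dir.
    if ($exe -match '^\\?SystemRoot\\')   { $exe = $exe -replace '^\\?SystemRoot', $windir }
    elseif ($exe -notmatch '^[A-Za-z]:')   { $exe = Join-Path -Path $windir -ChildPath $exe }
    [pscustomobject]@{
        Name     = $k.PSChildName
        Exe      = $exe
        DependOn = @($p.DependOnService)
    }
}

# Services whose binary is not under the Windows directory. Legitimate third-party
# services (IIS add-ons, Jenkins, backup agents) appear here too, so this is a
# review list, not a verdict; the giveaway is a non-Microsoft binary that core
# Windows services suddenly depend on.
$outside = $services | Where-Object { $_.Exe -notlike "$windir\*" }

$report = foreach ($s in $outside) {
    $dependents = $services | Where-Object { $_.DependOn -contains $s.Name } |
                  Select-Object -ExpandProperty Name
    [pscustomobject]@{ Service = $s.Name; Exe = $s.Exe; Dependents = @($dependents) }
}

# Most-depended-on suspects first; a third-party service with many core
# dependents is exactly the pattern the report describes.
$report | Sort-Object { $_.Dependents.Count } -Descending |
    Select-Object Service, Exe, @{ n = 'Dependents'; e = { $_.Dependents -join ', ' } } |
    Format-Table -AutoSize
```

Once a chain like this is confirmed, the same `sc config <service> depend= /` form used in the report clears the dependency on each affected service before the rogue service is stopped.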


  • Service Provider

    RS isn't managing very well if they are expecting you to manage it for them!


  • Service Provider

    I never cleanup malware, I always rebuild. So much safer.



  • This is for one of our close contacts at the company, who asked us to help them. The option of a rebuild was suggested, but it looks like they don't have a healthy backup to start with. So I have to clean this up, get the IIS site back up and running, and then see what we could do to make it better and avoid issues.

    I am checking BleepingComputer, one of my favourite old-time sites for malware removal.



  • Looks like someone clicked a link while working on the server, if that java.exe is actually malicious.



  • Just did an online ESET scan; it's not just Java!

    C:\Program Files\Jenkins.zip - multiple threats: a variant of MSIL/Spy.Agent.AES trojan, a variant of Win32/ServU-Daemon.AB potentially unsafe application
    C:\Program Files\Java\jre6\java.exe - a variant of Win32/ServU-Daemon.AB potentially unsafe application
    C:\Program Files\Jenkins\java.exe1 - a variant of Win32/ServU-Daemon.AB potentially unsafe application
    C:\Program Files\Jenkins - Copy\java.exe - a variant of Win32/ServU-Daemon.AB potentially unsafe application
    C:\tmp\1.1 - Linux/Setag.B.Gen trojan
    C:\tmp\20AS - a variant of Linux/ChinaZ.F trojan
    C:\tmp\20AS.1 - a variant of Linux/ChinaZ.F trojan
    C:\tmp\30AS - a variant of Linux/ChinaZ.F trojan
    

    And more of this kind!



  • @Ambarishrh Yuck, that thing will probably never be completely clean.



  • I have the same feeling. Informed them to do the rebuild and just take the IIS file. Will scan that separately.


  • Service Provider

    @Ambarishrh said in Virus cleanup - advice needed:

    I have the same feeling. Informed them to do the rebuild and just take the IIS file. Will scan that separately.

    Scanning an IIS file is easy, scanning a whole server is essentially impossible.



  • Can Webroot help me here? Thinking of using Webroot and seeing if it can clean it.



  • @Ambarishrh said in Virus cleanup - advice needed:

    Can Webroot help me here? Thinking of using Webroot and seeing if it can clean it.

    Possibly, but you're dealing only with possibilities. Would be much better if you can rebuild and move/scan the IIS files... That assumes IIS was the only thing running on the box.


  • Service Provider

    @Ambarishrh said in Virus cleanup - advice needed:

    Can Webroot help me here? Thinking of using Webroot and seeing if it can clean it.

    Maybe. Anything "might" work. But you'll never know.

