It all started with safesurf.exe...



i8computers
2012-08-23, 12:29
I have a Windows 2003 Standard R2 server that had no antivirus (expired AVG Business Edition).

On Friday 17th August I installed ESET Endpoint Antivirus Version 5.0.2126.0 and after the initial scan, it found safesurf.exe and safeguard.exe. In the system32/SD folder I had the files "SafeSurf.exe" and "surfguard.exe".

I quarantined the files through ESET and removed them but couldn't remove the SD folder and some text files. (Trying to delete the folder came up with a message stating a file was in use so it couldn't perform that task, and the text files kept coming back after I deleted them.) I eventually deleted the folder after stopping a process called xstarter.

I thought that was it until the next day when at around 8am the server had frozen (RDP displayed a grey screen) and a hard reboot was the only option to fix it. The server came back up, but since then it freezes once every morning between 8am and 9am and after a reboot is OK until the next day when it freezes again.

I tried installing Malwarebytes but it tells me 'windows cannot access the specified device path or file you may not have appropriate permissions'.

I have run the MBAM Chameleon program with mbam-setup.exe in the same folder, and copied mbam.exe renamed as iexplorer.exe in there too, with the following output:

MBAM-Chameleon ver. 1.62.0
Press any key to continue
Driver is already loaded
Enabling driver...
...Done!
Trying to update Malwarebytes Anti-Malware, please wait..
...Done!
Killing known malicious processes, please wait...
...Done!
Trying to run Malwarebytes Anti-Malware , please wait...
Failed to run Malwarebytes Anti-Malware
Disabling protection driver...
...Done!
Press any key to continue


I don't know if there is something still lurking, but I can find no other reason for this behaviour, so any help would be appreciated! If I've posted in the wrong place, I apologise. I've just joined!


Attached is the aswMBR log file. I couldn't run DDS as it isn't supported on Server 2003.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-23 10:53:07
-----------------------------
10:53:07.881 OS Version: Windows 5.2.3790 Service Pack 2
10:53:07.881 Number of processors: 4 586 0x1A05
10:53:07.881 ComputerName: MANNICK UserName: administrator
10:53:12.381 Initialize success
10:54:29.568 AVAST engine defs: 12082201
10:55:13.271 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\MegaSR1Port2Path2Target0Lun0
10:55:13.271 Disk 0 Vendor: LSI_____ 1.0_ Size: 475883MB BusType: 8
10:55:13.506 Disk 0 MBR read successfully
10:55:13.506 Disk 0 MBR scan
10:55:14.725 Disk 0 Windows XP default MBR code
10:55:14.740 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 475878 MB offset 63
10:55:14.834 Disk 0 scanning sectors +974599290
10:55:15.068 Disk 0 scanning C:\WINDOWS\system32\drivers
10:55:28.146 Service scanning
10:55:54.068 Modules scanning
10:55:58.100 Disk 0 trace - called modules:
10:55:58.115 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll MegaSR.sys tcpip.sys NDIS.sys e1q5132.sys ndisuio.sys ipsec.sys ipnat.sys TDTCP.SYS termdd.sys
10:55:58.131 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b6d6ab8]
10:55:58.131 3 CLASSPNP.SYS[f71ba601] -> nt!IofCallDriver -> \Device\Scsi\MegaSR1Port2Path2Target0Lun0[0x8b710030]
10:55:59.225 AVAST engine scan C:\WINDOWS
10:56:03.287 AVAST engine scan C:\WINDOWS\system32
10:58:36.584 File: C:\WINDOWS\system32\fsproflt.exe **HIDDEN**
11:00:09.162 AVAST engine scan C:\WINDOWS\system32\drivers
11:00:30.193 AVAST engine scan C:\Documents and Settings\Administrator
11:03:49.631 AVAST engine scan C:\Documents and Settings\All Users
11:04:06.803 Scan finished successfully
11:04:19.256 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
11:04:19.256 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

tashi
2012-08-23, 17:10
Hello i8computers,

In case you missed it, please see this post (http://forums.spybot.info/showpost.php?p=25712&postcount=5) in the forum FAQ. :)

Best regards.

i8computers
2012-08-23, 17:57
I understood. Thanks anyway. :(