Guest Andreas
Posted December 19, 2008

I really need big help on this one.

I have an SBS2003 Premium installation with ISA installed and configured as FW. After a year of normal operation, I found the server non-operational (all services down and not starting - giving message that path cannot be found if you attempt to start). The server had NO antivirus installed (that was out of my control).

All operations are very strange. If you try to run add/remove programs to remove software, it freezes. If you try to download something, the download stays somewhere in the middle.
If I plug my memory stick on the server, a file (game.exe) is copied on the MS. The same happens on other clients in the network but they have Kaspersky installed which doesn't detect anything. I installed NOD32 on the server just to check but it still doesn't detect anything. On the server and clients, I find at many locations a file (marioforever.exe).

The event log was full of SAM errors right before this happened. Right after this, all services stopped and all operations died. Here is the error:

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12294
Date: 19/12/2008
Time: 10:05:54
User: VOLNA\SUser
Computer: VOLNASRV
Description:
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: a5 02 00 c0 ?..A
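The SAM 12294 record above carries more than its "hard disk write failure" wording suggests: the event fires when the DC tries to record a lockout after repeated bad passwords for the named account and cannot, and the four Data bytes are an NTSTATUS stored little-endian. The script below is an added example, not part of the original thread: it parses records in the text layout Event Viewer exports, decodes the Data DWORD (the posted "a5 02 00 c0" is 0xC00002A5, which ntstatus.h names STATUS_DS_BUSY), and flags any account that collects several such events within a short window, which is the shape a bad-password burst against Administrator takes on a DC. The sample records are constructed; only the first mirrors the one quoted in the post, and the 10-minute window and threshold of 3 are assumptions to tune to the environment.

```python
# Added example (not from the original thread): triage SAM Event ID 12294
# records of the kind posted above. It parses the text layout Event Viewer
# exports, decodes the little-endian NTSTATUS in the Data field, and flags
# accounts that accumulate several "unable to lockout" events in a short
# window. Sample records are constructed; only the first mirrors the posted
# record. Window and threshold are assumed values.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Names as defined in ntstatus.h. The post's Data bytes "a5 02 00 c0",
# read as a little-endian DWORD, are 0xC00002A5.
NTSTATUS_NAMES = {
    0xC00002A5: "STATUS_DS_BUSY",
    0xC00002A6: "STATUS_DS_UNAVAILABLE",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

_FIELD = re.compile(
    r"^(Event Type|Event Source|Event ID|Date|Time|User|Computer):[ \t]*(.+)$", re.M)
_ACCOUNT = re.compile(r"unable to lockout the account of (\S+) due to")
_DATA = re.compile(r"^Data:\s*0000:[ \t]*((?:[0-9a-fA-F]{2}\s+){4})", re.M)


def decode_ntstatus(hexdump):
    """Turn a byte dump such as 'a5 02 00 c0' into the DWORD it encodes (little-endian)."""
    raw = bytes.fromhex("".join(hexdump.split()))
    return int.from_bytes(raw[:4], "little")


def ntstatus_name(code):
    """Symbolic name plus the NTSTATUS severity (3 == error) and facility bits."""
    severity = code >> 30
    facility = (code >> 16) & 0x0FFF
    name = NTSTATUS_NAMES.get(code, "unknown")
    return "%s (0x%08X, severity=%d, facility=0x%03X)" % (name, code, severity, facility)


def parse_event(text):
    """Parse one Event Viewer text record into a dict."""
    fields = dict(_FIELD.findall(text))
    acct = _ACCOUNT.search(text)
    data = _DATA.search(text)
    return {
        "event_id": int(fields["Event ID"]),
        "source": fields["Event Source"].strip(),
        "when": datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S"),
        "computer": fields["Computer"].strip(),
        "account": acct.group(1) if acct else None,
        "status": decode_ntstatus(data.group(1)) if data else None,
    }


def lockout_failures(events, window=timedelta(minutes=10), threshold=3):
    """Accounts with at least `threshold` SAM 12294 events inside some `window`, with the peak count."""
    times_by_account = defaultdict(list)
    for ev in events:
        if ev["source"] == "SAM" and ev["event_id"] == 12294 and ev["account"]:
            times_by_account[ev["account"]].append(ev["when"])
    flagged = {}
    for account, times in times_by_account.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[account] = max(flagged.get(account, 0), n)
    return flagged


def triage(records):
    """Flagged accounts plus the distinct decoded status codes seen."""
    events = [parse_event(r) for r in records]
    return {
        "flagged": lockout_failures(events),
        "statuses": sorted({ntstatus_name(e["status"]) for e in events if e["status"] is not None}),
    }


def _record(date, time, account, data="a5 02 00 c0"):
    # Constructed record in the layout the post shows.
    return (
        "Event Type: Error\nEvent Source: SAM\nEvent Category: None\nEvent ID: 12294\n"
        "Date: %s\nTime: %s\nUser: VOLNA\\SUser\nComputer: VOLNASRV\nDescription:\n"
        "The SAM database was unable to lockout the account of %s due to a resource error, "
        "such as a hard disk write failure (the specific error code is in the error data).\n"
        "Data:\n0000: %s\n" % (date, time, account, data)
    )


SAMPLE_EVENTS = [  # constructed sample data; the first mirrors the posted record
    _record("19/12/2008", "10:05:54", "Administrator"),
    _record("19/12/2008", "10:05:57", "Administrator"),
    _record("19/12/2008", "10:06:02", "Administrator"),
    _record("19/12/2008", "10:06:30", "Administrator"),
    _record("19/12/2008", "10:31:10", "backup"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Run against a full export, the flagged list tells you which accounts were being guessed against and how hard; the decoded status (STATUS_DS_BUSY here, facility 0, severity error) says the directory could not take the lockout write, which is worth checking against the lockout threshold in the domain policy and against the 4625/529 logon-failure events from the same minutes before concluding the disk itself failed.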
Guest Malke
Posted December 19, 2008

Andreas wrote:

> I really need big help on this one.
>
> I have an SBS2003 Premium installation with ISA installed and configured
> as FW. After a year of normal operation, I found the server
> non-operational (all services down and not starting - giving message that
> path cannot be found if you attempt to start). The server had NO antivirus
> installed (that was out of my control).
>
> All operations are very strange. If you try to run add/remove programs to
> remove software, it freezes. If you try to download something, the
> download stays somewhere in the middle.
> If I plug my memory stick on the server, a file (game.exe) is copied on
> the MS. The same happens on other clients in the network but they have
> Kaspersky installed which doesn't detect anything. I installed NOD32 on the
> server just to check but it still doesn't detect anything. On the server
> and clients, I find at many locations a file (marioforever.exe)
>
> The event log was full of SAM errors right before this happened. Right
> after this, all services stopped and all operations died. Here is the
> error:
>
> Event Type: Error
> Event Source: SAM
> Event Category: None
> Event ID: 12294
> Date: 19/12/2008
> Time: 10:05:54
> User: VOLNA\SUser
> Computer: VOLNASRV
> Description:
> The SAM database was unable to lockout the account of Administrator due to
> a resource error, such as a hard disk write failure (the specific error
> code is in the error data). Accounts are locked after a certain number of
> bad passwords are provided so please consider resetting the password of
> the account mentioned above.

There's lots of information about the marioforever trojan:
http://www.google.com/search?hl=en&q=mario...exe&btnG=Search

Ditto game.exe:
http://www.google.com/search?hl=en&q=game.exe&btnG=Search

So your USB key, your server, and your workstations are now infected. I'd run Malwarebytes Antimalware from www.malwarebytes.org on the workstations, format the USB key, and since it's a server I'd flatten that and apply your image.

If you need more help on the workstations and the USB key, you can get guided help at one of the specialty forums below. I wouldn't take a chance on a server.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and the stickies first.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Guest David H. Lipman
Posted December 19, 2008

From: "Andreas" <ayiangoullis@hotmail.com>

| All operations are very strange. If you try to run add/remove programs to
| remove software, it freezes. If you try to download something, the download
| stays somewhere in the middle.
| If I plug my memory stick on the server, a file (game.exe) is copied on the
| MS. The same happens on other clients in the network but they have Kaspersky
| installed which doesn't detect anything. I installed NOD32 on the server
| just to check but it still doesn't detect anything. On the server and
| clients, I find at many locations a file (marioforever.exe)

Please submit a sample of "game.exe"

Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

Now disable AutoPlay/AutoRun on your server.

Remember, this is a server, not a workstation and you must treat it as such in the central role it plays in your organization. DO NOT plug unsafe Flash Drives or Memory Cards into it! ONLY use "trusted" devices that are known to be clean and never used with unsafe systems.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
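"Disable AutoPlay/AutoRun" on an XP/2003-era server comes down to two registry controls: the NoDriveTypeAutoRun policy mask under Policies\Explorer (a set bit disables AutoRun for that drive type; 0xFF covers all of them, and the 0x04 bit is the one for removable media like the memory stick in the post) and the IniFileMapping\Autorun.inf redirection, which makes Windows ignore autorun.inf files entirely. The script below is an added example, not David's or the thread's own code: it parses a .reg export with a minimal parser, reports which of the two controls is missing and which drive types still have AutoRun, and carries the hardened settings as a .reg text you can import. Both .reg texts are constructed samples; the "weak" one is not a capture from the poster's server, and its 0x91 value is just an illustrative partial mask.

```python
# Added example (not from the original thread): audit a registry export for
# the two AutoRun controls that neutralise autorun.inf on Windows XP / 2003
# era systems, and carry the hardened settings. Both .reg texts are
# constructed samples; the "weak" one is not a capture of the poster's server.
import re

# Bits of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
AUTORUN_INIMAP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"

HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

# Constructed "before" state: a partial mask and no IniFileMapping entry.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _parse_value(raw):
    """dword: -> int, quoted string -> str with .reg escapes undone, anything else left as text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _parse_value(m.group(2))
    return keys


def audit_autorun(reg):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    mask = reg.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun is not set under Policies\\Explorer")
        mask = 0
    enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    if enabled:
        findings.append("AutoRun still enabled for drive types: " + ", ".join(enabled))
    default = reg.get(AUTORUN_INIMAP, {}).get("@", "")
    if not default.upper().startswith("@SYS:"):
        findings.append("IniFileMapping\\Autorun.inf not redirected; autorun.inf files are still honoured")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, audit_autorun(parse_reg(text)) or ["ok"])
```

Export the live keys with `reg export` (or `regedit /e`), run the audit over the file, and import HARDENED_REG where it fails. The IniFileMapping entry matters on systems of this vintage because the policy mask alone was not honoured consistently until Microsoft later shipped the AutoRun update described in KB967715; the redirection works independently of that. Neither control removes a worm that is already resident, so this belongs after the reimage Malke recommends, not instead of it.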
Guest Andreas Y.
Posted December 20, 2008

Thanks, that was very helpful. This utility cleared all malware that antivirus software like Kaspersky couldn't detect.
However the damage is still there. Do you think it's possible to repair this? My full system backup fails to restore with inconsistency errors so, it's like having no backup. Re-installing and re-config would take days since I cannot restore even Active Directory due to this inconsistency and they deleted all my images and older system backups.

"Malke" <malke@invalid.invalid> wrote in message news:%23$GZW7hYJHA.5828@TK2MSFTNGP03.phx.gbl...

> Andreas wrote:
>
>> I really need big help on this one.
>>
>> I have an SBS2003 Premium installation with ISA installed and configured
>> as FW. After a year of normal operation, I found the server
>> non-operational (all services down and not starting - giving message that
>> path cannot be found if you attempt to start). The server had NO
>> antivirus installed (that was out of my control).
>>
>> All operations are very strange. If you try to run add/remove programs to
>> remove software, it freezes. If you try to download something, the
>> download stays somewhere in the middle.
>> If I plug my memory stick on the server, a file (game.exe) is copied on
>> the MS. The same happens on other clients in the network but they have
>> Kaspersky installed which doesn't detect anything. I installed NOD32 on
>> the server just to check but it still doesn't detect anything. On the server
>> and clients, I find at many locations a file (marioforever.exe)
>>
>> The event log was full of SAM errors right before this happened. Right
>> after this, all services stopped and all operations died. Here is the
>> error:
>>
>> Event Type: Error
>> Event Source: SAM
>> Event Category: None
>> Event ID: 12294
>> Date: 19/12/2008
>> Time: 10:05:54
>> User: VOLNA\SUser
>> Computer: VOLNASRV
>> Description:
>> The SAM database was unable to lockout the account of Administrator due
>> to a resource error, such as a hard disk write failure (the specific error
>> code is in the error data). Accounts are locked after a certain number
>> of bad passwords are provided so please consider resetting the password of
>> the account mentioned above.
>
> There's lots of information about the marioforever trojan:
> http://www.google.com/search?hl=en&q=mario...exe&btnG=Search
>
> Ditto game.exe:
> http://www.google.com/search?hl=en&q=game.exe&btnG=Search
>
> So your USB key, your server, and your workstations are now infected. I'd
> run Malwarebytes Antimalware from www.malwarebytes.org on the workstations,
> format the USB key, and since it's a server I'd flatten that and apply your
> image.
>
> If you need more help on the workstations and the USB key, you can get
> guided help at one of the specialty forums below. I wouldn't take a chance
> on a server.
>
> PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.
>
> http://aumha.org/downloads/hijackthis.zip
> http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
> the stickies first.
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://spywarewarrior.com/viewforum.php?f=5
> http://forums.techguy.org/54-security/
> http://forums.tomcoyote.org/
> http://www.thespykiller.co.uk/index.php?board=3.0
> http://forums.subratam.org/index.php?showforum=7
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers - Don't Panic!
> FAQ - http://www.elephantboycomputers.com/#FAQ
Guest Malke
Posted December 20, 2008

Andreas Y. wrote:

> Thanks, that was very helpful. This utility cleared all malware that
> antivirus software like Kaspersky couldn't detect.
> However the damage is still there. Do you think it's possible to repair
> this? My full system backup fails to restore with inconsistency errors so,
> it's like having no backup. Re-installing and re-config would take days
> since I cannot restore even Active Directory due to this inconsistency and
> they deleted all my images and older system backups.

I'm sorry to hear that you don't image your workstations and your server. Imaging is different from using a "full system backup". My preference is for Acronis enterprise products. Restoring a server image takes less than an hour for instance. You store the images on an external hard drive or another server. I strongly suggest you look into this for the future.

From your description of the symptoms, I would say that you might be able to do a repair install on the workstations, but I'm doubtful that would work on the server. Certainly it is worth a try.

I'm completely sympathetic to you and understand the amount of work it takes to rebuild a server. However, you asked my opinion - and I must stress that this is just my opinion about a machine that I've never seen - so I must be honest with you. I would never put a compromised server back in action. My feeling is that it is impossible to ever trust it again and only flattening and clean-installing would make me happy. But that's just me.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ