Virus Issue-Urgent

Discussion in 'ESET NOD32 Antivirus' started by trbal, May 23, 2012.

Thread Status:
Not open for further replies.
  1. trbal

    trbal Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    43
    Hi

    I am running SBS 2003 Std with SP2. AV is ESET AV 4. Suddenly SQL started behaving strangely; people were unable to connect to the DB. On running Process Explorer I find sqlserv.exe trying to execute secedit.exe with high CPU usage, then it starts cmd.exe trying to execute a bat file which creates folders like i4241 in the c:\system32 folder, then opens up ftp.exe. ESET detected lib32woaqexe and deletes it, just that. I have run Sophos/Malwarebytes/SuperAntiSpyware etc.; nothing is detected, but Process Explorer still shows the same sequence of events I have stated above. I had the same issue at a different site and had to reformat the server. Is that the only option? Any help is highly appreciated. I have uploaded a screenshot.
     


    Last edited: May 23, 2012
  2. dwomack

    dwomack Eset Staff Account

    Joined:
    Mar 2, 2011
    Posts:
    588
    You mentioned scanning with Sophos. Do you happen to have a current license with ESET? If so, what product/version are you running on your SBS? If not, have you tried running an online scan with ESET?
     
  3. trbal

    trbal Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    43
    Hi, thanks for your reply.

    I have an ESET Smart Security Business Edition licence. For the server I have installed ESET AV 4.2.67.10. No, I haven't tried online because when I connect online the ftp tries to download files. I downloaded the Sophos tool to a local machine and then copied it to the server for the scan.
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Nothing in this looks like a virus in the traditional sense. I'm guessing someone hit you with an sql injection attack to issue arbitrary commands to dump the contents of your DB to a remote ftp site. I would use autoruns to find the startup entries and purge them from the system.
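The behaviour described in this thread (the database engine launching secedit.exe, cmd.exe and ftp.exe) is the kind of parent/child relationship a defender can hunt for in process-creation telemetry. The following is an added example, not code from the thread or from ESET: it parses a constructed, simplified log format (time|pid|ppid|image|commandline, an assumption, not any real product's schema) and flags tools whose process ancestry leads back to sqlservr.exe, walking through intermediate shells such as cmd.exe. The sample lines are constructed to mirror the sequence the original poster saw.

```python
"""Flag processes spawned (directly or via a shell) by the SQL Server engine."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Child tools a database engine has no routine reason to launch (assumption: site policy).
SUSPICIOUS_CHILDREN = {"cmd.exe", "ftp.exe", "secedit.exe", "powershell.exe",
                       "wscript.exe", "cscript.exe"}
# Process names treated as the database engine.
DB_ENGINES = {"sqlservr.exe"}

# Constructed sample log (not real telemetry): time|pid|ppid|image|commandline.
# It mirrors the thread: sqlservr.exe -> secedit.exe, sqlservr.exe -> cmd.exe -> ftp.exe,
# plus a benign explorer.exe -> cmd.exe and a benign sqlservr.exe -> sqlagent.exe.
SAMPLE_LOG = r"""
2012-05-23T10:00:00|1200|4|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|sqlservr.exe
2012-05-23T10:00:01|500|1|C:\WINDOWS\explorer.exe|explorer.exe
2012-05-23T10:01:02|3000|1200|C:\WINDOWS\system32\secedit.exe|secedit.exe /configure
2012-05-23T10:01:05|3010|1200|C:\WINDOWS\system32\cmd.exe|cmd.exe /c C:\WINDOWS\system32\i4241\run.bat
2012-05-23T10:01:07|3020|3010|C:\WINDOWS\system32\ftp.exe|ftp.exe -s:C:\WINDOWS\system32\i4241\cmds.txt
2012-05-23T10:02:00|3100|500|C:\WINDOWS\system32\cmd.exe|cmd.exe
2012-05-23T10:03:00|3200|1200|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe|sqlagent.exe
"""


@dataclass(frozen=True)
class ProcEvent:
    time: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased basename of the image path, e.g. 'cmd.exe'."""
        return PureWindowsPath(self.image).name.lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed pipe-separated format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        time, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(time, int(pid), int(ppid), image, cmdline))
    return events


def find_db_spawned_tools(events: list[ProcEvent], max_depth: int = 8):
    """Return (event, chain) for each suspicious tool whose ancestry includes a DB engine.

    The chain is rendered child-first, e.g. 'ftp.exe <- cmd.exe <- sqlservr.exe'.
    max_depth bounds the walk so a malformed log cannot loop forever.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.name not in SUSPICIOUS_CHILDREN:
            continue
        chain = [e.name]
        parent = by_pid.get(e.ppid)
        depth = 0
        while parent is not None and depth < max_depth:
            chain.append(parent.name)
            if parent.name in DB_ENGINES:
                findings.append((e, " <- ".join(chain)))
                break
            parent = by_pid.get(parent.ppid)
            depth += 1
    return findings


if __name__ == "__main__":
    for event, chain in find_db_spawned_tools(parse_log(SAMPLE_LOG)):
        print(f"{event.time} pid={event.pid} {chain} :: {event.cmdline}")
```

On the sample above the benign explorer.exe -> cmd.exe launch is not reported, while all three tools descending from sqlservr.exe are, including ftp.exe two levels down. Keying on ancestry rather than on the immediate parent is what catches the batch-file stage described in the thread.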
     
  5. trbal

    trbal Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    43
    Hi, thanks for the time.

    I haven't seen anything in the startup (msconfig) or in HijackThis. It definitely looks like SQL injection, but it does run from somewhere which I am not able to find. As I had explained in my OP, when sqlservr.exe runs cmd.exe it creates folders in system32 to which it downloads files like a10.exe etc. Since I have taken it offline it just keeps running cmd and creating folders (folder properties show permission for an unknown user).

    Thx again
     
  6. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    In that case, I would check to see if there are SQL maintenance events scheduled within the instance that are triggering it. Those should be fairly easy to disable.
     
  7. trbal

    trbal Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    43
    Nothing there either. It just creates folders and runs secedit.exe, cmd.exe and ftp.exe one after the other. I have also run Autoruns; nothing in that either.
     
  8. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Try looking at the details of the sqlsvr.exe process to see if there is a thread from some unknown dll hooked in that might be triggering it. If that doesn't work, do a search of the hard drive for any new dll and exe files modified in that time period when the infection started which might point you in the right direction.
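The second suggestion above, finding executables and DLLs modified during the incident window, is a routine triage step. The following is an added example, not code from the thread: it walks a directory tree and returns binaries (extensions are an assumption; batch files are included because the thread mentions a .bat) whose modification time falls inside a given window, sorted oldest first. Because the verifier has no live server, the demo builds a constructed temporary tree that mirrors the thread (an i4241 folder holding a10.exe and a batch file, beside an old system DLL and a file modified after the window) and runs the search over it.

```python
"""List exe/dll/bat files modified inside a suspected compromise window."""
from __future__ import annotations

import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Extensions worth triaging (assumption: add others as the environment requires).
BINARY_SUFFIXES = {".exe", ".dll", ".bat", ".cmd"}


def recently_modified_binaries(root: Path, start: datetime, end: datetime):
    """Walk `root` and return (path, mtime) for binaries with start <= mtime <= end."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if p.suffix.lower() not in BINARY_SUFFIXES:
                continue
            try:
                mtime = datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:
                continue  # unreadable or vanished mid-walk: skip rather than abort the sweep
            if start <= mtime <= end:
                hits.append((p, mtime))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_constructed_tree(base: Path, t0: datetime) -> None:
    """Create a constructed sample tree under `base` with mtimes placed around t0."""
    drop = base / "system32" / "i4241"
    drop.mkdir(parents=True)
    samples = {
        base / "system32" / "kernel32.dll": t0 - timedelta(days=400),  # old, pre-incident
        drop / "a10.exe": t0 + timedelta(minutes=5),                   # dropped in window
        drop / "run.bat": t0 + timedelta(minutes=6),                   # dropped in window
        base / "system32" / "notes.txt": t0 + timedelta(minutes=7),    # not a binary
        base / "system32" / "later.dll": t0 + timedelta(days=3),       # after the window
    }
    for path, when in samples.items():
        path.write_bytes(b"constructed sample, not a real binary")
        os.utime(path, (when.timestamp(), when.timestamp()))


def demo() -> list[str]:
    """Build the constructed tree in a temp dir; return relative paths found in a 24h window."""
    t0 = datetime(2012, 5, 22, 9, 0, 0)  # constructed incident start
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_tree(base, t0)
        hits = recently_modified_binaries(base, t0, t0 + timedelta(hours=24))
        return [p.relative_to(base).as_posix() for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

On a real host you would call recently_modified_binaries on the system drive with the window taken from when the symptoms began; note that the walk relies on modification times, which an intruder can reset, so treat an empty result as inconclusive rather than as a clean bill of health.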
     
  9. trbal

    trbal Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    43
    Thanks Smacky.

    I first edited the registry and removed entries from MUICache (secedit.exe and cmd.exe), then removed a firewall rule WAN to LAN which I had created to allow access to the DB port. Now the thing is gone. As I had mentioned earlier, the server is running an updated version of ESET and I have scanned it with multiple spyware/virus/rootkit tools. Will keep a tab and see if something crops up again.
     