Windows 2008 Worm - AT tasks and rundll32
Dear Sirs,

I have a server running Windows 2008 Standard SP1. I noticed tasks automatically created: At01, At02, At03... and each task is running something like "rundll32.exe tknqqfg.mfk,dijcwi", and a lot of rundll32.exe processes are running. I have downloaded ALL security updates and patches, including the security update 958644.

After some research I found KB http://support.microsoft.com/kb/962007 talking about this problem, with a solution to use the "Malicious Software Removal Tool". I used the procedure step by step: first configured a GPO to prevent the virus from spreading, then downloaded the tool and scanned the server. The tool returned 0 infections and didn't detect anything at all.

I moved to the manual removal procedure. Changed the domain administrator password as recommended and logged in as the local administrator. Stopped the "Server" service, changed some registry keys, then restarted. In the step where I should look into the svchost netsvcs for services, I noticed that all the listed services are correct and there is no malware service, so I couldn't continue.

Now, even though the virus is still there, I have another problem. After reverting everything I did (the "Server" service is now working and all registry values are back as they were), I am now unable to log in with the domain administrator user!! When I try to log in with the domain admin I get the error "The User Profile Service service failed the login. User Profile cannot be loaded". The domain admin can successfully log in to any other machine except this server, and any other domain user/admin can log in to this server successfully, even the local user. So ONLY the domain administrator user cannot log in to THIS server!!!

I logged in with the local admin and checked the Event log to see this:

windows cannot log you on because your profile cannot be loaded. check that you are connected to the network, and that your network is functioning correctly.
detail - the system cannot find the file specified.

I have researched this error and tried every single solution I could find with no good results. I have deleted the administrator user profile and deleted its SID from the registry, but nothing is fixed. Please advise how to solve at least the administrator login problem, and then we can see how to get rid of this virus.

Regards,
Ayman Al-Hakim
October 26th, 2010 5:56am
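The symptoms described in the post above (AtNN scheduled tasks launching rundll32 with an odd module name, many rundll32.exe processes, and the KB's instruction to review the services in the svchost netsvcs group) can be collected in one pass from an elevated PowerShell prompt. The script below is an added example; it is not part of this thread or of KB 962007. It assumes PowerShell 2.0 or later with schtasks.exe and WMI available on the affected server, and its heuristics (a rundll32 module without a .dll extension, a ServiceDll that is missing or carries no Microsoft version information) only surface candidates for a human to review, not confirmed infections.

```powershell
# Added triage script, not from the thread or the KB article. Assumes
# PowerShell 2.0+, schtasks.exe, WMI and an elevated prompt. The checks are
# heuristics: every line marked SUSPECT or with a note still needs review.

# --- 1. AtNN scheduled tasks that run rundll32 with a non-.dll module -------
$rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }     # drop repeated CSV headers
$atTasks = $rows | Where-Object {
    $_.TaskName -match '^\\?At\d+$' -and $_.'Task To Run' -match 'rundll32'
}
"=== AtNN tasks running rundll32 ==="
foreach ($t in $atTasks) {
    $cmd = $t.'Task To Run'
    # rundll32 takes "<module>,<entrypoint>"; a module without a .dll extension
    # (the post shows "tknqqfg.mfk") is unusual and worth a closer look.
    $flag = if ($cmd -match 'rundll32(\.exe)?\s+"?([^",\s]+)"?\s*,') {
        if ($matches[2] -notmatch '\.dll$') { 'SUSPECT' } else { 'ok' }
    } else { 'unparsed' }
    "{0,-8} {1,-12} {2}" -f $flag, $t.TaskName, $cmd
}

# --- 2. Live rundll32.exe processes and the command line each was started with
"=== running rundll32.exe processes ==="
Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -AutoSize

# --- 3. Services hosted in the svchost "netsvcs" group (the KB's manual step)
"=== netsvcs group members ==="
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty $svchostKey).netsvcs
foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }   # group entry with no service installed
    $dll = (Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }                  # not a DLL-hosted service
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $note = @()
    if (-not (Test-Path $path)) {
        $note += 'file missing'
    } else {
        # Microsoft's own service DLLs carry version info naming the company;
        # a DLL without it is a candidate, not proof of anything.
        $company = (Get-Item $path).VersionInfo.CompanyName
        if ($company -notlike '*Microsoft*') { $note += "company='$company'" }
    }
    if ((Split-Path $path -Leaf) -notmatch '^[a-z0-9_.-]+\.dll$') { $note += 'odd module name' }
    "{0,-12} {1,-50} {2}" -f $name, $path, ($note -join '; ')
}
```

Run it as the local administrator, save the output before making any changes, and compare section 3 against the service list on a known-clean server of the same build: a netsvcs member that exists only on the infected host, or whose ServiceDll has no vendor information, is the entry the KB's manual procedure is asking you to find.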
Hi Ayman,

For the virus infection issue, I suggest you try a free online virus scan on the following site: http://safety.live.com/

Meanwhile, if you need more help with virus-related issues, please contact Microsoft Product Support Services. For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338). For support outside the United States and Canada, visit the Product Support Services Web page (http://support.microsoft.com/?pr=SecurityHome).

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 28th, 2010 3:07am
Thanks for replying. I am outside the US, and I have already scanned the server with the Malicious Software Removal Tool and it found nothing. Can I at least fix the problem of the Administrator user not logging in?

Thanks,
Ayman Al-Hakim
October 28th, 2010 3:11am