hack problem

Posted on 2004-08-30
Last Modified: 2010-04-14

this morning, I found the D drive of our exchange server is 13 GB data more than usual.
Someone upload a lot of music file...

I also fould folder called emule...there is a thread is system called emule.exe, and I can not stop I could not delete the files on my hard disk

Please help me!
Question by:robinyanwang
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
LVL 32

Expert Comment

ID: 11936035
Hi robinyanwang,

yes, it sure looks like you've been hacked :(

Please download Killbox:

And set it to delete emule.exe on the next reboot, this will make sure it isn't running on your system after a reboot.
Now, try deleting the mess.

Afterwards, you will have to check if you're still having any problems, maybe a backdoor was installed.
Try a tool like trojan hunter =>
The free trial will do fine for identifying.

If that doesn't work, do a full virusscan using one of the online virusscanners (don't trust on your installed one at this moment) 



Expert Comment

ID: 11936069

yes this is a downloader for Kazza and others, first i would look the remove and install programs for eMule and try to remove it. if that doesn't work let us know.

hope that this helps

Author Comment

ID: 11936478

just 5 mins, it is gone!!!

I deleted some files, folders under that folder (the hacker created),..

maybe he noticed that, so , just 5 mins ago, all 13 GB is gone!

also I can not find the emule.exe in the system thread.

Will he come back? how to stop it? he seems a good man, right?
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.


Expert Comment

ID: 11936503
1. have you got all the latest MS updates
2. are you running any antivirus software
3. are you using a firewall

let us know
LVL 32

Expert Comment

ID: 11936505
But as that was possible still indicates that someone has full control on your server :(
So what I still suggest you is to check your system for trojans, virusses etc.

Author Comment

ID: 11936565
ok, I will do it after working hours in the night.

I will let you guys know if I have any thing wrong.

thanks a lot for your quick reply!

Assisted Solution

BigC666 earned 150 total points
ID: 11936569
you bet

just let us know
LVL 32

Accepted Solution

LucF earned 350 total points
ID: 11936590
Ditto :)

If you're unsure, let us check your running processes.
(as it's 0:17 here I'm going to sleep soon, but I'm sure BigC666 will be able to help you in the time between)

Good luck,


Expert Comment

ID: 11936974
I wouldn't take the chance, rebuild that box from scratch.  

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Adprep 12 102
Just changed my 2000 Server DCs IP now what 3 411
Windows 2000, Ghost 2003, disk1 disk 2 mirroring 17 374
Corrupted W2K  serverregistry 2 164
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
By reading this blog, MSPs will gain insight into how to improve communications with their clients as well as establish a more profitable business.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question