Virus Clean-up issues

Posted on 2006-11-03
Medium Priority
Last Modified: 2010-03-06

A few weeks ago, one of my clients' Win2K3 SBS server (running Exchange 2003) got infected with a virus (they had ignored my pleas for installing A/V software, so it never got done. Lo and behold, they finally got a virus infection...go figure!). Of course, your truly was left to clean up the mess, but that's why they hired me in the first place. It took a long time, and I don't know the name of the virus, since it ran on the server undetected, even AFTER installing A/V software with updated vdefs, and running multiple scans. However, I eventually located the offending EXE (it was a re-generating mutex), and was eventually able to kill it using a tool called "KillBox." This trojan had turned the server into  a spamming Zombie [server] and was sending out thousands of spam messages at once. My client is not totally convinced that the server is totally clean, in part because every night around 10-11PM the Exchange information store (store.exe) process runs a higher RAM utilitzation, which triggers an e-mail event to us (the administrators) - this time of day was usually when the trojan would kick-up its spam-sending activity before we "cleaned" it. below is the Alert message that is send nightly:

"Alert on <servername> at 10/28/2006 11:10:10 PM
The store.exe process is allocating more memory than usual.
Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad."

Ok, after all that "background" information, here's my ACTUAL question:

Do you know of a utility (Microsoft OR third-party) that can create a report of the number of outbound messages on an hourly schedule, and possibly show me the outbound message numbers over the past 24 hours, to where we can see a trend in elevation of the outbound mail queue. I would like to see if there are message spikes at certain times of the day.

Any help would be greatly appreciated.

Question by:ethernet69
  • 2
LVL 104

Expert Comment

ID: 17869275
SBS can do that on its own. There are reporting functions built in.

Otherwise you could enable Message Tracking and then run some processes against the logs it processes.

However I would start with the built in reporting and see what that says.


Author Comment

ID: 17869599

I don't want to do message tracking, but rather I want to check the 'state' of the SMTP queue - I checked SBS reporting, but found nothing obvious in the Performance/Usage reports section that would show what I want to know :-(

LVL 104

Accepted Solution

Sembee earned 1000 total points
ID: 17869677
There is definitely something in the SBS reports because it crops up on here every so often with people asking how "administrator" could send 2500 in 24 hours. SBS queries though are best put in the SBS topic area, where I expect Jeff will be able to confirm.

The only other way you would get something is to use logging on the SMTP virtual server, then something to process those logs. They are standard IIS formatted logs so are easily processed by any number of applications.

If that was one of my servers that had been compromised I wouldn't have repaired it. It would have had its data lifted and then been wiped. You cannot be sure what else has got on there.

I doubt whether this is bot related at all. Bots, trojans whatever you want to call them just don't use any applications on the host for sending their stuff. That makes them easy to spot.
Furthermore in my experience, if the Exchange server is being used to send email then it leaves a mess behind in the form of lots of undeliverable messages. Spammers lists are not known for being very clean.

As for the message you are getting, you do know that Exchange is designed to use as much RAM as it requires. You are also aware that Exchange runs nightly maintenance on its database. One of the time windows you can use for that starts at 11pm. You may want to check the maintenance window setting in ESM to see when this server is set to run.


Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses
Course of the Month15 days, 10 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question