Solved

Virus on Windows Small Business Server 2003

Posted on 2009-02-20
6
Medium Priority
427 Views
Last Modified: 2013-11-22
Hi

I have a Windows SBS 2003 server, fully up to date, and also have all the usual stuff (Exchange & Symantec AV 10.2). The hard drive is split into two partitions, C (Windows) & D (Data) - 50Gb & 450Gb.

The server is working fine, however a few days ago I noticed very little space left in the C partition - 250Mb - and when I checked the folder C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 was filling up with approx 40Gb+ of junk - I thought nothing of it and deleted it freeing up the space.

Today the same thing happened same file filled with 40Gb+ of junk within a few hours. I also noticed an index.dat file in the same location and CANNOT delete it.

I performed a full virus scan which turned up nothing, but when I looked in the event logs I found two errors:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\WINDOWS\system32\CBA\pds.exe
Event Info:  Terminate Process
Action Taken:  Blocked
Actor Process:  C:\WINDOWS\system32\taskmgr.exe (PID 2836)
Time:  20 February 2009  09:48:18

and


Security Risk Found! Risk: Backdoor.Singu in File:

But yet the virus scan ISN'T picking anything up..... All I can currently do is delete the folders in the Content.IE5 folder, but a minute later they appear again....

Any help is greatly appreciated!

Regards
0
Question by: TangarineIT
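One way to get a handle on a cache folder that refills by tens of gigabytes in a few hours is to measure it rather than just delete it: take two snapshots of the directory, work out the growth rate, count the new files by extension and list the largest newcomers, and raise an alert when the rate passes a threshold. The script below is an added example, not code from the thread; the cache path, subfolder name, file names, threshold and the 10-second "elapsed" interval in demo() are all constructed so that it runs offline. Against the real Content.IE5 path you would call snapshot() twice with a genuine sleep in between and pass the true elapsed time to bytes_per_hour().

```python
import os
import shutil
import tempfile
from collections import Counter


def snapshot(root):
    """Map every file under root to its size in bytes (unreadable files are skipped)."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.path.getsize(path)
            except OSError:
                continue  # file vanished or is locked, e.g. an index.dat held open by IE
    return sizes


def growth_report(before, after, top=5):
    """Compare two snapshots: bytes added, new files, their extensions, biggest newcomers."""
    new_files = [p for p in after if p not in before]
    by_ext = Counter(os.path.splitext(p)[1].lower() or "<none>" for p in new_files)
    largest = sorted(new_files, key=lambda p: after[p], reverse=True)[:top]
    return {
        "delta_bytes": sum(after.values()) - sum(before.values()),
        "new_file_count": len(new_files),
        "new_by_extension": dict(by_ext),
        "largest_new": [(p, after[p]) for p in largest],
    }


def bytes_per_hour(delta_bytes, elapsed_seconds):
    """Growth rate normalised to one hour so it can be compared with a threshold."""
    if elapsed_seconds <= 0:
        raise ValueError("elapsed_seconds must be positive")
    return delta_bytes * 3600.0 / elapsed_seconds


def demo(threshold_bytes_per_hour=256 * 1024 ** 2, simulated_elapsed=10):
    """Build a constructed cache tree, simulate a burst of writes and score it.

    Everything here is made up for the demonstration: the folder layout mimics
    an IE cache (an index.dat plus a randomly named subfolder), the 20 files of
    64 KiB are the 'junk', and simulated_elapsed stands in for a real interval.
    """
    root = tempfile.mkdtemp(prefix="content_ie5_demo_")
    try:
        sub = os.path.join(root, "ABCD1234")  # constructed subfolder name
        os.makedirs(sub)
        with open(os.path.join(root, "index.dat"), "wb") as f:
            f.write(b"\0" * 1024)  # stand-in for the cache index file
        before = snapshot(root)
        # Constructed burst: 20 cache entries of 64 KiB each appear between snapshots.
        for i in range(20):
            with open(os.path.join(sub, "junk%d[1].htm" % i), "wb") as f:
                f.write(b"A" * 65536)
        after = snapshot(root)
        report = growth_report(before, after)
        rate = bytes_per_hour(report["delta_bytes"], simulated_elapsed)
        report["bytes_per_hour"] = rate
        report["alert"] = rate > threshold_bytes_per_hour
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("added %d bytes in %d files, %.0f bytes/hour, alert=%s"
          % (r["delta_bytes"], r["new_file_count"], r["bytes_per_hour"], r["alert"]))
    for path, size in r["largest_new"]:
        print("  %10d  %s" % (size, path))
```

The extension histogram and the largest-file list are what make the report useful: a browser cache filling with .htm and image files at a rate no human user could produce points at a process on the box, not at a user, and the names of the newest files give something concrete to search for in the AV vendor's write-ups.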
6 Comments
 
LVL 1

Author Comment

by: TangarineIT
ID: 23693133
I have also noticed that in Add and Remove Programs I am unable to actually uninstall anything, as the button has disappeared.... it seems that something or someone has tried to take over the server.....
0
 
LVL 23

Expert Comment

by: Mohamed Osama
ID: 23696150
Take a look at this post please
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Server_Anti-Virus/Q_24089228.html
SQL injection attack that was done en masse a few months back; there is some sort of automated tool running around, so it is being abused alright.
0
 
LVL 23

Expert Comment

by: Mohamed Osama
ID: 23696196
Wrong post, please ignore my previous post :)
The file you mentioned seems genuine
http://www.greatis.com/appdata/a/_/_sysdir__cba_pds.exe.htm
Can you please post a HijackThis log?
Also, running a Malwarebytes Anti-Malware scan will not hurt.

0
 
LVL 23

Expert Comment

by: Mohamed Osama
ID: 23696230
Also, you can check the system for the existence of the files or registry entries described in the Symantec write-up
http://www.symantec.com/security_response/writeup.jsp?docid=2002-102512-5455-99&tabid=2
0
 
LVL 1

Author Comment

by: TangarineIT
ID: 23706449
Ok thanks for your posts.

I checked the Symantec website and found none of the keys mentioned in the registry.

The pds.exe file is apparently: Intel Ping Discovery Service, installed either with the Intel LANDesk management suite, or installed as part of a Symantec Norton AntiVirus Corporate Edition solution (NAV CE) which would have included the Intel Alert Management System (AMS). This task allows your PC, and its components and software, to be "discovered" and "interacted with" by the LANDesk or AMS software - the company has Symantec Corporate Antivirus, hence why this is on....

If it is important - there was an extra user on the server named ADMINISTRETOR.... this user was NOT added by the company......

I will install spyware and do a check tomorrow.

Thanks for your replies
0
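The ADMINISTRETOR account the author mentions is one character away from the built-in Administrator, which is exactly the kind of name a quick glance over a user list misses. The script below is an added example, not from the thread or from any vendor: it parses the account table printed by `net user`, then flags every name that sits within a small edit distance of a built-in privileged account without being identical to it. The sample `net user` output, the server name SBSSERVER and the account names in it are constructed; the list of reference names is an assumption you would extend with your own privileged or service accounts.

```python
import re

# Built-in names an intruder might mimic; krbtgt is listed because an SBS box is a domain controller.
PRIVILEGED_NAMES = ("Administrator", "Guest", "krbtgt")

# Constructed sample of `net user` output (names are padded into 25-character columns).
NET_USER_SAMPLE = """\
User accounts for \\\\SBSSERVER

-------------------------------------------------------------------------------
Administrator            ADMINISTRETOR            Guest
jsmith                   krbtgt                   SBS Backup User
The command completed successfully.
"""


def parse_net_user(text):
    """Return the account names listed in `net user` output.

    Columns are separated by runs of spaces, so splitting on two or more spaces
    keeps a name that contains a single space ("SBS Backup User") intact.
    """
    names = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(accounts, references=PRIVILEGED_NAMES, max_distance=2):
    """Flag accounts whose name is close to, but not the same as, a privileged name.

    The comparison is case-insensitive because Windows account names are.
    Returns (account, reference, distance) tuples; the genuine account itself
    has distance 0 and is therefore never reported.
    """
    hits = []
    for name in accounts:
        for ref in references:
            d = levenshtein(name.lower(), ref.lower())
            if 0 < d <= max_distance:
                hits.append((name, ref, d))
    return hits


def demo():
    """Run the check over the constructed sample."""
    return find_lookalikes(parse_net_user(NET_USER_SAMPLE))


if __name__ == "__main__":
    for name, ref, d in demo():
        print("suspicious account %r: %d edit(s) from %r" % (name, d, ref))
```

A distance of 2 is deliberately tight: it catches transposed and substituted letters and digit-for-letter swaps while leaving ordinary short usernames alone. Any hit deserves the same follow-up the author gave here, namely confirming with whoever administers the box that nobody created it, and then checking what the account is a member of before removing it.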
 
LVL 1

Accepted Solution

by: TangarineIT earned 0 total points
ID: 23754968
Ok - I used Malwarebytes and performed a full scan, which found 2 dubious registry keys but nothing else.....
0
