• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429
  • Last Modified:

Virus on Windows Small Business Server 2003

Hi

I have a Windows SBS 2003 server fully uptodate and also have all the usual stuff (Exchange & Symantec AV 10.2) The hard drive is split into two partitions C (Windows) & D (Data) - 50Gb & 450Gb

The server is working fine, however a few days ago I noticed very little space left in the C partition - 250Mb - and when I checked the folder C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 was filling up with approx 40Gb+ of junk - I thought nothing of it and deleted it freeing up the space.

Today the same thing happened same file filled with 40Gb+ of junk within a few hours. I also noticed an index.dat file in the same location and CANNOT delete it.

I perfromed a full virus scan which turned up nothing but when I looked in the event logs I found two errors:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\WINDOWS\system32\CBA\pds.exe
Event Info:  Terminate Process
Action Taken:  Blocked
Actor Process:  C:\WINDOWS\system32\taskmgr.exe (PID 2836)
Time:  20 February 2009  09:48:18

and


Security Risk Found!Risk: Backdoor.Singu in File:

But yet the virus scan ISN'T picking anything up.....All I can currently do is delete the folders in the ContentIE5 folder but a minutes later they appear again....

Any help is greatly appreciated!

Regards
0
TangarineIT
Asked:
TangarineIT
  • 3
  • 3
1 Solution
 
TangarineITAuthor Commented:
I have also noticed that in add and remove progamss - i am unable to actually uninstall anything has the button has disappeared.... it seems that something or someone has tried to take over the server.....
0
 
Mohamed OsamaSenior IT ConsultantCommented:
Take a lok at this post please
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Server_Anti-Virus/Q_24089228.html
SQL injection attack that was done en masse a few months back, there is some sort of automated tools runnning around, so it is being abused alright.
0
 
Mohamed OsamaSenior IT ConsultantCommented:
Wrong post , Please ignore my previous post :)
the file you mentioned seems genuine
http://www.greatis.com/appdata/a/_/_sysdir__cba_pds.exe.htm
can you please post a hijack this log ? 
also running Malwarebyte antimalware scan will not hurt.

0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
Mohamed OsamaSenior IT ConsultantCommented:
alos you can check in the system for the existence of files or registry entries as described in Symantec write up
http://www.symantec.com/security_response/writeup.jsp?docid=2002-102512-5455-99&tabid=2
0
 
TangarineITAuthor Commented:
Ok thanks for your posts.

I checked the symantec website and found none of the keys mentioned in the registry.

The pds.exe file is apparently: Intel Ping Discovery Service installed either with the Intel LANDesk management suite, or installed as part of a Symantec Norton AntiVirus Corporate Edition solution (NAV CE) which would have included the Intel Alert Management System (AMS). This task allows your PC, and its components and software, to be "discovered" and "interacted with", by the LANDesk or AMS software - the company has Symantec Corporate Antivirus so hence why this is on....

If it is important - there was an extra user on the server named ADMINISTRETOR.... this user was NOT added by the company......

I will install spyware and do a check tomorrow.

Thanks for your replies
0
 
TangarineITAuthor Commented:
Ok - I used Malwarebyte and perfromed a full scan - which found 2 dubious registry keys but nothing else.....
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now