Virus on Windows Small Business Server 2003

Posted on 2009-02-20
Last Modified: 2013-11-22

I have a Windows SBS 2003 server, fully up to date, and also have all the usual stuff (Exchange & Symantec AV 10.2). The hard drive is split into two partitions, C (Windows) & D (Data) - 50Gb & 450Gb.

The server is working fine, however a few days ago I noticed very little space left in the C partition - 250Mb - and when I checked the folder C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 was filling up with approx 40Gb+ of junk - I thought nothing of it and deleted it freeing up the space.

Today the same thing happened same file filled with 40Gb+ of junk within a few hours. I also noticed an index.dat file in the same location and CANNOT delete it.

I performed a full virus scan which turned up nothing, but when I looked in the event logs I found two errors:

Target:  C:\WINDOWS\system32\CBA\pds.exe
Event Info:  Terminate Process
Action Taken:  Blocked
Actor Process:  C:\WINDOWS\system32\taskmgr.exe (PID 2836)
Time:  20 February 2009  09:48:18

Security Risk Found! Risk: Backdoor.Singu in File:

But the virus scan ISN'T picking anything up... All I can currently do is delete the folders in the Content.IE5 folder, but a minute later they appear again...

Any help is greatly appreciated!

Question by:TangarineIT
    LVL 1

    Author Comment

    I have also noticed that in Add and Remove Programs I am unable to actually uninstall anything, as the button has disappeared... it seems that something or someone has tried to take over the server...
    LVL 23

    Expert Comment

    Take a look at this post please.
    SQL injection attack that was done en masse a few months back; there is some sort of automated tool running around, so it is being abused alright.
    LVL 23

    Expert Comment

    Wrong post, please ignore my previous post :)
    The file you mentioned seems genuine.
    Can you please post a HijackThis log?
    Also, running a Malwarebytes Anti-Malware scan will not hurt.

    LVL 23

    Expert Comment

    Also, you can check the system for the existence of the files or registry entries described in the Symantec write-up.
    LVL 1

    Author Comment

    Ok thanks for your posts.

    I checked the Symantec website and found none of the keys mentioned in the registry.

    The pds.exe file is apparently: Intel Ping Discovery Service, installed either with the Intel LANDesk management suite, or installed as part of a Symantec Norton AntiVirus Corporate Edition solution (NAV CE) which would have included the Intel Alert Management System (AMS). This task allows your PC, and its components and software, to be "discovered" and "interacted with" by the LANDesk or AMS software. The company has Symantec Corporate Antivirus, hence why this is on...

    If it is important - there was an extra user on the server named ADMINISTRETOR... this user was NOT added by the company...

    I will install spyware and do a check tomorrow.

    Thanks for your replies
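An added example, not code from this thread or from any of the products named in it: a small Python check for the kind of account the author found (ADMINISTRETOR, a near miss of Administrator), flagging local account names within a short edit distance of a built-in privileged name. The account list and the PRIVILEGED_NAMES tuple are constructed for the example; on a real server the names would come from `net user` or Active Directory Users and Computers.

```python
"""Flag local account names that closely resemble built-in privileged accounts.

Constructed example: the account list below mimics what an admin would see from
`net user` on an SBS 2003 box, including a typo-squatted "ADMINISTRETOR".
"""

# Built-in names an attacker-created account is likely to imitate (assumed list).
PRIVILEGED_NAMES = ("Administrator", "Guest")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalike_accounts(accounts, known=PRIVILEGED_NAMES, max_distance=2):
    """Return (account, imitated_name, distance) for each account whose name is a
    near miss of a known privileged name. Windows account names are
    case-insensitive, so the comparison is too; an exact match is the genuine
    built-in account and is not reported."""
    hits = []
    for acct in accounts:
        for name in known:
            d = edit_distance(acct.lower(), name.lower())
            if 0 < d <= max_distance:
                hits.append((acct, name, d))
    return hits


# Constructed sample: names as they might be listed by `net user` on the server.
SAMPLE_ACCOUNTS = ["Administrator", "ADMINISTRETOR", "Guest",
                   "jsmith", "Adminstrator", "backupsvc"]

if __name__ == "__main__":
    for acct, name, d in find_lookalike_accounts(SAMPLE_ACCOUNTS):
        print(f"suspicious account {acct!r} resembles {name!r} (distance {d})")
```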
    LVL 1

    Accepted Solution

    Ok - I used Malwarebytes and performed a full scan, which found 2 dubious registry keys but nothing else...
