2003 exchange server infected with....RONTOKBRO@mm worm

Posted on 2009-02-23
Last Modified: 2012-05-06
it seems that a user plugged an infected flash drive into their computer and a few machines got infected with the RONTOKBRO worm.

i am running symantec on all my machines and a few of them had popups within a day saying that they were infected.  each time i saw a PC infected, i updated the definitions, scanned the pc, then deleted the infected files.  after i cleaned up the PCs, i scanned every other PC including my file server.  nothing was found, which is a good sign.

however, last night i was doing some work remotely, on my exchange server, when i noticed some of the symptoms of the RONTOKBRO worm...

no more folder options in the view menu, certain folders had folder icons named sometypeoffile.exe which was normally a .txt or .jpg extension.  this is what i saw on the other PCs on the network that had the worm, so i am certain that my exchange 2003 server is infected.

i wont be able to do any real work on the server until Saturday.  this server has not been backed up in quite some time due to tape drive issues, but the company only has 15 users and i have and can get the latest copy of everyones .pst file, not a problem there...

all this computer does is run exchange 2003, i dont want to reformat, but as a last resort, i will have no choice.

symantec and other people from google searches say that it is possible to delete registry entries, but on the PCs that were infected, if i went to start, run, and typed in regedit, it tells me that i don't have admin privileges.  so i cant do that...i need to clean the registry and remove the worm asap.

this server has symantec mail security, but that is just for the mailboxes/exchange, it never had any AV protection on it.

this computer has public folders with contacts, but i was able to save all that this morning, so i am not worried about losing the contacts.  

this is a real bummer, not sure what to do at this point.
Question by:tomdlgns
    LVL 14

    Expert Comment

    by:Dhiraj Mutha
    Have you tried MalwareBytes? If you haven't then try it.
    Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.

    If you can't access the above link then use this link:

    If problem persists, use combofix and show us the log.
    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix..

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Author Comment

    i saw this post in another thread, but that wasnt for a server, that was for a workstation.

    although you might have posted this for a server issue, the one i read was a workstation.

    these programs work on a server OS as well correct?

    thanks and i WILL post the log, but i wont be able to do this until saturday or some time this week if i am able to stay late.  it is kind of tough for me to stay late because our users do not work the typical 9-5 business hours.

    Author Comment

    server seems to be stable right now, but i have not tried to make any changes.

    i will update if anything happens before.  i will be here on Saturday for sure.

    thanks again.


    Accepted Solution

    i ended up reformatting instead of trying to clean it out.  i decided that i needed the bigger hard drives since i was running out of space with the old ones, anyway.

    LVL 14

    Expert Comment

    by:Dhiraj Mutha
    Its good to hear.... but my solution worked out.

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Join & Write a Comment

    Set up iPhone and iPad email signatures to always send in high-quality HTML with this step-by step guide.
    Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
    To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now