Solved

Exchange 2003 server infected with RONTOKBRO@mm worm

Posted on 2009-02-23
Last Modified: 2012-05-06
It seems that a user plugged an infected flash drive into their computer and a few machines got infected with the RONTOKBRO worm.

I am running Symantec on all my machines, and a few of them had popups within a day saying that they were infected. Each time I saw a PC infected, I updated the definitions, scanned the PC, then deleted the infected files. After I cleaned up the PCs, I scanned every other PC including my file server. Nothing was found, which is a good sign.

However, last night I was doing some work remotely on my Exchange server when I noticed some of the symptoms of the RONTOKBRO worm...

No more Folder Options in the View menu; certain folders had folder icons named sometypeoffile.exe that normally had a .txt or .jpg extension. This is what I saw on the other PCs on the network that had the worm, so I am certain that my Exchange 2003 server is infected.

I won't be able to do any real work on the server until Saturday. This server has not been backed up in quite some time due to tape drive issues, but the company only has 15 users and I have, and can get, the latest copy of everyone's .pst file, so no problem there...

All this computer does is run Exchange 2003. I don't want to reformat, but as a last resort I will have no choice.

Symantec and other people from Google searches say that it is possible to delete registry entries, but on the PCs that were infected, if I went to Start, Run, and typed in regedit, it told me that I don't have admin privileges. So I can't do that... I need to clean the registry and remove the worm ASAP.

This server has Symantec Mail Security, but that is just for the mailboxes/Exchange; it never had any AV protection on it.

This computer has public folders with contacts, but I was able to save all that this morning, so I am not worried about losing the contacts.

This is a real bummer; not sure what to do at this point.
Question by:tomdlgns
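A defender-side check for the masquerading files the question describes, added here as an example and not part of the original thread: it walks a directory tree and flags executables whose name either has a document extension bolted on (report.txt.exe) or duplicates the name of a sibling folder (the folder-icon trick). The extension lists are assumptions, and a hit is something to examine, not proof of infection.

```python
"""Flag executables that masquerade as documents or folders (added example)."""
import os
import sys
from pathlib import PurePath

# Assumed lists: document extensions the worm was seen impersonating, and
# executable extensions Windows will launch on double-click.
DOC_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".bmp", ".doc", ".xls", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def suspicious_entries(dir_entries):
    """dir_entries: list of (name, is_dir) for ONE directory.
    Returns the names of executables that mimic a folder or a document."""
    dirs = {name.lower() for name, is_dir in dir_entries if is_dir}
    found = []
    for name, is_dir in dir_entries:
        if is_dir:
            continue
        p = PurePath(name.lower())
        if p.suffix not in EXEC_EXTS:
            continue
        # "report.txt.exe": a document name with an executable extension appended
        double_ext = PurePath(p.stem).suffix in DOC_EXTS
        # "Photos.exe" sitting next to a folder called "Photos"
        shadows_folder = p.stem in dirs
        if double_ext or shadows_folder:
            found.append(name)
    return found


def scan_tree(root):
    """Walk root and return {directory: [suspicious names]} for every hit."""
    hits = {}
    for cur, subdirs, files in os.walk(root):
        entries = [(d, True) for d in subdirs] + [(f, False) for f in files]
        names = suspicious_entries(entries)
        if names:
            hits[cur] = names
    return hits


if __name__ == "__main__":
    # Usage: python masquerade_scan.py <root>   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for folder, names in scan_tree(root).items():
        for n in names:
            print(os.path.join(folder, n))
```

Run it against a share or profile directory and review each hit by hand; a legitimate installer named setup.exe is not flagged, only names that copy a folder or document.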
5 Comments
 

Expert Comment

by:Dhiraj Mutha
ID: 23718096
Have you tried MalwareBytes? If you haven't, then try it.
Download Malwarebytes' Anti-Malware to your desktop, and check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

If the problem persists, use ComboFix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (antivirus/antispyware, guards and shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

Author Comment

by:tomdlgns
ID: 23718204
I saw this post in another thread, but that wasn't for a server, that was for a workstation.

Although you might have posted this for a server issue, the one I read was a workstation.

These programs work on a server OS as well, correct?

Thanks, and I WILL post the log, but I won't be able to do this until Saturday or some time this week if I am able to stay late. It is kind of tough for me to stay late because our users do not work the typical 9-5 business hours.
 

Author Comment

by:tomdlgns
ID: 23723101
Server seems to be stable right now, but I have not tried to make any changes.

I will update if anything happens before. I will be here on Saturday for sure.

Thanks again.
 

Accepted Solution

by:tomdlgns (earned 0 total points)
ID: 23776974
I ended up reformatting instead of trying to clean it out. I decided that I needed the bigger hard drives since I was running out of space with the old ones, anyway.

Thanks.
 

Expert Comment

by:Dhiraj Mutha
ID: 23777156
It's good to hear... but my solution would have worked out.