2003 exchange server infected with....RONTOKBRO@mm worm
it seems that a user plugged an infected flash drive into their computer and a few machines got infected with the RONTOKBRO worm.
i am running symantec on all my machines and a few of them had popups within a day saying that they were infected. each time i saw a PC infected, i updated the definitions, scanned the pc, then deleted the infected files. after i cleaned up the PCs, i scanned every other PC including my file server. nothing was found, which is a good sign.
however, last night i was doing some work remotely, on my exchange server, when i noticed some of the symptoms of the RONTOKBRO worm...
no more folder options in the view menu, certain folders had folder icons named sometypeoffile.exe which was normally a .txt or .jpg extension. this is what i saw on the other PCs on the network that had the worm, so i am certain that my exchange 2003 server is infected.
i wont be able to do any real work on the server until Saturday. this server has not been backed up in quite some time due to tape drive issues, but the company only has 15 users and i have and can get the latest copy of everyones .pst file, not a problem there...
all this computer does is run exchange 2003, i dont want to reformat, but as a last resort, i will have no choice.
symantec and other people from google searches say that it is possible to delete registry entries, but on the PCs that were infected, if i went to start, run, and typed in regedit, it tells me that i don't have admin privileges. so i cant do that...i need to clean the registry and remove the worm asap.
this server has symantec mail security, but that is just for the mailboxes/exchange, it never had any AV protection on it.
this computer has public folders with contacts, but i was able to save all that this morning, so i am not worried about losing the contacts.
this is a real bummer, not sure what to do at this point.
i am running symantec on all my machines and a few of them had popups within a day saying that they were infected. each time i saw a PC infected, i updated the definitions, scanned the pc, then deleted the infected files. after i cleaned up the PCs, i scanned every other PC including my file server. nothing was found, which is a good sign.
however, last night i was doing some work remotely, on my exchange server, when i noticed some of the symptoms of the RONTOKBRO worm...
no more folder options in the view menu, certain folders had folder icons named sometypeoffile.exe which was normally a .txt or .jpg extension. this is what i saw on the other PCs on the network that had the worm, so i am certain that my exchange 2003 server is infected.
i wont be able to do any real work on the server until Saturday. this server has not been backed up in quite some time due to tape drive issues, but the company only has 15 users and i have and can get the latest copy of everyones .pst file, not a problem there...
all this computer does is run exchange 2003, i dont want to reformat, but as a last resort, i will have no choice.
symantec and other people from google searches say that it is possible to delete registry entries, but on the PCs that were infected, if i went to start, run, and typed in regedit, it tells me that i don't have admin privileges. so i cant do that...i need to clean the registry and remove the worm asap.
this server has symantec mail security, but that is just for the mailboxes/exchange, it never had any AV protection on it.
this computer has public folders with contacts, but i was able to save all that this morning, so i am not worried about losing the contacts.
this is a real bummer, not sure what to do at this point.
ASKER
i saw this post in another thread, but that wasnt for a server, that was for a workstation.
although you might have posted this for a server issue, the one i read was a workstation.
these programs work on a server OS as well correct?
thanks and i WILL post the log, but i wont be able to do this until saturday or some time this week if i am able to stay late. it is kind of tough for me to stay late because our users do not work the typical 9-5 business hours.
although you might have posted this for a server issue, the one i read was a workstation.
these programs work on a server OS as well correct?
thanks and i WILL post the log, but i wont be able to do this until saturday or some time this week if i am able to stay late. it is kind of tough for me to stay late because our users do not work the typical 9-5 business hours.
ASKER
server seems to be stable right now, but i have not tried to make any changes.
i will update if anything happens before. i will be here on Saturday for sure.
thanks again.
i will update if anything happens before. i will be here on Saturday for sure.
thanks again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Its good to hear.... but my solution worked out.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php
If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
If problem persists, use combofix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.