2003 Exchange server infected with... RONTOKBRO@mm worm
Posted on 2009-02-23
It seems that a user plugged an infected flash drive into their computer and a few machines got infected with the RONTOKBRO worm.
I am running Symantec on all my machines and a few of them had popups within a day saying that they were infected. Each time I saw a PC infected, I updated the definitions, scanned the PC, then deleted the infected files. After I cleaned up the PCs, I scanned every other PC including my file server. Nothing was found, which is a good sign.
However, last night I was doing some work remotely on my Exchange server when I noticed some of the symptoms of the RONTOKBRO worm...
No more Folder Options in the View menu, and certain folders had folder icons named sometypeoffile.exe, where the file was normally a .txt or .jpg. This is what I saw on the other PCs on the network that had the worm, so I am certain that my Exchange 2003 server is infected.
I won't be able to do any real work on the server until Saturday. This server has not been backed up in quite some time due to tape drive issues, but the company only has 15 users and I have and can get the latest copy of everyone's .pst file, so no problem there...
All this computer does is run Exchange 2003. I don't want to reformat, but as a last resort I will have no choice.
Symantec and other people from Google searches say that it is possible to delete registry entries, but on the PCs that were infected, if I went to Start, Run, and typed in regedit, it told me that I don't have admin privileges. So I can't do that... I need to clean the registry and remove the worm ASAP.
This server has Symantec Mail Security, but that is just for the mailboxes/Exchange; it never had any AV protection on it.
This computer has public folders with contacts, but I was able to save all that this morning, so I am not worried about losing the contacts.
This is a real bummer, not sure what to do at this point.
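The two symptoms described in the post (executables dressed up as documents or folders, and Folder Options / regedit switched off) can be checked for before deciding whether a rebuild is needed. This is an added example, not code from the original post or from Symantec; it assumes PowerShell 3.0 or later run from an administrative session, with the path to inspect passed as $Root, and it only reports findings, it does not change anything.

```powershell
# Added example: report the two RONTOKBRO-style symptoms described in the post.
# Assumes PowerShell 3.0+ (Get-ChildItem -File) and read access to $Root.
param([string]$Root = "C:\")

# 1. Executables that mimic documents or folders: "notes.txt.exe", "photo.jpg.exe",
#    or an .exe named exactly like a folder sitting next to it.
function Find-DisguisedExecutables {
    param([string]$Path)
    $hits = @()
    Get-ChildItem -Path $Path -Recurse -Force -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            $doubleExt  = $base -match '\.(txt|jpg|jpeg|doc|xls|pdf)$'
            $folderTwin = Test-Path -LiteralPath (Join-Path $_.DirectoryName $base) -PathType Container
            if ($doubleExt -or $folderTwin) {
                $reason = if ($doubleExt) { 'double extension' } else { 'named like a sibling folder' }
                $hits += [PSCustomObject]@{ Path = $_.FullName; Reason = $reason }
            }
        }
    return $hits
}

# 2. Explorer/regedit lockdown policies that match what the poster saw:
#    NoFolderOptions hides Folder Options, DisableRegistryTools blocks regedit.
#    (Standard Windows policy values; checked for the current user hive.)
function Get-LockdownPolicies {
    $checks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [PSCustomObject]@{ Key = $c.Key; Value = $c.Name; Set = ($v -eq 1) }
    }
}

Find-DisguisedExecutables -Path $Root | Format-Table -AutoSize
Get-LockdownPolicies | Format-Table -AutoSize
```

Run it against the suspect server's drive (or a share of it from a clean workstation); a non-empty first table or a "Set = True" row in the second confirms the same indicators seen on the workstations, and the file list gives the paths to hand to an updated scanner rather than deleting by hand.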