Malware on Server 2003

Hi all,

My server has not been running .exe files lately. The server runs extremely slowly, more so than it has ever done in the past.

I recently ran Kaspersky's online antivirus scanner. It found a few objects in Exchange folders, since the server in question maintains the Exchange database.

Recently my IIS settings, as well as other Exchange/Windows files, have gotten corrupted.

Even though the infected objects the online scan found are in the Exchange database folders, is it likely I have malware embedded and running in memory?

I can't figure out how to solve my problem without being able to run an .exe for the SP update, nor being able to install an antivirus program to remove the malware.

I'm in for a long weekend, which is when I can boot the server in safe mode to troubleshoot. So here is my question. Given the behavior and the limitation of not being able to install programs, is there an updated malware program sold out there that can run off a CD to clean out this drive?

I can't be spending so much time troubleshooting this beast. I think I have to reinstall Exchange because Exchange and AD are acting weird. The email addresses tab is gone, IIS is blank, and OWA is gone. Can malware be the cause of all of these symptoms?

I have hardware-based RAID by Intel. If it were RAID degradation, upon rebooting I'd get a message and beeps, right?
sonic1394 asked:

NaturaTek commented:
Is the computer infected? YES. There are some legit-looking items like VNC. Do you use that to remotely connect to that desktop? That said, it looks like there's a couple of different VNCs starting up. If so, leave it alone, or uninstall/reinstall.
The .exe's loading up from the user folders are infections.

Is this the cause of your problems? Hard to say at this moment. You scanned a user's computer and you found those items. Did you scan the server? Servers can get infected.

On your question of hardware RAID, it should alert you to a 'degraded' status, or you can use its Intel software to check its status; check the RAID documentation.

Antivirus doesn't catch everything. Nothing catches everything. Use the links above, Malwarebytes and SuperAntiSpyware as well. Update them first and scan.

If you didn't load the VNC, ask the user if he's remoting into his workstation. Malware can cause the symptoms you stated and more. It can also be other factors: corruption, or corruption led by malware, etc.

Scanning is your first step; get rid of all the gunk in any machine. Any backdoor left on the network, someone can log in and start to penetrate any open holes, etc.

NaturaTek commented:
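The comment above separates legitimate autostarts (VNC) from executables launching out of user profile folders. The following PowerShell script, added here as an example and not part of the thread, shows a defender's way to get that list without installing anything: it reads the Run/RunOnce registry keys and flags entries whose executable lives under a profile directory or no longer exists on disk. It assumes PowerShell 2.0 (installable on Server 2003 SP2) and an administrative session; the key list and the profile-folder pattern are the script's own assumptions.

```powershell
# Added example (not from the thread): triage Run-key autostart entries and
# flag any whose executable lives under a user profile folder, the indicator
# the comment above uses. Assumes PowerShell 2.0 and an administrator session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Profile roots: 'Documents and Settings' on Server 2003, 'Users' on later versions.
$profilePattern = '\\(Documents and Settings|Users)\\'

function Get-ExePath([string]$command) {
    # Take a leading quoted path, otherwise the first whitespace-delimited token,
    # then expand %SystemRoot%-style variables so Test-Path can resolve it.
    if ($command -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExePath ([string]$prop.Value)
        $flag = ''
        if ($exe -match $profilePattern) {
            $flag = 'REVIEW: runs from a user profile folder'
        } else {
            $exists = $false
            try { $exists = Test-Path -LiteralPath $exe } catch { $exists = $false }
            if (-not $exists) { $flag = 'REVIEW: target file not found' }
        }
        $hive = ($key -split ':')[0]
        $sub  = ($key -split '\\')[-1]
        '{0}\{1,-8} {2,-25} {3} {4}' -f $hive, $sub, $prop.Name, $exe, $flag
    }
}
```

Anything flagged REVIEW is a starting point for the scans the thread recommends, not a verdict: a known remote-access tool installed on purpose (like the poster's VNC) will show up unflagged if it lives under Program Files, while an entry pointing into a departed user's profile is exactly the case described in the answer.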
Download Superantispyware from www.superantispyware.com

Download Malwarebytes from www.malwarebytes.org

UPDATE them both.

Boot into safe mode. Run a scan with Malwarebytes first. Remove any findings. Exit.
Run a scan with SuperAntiSpyware second, remove findings, reboot.

(System Restore off when doing this; turn it back on when done.)

Create a bootable Kaspersky antivirus CD; step-by-step instructions here:
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/
http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/

Boot from the Kaspersky CD, run a scan, reboot.

You should be good.
sonic1394 (author) commented:
NaturaTek, thanks for the prompt response. When I ran Kaspersky's online scan, this is what it found (see the attached images).

Can you tell me if the malware it found is likely causing my problems listed in the initial question?
I will gladly award you the points since your response is complete, but I'd like confirmation on whether my problems are likely malware related.

All 5 trojans it detected are in 1 user's folder, sjauregui.
I personally don't think it's possible this trojan is running in the server's memory, nor could it be running within the system. But then again I'm not an expert on viruses; I just know where these trojans are and I want to know how to fix my server.
Attachments: IMG00228.jpg, IMG00227.jpg
sonic1394 (author) commented:
Yes, this is a server we're looking at. That user has not existed on the network for a long time. The trojans must have been sitting there. I will run those scans on the weekend when I can boot in safe mode. Thank you for the complete response.
NaturaTek commented:
If you don't use VNC, remove it completely. Please keep us posted if you can.

sonic1394 (author) commented:
I do use VNC. I need it for remote access. I've read online that those files this scanner pointed out are legit for VNC to operate. They are not trojans; they allow me to access this machine remotely. VNC requires password authentication.

Other than the few trojans that scanner found, I'm looking forward to using the other scanners you suggested. If not, then I'm afraid I need to check other variables such as hard disk integrity.