malware on server 2003

Hi all,

my server has not been running exe's lately. The server runs extremely slow, more so than it has ever done in the past.

I recently ran Kaspersky's online antivirus scanner. It found a few objects in Exchange folders, since the server in question maintains the Exchange database.

Recently my IIS settings as well as other Exchange/Windows files have gotten corrupted.

Even though the infected objects the online scan found are in the exchange database folders, is it likely I have malware embedded, running in memory?

I can't figure out how to solve my problem without being able to run an exe for the SP update, nor being able to install an antivirus program to remove the malware.

I'm in for a long weekend, which is when I can boot the server in safe mode to troubleshoot. So here is my question. Given the behavior and limitations of not being able to install programs... Is there an updated malware program sold out there that can run off a CD to clean out this drive?

I can't be spending so much time troubleshooting this beast. I think I have to reinstall Exchange because Exchange and AD are acting weird. The email addresses tab is gone, IIS is blank, and OWA is gone... Can malware be the cause of all of these symptoms?

I have hardware-based RAID... by Intel... if it were RAID degradation, upon rebooting, I'd get a message and beeps, right?

Download Superantispyware from

Download Malwarebytes from 

UPDATE them both

Boot into safe mode. Run a scan with Malwarebytes first. Remove any findings. Exit.
Run a scan with Superantispyware second, remove findings, reboot.

(system restore off when doing this, turn back on when done)

Create a bootable antivirus Kaspersky, step by step instruction here:

Boot from the Kaspersky CD, run a scan. Reboot.

You should be good.
sonic1394 (Author) commented:
Naturatek, thanks for the prompt response. When I ran Kaspersky's online scan, this is what it found...

Can you tell me if the malware it found is likely causing my problems listed in the initial question???
I will gladly award you the points since your response is complete, but I'd like confirmation on whether my problems are likely malware related.

All 5 trojans it detected are in 1 user's folder, sjauregui.
I personally don't think it's possible this trojan is running in the server's memory... nor could it be running within the system. But then again I'm not an expert on viruses, I just know where these trojans are and I want to know how to fix my server.
Is the computer infected? YES. There are some legit-looking items like VNC. Do you use that to remotely connect to that desktop? That said, it looks like there are a couple of different VNCs starting up. If so, leave it alone, or uninstall/reinstall.
The .exe's loading up from the user folders are infections.

Is this the cause of your problems? Hard to say at this moment. You scanned a user's computer and you found those items. Did you scan the server? Servers can get infected.

On your question of hardware RAID, it should alert you to a 'degraded' status, or you can use its Intel software to check its status; check the RAID documentation.

Antivirus doesn't catch everything. Nothing catches everything. Use the links above, malwarebytes, superantispyware as well. Update them first and scan.

If you didn't load the VNC, ask the user if he's remoting into his workstation. Malware can cause the symptoms you stated and more. It can also be other factors, corruption or corruption led by malware, etc.

Scanning is your first step; get rid of all the gunk in any machine. With any backdoor left on the network, someone can log in and start to penetrate any open holes, etc.



sonic1394 (Author) commented:
Yes, this is a server we're looking at. That user has not existed on the network for a long time. The trojans must have been sitting there. I will run those scans on the weekend when I can boot in safe mode. Thank you for the complete response.
If you don't use VNC, remove it completely. Please keep us posted if you can.
sonic1394 (Author) commented:
I do use VNC. I need it for remote access... I've read online that those files this scanner pointed out are legit for VNC to operate... They are not trojans, they allow me to access this machine remotely. VNC requires password authentication.

Other than the few trojans that scanner found, I'm looking forward to using the other scanners you suggested. If not then I'm afraid I need to check other variables such as hard disk integrity.