I support an SBS 2003 server that is fully updated and patched. It was hacked into 9 days ago and used as a spam relay. I have fixed that situation and cleared out over 200K messages that had backed up in the queues.
I loaded always-on Malwarebytes and saw it block outgoing connections for the first 4 days, but it has not blocked any since then. I also blocked, at the Watchguard firewall, several sites in AU that kept trying to get into the server. I have run several programs to look for rootkits, but found none.
Right now the Exchange queues are fine, except for maybe 4 or 5 random 'bogus' sites that appear daily with messages from our postmaster. The problem is that after about two days, activity on the LAN crawls to a halt. When you try to log in to the server console, it takes over 15 minutes to show the desktop (either at the server or via TS). After rebooting the server, login at the server is back to normal (within 30 seconds) and LAN traffic is fine. Maybe a day or two later it is back to a crawl, and the server must be rebooted again.
I'm going onsite again right now to work on it. What would be my next steps?
One other oddity: in Exchange System Manager, when I go into the properties of the Exchange server and click on the Diagnostics Logging tab (to look at something I read must be adjusted after this type of attack), the program completely hangs.