ndidomenico
asked on
is this process valid in sbs 2003
I think I might have a virus/spyware infection on my sbs2003 server and would like to verify a few services I am not sure about. I compared to a few other sbs2003 servers and I don't see these. Do they look like normal/valid apps ? The server was almost stalled this morning even after having shutdown most of the non-essential services.
- Appication Layer Gateway Server 21115012 (C:\WINDOWS\system32\svcho st.exe /k netsvcs)
- Appication Layer Gateway Service (C:\WINDOWS\system32\alg.e xe)
- Appication Layer Gateway Serviec (C:\WINDOWS\temp\svehost.e xe)
(this last one worries me a lot: misspelling, temp folder, svehost.exe)
I am running a scan on these with malwarebytes/hijackthis/su perantispy ware
- Appication Layer Gateway Server 21115012 (C:\WINDOWS\system32\svcho
- Appication Layer Gateway Service (C:\WINDOWS\system32\alg.e
- Appication Layer Gateway Serviec (C:\WINDOWS\temp\svehost.e
(this last one worries me a lot: misspelling, temp folder, svehost.exe)
I am running a scan on these with malwarebytes/hijackthis/su
Yeah... that's not good. I would be booting to a Win7/Vista/2008/2008R2/UBC D4WIN boot CD and then RENAMING (NOT DELETING) that file so it couldn't start. However, if it is Malware (and I strongly suspect it is), it's probably somewhere else on the system as well waiting to reinstall itself. Malware bytes and you should probably switch antiviruses if it didn't catch this... (You ARE running one on the server, right?)
Yeah... that's not good. I would be booting to a Win7/Vista/2008/2008R2/UBC D4WIN boot CD and then RENAMING (NOT DELETING) that file so it couldn't start. However, if it is Malware (and I strongly suspect it is), it's probably somewhere else on the system as well waiting to reinstall itself. Malware bytes and you should probably switch antiviruses if it didn't catch this... (You ARE running one on the server, right?)
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
That's right, delete it so you can bring down your whole system.
Renaming it means you can easily restore it if necessary. Deleting it means you could spend hours MORE trying to recover the system.
I've seen malware embed itself so thoroughly then when deleted, the system becomes UNUSABLE. Hopefully, this is not the case - it's USUALLY not the case... but it can happen. Don't make the infection worse by deleting it and potentially making the system unusable. If the anti-malware products correctly identify it, they SHOULD know how to remove it safely. Otherwise, by renaming, if it doesn't come back, you're PROBABLY clena and if it causes a complete failure you can rename it back and make sure you can run for a short time until you can rebuild the server.
Renaming it means you can easily restore it if necessary. Deleting it means you could spend hours MORE trying to recover the system.
I've seen malware embed itself so thoroughly then when deleted, the system becomes UNUSABLE. Hopefully, this is not the case - it's USUALLY not the case... but it can happen. Don't make the infection worse by deleting it and potentially making the system unusable. If the anti-malware products correctly identify it, they SHOULD know how to remove it safely. Otherwise, by renaming, if it doesn't come back, you're PROBABLY clena and if it causes a complete failure you can rename it back and make sure you can run for a short time until you can rebuild the server.
ASKER
Thanks all for your help. Ran Malwarebytes and it did detect 4 files infected The svehost.,exe was indeed a Trohan.Backdoor. It also found a "Memory Module Infected" Trojan.ServiceHijacker ?? (never saw this one before), and some registry keys infected. It was able to unload them but I will need to reboot the server to complete the deletion (delete on reboot), but will have to do this later tonight.
When the server would crawl down, the memory usage was way up (8 Gb when compare to 3 normally) but surprisingly the cpu utilization was still very loaw (1-5%). The memory usage now seems back to a normal usage now with minimum services loaded (file server, Exchange), and I will start the required other services slowly one by one (Bes, backup, antivirus, etc).
Looks like our Trend didn't catch this one. A bit worrying. Will scan with a few other tools (hijackthis, otl, superantispyware) to confirm there is nothing left.
When the server would crawl down, the memory usage was way up (8 Gb when compare to 3 normally) but surprisingly the cpu utilization was still very loaw (1-5%). The memory usage now seems back to a normal usage now with minimum services loaded (file server, Exchange), and I will start the required other services slowly one by one (Bes, backup, antivirus, etc).
Looks like our Trend didn't catch this one. A bit worrying. Will scan with a few other tools (hijackthis, otl, superantispyware) to confirm there is nothing left.
Trend doesn't rank very high at catching malware. Eset, Sophos, and Vipre do a better job.
Ooops, forgot to mention Kaspersky. I've installed it in dozens of places and had very good results with it. There have been some pc's with lingering problems where Kaspersky was able to pull out the malware tenterhooks over the space of a few days.