Solved

SBS 2008 public share drive folder spawning

Posted on 2013-01-11
Last Modified: 2013-11-22
Hello Experts,

Yesterday I noticed that our shared "public" drive has been automatically spawning 2-character folder names with a long hexadecimal file inside.

I can delete some of them, but several are read-only.
After I delete the ones I can, they will respawn on their own.

My guess is a virus but nothing is detected.

Thanks in advance,
0
Question by:Micarta46
4 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38769810
Could be some virus or something. Hope the AV is set. Did someone try to remove and re-add, or who else manages the server?

- Rancy
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 38769905
You can check out this
http://pcworld.about.net/magazine/2307p164id120795.htm

You can use Process Explorer to see which process (and eventually application) is creating or owning that folder and trace back. If it is some svchost and Windows services, then this is highly suspicious and probably already in its mode of propagating itself (extract) or siphoning data (central repository).

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://windowsxp.mvps.org/processlock.htm

Another is to check for any unknown listening ports and trace back to the process, and if they are the same or refer to the same application then something is really suspicious.

http://searchmidmarketsecurity.techtarget.com/tip/Using-NetStat-commands-and-Microsoft-Port-Reporter-tool-to-find-network-connections
http://searchsecuritychannel.techtarget.com/tip/Use-Netstat-to-determine-which-ports-to-open-on-a-Windows-firewall

just a few cents
0
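The triage described in the question and the answer above, as an added PowerShell example that is not part of the original thread: it inventories the two-character folders holding hex-named files (creation time and owner, to correlate with process activity) and maps listening TCP ports to their owning processes. The share path, the 16-character hex threshold and the function names are assumptions; it assumes PowerShell 2.0 or later, run elevated on the server.

```powershell
# Added example. $SharePath is a placeholder, not a path from the thread.
param([string]$SharePath = 'D:\Shares\Public')

# Folders with a two-character name that contain a file whose base name is a
# long hex string. "Long" is assumed here to mean 16 or more hex digits.
function Get-SuspectFolder {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { $_.PSIsContainer -and $_.Name.Length -eq 2 } |
        ForEach-Object {
            $dir = $_
            $hexFiles = @(Get-ChildItem -LiteralPath $dir.FullName -Force |
                Where-Object { -not $_.PSIsContainer -and
                               $_.BaseName -match '^[0-9A-Fa-f]{16,}$' })
            if ($hexFiles.Count -gt 0) {
                New-Object PSObject -Property @{
                    Folder  = $dir.FullName
                    Created = $dir.CreationTime          # line up with event logs
                    Owner   = (Get-Acl $dir.FullName).Owner  # account that created it
                    Files   = ($hexFiles | ForEach-Object { $_.Name }) -join ', '
                }
            }
        }
}

# Listening IPv4 TCP ports mapped to the owning process via "netstat -ano".
function Get-ListeningProcess {
    netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = $_.Line.Trim() -split '\s+'
        $proc = Get-Process -Id $f[4] -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Local     = $f[1]
            OwningPid = [int]$f[4]
            Name      = $proc.ProcessName
            Path      = $proc.Path   # empty for protected processes or without elevation
        }
    }
}

Get-SuspectFolder -Path $SharePath | Sort-Object Created |
    Format-List Folder, Created, Owner, Files
Get-ListeningProcess | Sort-Object Name |
    Format-Table Local, OwningPid, Name, Path -AutoSize
```

A listener whose Path is empty or unfamiliar is the one to look up by PID in Process Explorer.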
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 38770792
What are you using to detect virus/malware on the server?

The truth is that most likely the server is compromised at a low level and probably needs to be flattened and reinstalled...that's the only true way to know that you got it.

Put the data on a portable drive that you can scan with Malwarebytes or SuperAntiSpyware (or both). Once you know it's clean, you can copy back to the newly installed server.
0
 

Author Closing Comment

by:Micarta46
ID: 38788851
This gave me something to think about. It ended up being my current AV solution's definitions were out of date. A new AV scan caught & cleared the issue.
0
