sglee
Files infected by Virus in MS Safety Scanner

[three attached screenshots]

Hi,

Due to an infected workstation on the network, I decided to run Microsoft Safety Scanner on the domain controller (SBS2011) and it detected over 1,300 files. But, as seen on the screenshots above, they are all from Windows operating system related folders.

I am not sure if I should let "Safety Scanner" fix this problem. So I would like to get some recommendations. I have seen viruses and their damage many times in the past, but I have not seen them affecting these folders.

Originally I wanted to install Symantec EndPoint Protection, but it fails to install with the error message "The Windows installer service could not accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." So I have decided to run MS Safety Scanner instead to check for viruses.

Thanks.
Rob Williams

Personally I would use a backup and restore the server to an earlier date, or rebuild and import recent data. There is no way to ever know if the server is ever clean and secure again. "Once infected always suspected".
Seconding RobWill: nobody can give you a 100% guarantee after a client or server is infected!
Do you run an Antivirus Software on your Server?
sglee (ASKER)

Rob,
  Let me try SFC /scannow.
As mentioned it may not work, but I would remove the virus first. SFC won't repair a virus; it just looks for damaged Windows files. I have also found it can cause problems on a DC.
sglee (ASKER)

SFC /scannow failed 8% into it.
I looked through the list of infected folders and I see that WSUS and Windows folders are NOT the only folders. I see all kinds of folders in the infected list.
I will let MS Safety Scanner do the repair and go from there.
As you said, I may rebuild the SBS2011 from scratch.
I'm not surprised; the description states it may lock files, protecting them from SFC.
Let us know how you make out.
Make sure you backup data first.

I just noticed above I said .ivr file but should read .vir
sglee (ASKER)

I will keep you posted.
For now the plan is to backup the files from the server.
They have an old server (SBS2003) with the same IP, computer name, and folder structure.
I can copy the files (from the current server) back to the same folder locations on the old server.
So it won't be bad.
The problem is how to handle Outlook file. I could create PST from each workstation. That will take a few hours for each PC and then once I disjoin the computer and rejoin the old server, I can simply import PST file. I am not going to use Exchange account on Outlook because it is a temporary plan.
I know that each Outlook 2010 keeps OST file in  C:\Users\%username%\AppData\Local\Microsoft\Outlook folder because it is running in Cache mode. Can I somehow use this OST in Outlook and just add POP account (they use local ISP for email) so that I don't have to export and import after attaching workstations to the old server?

The domain name on the old server is different from new server.
That means a new profile will be created; therefore OST file created/maintained by current server may not be usable.
All PCs will have to be disjoined from the network and joined to the new. When you do so the .ost file will no longer be accessible or usable without a 3rd party tool.
Best to export the .ost to .pst before removing from the existing domain. You do not have to be connected to the server to do so; you can use cached credentials until disjoined.
Note: Outlook 2013 only stores recent e-mail locally by default.  There is an option in the account settings to extend or select all.

You could leave things as they are for now and not join the SBS 2003 domain, and just map a drive using different credentials to the 2003 server data, assuming you can deal with e-mail.
sglee (ASKER)

"When you do so the .ost file will no longer be accessible or usable, without a 3rd party tool." ---> That is what I thought.
OK. I will export a PST from each workstation and once I replace the current server with the old server, I will simply use a workgroup on each workstation, import the PST back into their Outlook (not connected to EXCH SBS2003), add the POP account, and use mapped drives.

How about the NK2 file? Outlook 2010 does not keep one. Should I create the NK2 file manually from the current Outlook 2010?
With Outlook 2010 you can move the auto-complete information using the following:
In the old/existing profile go to:
-C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache
-Locate the file named  Stream_Autocomplete<a bunch of numbers>.dat
-Save/copy this file.
-Using the new profile open Outlook and send one e-mail by typing in an address.  This will force the creation of an autocomplete file
-Close Outlook and locate the Stream_Autocomplete file in the new profile.
-Rename it by changing the suffix to something like .old
-Copy to the same location the file copied from the old profile
-Rename it EXACTLY the same as the one on which you changed the suffix, now using the .dat extension.
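The same swap as a script, added here as an example and not posted by anyone in the thread. It assumes the old profile's RoamCache folder was already copied to a backup path (the `D:\ProfileBackup\RoamCache` default is an assumption) and that Outlook has been opened once under the new profile and one e-mail sent.

```powershell
# Added example: replace the new profile's Stream_Autocomplete file with the one saved
# from the old Outlook 2010 profile, keeping the exact file name Outlook created.
param(
    [string]$BackupRoamCache = "D:\ProfileBackup\RoamCache",   # assumed backup location
    [string]$NewRoamCache    = "$env:LOCALAPPDATA\Microsoft\Outlook\RoamCache"
)

# Outlook rewrites the .dat file on close, so refuse to run while it is open.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw "Close Outlook before replacing the autocomplete file."
}

# Step 1: the file saved from the old profile (newest one if several exist).
$old = Get-ChildItem -Path $BackupRoamCache -Filter 'Stream_Autocomplete*.dat' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $old) { throw "No Stream_Autocomplete*.dat found under $BackupRoamCache" }

# Step 2: the file the new profile created after one e-mail was sent.
$new = Get-ChildItem -Path $NewRoamCache -Filter 'Stream_Autocomplete*.dat' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $new) { throw "New profile has no autocomplete file yet; send one e-mail from Outlook first." }

# Step 3: keep the new profile's copy under a .old suffix instead of deleting it.
$keep = Join-Path $NewRoamCache ($new.BaseName + '.old')
Move-Item -LiteralPath $new.FullName -Destination $keep -Force

# Step 4: copy the old profile's file in under the new profile's EXACT file name.
Copy-Item -LiteralPath $old.FullName -Destination (Join-Path $NewRoamCache $new.Name)

Write-Host "Replaced $($new.Name) with data from $($old.Name); previous copy kept as $(Split-Path $keep -Leaf)"
```

Run it in the user's own session on the new profile after Outlook has been closed; if the new profile has not yet created its file, the script stops rather than guessing a name.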
sglee (ASKER)

Update:
Since users are able to access files and folders, emails ... etc., I am going to reboot the server at the end of today, check out the server health status and make the next move based on that.
Accessing files on the infected server? If so, that could be very risky.
sglee (ASKER)

I know, but I will find out after 5PM today whether redoing the server is necessary.
After reboot, I will try to scan again and keep you posted.
I would at least disconnect the internet. That virus gives someone remote access to your server and key logging capability.
sglee (ASKER)

Got you.
sglee (ASKER)

After numerous scans by AVG and reboots, finally the virus infection situation seems to be "somewhat" under control. The virus scan finds less and less.
Finally I was able to install my End Point Protection and I am going to scan it.
If repeated virus scans do not find any more infected files, I am going to keep the server as it is.
I can appreciate why, but the virus gave the intruder the ability to do things like create his own system account and such.
I have seen systems where someone tried to disguise an admin account by making it look like an HP system account.
Make sure you scan for root kits as well.
Glad to hear you have it under control.
sglee (ASKER)

[attached screenshot]
Update:
The AVG scanner has not detected any infected files during the last two scans and the server is running pretty smoothly with CPU utilization under 50% at all times.
Although Symantec EndPoint Protection, which I installed several days ago, keeps catching some stuff in real time.
But I am not 100% sure if it is really a virus or a false alarm.
Hard to say. As mentioned, "once infected always suspected".

There are a lot of other potential issues than viruses with which to be concerned, such as unknown user accounts, legitimate remote management tools, telnet enabled and router configuration....
sglee (ASKER)

Repeated scans using AVG (http://free.avg.com/ca-en/remove-win32-expir) were instrumental in restoring the OS to a usable state.