Severe Virus Problem on Windows Small Business Server 2003 SP2 32-bit

    Question

  • Hi,

    We are using Windows SBS 2003 SP2 32-bit for production purposes. This server is primarily used as an application server to run IIS-based applications. We have McAfee Anti-virus running on this server. We also access this server through Remote Desktop and use it for FTP.

    For the last few days we have seen very strange behaviour on this server. As soon as it is plugged into the network, within 3-5 minutes the internet goes down for the entire network, and the moment we unplug this server from the network, the internet works again.

    Symptoms

    (1) McAfee Anti-virus has stopped working.

    (2) A folder is created on C:\ with the name Shortcut to McAfee, and inside that another folder is created, AcidBurn1.

    (3) Tons of junk files are copied inside this folder. The size of these files goes up to 10-40 GB.

    (4) We see a few new services created automatically in Services Manager, namely sssXXXXXXX, and a few services with junk characters in their descriptions. Please click the following link to view the screenshot of the services (PNG file is linked).

    What we have already tried

    (1) Malwarebytes Anti-Malware run and re-run in normal and safe mode

    (2) Windows Malicious Software Removal Tool run (normal and safe mode)

    (3) Tried to monitor network activity and Event Viewer, but nothing odd was found there, and since the server brings the internet down within 3-5 minutes of logging in, it is difficult to get any real clue.

    (4) Tried to start / enable McAfee, but it does not work.

    (5) Isolated this server from the network and disabled all Remote Desktop / FTP related ports, but still no success; the server still brings the internet down in 3-5 minutes.

    We have no idea what this virus is, and we would like some help with this issue. We are ready to purchase a network security solution to resolve this problem for now as well as to protect our network against such attacks in future.

    Any help will be highly appreciated.

    Thanks

    Vaibhav

    26 Rabi' al-Awwal 1432, 04:40 AM

Answers

  • You have a rootkit installed that is affecting your server. I would run msconfig and disable everything in the Startup tab; also go to the Services tab, tick "Hide All Microsoft Services" and then disable all the services that remain.

    Reboot the server, see if you are still having issues, and also double-check whether any services magically started back up.

    Make sure you have a backup of your server, then download and run ComboFix. It should find the rootkit/malware.

    Set msconfig back to normal startup. Reboot. Download and run HijackThis. Scan the system; if you see any items with (file missing) at the end, or blank items, check-mark them and remove them.

    You may have to remove and reinstall your antivirus.

    Good luck!

    Arnel

    • Marked as answer by Vaibhav A Shah, 17 Rabi' al-Thani 1432, 05:22 AM
    26 Rabi' al-Awwal 1432, 09:36 PM
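A way to do the "double-check whether any services started back up" step from the answer above with something more reliable than eyeballing the Services console. This is an added example, not code from the thread or from Arnel: run it once before the msconfig changes and reboot to record a baseline of the service table, then run it again afterwards to list services that are new, re-enabled or running again. It also flags entries that match the symptoms listed in the question (service names starting with `sss`, junk characters in the description, binaries under the dropped `Shortcut to McAfee\AcidBurn1` folder). It assumes PowerShell 2.0 is installed on the host (it is a separate download on Server 2003 / SBS 2003, not installed by default), an elevated console, and a baseline path of `C:\forensics\services-baseline.csv`; all of these are assumptions, not facts from the thread.

```powershell
# Added example (not from the thread): snapshot the service table before the
# msconfig/reboot step, then diff it afterwards to catch services that came back.
# Assumes PowerShell 2.0 on the affected host; the baseline path and the
# "suspicious" patterns below are assumptions derived from the question's symptoms.

$Baseline = 'C:\forensics\services-baseline.csv'   # assumed path; create the folder first

function Get-ServiceSnapshot {
    # Win32_Service exposes the binary path and description, which Get-Service does not
    Get-WmiObject Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Description = [string]$_.Description
            PathName    = [string]$_.PathName
            StartMode   = $_.StartMode
            State       = $_.State
        }
    }
}

function Test-SuspiciousService {
    param($Service)
    $reasons = @()
    # Symptom from the question: service names like sssXXXXXXX
    if ($Service.Name -match '^sss') { $reasons += 'name matches sss* pattern' }
    # Symptom from the question: junk (non-printable / non-ASCII) characters in the description
    if ($Service.Description -match '[^\x20-\x7E]') { $reasons += 'non-printable characters in description' }
    # Symptom from the question: files dropped under the fake "Shortcut to McAfee" folder
    if ($Service.PathName -match 'Shortcut to McAfee|AcidBurn1') { $reasons += 'binary under dropper folder' }
    # General red flag: a service binary that lives outside Windows / Program Files
    if ($Service.PathName -and $Service.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
        $reasons += 'binary outside Windows/Program Files'
    }
    # The leading comma keeps an empty or single-element array from being unrolled
    return ,$reasons
}

if (-not (Test-Path $Baseline)) {
    # First run (before disabling services in msconfig and rebooting): record the baseline
    Get-ServiceSnapshot | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
} else {
    # Second run (after the reboot): anything new, re-enabled or running again is reported
    $before = Import-Csv $Baseline
    $after  = Get-ServiceSnapshot
    foreach ($svc in $after) {
        $old = $before | Where-Object { $_.Name -eq $svc.Name }
        if (-not $old) {
            Write-Host "NEW      $($svc.Name)  [$($svc.StartMode)/$($svc.State)]  $($svc.PathName)"
        } elseif ($old.StartMode -ne $svc.StartMode -or $old.State -ne $svc.State) {
            Write-Host "CHANGED  $($svc.Name)  $($old.StartMode)/$($old.State) -> $($svc.StartMode)/$($svc.State)"
        }
    }
}

# Flag suspicious entries on every run, whether or not a baseline exists yet
Get-ServiceSnapshot | ForEach-Object {
    $why = Test-SuspiciousService $_
    if ($why.Count -gt 0) {
        Write-Host "SUSPECT  $($_.Name)  ($($why -join '; '))  $($_.PathName)"
    }
}
```

Two caveats for anyone using this on a box like the one in the question. The "outside Windows/Program Files" check is deliberately noisy; legitimate third-party services installed elsewhere will show up, so read the SUSPECT lines as leads, not verdicts. More importantly, the answer's diagnosis is a rootkit, and a kernel-level rootkit can hide its service from WMI and the Services console alike, so a clean diff from the live system is not proof of a clean system; the offline forensic analysis the moderator suggests, or at least scanning from boot media, is the stronger check.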

All replies

  • Call 1-800-Microsoft. Ask for their CSS security section and ask for a Windows Online Forensic Analysis.

    Holler back if they don't know what you are talking about or where to call in.

    26 Rabi' al-Awwal 1432, 04:55 AM
    Moderator
  • Hi Vaibhav, if you need more help with virus-related issues, please contact Microsoft Product Support Services.

    Visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates. 

    For support outside the United States and Canada, visit the Product Support Services Web page (<http://support.microsoft.com/?pr=SecurityHome>  ).


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Edited by James Xiong (Moderator), 14 Jumada al-Ula 1433, 03:53 AM: PCSafety Center update
    28 Rabi' al-Awwal 1432, 01:31 AM
    Moderator
  • Hi Arnel,

    The solution you provided seems to be working quite well. We applied the solution last week on the server and so far, the server is working fine.

    We are in the process of installing the antivirus all over again and opening specific ports as required.

    Thanks for your input. We appreciate it.

    -Vaibhav

    17 Rabi' al-Thani 1432, 05:23 AM