Infected Windows 2008 Server

wsjtrade (Contributor, joined Jul 1, 2012, 14 posts)
Does anyone know how to remove a virus from a server running Windows 2008 Server, related to the files porn.exe, sexy.exe, password.exe?
This threat hides the folders and replaces them with executable files that have the same names as the folders.

We manually removed these files and unhid the folders, but afterwards the same thing happened again.

Thanks
 
Hi, wsjtrade.

I edited the title of your post so that it wouldn't attract the wrong attention in search engines.

What security software is on the server? Depending on the product, the vendor should provide you with support in removing the malware. Otherwise, since it is a server, your best option is most likely to restore from the backup prior to infection.

Since I gather you are running a business, have each of the computers attached to the server been cleaned?
 
Thanks, Sir, for your help. Unfortunately we don't have any antivirus software installed on the server. For this threat we used removal tools like Kaspersky and McAfee, and manually removed the files: we removed the .exe files and unhid the server data folders, but after a few hours it appears again, hides the folders and recreates the .exe files. It is a mess.
 
Hi, wsjtrade.

If the infection is reappearing after a few hours of cleaning, it is necessary to clean each of the computers that are attaching to the server. That also means their user files on the server. You also need to disable autorun.inf (thru GPO) on the server as well as on each computer, especially if they are using USB devices that may be transferring the infection.

I have never worked on an infected server. Thus, beyond the above, I do not feel confident providing you with any additional advice. I did, however, find a very long topic on this very same problem. I suggest you read it start to finish to see if it solves your problem. Network hit with sexy.exe, porn.exe, secret.exe, password.exe etc. - Spiceworks

In the meantime, I will contact another member of our staff who may have additional advice.
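
The pattern described in this thread (a hidden folder sitting next to an .exe of the same name, plus autorun.inf files) can be audited read-only on the server's shares. This is an added example, not code from any poster; the path `D:\Shares` and the function names are assumptions, and the script sticks to cmdlet features available in PowerShell 2.0.

```powershell
# Added example: read-only audit, it changes nothing on disk.
# $Root is an assumed path; point it at the share or data volume to check.
param([string]$Root = 'D:\Shares')

function Find-FolderImpostor {
    param([string]$Path)
    # -Force lists hidden/system items, which the worm relies on to hide folders.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir      = $_
            $isHidden = ($dir.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            # The look-alike file: same parent folder, same name, .exe appended.
            $twin     = Join-Path $dir.Parent.FullName ($dir.Name + '.exe')
            if ($isHidden -and (Test-Path -LiteralPath $twin -PathType Leaf)) {
                $exe = Get-Item -LiteralPath $twin -Force
                New-Object PSObject -Property @{
                    HiddenFolder = $dir.FullName
                    Executable   = $exe.FullName
                    ExeWritten   = $exe.LastWriteTime
                    # The NTFS owner is a hint to which account wrote the file.
                    ExeOwner     = (Get-Acl -LiteralPath $exe.FullName).Owner
                }
            }
        }
}

function Find-AutorunInf {
    param([string]$Path)
    # autorun.inf has no business on a file share; list every copy found.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'autorun.inf' } |
        Select-Object FullName, LastWriteTime
}

Find-FolderImpostor -Path $Root |
    Select-Object HiddenFolder, Executable, ExeWritten, ExeOwner |
    Sort-Object ExeWritten
Find-AutorunInf -Path $Root
```

Sorting by write time and looking at the owner column helps narrow down which client account keeps recreating the files after each cleanup.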
 
Wow, just reading that Spiceworks thread is incredibly interesting. Looks like you have quite the worm to deal with, wsjtrade : )
 
Hello,

Sorry to hear about the infected Server, hopefully there's not much downtime involved, that would have been critical to a business like what you have. Hopefully you have a full backup before the infections?

The link that Corrine has provided you is very helpful; follow the advice given. Also, have a read of this Article from Trend Micro on how to clean up the infections. I think that you would need the full version of OfficeScan-Endpoint Protection running to follow these steps. I see they have a 30-day trial version; install it for now. Are you able to access the internet from the Server? We use McAfee SaaS Endpoint Protection and, in my experience dealing with multiple Servers, for me it's the best Security server protection. You might want to check that out; they are quite reasonable. McAfee also has trial versions that you may try. I've seen a few times how McAfee SaaS business protection blocks and cleans out all virus/spyware; again, this is based on my own experience dealing with a few Servers in the past 12 years.

Luckily we don't get too many attacks or infections due to the Network Security protection that we've installed. You should invest in buying excellent protection for your Servers - Security Software/Hardware to protect your network. Also, a firewall/security hardware is highly recommended and it's a must for a business similar to Sonicwall. All the computers will need to have AV/Security programs installed and have the latest Windows Updates/Service Packs/Patches installed as well.
More info. in this Article that I wrote on how to secure your network.

Hope this helps....and good luck!
 
Seen it, one of the connected clients is infected, probably not the server. Gather your tools, unplug your network switch and go to work. It was not a particularly hard one to get rid of. I will try to remember the name for you. If I remember correctly, the infected machine(s) will be a spam bot as well.
 
