Posted 14 March 2010 - 02:56 AM
I have a Win2k3 server on which it appears a user managed to put some files that were then executed. The system starts up fine at first, then starts becoming unresponsive to console and remote desktop sessions. I cannot open a command prompt, and remote desktop connections hang when logging in. All that can be done is restarting the server.
Additionally, the file server functionality stops working.
I have run MBAM on the system and removed av.exe as a process that was attempting to run. I have since run MBAM and NAV10.2 corporate on the system in both regular and safe modes with no infections found.
I ran GMER on the system earlier today and it found suspicious file activity on the files atapi.sys and ntfs.sys (it actually froze the entire system when scanning atapi.sys). I restarted the system into the recovery console and replaced both of these files. Restarted the system and rebooted. I ran GMER again afterwards and it found a bunch of entries under SSDT, and some .text code files. (I can post this if you would like.) I cannot run some of the other more common scanners on Win2k3, so I am a little bit stuck. Any help that you guys can offer I would greatly appreciate. The system seemed to be running OK after the reboot but has become unresponsive again. Initially GMER did not find atapi.sys after replacing the file from the disc; however, at the very end of the scan it listed atapi.sys with a suspicious modification again.
Thanks for any help you can provide!
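One check that helps with the situation described in this post, where a replaced driver (atapi.sys) is flagged as modified again after a reboot, is to hash the driver files on the suspect system and compare them against known-good copies, for example the i386 source on the install media. The script below is an added example, not code from the original post or from GMER; the directory names, the driver list and the sample file contents are constructed for the demonstration. Because a kernel-mode rootkit can hide its changes from the running system, the comparison is most trustworthy when the live drivers directory is read from boot or recovery media rather than from the infected OS.

```python
"""Compare driver files on a suspect system against known-good reference copies.

Added example (not from the original post). Assumes a reference directory
holding clean copies of the drivers (e.g. the i386 folder on the install
media) and a directory containing the drivers to check. Where possible,
mount the suspect disk from clean boot media before running this, since a
kernel rootkit on the running system can present a clean-looking file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir, reference_dir, names):
    """Return {driver name: 'ok' | 'modified' | 'missing_live' | 'missing_reference'}."""
    results = {}
    for name in names:
        live = Path(live_dir) / name
        ref = Path(reference_dir) / name
        if not ref.is_file():
            results[name] = "missing_reference"   # nothing clean to compare against
        elif not live.is_file():
            results[name] = "missing_live"        # driver absent on the suspect system
        elif sha256_of(live) == sha256_of(ref):
            results[name] = "ok"
        else:
            results[name] = "modified"            # bytes differ from the known-good copy
    return results


def demo():
    """Constructed sample data: one clean driver, one tampered driver, one with no reference."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "drivers"   # stands in for <systemroot>\system32\drivers
        ref = Path(tmp) / "i386"       # stands in for the install-media source folder
        live.mkdir()
        ref.mkdir()
        clean = b"MZ constructed stand-in for a clean driver image"
        for d in (live, ref):
            (d / "ntfs.sys").write_bytes(clean)
            (d / "atapi.sys").write_bytes(clean)
        # Simulate a patched atapi.sys on the live system (constructed, not real malware bytes).
        (live / "atapi.sys").write_bytes(clean + b" constructed patch")
        return compare_drivers(live, ref, ["atapi.sys", "ntfs.sys", "disk.sys"])


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

In real use, replace the constructed directories with the mounted suspect volume and the install media path, and pass the full list of `.sys` files found in the reference folder rather than a hand-picked few, so that any driver that differs from the media copy is reported, not just the ones a scanner has already named.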