I want to know if this is a repeating false positive or if the servers are infected ... and what can be done.
All running with a domain and Microsoft Small Business Server 2008; clients are XP/7/Vista, all Professional versions, and all recently infected with different things. Antiviruses in use have included MS Security Essentials, Kaspersky 2010-11 and ESET (which had expired in this case 2 months ago).
On three separate networks we work on, Combofix has identified the server as:
"BITS: Possible infected site", listing the web address of hxxp://servername:8530 <<-- Port for WSUS (which is turned on and running in all three networks)
It also finds:
It will remove these two files in all instances ... along with the other stuff it finds. HOWEVER, when the PCs get put back on the network and run for a day or so, they will reappear with the same message. If you run Combofix right away after putting it back on the network, like running it a second time in a row, it comes up clean.
I have a full Combofix log and also individual GMER and DDS logs. I attached them.
DO WE HAVE A PROBLEM???
THANK YOU ALL SO MUCH FOR YOUR HELP!!!
Edited by Joe Sudora, 12 January 2011 - 06:00 PM.