I'm a new member so please forgive me if I am not posting my question as clearly as I should. ESET NOD32 AV reports infection with multiple versions of downloader Trojans "OpenStream" and "OpenConnection" in the "...\Application Data\Sun\Java\Deployment\Cache ..." folders on a number of different user profiles on our server (OS Server 2003 64-bit) [copy of log file attached]. However, the AV software is unable to remove the malware. As best I can tell, we originally picked up the infection from a compromised website that was accessed through one of the workstations in our network. The infection subsequently migrated to other workstations before we picked it up. The infections on the workstations all appear to be related to the rogue Microsoft Total Security AV scam.
I've read a number of posts on BleepingComputer suggesting ways to remove these Trojans from systems running Win XP. These posts suggest running RKill to stop the malware and then running MalwareBytes to remove it. Some other procedures, such as deleting the Java cache, are also suggested. We've applied these procedures on the infected workstations (all running Win XP Pro SP3) and they all appear to be clean. Do these suggested malware removal procedures also apply to servers running Server 2003 64-bit, or is a completely different approach required to remove this sort of malware from such a server? Do RKill and the other malware removal utilities work in a Server 2003 64-bit environment?
I appreciate that much more information is required before I attempt to remove this malware and I would appreciate any suggestions you might have. But for now I'm simply wondering whether I'm even in the right ballpark or if a completely different solution to our problem is required.
Is the reported infection of files in the user profiles on the server an active threat, or are these merely archived files? Is there any way short of a full rebuild of the hard drives on the server to get rid of the infection now that it's become widely dispersed like this?
Edited by hamluis, 31 May 2011 - 09:04 AM.
Moved from NT to Am I Infected.