the server closes its shares claiming a second SBS server on the network
the server closes its shares due to the cache memory pool being corrupt
the server generates a new guest account object with administrator and RDP membership within a couple of hours of being deleted (Tried to harden the built-in guest account by changing the name, logon and password and then re-disabling it; the built-in account now stays disabled)
The running services appear to be reasonable. I have tightened down security so that only 3 accounts have RDP access. I'm not sure how to go after the problem in a production server. All thoughts appreciated!
Anti-Virus is McAfee SAS, Server is an HP ML 150, memory is light at 2 GB. 15 users, DHCP comes from SBS server. Server has one NIC card. Not much of a firewall, SMC cable interface does this duty. The network has PCs and Macs. The Mac-based computers do not access the servers. I have attached a HijackThis log. I've removed the obvious problems and made notations in the log. Would like any input as to how to attack this situation.
Edited by ComputerGroup, 15 August 2011 - 01:17 PM.