I fear Sandy is right (as usual :) and the best practice for a compromised system is to format it and rebuild it from scratch....

As you have malware running on your system which prevents itself from being disabled, it looks like this is more than a simple Gator-like adware, but some trojan dropper. The problem with this software is that it allows installing everything on your server from a remote location. So there are no tools to remove all the software which could be installed by the detected "adware". So your server could already be "infected" with a stealth keyboard recorder, a rootkit or a stealth server or whatever... As your server is an official mail host with a good connection to the internet (I assume), it would be a valuable target for any hacker, spammer, cracker.

Just set up a workstation, build up the DNS server, copy the DNS information (validate that there are no unknown executables between the data). Copy IMail to the same drive letter on the "spare server", copy the registry (there is an article on how to move IMail from one server to another in the Ipswitch KB). Take down the compromised server. Change the IP address of the spare server to the server's IP, restart the spare server. Remove the existing partitions from the compromised server and rebuild it completely. After that you can restore IMail and DNS server from the spare machine... I think this is the only acceptable method (from a security view)!

Don't you have a clean backup of this machine? Just copy DNS and IMail information to another location, restore the backup and copy back the IMail and DNS information... I bet you will care for better backups now :)

Matti

> My take on spyware cleanup is basically that you either trust
> your third-party on-demand/real-time scanner (we use PestPatrol
> Enterprise), or you trust nothing and rebuild totally from scratch.
> I don't think a non-specialist can certify a server as spyware-free
> after a known attack without using any third-party tools for support.
>
> --Sandy
>
> --
> ------------------------------------
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> mailto:[EMAIL PROTECTED]
> ------------------------------------
>
> --
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

-
Matti Haack
-
Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22
Fax: +49 851 50477-29
http://www.haack-it.de

This document is intended exclusively for the addressee. Any kind of reproduction, dissemination, duplication, modification, distribution and/or publication of this e-mail message is prohibited unless expressly authorized. Any liability for claims that could arise from communication by e-mail is excluded to the extent the exclusion is legally permissible.

-- Outgoing e-mail has been scanned for viruses --
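The step "validate that there are no unknown executables between the data" deserves more than an eyeball check, because a dropper can leave a PE file with a harmless-looking name (readme.txt, a .mbx file) in the directories you are about to carry over to the spare server. The script below is an added example, not code from the list thread or from Ipswitch; it walks a copied DNS/mail directory and flags anything that is executable either by extension or by file signature (the "MZ" DOS/PE header, a "#!" interpreter line), so those files can be reviewed instead of silently restored. The sample tree it builds in a temporary directory is constructed for the demonstration; the extension list and the two signatures are assumptions sufficient for a first pass, not a substitute for scanning the data with a real engine.

```python
"""Flag executable content hiding among copied data files before a restore.

Added example (not from the mailing-list thread): walk a copied data directory
and report files that are executable by extension or by file signature.
"""
import os
import tempfile

# Extensions Windows will run or that commonly carry code (constructed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
    ".vbs", ".js", ".pif", ".sys", ".ocx",
}

# File signatures that identify code regardless of the file name:
# "MZ" is the DOS/PE header, "#!" marks a script with an interpreter line.
MAGIC_PREFIXES = {b"MZ": "PE/DOS executable header", b"#!": "script shebang"}


def classify_file(path):
    """Return a reason string if the file looks executable, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable extension %s" % ext
    try:
        with open(path, "rb") as fh:
            head = fh.read(2)  # two bytes are enough for both signatures
    except OSError:
        return "unreadable (check manually)"
    for magic, reason in MAGIC_PREFIXES.items():
        if head.startswith(magic):
            # Signature says code, name says data: the interesting case.
            return "%s (extension %r does not match)" % (reason, ext)
    return None


def find_suspicious_files(root):
    """Walk root; return sorted (relative path, reason) pairs for flagged files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample of copied DNS and mail data in a temp dir."""
    root = tempfile.mkdtemp(prefix="restore-check-")
    samples = {  # constructed sample contents, not real zone or mailbox data
        "dns/example.com.dns": b"; zone file\n@ IN SOA ns1 hostmaster 1 3600 900 604800 86400\n",
        "dns/cache.dns": b"; root hints\n",
        "mail/users/alice/inbox.mbx": b"From alice@example.com\nSubject: hello\n",
        "mail/users/bob/update.exe": b"MZ\x90\x00",   # obvious by extension
        "mail/users/bob/readme.txt": b"MZ\x90\x00",   # PE header under a data name
        "dns/helper.bat": b"@echo off\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in find_suspicious_files(sample_root):
        print("%-32s %s" % (rel_path, why))
```

Run it against the directory you copied from the compromised host (replace the sample tree with that path) and treat every hit as something to explain before it goes onto the spare server; a clean run only says the obvious markers are absent, which is one more reason the rebuild-from-scratch advice above still stands.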
