When I have found re-occurring infections and rebuilds were the last resort, I would spend the time and go a-googling for every process I would find running. Eventually, I would track down everything and end up doing things like creating dummy directories in safe mode and denying access to all except a special user created only for that purpose. I would do the same thing in the registry.

 

John T

eServices For You

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Tuesday, August 23, 2005 4:33 AM
To: [email protected]
Subject: RE: [IMail Forum] Slightly OT: Need some server/virus/spyware help

 

Hey Dave,

 

Yes, I’ve booted to Safe Mode many times and while the spyware is detected it is not removed. I’ve done spyware removals before on desktop systems and have had good success but in this case it seems as though the servers are reinfecting each other, virus-wise. The spyware just won’t go away.

 

I fear that Sandy is right. I may just have to rebuild. I *may* try Pat’s solution first though. Depends on my time. As it is I’ve had about 3 hours sleep in the past 2 days because of this and right now my thought processes are a bit cloudy.

 

Thanks all.

 

Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Riddle
Sent: Tuesday, August 23, 2005 2:45 AM
To: [email protected]
Subject: Re: [IMail Forum] Slightly OT: Need some server/virus/spyware help

 

Have you tried scanning it with the following apps in Safe Mode to keep most of them from actually running?

This order process of "free" apps has always worked for me even with heavily infected consumer machines used by teenage children. YMMV

I run the applications in this order. You will need to boot in Safe Mode with Networking to ensure access to the 'net to get the updated signatures for the software. The "demo" install of Webroot is a one-shot deal on getting the updates, so I normally run it last and hopefully can boot normally by this point.

1. Ad-Aware
2. Spybot
3. Microsoft AntiSpyware
4. Webroot Spy Sweeper
5. HijackThis to check for other nasties that are still in startup mode.

Finally I run the free ActiveScan from Panda.  The free version will kill viruses but not Spyware. It will however identify the culprits and the detail report will show you exactly where they are so that you can manually remove them.

At 12:18 AM 8/23/2005, you wrote:

So, it's 3 something in the morning and I'm here scanning my mail server for spyware. One of my associates used it to browse some websites and got the sucker infected with all sorts of nasties. I've spent the better part of 3 days trying to get this thing clean to no avail. While my software will detect the spyware it cannot completely clean it so the apps become active after a reboot.

I'm considering a server rebuild but I really don't want to take my only IMail server completely offline for me to wipe the drives and rebuild it from scratch. That will take hours. Oh, it's a Compaq Proliant 5000 server running IMail 7.15 HF2. Yes, it's old but it works for us. Is there a way to simply reinstall the OS and perhaps some patches without having to totally reconfigure the server or use the Compaq SmartStart app? I'm betwixt a hard rock and a concrete wall. Oh, this server is also my primary DNS server as well, running SimpleDNS Plus, just to complicate things.

Any help is greatly appreciated. Feel free to contact me offline.

Thanks!

Troy D. Hilton

Serveon, Inc.

[EMAIL PROTECTED]

302-529-8640
