Possible Duplicate:
Reinstall after a Root Compromise?
One of our servers was compromised after a user with administrative privileges accidentally loaded a virus from a USB drive on a desktop connected to the domain. The two most obvious symptoms of this were:
- The server is no longer responding to login attempts
- The root directory of the drive containing user data has been filled with randomly named empty folders. (Initially it was around a million folders; I've been slowly deleting them.)
I've run several virus scans from different vendors and am fairly confident the virus has been removed, but the damage is done.
I'm hoping the two symptoms are related and that once the directories are gone the server will start responding again. The drive is very slow to respond. I'm deleting about 20k folders at a time. Any more than that and Windows Explorer becomes unresponsive.
In the event that I finish cleaning up the HD and things don't return to normal, what other things can I check?
I hate to be blunt, but save yourself a TON of pain. If you continue down this path, you will be picking out remnants of the compromise for years to come. Since this is a server, you shouldn't be doing any cleaning at all. Clone the drives and set them aside for analysis later. Wipe the server, restore from backups.
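The "clone the drives and set them aside for analysis later" step in the answer above is the one that tends to go wrong in practice: an image that cannot be shown to match the original disk is of little use for later analysis. The script below is an added example and is not code from the original question or answer. It assumes the Windows server has been booted from a live Linux USB (so nothing on the suspect disk runs or writes), that the suspect disk appears as a block device such as /dev/sda, and that a separate, larger evidence disk is mounted at /mnt/evidence; those paths and the case label are assumptions. It hashes the source before imaging and the image after, records what was done in a log, and reports whether the two hashes match.

```shell
#!/bin/sh
# Forensic disk imaging with hash verification (added example, not from the thread).
# Assumptions: run from a live Linux USB with the suspect disk unmounted;
# /dev/sda, /mnt/evidence and the case label below are placeholders.
# Requires GNU coreutils (dd, sha256sum).

# image_disk SOURCE_DEVICE EVIDENCE_DIR CASE_LABEL
# Writes CASE_LABEL.dd (raw image), CASE_LABEL.sha256 (hash of the source,
# taken before copying), CASE_LABEL.dd.sha256 (hash of the image) and
# CASE_LABEL.log. Returns 0 only if the image hash matches the source hash.
image_disk() {
    src="$1"; dir="$2"; label="$3"
    img="$dir/$label.dd"
    log="$dir/$label.log"

    mkdir -p "$dir"
    {
        echo "case=$label"
        echo "source=$src"
        echo "acquired_on=$(uname -n)"
        echo "started=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log"

    # Hash the source first: the later check proves the image equals the disk
    # as it was at acquisition time. This only holds if nothing writes to the
    # disk in between, which is why it is done with the disk unmounted.
    sha256sum "$src" | awk '{print $1}' > "$dir/$label.sha256"

    # Bit-for-bit copy. Plain dd is used deliberately: conv=noerror,sync would
    # zero-pad partial blocks and break the hash comparison. If the disk has
    # unreadable sectors, image it with ddrescue instead and record the map file.
    dd if="$src" of="$img" bs=4M 2>> "$log"

    sha256sum "$img" | awk '{print $1}' > "$img.sha256"
    echo "finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"

    verify_image "$dir" "$label"
}

# verify_image EVIDENCE_DIR CASE_LABEL
# Recomputes the image hash and compares it with the recorded source hash.
# Can be rerun at any time later to show the image has not been altered.
verify_image() {
    dir="$1"; label="$2"
    img="$dir/$label.dd"
    src_hash=$(cat "$dir/$label.sha256")
    img_hash=$(sha256sum "$img" | awk '{print $1}')
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified=yes sha256=$img_hash checked=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$dir/$label.log"
        return 0
    fi
    echo "verified=NO source=$src_hash image=$img_hash checked=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$dir/$label.log"
    return 1
}

# Usage from the live USB (placeholders, adjust to the real device and mount):
#   image_disk /dev/sda /mnt/evidence srv01 && chmod 444 /mnt/evidence/srv01.dd
```

Image every disk in the server the same way, make the image files read-only once verified, and do all later analysis on a copy of the image, never on the original disk. The repeatable verify_image check is what lets someone else, months later, confirm the copy is still the one that was taken.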