Possible Duplicate:
Reinstall after a Root Compromise?
One of our servers was compromised after a user with administrative privileges accidentally loaded a virus from a USB drive on a desktop connected to the domain. The two most obvious symptoms of this were:
- The server is no longer responding to login attempts
- The root directory of the drive containing user data has been filled with randomly named empty folders. (Initially it was around a million folders; I've been slowly deleting them.)
I've run several virus scans from different vendors and am fairly confident the virus has been removed, but the damage is done.
I'm hoping the two symptoms are related and that once the directories are gone the server will start responding again. The drive is very slow to respond. I'm deleting about 20k folders at a time. Any more than that and Windows Explorer becomes unresponsive.
In the event that I finish cleaning up the HD and things don't return to normal, what other things can I check?