Endpoint Protection

  • 1.  Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 06, 2010 05:25 AM
    Hi Experts,

    I am recently facing an issue with one of my Windows 2003 Servers (File Server). Whenever I am trying to update/save any file in any of the shared folders it always FREEZES (Not Responding). I have checked the HDD, Network Connection, Switch Port, Speed Settings and everything seems to be OK.
     
    Server Details
     
    OS: Windows Server 2003 STD R2
    File System: NTFS
    AV: Symantec Endpoint Protection 11.0.5002.333 (Only Antivirus & Antispyware)
     
    I restarted the server and found that there is continuous network activity on my server, so I used the netstat -a -b -o command and found that there are multiple outgoing connections on port 25 (SMTP) to different servers on the internet using services.exe.
     
     
    List of the Active Connections
     
      Proto  Local Address          Foreign Address        State           PID
      TCP    MYSERVER:epmap        MYSERVER.MISLP.COM:0  LISTENING       672
      RpcSs
      [svchost.exe]
     
      TCP    MYSERVER:microsoft-ds  MYSERVER.MISLP.COM:0  LISTENING       4
      [System]
     
      TCP    MYSERVER:1040         MYSERVER.MISLP.COM:0  LISTENING       420
      [lsass.exe]
     
      TCP    MYSERVER:3389         MYSERVER.MISLP.COM:0  LISTENING       2156
      TermService
      [svchost.exe]
     
      TCP    MYSERVER:5800         MYSERVER.MISLP.COM:0  LISTENING       1988
      [WinVNC.exe]
     
      TCP    MYSERVER:5900         MYSERVER.MISLP.COM:0  LISTENING       1988
      [WinVNC.exe]
     
      TCP    MYSERVER:1055         MYSERVER.MISLP.COM:0  LISTENING       2364
      [alg.exe]
     
      TCP    MYSERVER:netbios-ssn  MYSERVER.MISLP.COM:0  LISTENING       4
      [System]
     
      TCP    MYSERVER:1087         mislpsec01.mislp.com:http  ESTABLISHED     780
      [Smc.exe]
     
      TCP    MYSERVER:1234         mx1.prserv.net:smtp    ESTABLISHED     408
      [services.exe]
     
      TCP    MYSERVER:1132         mail.aarkel.com:smtp   FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1138         72.14.213.27:smtp      FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1140         s201a2.psmtp.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1148         smtp3.180com.net:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1160         61.151.251.2:smtp      FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1163         uplk01-napbr.abranet.net.br:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1167         smtp.aliceposta.it:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1183         pmxapp1.american.edu:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1190         vidar2.svf.au.dk:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1260         newman.behr.com:smtp   FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1275         f2.63.85ae.static.theplanet.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1276         f2.63.85ae.static.theplanet.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1285         smtpgw2-na-chq.bs-fs.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1286         mail.global.frontbridge.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1287         turna.bcc.bilkent.edu.tr:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1288         mail.global.frontbridge.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1289         u23.altospam.com:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1290         deframx20.softcom.dk:smtp  FIN_WAIT_1      408
      [services.exe]
     
      TCP    MYSERVER:1279         barracuda.com:smtp     CLOSING         408
      [services.exe]
     
      TCP    MYSERVER:1280         mx01.perfora.net:smtp  CLOSING         408
      [services.exe]
     
      TCP    MYSERVER:1281         azshara.cbox.biz:smtp  CLOSING         408
      [services.exe]
     
      TCP    MYSERVER:1185         was1-mh202.smtproutes.com:smtp  LAST_ACK        408
      [services.exe]
     
      TCP    MYSERVER:1259         mtain-me.r1000.mx.aol.com:smtp  LAST_ACK        408
      [services.exe]
     
      UDP    MYSERVER:isakmp       *:*                                    420
      [lsass.exe]
     
      UDP    MYSERVER:microsoft-ds  *:*                                    4
      [System]
     
      UDP    MYSERVER:4500         *:*                                    420
      [lsass.exe]
     
      UDP    MYSERVER:1060         *:*                                    780
      [Smc.exe]
     
      UDP    MYSERVER:1048         *:*                                    360
      [winlogon.exe]
     
      UDP    MYSERVER:ntp          *:*                                    864
      W32Time
      [svchost.exe]
     
      UDP    MYSERVER:1026         *:*                                    420
      [lsass.exe]
     
      UDP    MYSERVER:netbios-ns   *:*                                    4
      [System]
     
      UDP    MYSERVER:ntp          *:*                                    864
      W32Time
      [svchost.exe]
     
      UDP    MYSERVER:netbios-dgm  *:*                                    4
      [System]
     
     
    Troubleshooting Done

    • I removed the default gateway of the server and then checked netstat -a -b -o and found that it was not connecting to any of the external SMTP servers.

    • I did a full scan of the server in SAFEMODE and it found a file named “bmosd.sys” which it detects as “HACKTOOL.ROOTKIT” and “ACTION-Cleaned”.

    • As soon as I configure the GATEWAY, it again generates the SMTP traffic and then slows down my server.

    • I have scanned the server using “McAfee Rootkit” which showed nothing related to Rootkits.

    • I scanned the server using “MS-ROOTKITREVEALER”; following are the logs.

    • I am unable to do an online “ACTIVESCAN 2.0” from PANDA as it does not support Windows 2003.


    Please help as I am totally stuck and I need this server to be up and running as soon as possible.
     
     



  • 2.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 06, 2010 05:55 AM
    This article may be helpful to you
    How to find Suspected Threats on your computer.



  • 3.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 06, 2010 06:05 AM

    Maybe the server is infected; it will be good if you log a call with Support and then let them gather and review the logs for suspicious files on the server.

    We have seen a couple more such cases. Once you log a case we will have to submit some files if we find suspicious ones.



  • 4.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 06, 2010 06:17 AM
    Hi Ankiith,

    If a SEP safe mode scan is not detecting anything, I recommend following the procedures in the following article: Best practices for troubleshooting viruses on a network (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011510455048)

    It would also be a good idea to contact Technical Support.  They can recommend tools which examine the load points of that server for suspicious files: the SEP Support Tool, for instance.  Once these are identified, they can be submitted to Symantec's Security Response for examination.  New signatures can be written against them.

    Please keep the forum up-to-date with your progress!

    Thanks and best regards,

    Mick





  • 5.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 06, 2010 07:01 AM
    Run MS Process Explorer to find out the exact location of the file.
    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    I once found services.exe was launched from C:\windows\fonts.



  • 6.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 07, 2010 12:47 AM
    Hi Experts, thank you for all your support. I have carried out the instructions mentioned above, but sadly I am not able to find any files that might be suspected as a virus/threat. I ran the MS Process Explorer and found that Services.exe itself is generating the SMTP traffic. I think it would be better to REINSTALL the server, as I don't find any solution to this issue.


  • 7.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 07, 2010 01:32 AM
    In which location is the Services.exe process file present? (It is supposed to be present in \windows\system32.) Are you able to find any file, process or registry entry for
    Services.exe.exe?


  • 8.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 07, 2010 01:50 AM
    Hi Aravind,

    I have checked the location of the services.exe using MS Process Explorer and it seems that it is running from the correct location C:\WINDOWS\system32\services.exe



  • 9.  RE: Services.exe UNKNOWN SMTP connection in Windows 2003 Server

    Posted May 07, 2010 01:54 AM
    Below are the results of the command TASKLIST /SVC. Is there something fishy with the services currently running?

    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       288 N/A
    csrss.exe                      336 N/A
    winlogon.exe                   360 N/A
    services.exe                   408 Eventlog, PlugPlay
    lsass.exe                      420 Netlogon, PolicyAgent, ProtectedStorage, SamSs
    svchost.exe                    640 DcomLaunch
    svchost.exe                    688 RpcSs
    svchost.exe                    744 AeLookupSvc, AudioSrv, Browser, CryptSvc, dmserver, EventSystem, helpsvc, lanmanserver, lanmanworkstation, Messenger, Netman, Nla, RasMan, Schedule, seclogon, SENS, ShellHWDetection, TrkWks, winmgmt, Wmi, wuauserv
    Smc.exe                        796 SmcService
    svchost.exe                    840 Dhcp, Dnscache
    svchost.exe                    868 LmHosts, W32Time
    ccSvcHst.exe                   904 ccEvtMgr, ccSetMgr
    spoolsv.exe                   1268 Spooler
    msdtc.exe                     1296 MSDTC
    svchost.exe                   1436 ERSvc
    essvr.exe                     1452 ES lite Service
    MDM.EXE                       1496 MDM
    svchost.exe                   1592 Net Driver HPZ12
    svchost.exe                   1612 Pml Driver HPZ12
    svchost.exe                   1632 RemoteRegistry
    svchost.exe                   1676 SrmSvc
    Rtvscan.exe                   1756 Symantec AntiVirus
    svchost.exe                   1856 TapiSrv
    winvnc.exe                    1880 winvnc
    svchost.exe                   2092 TermService
    wmiprvse.exe                  2644 N/A
    explorer.exe                  3200 N/A
    SmcGui.exe                    3252 N/A
    RTHDCPL.EXE                   3396 N/A
    acrotray.exe                  3496 N/A
    ccApp.exe                     3536 N/A
    ctfmon.exe                    3568 N/A
    FBackup.exe                   3576 N/A
    fbaSched.exe                  3596 N/A
    FBackup.exe                   3620 N/A
    WZQKPICK.EXE                  3652 N/A
    igfxsrvc.exe                  4044 N/A
    nlnotes.exe                    312 N/A
    eclipse.exe                    340 N/A
    notes2w.exe                    564 N/A
    nevent.exe                    2080 N/A
    ntaskldr.exe                  2244 N/A
    ncollect.exe                  2456 N/A
    mmc.exe                       3864 N/A
    procexp.exe                   2188 N/A
    cmd.exe                       1544 N/A
    tasklist.exe                   316 N/A
    wmiprvse.exe                   244 N/A
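The two listings in this thread (the netstat -a -b -o output in post 1 and the TASKLIST /SVC output in post 9) are exactly the data an analyst joins by PID when triaging a suspected spam bot. The following Python script is an added example and is not code from the thread, from Symantec or from any tool mentioned above. It parses captured text from both commands offline, counts outbound TCP connections per PID whose remote port is SMTP, and joins the hits with the services each process hosts. The sample netstat and tasklist text is constructed and modelled on the posted listings (fictitious hostnames, PID 408 reused for services.exe); the set of core system images that should never originate SMTP traffic and the threshold of five connections are assumptions chosen for illustration.

```python
"""Added triage helper (not part of the thread): correlate captured
`netstat -a -b -o` output with `tasklist /svc` output and flag processes that
hold many outbound SMTP sessions. Sample text below is constructed and
modelled on the listings in the thread; hostnames are fictitious."""
import re
from collections import defaultdict

# Assumption: core system images that should never originate SMTP traffic.
SYSTEM_IMAGES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "system"}
# Spellings netstat may print for remote TCP port 25.
SMTP_PORTS = {"smtp", "25"}
# TCP lines carry a State column; UDP lines do not, hence the optional group.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# tasklist /svc rows: "<image>  <pid> <comma-separated services | N/A>"
TASK_RE = re.compile(r"^\s*(.*?\S)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Return connection records. The owning image is the [bracketed] line that
    netstat -b prints after a connection; service names (e.g. RpcSs) are skipped."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": int(pid), "image": None}
            records.append(current)
        elif current and line.startswith("[") and line.endswith("]"):
            current["image"] = line[1:-1]
    return records


def outbound_by_port(records, port_names):
    """Count non-listening TCP connections per PID with a remote port in port_names."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            if r["remote"].rsplit(":", 1)[-1].lower() in port_names:
                counts[r["pid"]] += 1
    return dict(counts)


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:  # header and ===== rule lines contain no PID and are skipped
            image, pid, services = m.groups()
            procs[int(pid)] = (image, [] if services == "N/A"
                               else [s.strip() for s in services.split(",")])
    return procs


def triage(netstat_text, tasklist_text, threshold=5):
    """Findings for PIDs with >= threshold outbound SMTP connections, joined with
    the services they host; severity 'high' when a core image is the origin."""
    records = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    findings = []
    for pid, n in sorted(outbound_by_port(records, SMTP_PORTS).items()):
        if n < threshold:
            continue
        image = next((r["image"] for r in records if r["pid"] == pid and r["image"]),
                     procs.get(pid, (None,))[0])
        findings.append({"pid": pid, "image": image, "smtp_connections": n,
                         "services": procs.get(pid, (None, []))[1],
                         "severity": "high" if (image or "").lower() in SYSTEM_IMAGES
                         else "medium"})
    return findings


# Constructed sample input, modelled on the thread's listings.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    FILESRV:epmap          FILESRV.example.test:0  LISTENING       672
  RpcSs
  [svchost.exe]
  TCP    FILESRV:1087           av-mgr.example.test:http  ESTABLISHED     780
  [Smc.exe]
  TCP    FILESRV:1234           mx.example.test:smtp   ESTABLISHED     408
  [services.exe]
  TCP    FILESRV:1132           mail.example.test:smtp  FIN_WAIT_1      408
  [services.exe]
  TCP    FILESRV:1138           192.0.2.27:smtp        FIN_WAIT_1      408
  [services.exe]
  TCP    FILESRV:1140           smtp.example.test:25   FIN_WAIT_1      408
  [services.exe]
  TCP    FILESRV:1148           mx2.example.test:smtp  CLOSING         408
  [services.exe]
  TCP    FILESRV:1160           mx3.example.test:smtp  LAST_ACK        408
  [services.exe]
  UDP    FILESRV:isakmp         *:*                                    420
  [lsass.exe]
"""
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   408 Eventlog, PlugPlay
lsass.exe                      420 Netlogon, PolicyAgent, ProtectedStorage, SamSs
Smc.exe                        780 SmcService
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"[{f['severity']}] PID {f['pid']} {f['image']} has "
              f"{f['smtp_connections']} outbound SMTP sessions; hosts {f['services']}")
```

Run on the sample, the only finding is PID 408, services.exe, with six outbound SMTP sessions and severity high: a core system process has no reason to hold dozens of port-25 sessions, and the tasklist join shows it hosting only Eventlog and PlugPlay, the expected pair on Windows Server 2003, so the mail traffic is not explained by an extra, visibly named service. That matches the thread's situation (correct image path, expected services, yet SMTP traffic from the process), which is why the replies point toward load-point examination, sample submission and, failing that, rebuilding the server. Swap in your own captured text for the two SAMPLE_ strings; the parser tolerates the blank lines netstat prints between entries.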