Hi, I am running SBS 2003 Std with SP2. AV is ESET AV4. Suddenly SQL started behaving strangely; people were unable to connect to the DB. On running Process Explorer I find sqlservr.exe trying to execute secedit.exe with high CPU usage, then it starts cmd.exe trying to execute a bat file which creates folders like i4241 in the c:\system32 folder, then opens up ftp.exe. ESET detected lib32woaqexe and deletes it, just that. I have run Sophos/Malwarebytes/SuperAntiSpyware etc.; nothing is detected, but Process Explorer still shows the same sequence of events I have stated above. I had the same issue at a different site and had to reformat the server. Is that the only option? Any help is highly appreciated. I have uploaded a screenshot.
You mentioned scanning with Sophos. Do you happen to have a current license with ESET? If so, what product/version are you running on your SBS? If not, have you tried running an online scan with ESET?
Hi, thanks for your reply. I have an ESET Smart Security Business Edition licence. For the server I have installed ESET AV 4.2.67.10. No, I haven't tried online because when I connect online the ftp tries to download files. I downloaded the Sophos tool to a local machine, then copied it to the server for the scan.
Nothing in this looks like a virus in the traditional sense. I'm guessing someone hit you with an SQL injection attack to issue arbitrary commands to dump the contents of your DB to a remote ftp site. I would use Autoruns to find the startup entries and purge them from the system.
Hi, thanks for the time. I haven't seen anything in the startup (msconfig) or in HijackThis. It definitely looks like SQL injection, but it does run from somewhere which I am not able to find. As I had explained in my OP, when sqlservr.exe runs cmd.exe it creates folders in system32 to which it downloads files like a10.exe etc. Since I have taken it offline it just keeps running cmd and creates folders (folder properties show permission for an unknown user). Thanks again.
In that case, I would check to see if there are SQL maintenance events scheduled within the instance that are triggering it. Those should be fairly easy to disable.
Nothing there either. It just creates folders and runs secedit.exe, cmd.exe and ftp.exe one after the other. I have also run Autoruns; nothing in that either.
Try looking at the details of the sqlservr.exe process to see if there is a thread from some unknown DLL hooked in that might be triggering it. If that doesn't work, do a search of the hard drive for any new DLL and EXE files modified in the time period when the infection started, which might point you in the right direction.
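A defender-side check for the process chain described in the posts above (sqlservr.exe spawning secedit.exe, cmd.exe and ftp.exe, and cmd.exe running a batch file dropped under system32), added here as an example and not from anyone in this thread; the event records, pid values and file paths are constructed for the example.

```python
"""Flag the chain from this thread: sqlservr.exe spawning secedit.exe, cmd.exe
or ftp.exe (directly or via a child) and cmd.exe running a .bat from system32.
Records are constructed process-creation log fields, not from the real server."""
from dataclasses import dataclass
SQL_SERVER = "sqlservr.exe"
SUSPICIOUS_CHILDREN = {"secedit.exe", "cmd.exe", "ftp.exe"}

@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str     # full path of the newly created process
    cmdline: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Image names of ev's parent, grandparent, ... as far as the log shows."""
    chain, seen, cur = [], set(), ev.ppid
    while cur in by_pid and cur not in seen:   # stop at log edge or pid cycle
        seen.add(cur)
        chain.append(basename(by_pid[cur].image))
        cur = by_pid[cur].ppid
    return chain

def is_suspicious(ev, by_pid):
    image = basename(ev.image)
    if image in SUSPICIOUS_CHILDREN and SQL_SERVER in ancestors(ev, by_pid):
        return f"{image} descends from {SQL_SERVER}"
    low = ev.cmdline.lower()
    if image == "cmd.exe" and ".bat" in low and "\\system32\\" in low:
        return "cmd.exe running a batch file from system32"
    return None

def find_chains(events):
    by_pid = {ev.pid: ev for ev in events}
    hits = ((ev.ts, is_suspicious(ev, by_pid)) for ev in events)
    return [(ts, why) for ts, why in hits if why]

SAMPLE_EVENTS = [  # constructed sample log; i4241 is the folder name from the thread
    ProcEvent("10:01:01", 1200, 600, r"C:\MSSQL\Binn\sqlservr.exe", "sqlservr.exe"),
    ProcEvent("10:01:02", 1310, 1200, r"C:\WINDOWS\system32\secedit.exe", "secedit.exe"),
    ProcEvent("10:01:05", 1320, 1200, r"C:\WINDOWS\system32\cmd.exe",
              r"cmd.exe /c C:\WINDOWS\system32\i4241\x.bat"),
    ProcEvent("10:01:06", 1330, 1320, r"C:\WINDOWS\system32\ftp.exe", "ftp.exe"),
    ProcEvent("10:02:00", 1400, 300, r"C:\WINDOWS\system32\cmd.exe", "cmd.exe"),
]
```

The last record (cmd.exe started by a parent outside the log, with no batch file) is the benign control and is not reported; the ftp.exe record is caught through its cmd.exe parent.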
Thanks smacky. I first edited the registry and removed entries from MUICache (secedit.exe and cmd.exe), then removed a firewall rule, WAN to LAN, which I had created to allow access to the DB port. Now the thing is gone. As I had mentioned earlier, the server is running an updated version of ESET and I have scanned it with multiple spyware/virus/rootkit tools. Will keep a tab and see if something crops up again.