  1. New Lounger

    Windows Server 2003 login unavailable

    We have an older Windows 2003 server that runs SQL Server 2000. Recently AVG detected a virus, and between AVG and Malwarebytes quite a few files were detected, quarantined, and deleted.

    These programs are no longer detecting new threats, but periodically, once a day or so, remote desktop gets disabled and we cannot get the console login screen to display. A power down and restart gets the login screen back. Afterwards a user account named "china" and occasionally one called "administror" has been created, and the firewall ports for remote desktop and SQL Server access have been disabled. A fresh scan typically finds no threats. I manually delete the two bogus accounts and things appear to be fine, although obviously they are not.

    The OS has all the service packs and updates that are available. I realize Server 2003 is past end-of-life. Is it just not viable any longer since it doesn't get updates?

    Suggestions on how to track down the problem further and get rid of it are most welcome.

    Tim

  2. Administrator
    You may have a rootkit. Have a look at RootkitRevealer v1.71, How to detect and remove unknown rootkits, & Sophos - Remove rootkits with our free Virus Removal Tool.

    You should also check to ensure that only the minimal firewall ports required are open.

    Joe

  3. New Lounger
    Do you have the disks to re-install everything? Back up the database and re-install everything.

  4. Silver Lounger
    +1 for complete re-install. This is a server and it must be right or your data is toast.

    You also need to find out who was silly enough to run infected software on a server and hit them over the head until they stop. ;-))

    cheers, Paul
