Undetected Virus? - TechRepublic
General discussion
September 23, 2002 at 01:04 AM
kiwimarsi

by kiwimarsi . Updated 23 years, 9 months ago

I manage an NT SBS 4.5 server with sp6a. It runs Trend Micro Office Scan Suite 5 (Office Scan & Scan Mail) with the latest pattern files. The trouble that I have noticed is that in the directory “D:\WINNT.SBS”, folders named “WFv1”, “Wfv2” and so on are showing up. The number of folders has grown to 100. These folders sometimes contain the same files and often they will have an executable. I can’t delete them unless I reboot the server, disconnect it from the network and then delete them. The AV software has not picked up anything unusual except for the KLEZ – H virus, which has been detected over a thousand times. I have narrowed down the source of the infection to our receptionist’s PC. She often surfs the net, plays Internet games and sends and receives jokes and pics. I know this because I have been checking her e-mail. The infected file ends up in the “D:\exchgsrvr\imcdata\in” folder on the Server. It shows up in her e-mail as a weird email. When she deletes the infected e-mail, the file moves to “D:\exchgsrvr\imcdata\out” on the Server. I have the AV software configured to block out all the known file extensions which could disguise themselves as a legitimate file, including .exe, .mp3, .bat, .scr and so forth. (.doc, .xls, .gif, .pdf & .jpeg are not blocked).

I ran the KLEZ fix tool from Trend Micro on the Server. It did indicate there was an infection and it was supposed to have been fixed. I ran the tool twice for good measure. I even ran the tool on the Receptionist’s PC. There was no indication of an infection on her machine, which is odd because her machine is the source of most of the viruses on the network.

Having done all this, the folders are still appearing. Can someone shed some light on what is happening? I forgot to mention that the IIS Admin & World Wide Web Publishing services are constantly shutting down. And Exchange Server has sp4 installed.
