We've been hit by a virus or malware of some sort.
MalwareBytes is refusing to run a scan (errors out, no matter what I do).
Trend Micro Housecall & Advanced security both can't see any issues.
I know it's a virus because occasionally it will try to connect to an FTP server and download some malicious files.
I seem to have stopped that and most of the other problems (removed scheduled tasks, removed FTP issue), but the program continues to reset the administrator account password and 'enable' the account, every 10 minutes (00:03, 00:13, 00:23, etc.).
This appears in the event log:
A user account was enabled.
Subject:
Security ID: SYSTEM
Account Name: LOCALHOST$
Account Domain: CORPORATE DOMAIN
Logon ID: 0x3e7
Target Account:
Security ID: LOCALHOST\Administrator
Account Name: Administrator
Account Domain: LOCALHOST
I'm concerned that there may be lingering traces with this especially as this keeps happening so frequently.
A few things to note:
YES we have backups. Restoring from backup says "the trust relationship between this computer and the domain failed" and logging on with the administrator account doesn't work.
YES I have a local administrator account that is NOT "Administrator".
NO I don't have physical access to the machine as it is hosted in AWS.
Any suggestions?
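An added triage script for the situation described in the post above (not the poster's own code): it pulls the enable and password-reset events for the Administrator account from the Security log to confirm the 10-minute cadence, then lists the SYSTEM-context persistence points (scheduled tasks, WMI subscriptions, services, Run keys) that could be driving it. It assumes it is run elevated on the affected host; Event IDs 4722 and 4724 are the standard Windows IDs for "account enabled" and "password reset".

```powershell
# Added example (not from the original post). Run elevated on the affected host.
# Assumes user-account-management auditing is on (it is, since 4722 already appears).
$since = (Get-Date).AddDays(-1)

# 1. Collect 4722 (account enabled) / 4724 (password reset) events aimed at Administrator
#    and show when they fire, so the timer-like pattern (xx:03, xx:13, ...) is visible.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4724; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Target  = $data['TargetUserName']
            Subject = $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']
        }
    } | Where-Object { $_.Target -eq 'Administrator' } | Sort-Object Time

$events | Format-Table -AutoSize
if ($events.Count -gt 1) {
    $gaps = for ($i = 1; $i -lt $events.Count; $i++) { ($events[$i].Time - $events[$i - 1].Time).TotalMinutes }
    "Median gap between events: {0:N1} minutes" -f ($gaps | Sort-Object)[[int]($gaps.Count / 2)]
}

# 2. The subject is SYSTEM (logon ID 0x3e7), so inspect what runs as SYSTEM on a schedule:
#    scheduled tasks (including ones re-created since the last cleanup).
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        [pscustomobject]@{
            Task   = $_.TaskPath + $_.TaskName
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize

# 3. WMI permanent event subscriptions: a common timer-based persistence that survives task removal.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# 4. Services running as LocalSystem from outside the Windows directory.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match 'LocalSystem' -and $_.PathName -notmatch '^"?C:\\Windows\\' } |
    Select-Object Name, State, PathName | Format-Table -AutoSize

# 5. Machine-wide Run keys.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-List
```

Anything found in steps 2 to 5 that lines up with the event timestamps is the persistence to remove; given the domain trust issue on restore, rebuilding the host from a known-good image and then re-joining it is the safer path than continuing to clean in place.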