Re: Server running slow and MSSearch problems

Paul King

"Paul King" <paul@servlan.co.uk> wrote in message
news:%23wudp%23wUIHA.5524@TK2MSFTNGP05.phx.gbl...
> Hi Newell,
>
> Thanks for the update. I will post to the security group, but seriously
> thinking of converting over to Mac OS X Server!!
>
> 1) Viruses found were:
>
> TROJ_DLOADER.TDX, TROJ_RENOS.LZ. TROJ_VUNDO.AAH, PE_VIRUT.AV,
> TROJ_SMALL.ISY, PE_VIRUT.AV
>
> 2) Ran a complete scan using the Trend Micro OfficeScan product, as well
> as use Vundofix.
> 3) Used a product called "WinUtilities" from YLSoftware as it stated that
> this could be run on a Windows 2003 machine.
>
> Still having problems starting the MSSearch service - even after
> reinstalling MS SQL2000.....
>
> Any suggestions please.....
>
> Cheers
> Paul.
>
> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in message
> news:84B27A01-9B88-409C-AC60-A3902DD85C3D@microsoft.com...
>>
>> "Paul King" wrote:
>>
>>> Dear all,
>>>
>>> I have a 2003.net standard server with SQL2000 and Exchange 2003. I
>>> have since contracted a nasty virus even though I had Trend AV installed.
>>>
>>> Anyways, I think I have got rid of the viruses but also did a registry
>>> cleanup using one of the tools on the web, this however has slowed the
>>> machine up.
>>>
>>> The processor is running fine (no high utilisation) but the hard disk
>>> is going like the clappers. The only correlation I can make is that one of
>>> the services failed to start which is Microsoft Search.
>>>
>>> When launched the error "could not find the file specified" is recorded,
>>> yet the MSSearch.exe is located in the correct directory.
>>>
>>> Any help would be appreciated.
>>> Regards
>>> Paul.
>>>
>>>

>> Not my area of expertise, but it is likely you are still infected with
>> something.
>>
>> Try posting to one of the security groups, and include the following
>> info:
>> 1) Which virus you suspected you had, and why (if Trend did not spot it).
>> 2) What you did to eradicate it.
>> 3) Which registry cleanup tool and from where you downloaded it - plain
>> text, not URL link.
>> --
>> Regards,
>> Newell White
>>

>
>
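The symptom Paul describes (Microsoft Search fails to start with "could not find the file specified" even though MSSearch.exe sits in its proper folder, right after a registry cleanup tool ran) typically means the service's registered ImagePath no longer matches the file on disk. The PowerShell check below is an added example, not code from anyone in this thread; it assumes the service name MSSearch and reports, for each service named, whether the binary the registry points at actually exists and whether it carries a valid Authenticode signature.

```powershell
# Added example (not from the thread): compare a service's registered binary
# path (HKLM\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath) with what is
# on disk. A damaged ImagePath yields the "cannot find the file specified"
# start failure even when the executable is still in its correct folder.
param(
    [string[]]$ServiceName = @('MSSearch')   # assumed default; pass other names as needed
)

function Get-ServiceImageFile {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { return $null }
    # Expand %SystemRoot%-style variables, then strip quotes and any arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    if ($expanded.StartsWith('"')) {
        $exe = $expanded.Substring(1, $expanded.IndexOf('"', 1) - 1)
    } else {
        # Unquoted path: keep everything up to and including the first ".exe".
        $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $expanded.Split(' ')[0] }
    }
    # Bare names such as "svchost.exe" resolve relative to %SystemRoot%\System32.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot "System32\$exe"
    }
    return $exe
}

foreach ($svc in $ServiceName) {
    $exe = Get-ServiceImageFile -Name $svc
    if (-not $exe) {
        Write-Output "$svc : no ImagePath in the registry (service entry missing or damaged)"
        continue
    }
    $exists = Test-Path -LiteralPath $exe
    $status = if ($exists) { 'OK' } else { 'MISSING' }
    Write-Output ("{0,-12} {1,-8} {2}" -f $svc, $status, $exe)
    if ($exists) {
        # Report the signature state so an unsigned or tampered binary stands out.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Output ("{0,-12} signature: {1}" -f '', $sig.Status)
    }
}
```

A MISSING result points at a broken registry entry rather than a deleted file; an OK result with a signature status other than Valid deserves a second look given the infections listed above.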
 
David H. Lipman

From: "Paul King" <paul@servlan.co.uk>

< snip >

>>
>> TROJ_DLOADER.TDX, TROJ_RENOS.LZ. TROJ_VUNDO.AAH, PE_VIRUT.AV,
>> TROJ_SMALL.ISY, PE_VIRUT.AV
>>


< snip >

If you have the above trojans and virus on a Win2003 server, you have a major problem in
that it is being used WRONG!

Servers are NOT workstations and should be used as one. The fact that you have the Vundo
and Renos trojans means that someone is willy-nilly downloading "crap" while using the
server. This is very bad and that user should LOSE access to that server (lose admin
rights).

Additionally the Virut is a file infecting virus and does spread. The server should be
REMOVED from the network. It *may* need to be wiped and rebuilt!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Paul King

David,

I appreciate your help on this matter and we have taken adequate steps to
address the person involved... However rebuilding this server is a last
resort process and would like to find another way to resolve this.

For the fact we had what we considered a high-end antivirus solution (Trend
SMB Product) this did not deal with this effectively and has wavered my
faith in Microsoft Operating systems.

Needless to say that at the moment, the Mac OSX Server looks better on
paper!


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23iVe3UxUIHA.1212@TK2MSFTNGP05.phx.gbl...
> From: "Paul King" <paul@servlan.co.uk>
>
> < snip >
>
>>>
>>> TROJ_DLOADER.TDX, TROJ_RENOS.LZ. TROJ_VUNDO.AAH, PE_VIRUT.AV,
>>> TROJ_SMALL.ISY, PE_VIRUT.AV
>>>

>
> < snip >
>
> If you have the above trojans and virus on a Win2003 server, you have a
> major problem in
> that it is being used WRONG!
>
> Servers are NOT workstations and should be used as one. The fact that you
> have the Vundo
> and Renos trojans means that someone is willy-nilly downloading "crap"
> while using the
> server. This is very bad and that user should LOSE access to that server
> (lose admin
> rights).
>
> Additionally the Virut is a file infecting virus and does spread. The
> server should be
> REMOVED from the network. It *may* need to be wiped and rebuilt!
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
David H. Lipman

From: "Paul King" <paul@servlan.co.uk>

| David,
|
| I appreciate your help on this matter and we have taken adequate steps to
| address the person involved... However rebuilding this server is a last
| resort process and would like to find another way to resolve this.
|
| For the fact we had what we considered a high-end antivirus solution (Trend
| SMB Product) this did not deal with this effectively and has wavered my
| faith in Microsoft Operating systems.
|
| Needless to say that at the moment, the Mac OSX Server looks better on
| paper!
|

I am glad that you identified the miscreant admin and took appropriate actions.

Again, this server needs to be removed from the LAN ASAP !

A server is very difficult to work with especially if dealing with RAID arrays.

A suggested path would usually be to remove the hard disk(s), put them in a surrogate PC and
then use anti-virus scanners (such as my Multi AV Scanning Tool) to scan the affected hard
disk(s).

However, this is good for plain drives, not arrays.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Paul King

David,

Many thanks for your sound advice. I'm going to try that method as this
Server is only using Raid1 using SATA drives.

What does Multi AV do differently?

Regards
Paul.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eh%23nmixUIHA.1184@TK2MSFTNGP04.phx.gbl...
> From: "Paul King" <paul@servlan.co.uk>
>
> | David,
> |
> | I appreciate your help on this matter and we have taken adequate steps to
> | address the person involved... However rebuilding this server is a last
> | resort process and would like to find another way to resolve this.
> |
> | For the fact we had what we considered a high-end antivirus solution
> (Trend
> | SMB Product) this did not deal with this effectively and has wavered my
> | faith in Microsoft Operating systems.
> |
> | Needless to say that at the moment, the Mac OSX Server looks better on
> | paper!
> |
>
> I am glad that you identified the miscreant admin and took appropriate
> actions.
>
> Again, this server needs to be removed from the LAN ASAP !
>
> A server is very difficult to work with especially if dealing with RAID
> arrays.
>
> A suggested path would usually be to remove the hard disk(s), put them in
> a surrogate PC and
> then use anti-virus scanners (such as my Multi AV Scanning Tool) to scan
> the affected hard
> disk(s).
>
> However, this is good for plain drives, not arrays.
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctipp.ch/downloads/dl/35905.asp
>
> To use this utility, perform the following...
> Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose Unzip
> Choose Close
>
> Execute C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
> go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
> Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
> site.
> The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and
> Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
> or you can
> download the files and perform a scan in Normal Mode. Once you have
> downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
> Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
> to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
> Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
David H. Lipman

From: "Paul King" <paul@servlan.co.uk>

| David,
|
| Many thanks for your sound advice. I'm going to try that method as this
| Server is only using Raid1 using SATA drives.
|
| What does Multi AV do differently?
|
| Regards
| Paul.
|

The Multi AV Scanning Tool is a front-end to 4 different command line anti virus scanners.

Download it and then read the included PDF help file.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Leythos

In article <e9N7baxUIHA.5264@TK2MSFTNGP02.phx.gbl>, paul@servlan.co.uk
says...
>
> For the fact we had what we considered a high-end antivirus solution (Trend
> SMB Product) this did not deal with this effectivley and has waivered my
> faith in Microsoft Operating systems.


No anti-virus product provides 100% protection, not in all my years.

Why didn't you have a firewall appliance that provides proxy services to
block files from being downloaded?

I could list a bunch of other why.....

Why not boot the server into safe mode, run a scan, delete any
suspicious folders/files, clean the registry, run Multi-AV, and then
bring it back online?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
