edb.log deleted by Norton A/V, store dismounted and won't remount.

This morning, everyone got kicked out of email and I checked Event Viewer to find that Norton A/V detected the Netsky virus in edb.log and deleted it.  Exchange tried to recreate the edb.log and remount the store to no avail.  I tried to do a backup of the edb.log file from a few hours before it was deleted and the store still won't mount.  
Event Viewer logs:
Virus Found!Virus name: W32.Netsky.C@mm in File: C:\exchsrvr\MDBDATA\edb.log by: Realtime Protection scan.  Action: Delete succeeded : Access denied
MSExchangeIS (2756) Unable to create the log. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1811.
MSExchangeIS (2756) The database engine failed with error -510 while trying to log the commit of a transaction.  To ensure database consistency, the process was terminated.  Simply restart the process to force database recovery and return the database to a consistent state.
An error was returned from the messaging software the Internet Mail Service uses to process messages on the Microsoft Exchange Server.  As a result, the message in spool file HCG1SBPR will be retried when the server is restarted.
The error 0x80040115 was encountered while trying to communicate with the message store. An attempt to refresh the connection will be made.  If not successful, the service will be shut down.
An error was returned from the messaging software the Internet Mail Service uses to process messages on the Microsoft Exchange Server.  As a result, the message in spool file HCG1SBPT will be retried when the server is restarted.
The error 0x8004011d occurred while trying to refresh network connections to the Information Store. The Internet Mail Service is being shut down.
A serious error has occurred while trying to send mail into the Exchange Information Store. The Internet Mail Service is being shut down.
An unexpected error [0x80040115] occurred in maintenance thread.
Error 0xfffffdfd initializing the Microsoft Exchange Server Information Store database.
Error Database is in inconsistent state initializing the Microsoft Exchange Server Information Store database.

After unsuccessfully trying to copy a backed up edb.log and restart the store, I copied the priv.edb to a server with enough room to run an eseutil /p on it.  (Not enough room on the mail server, and without correct log files anyway, I didn't think a soft recovery would be possible.)
So now I've run the eseutil /p and it found many inconsistencies and I guess repaired them, so now I'm running an eseutil /d (as per an article I read on here).
I plan on running the (isinteg -pri -fix -test alltests) next for good measure but am not sure what to do afterwards.  
I have deleted all of the log files and edb.chk from the mdbdata folder (as per a suggested solution from Microsoft) but need to know the proper way to remount the defragged/checked priv.edb.

Not sure where to go from here.  
OneHump Commented:
Sorry for the delayed response.  Yahoo someone thought EE email was spam.

Never let AV apps delete.  A bad definition might delete your whole hard drive someday.  :)  Quarantine always gives you a safety net.

I would restore from yesterday.  You cannot restore an active log file.  If you do the restore, I would leave your logs as they are and see if they can be replayed.  You cannot do a restore and delete your logs.

OK, you have no backup and had to repair.  The problem with a repair is that it deletes bad pages in the database.  Not a huge problem in simple cases like yours, but some users might see funny stuff.  The process is pretty simple.  Run the repair and delete your logs.  The database should mount.  That's really about it.  If you want to be REALLY diligent, you could restore your old backup to another server and exmerge that data in, ignoring duplicates.  I'd probably only go that route if people notice that something is wrong with their data after the repair.

File system scanner on Exchange server = bad.  If you're going to run it, please make sure you exclude everything Exchange touches.  Enough said there.

Unfortunately, your best bet is a restore.  Exchange writes a log signature to every DB in the storage group.  That signature must match the active log.  You can try a repair, but that's not your best option.  I strongly advise a restore if possible, even if it means a day's data loss.  You can then take your damaged priv offline and repair it and exmerge the diffs in later.

It's too late now, but is there a chance that Norton quarantined that file rather than delete it?
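
The file-scanner advice above, as an added example that is not part of the original thread: a Python sketch that parses antivirus event text in the format quoted in the question and flags any action taken against files under the Exchange data directory. The directory list, function names and every sample line except the first are assumptions constructed for illustration.

```python
import re
from ntpath import normcase  # Windows path rules, usable on any platform

# Assumption: Exchange data directories to watch; this one is the path in the
# event quoted in the question. Adjust for your install.
EXCHANGE_DIRS = [r"C:\exchsrvr\MDBDATA"]

# Matches the antivirus event text format quoted in the question.
EVENT_RE = re.compile(
    r"Virus name:\s*(?P<virus>\S+)\s+in File:\s*(?P<file>.+?)\s+by:\s*"
    r"(?P<scanner>.+?)\.\s+Action:\s*(?P<action>.+)$"
)

# First line is from the thread; the remaining lines are constructed samples.
SAMPLE_EVENTS = [
    r"Virus Found!Virus name: W32.Netsky.C@mm in File: C:\exchsrvr\MDBDATA\edb.log by: Realtime Protection scan.  Action: Delete succeeded : Access denied",
    r"Virus Found!Virus name: W32.Netsky.C@mm in File: c:\EXCHSRVR\mdbdata\priv.edb by: Realtime Protection scan.  Action: Quarantine succeeded",
    r"Virus Found!Virus name: W32.Netsky.C@mm in File: C:\Temp\invoice.zip by: Manual scan.  Action: Delete succeeded",
    "MSExchangeIS (2756) Unable to create the log. Error -1811.",
]

def parse_av_event(line):
    """Return the event fields as a dict, or None if the line is not an AV event."""
    m = EVENT_RE.search(line)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def touches_exchange(path):
    """True if the path lies inside a watched Exchange directory (case-insensitive)."""
    p = normcase(path)
    return any(p.startswith(normcase(d) + "\\") for d in EXCHANGE_DIRS)

def triage(lines):
    """Collect AV actions against Exchange files; a delete is the worst case."""
    findings = []
    for line in lines:
        ev = parse_av_event(line)
        if ev is None or not touches_exchange(ev["file"]):
            continue
        deleted = ev["action"].lower().startswith("delete")
        ev["severity"] = "critical" if deleted else "warning"
        findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["action"], f["file"], sep=" | ")
```

Any finding at all means the scanner's exclusions do not cover the Exchange directories; a `critical` finding means a file the store depends on has already been removed.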

medguru (Author) Commented:
Norton deleted the edb.log instead of quarantine.  Should I just try a restore of the priv.edb from yesterday?  I tried restoring the edb.log and it still wouldn't mount.  Can I restore just the priv.edb and delete all the log files and mount it?

medguru (Author) Commented:
I have since excluded the exchange folders from Norton file scanning, so that should prevent this in the future.  For now, let's assume that I have no backup and was forced to run a hard repair (eseutil /p) on the priv.edb.   Where to go from here?
medguru (Author) Commented:
Here's what I did and it's working, with no reported data loss from users so far.

eseutil /p on the priv.edb
eseutil /d
isinteg -patch
isinteg -pri -fix -test alltests

remounted and voila, working.  
Perfect.  Running D wasn't necessary, but is not a bad thing.

You should have to run -patch.  All it does is update the GUID on the database when doing an offline restore.

Running -fix was probably a good thing, but probably didn't find anything.

It looks to me like you did the right thing and it sounds like you're good to go.

Please keep in mind that a repair is destructive and should always take a back seat to a restore.  It sounds like you're in good shape though. :)

Remove the log files from the mdbdata and restart the server. Reconfigure your Norton setting; do not scan the mdbdata folder for realtime file protection.

Liew, that would put the databases in an inconsistent state because the log signatures would no longer match.  OK with Exchange 5.5, but a really bad idea with E2K.

Hi guys.

We are in exactly the same boat. Our priv.edb is around 8gb in size. We have a 400MHz Pentium II mail server, and were wondering roughly how long it should take for the repair. We have been running for around an hour now, with no change in the status of the repairing damaged files section.


I just finished this process yesterday morning.  I have a Dual PIII 450, with 2GB RAM, with a 17GB Priv.edb and it took just over 11 hours to complete. I had the same situation... after receiving a lot of feedback that the process was working, it went silent after about an hour, and I didn't receive any feedback until the process had completed.  

One other issue... once complete I had to do the same process on the pub.edb as well before I could bring the IS back online.
