Anti Spyware Software on Server ctrl-alt-del not working??


we are running Small Business Server 2000 and am afraid it might be infected with spyware although am not totally sure, its just that ctrl-alt-del does not work at all and if i try to shutdown or restart through the start menu nothing happens.  i cant even log off from the server.  Anyway, to check it out I was gonna get some anti spyware software to run on it but am not sure which.  i have used spybot and adaware numerous times on client machines but am not sure if should use either of these on the server, could someone please advise?  Thanks in advance
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zaheer IqbalTechnical Assurance & ImplementationCommented:
Try this

use Hijackthis, it can tell you about the running and starting applications,,, so you can have a better look at what's going on your system :)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:

Then Post that log at this site >>
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >>

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
Hi markmcelhone,

The symptoms you describe sound like a virus, although they may be spyware related.

Can you shutdown the server from the command line?
You can initiate a shutdown from the command line with the shutdown command. For full syntax, type shutdown /?

Have you checked wether you have any dubious IP connections going out from the server?
To check IP connections on you server, type netstat -a.
Be carelfull of any connections to IRC servers. The target port will be TCP 6667 or 6668.

As a final check, scan with AV software and something like Spybot S&D. Don't make any changes unless you are absolutely sure that you want to make the changes you are making.

Good Luck
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Try online virus scan http:\\
Check processes running in thr back round and kill any processes that you are not familiar with.
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

markmcelhoneAuthor Commented:
the shutdown command doesnt seem to be available in windows 2000 - it is not recognized as an internal or external command, operable program or batch file.
I have done a netstat -a though and have noticed a few IP Addresses that I dont recognize.  What could I do about these?

I would scan with spybot although dont wanna install on server unless know for sure it wont make any changes that could have a bad effect on the server operating.  Have any of you used it on a server before?

I've never run spybot on a server before, but I would be very surprised if it makes any changes to the OS/AD that would harm it.

As for the unknown IP addresses, You would need to find out the owning process. In WinXP/Server2003, you can do a netstat -a -o to find out the owning process of the connection, then run taskmanager to find out the process. For Windows 2000, you will need a 3rd party tool to determine the owning PID. If the process is svchost.exe, run tasklist /svc at the command prompt to find out which dll'd etc are loaded by that instance of svchost.

For Windows 2000 machines, there is an app called fport from foundstone inc. which should do the job.

no problem in installing Spybot on server... as long as ... you don't change anything using it...
just use it, to SCAN the server...

Log everyone out of the network.
Power off the server with the power button.
Reboot it and run a virus scan and some spyware tools.

In situations where you cannot restart or shutdown, it's not necessarily virus or spyware (although it's not inconceivable) it could simply be corrupt pool area or some locked threads.

While boucing the server hard like this is not advisable in most circumstances, this is one of those times.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
markmcelhoneAuthor Commented:
I manually powered off the server (after getting everyone to quit anything that was resident on the server) after stopping Exchange Services as they can cause grief if not taken care off properly.  After restart everything seems fine.  I didnt think it could have been spyware at the start as the server is never used for browsing although could think of nothing else it could be.  Seems ok now anyway and am in the middle of a virus scan.
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Ok check your event viewer for any errors related and post them here..
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.