Solved

Anti Spyware Software on  Server ctrl-alt-del not working??

Posted on 2004-11-05
Last Modified: 2010-04-13
Hi,

We are running Small Business Server 2000 and am afraid it might be infected with spyware, although am not totally sure; it's just that ctrl-alt-del does not work at all and if I try to shut down or restart through the start menu nothing happens. I can't even log off from the server. Anyway, to check it out I was gonna get some anti-spyware software to run on it but am not sure which. I have used Spybot and Ad-Aware numerous times on client machines but am not sure if should use either of these on the server; could someone please advise? Thanks in advance
Question by:markmcelhone
9 Comments
 
LVL 20

Expert Comment

by:Zaheer Iqbal
ID: 12502919
Try this

Use HijackThis; it can tell you about the running and starting applications, so you can have a better look at what's going on on your system :)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
To Fix, check the lines in the HijackThis scan and click on Fix Checked!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google, and then when you have confirmed that they should be deleted, Fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of its created backups of fixed items. And if you still face problems in dealing with it, just analyse your log at the above site, then scroll down to where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
0
 
LVL 16

Expert Comment

by:InteraX
ID: 12503065
Hi markmcelhone,

The symptoms you describe sound like a virus, although they may be spyware related.

Can you shut down the server from the command line?
You can initiate a shutdown from the command line with the shutdown command. For full syntax, type shutdown /?

Have you checked whether you have any dubious IP connections going out from the server?
To check IP connections on your server, type netstat -a.
Be careful of any connections to IRC servers. The target port will be TCP 6667 or 6668.

As a final check, scan with AV software and something like Spybot S&D. Don't make any changes unless you are absolutely sure that you want to make the changes you are making.

Good Luck
;-)
0
 
LVL 20

Expert Comment

by:Zaheer Iqbal
ID: 12503107
Try the online virus scan at http://housecall.trendmicro.com
Check the processes running in the background and kill any processes that you are not familiar with.
0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12503262
The shutdown command doesn't seem to be available in Windows 2000 - it is not recognized as an internal or external command, operable program or batch file.
I have done a netstat -a though and have noticed a few IP addresses that I don't recognize. What could I do about these?

I would scan with Spybot, although I don't wanna install it on the server unless I know for sure it won't make any changes that could have a bad effect on the server operating. Have any of you used it on a server before?
0
 
LVL 16

Expert Comment

by:InteraX
ID: 12503359
markmcelhone,

I've never run spybot on a server before, but I would be very surprised if it makes any changes to the OS/AD that would harm it.

As for the unknown IP addresses, you would need to find out the owning process. In WinXP/Server2003, you can do a netstat -a -o to find out the owning process of the connection, then run Task Manager to find out the process. For Windows 2000, you will need a 3rd party tool to determine the owning PID. If the process is svchost.exe, run tasklist /svc at the command prompt to find out which DLLs etc. are loaded by that instance of svchost.

For Windows 2000 machines, there is an app called fport from Foundstone Inc. which should do the job.

http://www.foundstone.com

0
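The check described in InteraX's two comments above (list connections with their owning PID, then look for remote TCP ports 6667/6668), as an added example that is not part of the original thread: a Python sketch that parses saved `netstat -a -n -o` output and groups IRC-port connections by PID. The sample output and addresses are constructed, and `-n` (numeric addresses and ports) is an assumption added so the ports parse as numbers.

```python
import re
from collections import defaultdict

IRC_PORTS = {6667, 6668}  # remote TCP ports named in the comment above

# Constructed sample of `netstat -a -n -o` output (not from the original thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:25          198.51.100.7:40112     ESTABLISHED     1504
  TCP    192.0.2.10:1045        203.0.113.50:6667      ESTABLISHED     2216
  TCP    192.0.2.10:1046        203.0.113.51:6668      SYN_SENT        2216
  TCP    [::1]:1050             [2001:db8::5]:6667     ESTABLISHED     3020
  UDP    0.0.0.0:445            *:*                                    4
"""

# proto, local endpoint, remote endpoint, optional state (UDP rows have none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port'; the port is None for '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return one dict per connection row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows

def irc_connections_by_pid(rows, ports=IRC_PORTS):
    """Map PID -> [(remote host, remote port, state)] for outbound IRC-port TCP rows."""
    hits = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING" and r["remote_port"] in ports:
            hits[r["pid"]].append((r["remote_host"], r["remote_port"], r["state"]))
    return dict(hits)

if __name__ == "__main__":
    for pid, conns in irc_connections_by_pid(parse_netstat(SAMPLE)).items():
        print(f"PID {pid}: {conns} -> identify with Task Manager or tasklist /svc")
```

On Windows 2000, where the comment says a third-party tool such as fport is needed for the owning PID, the PID column would have to come from that tool's output instead.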
 
LVL 6

Expert Comment

by:kapes
ID: 12504977
no problem in installing Spybot on server... as long as ... you don't change anything using it...
just use it, to SCAN the server...

0
 
LVL 51

Accepted Solution

by:
Netman66 earned 375 total points
ID: 12506072
Log everyone out of the network.
Power off the server with the power button.
Reboot it and run a virus scan and some spyware tools.

In situations where you cannot restart or shutdown, it's not necessarily virus or spyware (although it's not inconceivable); it could simply be corrupt pool area or some locked threads.

While bouncing the server hard like this is not advisable in most circumstances, this is one of those times.

0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12506513
I manually powered off the server (after getting everyone to quit anything that was resident on the server) after stopping Exchange Services, as they can cause grief if not taken care of properly. After restart everything seems fine. I didn't think it could have been spyware at the start as the server is never used for browsing, although could think of nothing else it could be. Seems ok now anyway and am in the middle of a virus scan.
0
 
LVL 20

Expert Comment

by:Zaheer Iqbal
ID: 12512569
OK, check your Event Viewer for any related errors and post them here.
0
