  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7351

Can't connect to small business server 2003

The server was recently infected by W32.Mytob.KU@mm. Norton was able to remove the virus, but I still can't connect from any workstation. The server will not respond to pings from its DNS name, or from its local IP address. It's basically invisible on the network.

Asked by: dave1184
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Did you use the removal tool?  Or did just the AV remove the virus?

Can you please post an IPCONFIG /ALL from the server?

Thanks.

Jeff
TechSoEasy

dave1184 (Author) commented:
A full scan that I ran overnight quarantined the virus in 12,000 different places. Afterward I ran the removal tool and it couldn't find the virus. I guess the full scan did its job, unless the removal tool restores certain settings that I need and it didn't perform these actions because the virus is gone. Is this possible?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : GPSERVE1
   Primary Dns Suffix  . . . . . . . : graniteplanet.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : graniteplanet.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 5751 Gigabit Controller
   Physical Address. . . . . . . . . : 00-13-20-09-AF-DE
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.88.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.88.1
   DNS Servers . . . . . . . . . . . : 192.168.88.11
   Primary WINS Server . . . . . . . : 192.168.88.11

C:\Documents and Settings\Administrator>

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
It is possible.  Are all services which are set to run automatically running?  Did you reboot the server after the tool ran? (You should).

Jeff
TechSoEasy

dave1184 (Author) commented:
There are two services that are not started; they refer to SQL Server and I don't think that would cause this. Below I have copied the latest performance report. There are some things that may be relevant, but when you restart the server sometimes stuff shows up in the report that's just due to the restart. I did restart the server after the tool ran. I am installing Service Pack 1 as I understand it's recommended because it contains some security fixes.

Server Performance Report for Granite Planet
Report created on 4/18/2006 at 4:25 PM       
      
Definitions



Summary for GPSERVE1
       Server has been running: 0 days and 1 hour       
       Server Specifications       Details

       Performance Summary       Details

       Top Processes       Details

       Backup: Not configured       Details

       Auto-started Services Not Running: 2       Details

       Critical Alerts: 15       Details

       Critical Errors in the Event Logs: 58392       Details




Details of GPSERVE1



Server Specifications
Operating System: Microsoft(R) Windows(R) Server 2003 for Small Business Server
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz, Intel(R) Pentium(R) 4 CPU 2.80GHz
Frequency: 2.8 GHz, 2.8 GHz
Amount of RAM: 2039 MB



Performance Summary
Performance Counters      Today      Last Month      Rate of Growth
Memory in use      1,571 MB       1,581 MB      -1 %
Free disk space (C:)      1,499 MB       2,784 MB      -46 %
Free disk space (D:)      35,266 MB       50,417 MB      -30 %
Free disk space (E:)      62,052 MB       62,052 MB      0 %
Busy disk time (0 C: D:)      15 %       6 %      145 %
Busy disk time (1 E:)      0 %       No data      
CPU Use (0)      64 %       3 %      1,756 %
CPU Use (1)      65 %       3 %      2,280 %



Top 5 Processes by Memory Usage
Process Name - ID      Memory Usage            
store - 2976      620 MB             
store - 1984      435 MB             
store - 1576      197 MB             
sqlservr - 560      160 MB             
sqlservr - 1424      96 MB             



Top 5 Processes by CPU Usage
Process Name - ID      CPU Time            
Rtvscan - 2972      91.1 %             
svchost - 756      40.5 %             
store - 1984      13.4 %             
sqlservr - 560      10.6 %             
SAVFMSESJM - 3160      8.2 %             



Backup
Result      Last Occurrence
Small Business Server Backup is not configured. To configure backup, click the Backup snap-in in Server Management, and then click Configure Backup.       Not applicable



Auto-started Services Not Running
Service Name
MSSQL$GP
SQLAgent$GP
 Total auto-started services not running: 2

In normal conditions, these services should be running. For details, it is recommended that you review errors in the Event log related to the service.



Critical Alerts
Issue      Last Occurrence      Total Occurrences
 Process (store.exe)      4/18/2006 4:25 PM      4
The store.exe process is allocating more memory than usual.

Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.            


Issue      Last Occurrence      Total Occurrences
 Simple Mail Transfer Protocol (SMTP)      4/18/2006 3:02 PM      1
SMTPSVC service is Stop Pending.

This service transports electronic mail across the network. If this service is stopped, messages are not delivered to the recipients.

For more information about this event, see the event logs on the server computer. You can restart this service by using the View Services task in the Server Management Monitoring and Reporting taskpad.

You can disable this alert by using the Change Alert Notifications task.            


Issue      Last Occurrence      Total Occurrences
 Microsoft Exchange Routing Engine      4/18/2006 3:01 PM      1
RESvc service is Stop Pending.

This service provides Exchange routing services using link state information. If this service is stopped, messages are not routed by the Small Business Server computer.

For more information about this event, see the event logs on the server computer. You can restart this service by using the View Services task in the Server Management Monitoring and Reporting taskpad.

You can disable this alert by using the Change Alert Notifications task.            


Issue      Last Occurrence      Total Occurrences
 World Wide Web Publishing      4/18/2006 3:00 PM      1
W3SVC service is Stop Pending.

This service provides Web connectivity and administration through the Internet Information Services snap-in.

For more information about this event, see the event logs on the server computer. You can restart this service by using the View Services task in the Server Management Monitoring and Reporting taskpad.

You can disable this alert by using the Change Alert Notifications task.            


Issue      Last Occurrence      Total Occurrences
 Windows Internet Name Service (WINS)      4/18/2006 1:13 PM      1
WINS service is Stopped.

This service resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names. If this service is stopped, network NetBIOS services will not function properly.

For more information about this event, see the event logs on the server computer. You can restart this service by using the View Services task in the Server Management Monitoring and Reporting taskpad.

You can disable this alert by using the Change Alert Notifications task.            


Issue      Last Occurrence      Total Occurrences
 System Up Time      4/18/2006 12:13 PM      3
The server restarted. If this event was not planned, check the Server Performance Report and Event Logs for information that can help explain the event.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.            


Issue      Last Occurrence      Total Occurrences
 Processor Activity (0)      4/18/2006 7:28 AM      2
The processor is experiencing a low level of idle time. Consistently low levels of idle time can cause performance problems.

Use Task Manager to view the top processes by CPU. If a service or less important process appears to be unusual, try stopping and then restarting it.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.            


Issue      Last Occurrence      Total Occurrences
 Processor Activity (1)      4/18/2006 7:28 AM      2
The processor is experiencing a low level of idle time. Consistently low levels of idle time can cause performance problems.

Use Task Manager to view the top processes by CPU. If a service or less important process appears to be unusual, try stopping and then restarting it.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.            



Critical Errors in Application Log
Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeAL      8026      4/18/2006 1:16 PM      51,362 *
LDAP Bind was unsuccessful on directory GPSERVE1.graniteplanet.local for distinguished name ''. Directory returned error:[0x51] Server Down. DC=graniteplanet,DC=local For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeIS      9662      4/18/2006 1:16 PM      2 *
There was an error obtaining the Unsolicited Commercial Email default filter level from the directory. The error code was 0x80004005. The value remains at 8. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeSA      9154      4/18/2006 1:15 PM      4 *
DSACCESS returned an error '0x80004005' on DS notification. Microsoft Exchange System Attendant will re-set DS notification later. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeIS Mailbox Store      7200      4/18/2006 1:15 PM      4 *
Background thread FDoUpdateCatalog halted on database "First Storage Group\Mailbox Store (GPSERVE1)" due to error code 0x80004005. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeIS Public Store      7200      4/18/2006 1:15 PM      1
Background thread FDoUpdateCatalog halted on database "First Storage Group\Public Folder Store (GPSERVE1)" due to error code 0x80004005. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Userenv      1030      4/18/2006 1:13 PM      1
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Userenv      1058      4/18/2006 1:13 PM      1
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=graniteplanet,DC=local. The file must be present at the location <\\graniteplanet.local\sysvol\graniteplanet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeDSAccess      2103      4/18/2006 1:13 PM      2 *
Process MAD.EXE (PID=3500). All Global Catalog Servers in use are not responding: GPSERVE1.graniteplanet.local For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeDSAccess      2114      4/18/2006 1:13 PM      1
Process STORE.EXE (PID=4044). Topology Discovery failed, error 0xffffffff. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeDSAccess      2102      4/18/2006 1:13 PM      4 *
Process MAD.EXE (PID=3500). All Domain Controller Servers in use are not responding: GPSERVE1.graniteplanet.local For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Application Hang      1002      4/18/2006 12:48 PM      3 *
Hanging application VPC32.exe, version 10.0.2.2000, hang module hungapp, version 0.0.0.0, hang address 0x00000000.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeAL      8250      4/18/2006 10:10 AM      2 *
The Win32 API call 'DsGetDCNameW' returned error code [0x862] The specified component could not be found in the configuration information. The service could not be initialized. Make sure that the operating system was installed properly. For more information, click http://www.microsoft.com/contentredirect.asp.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Symantec AntiVirus      5      4/18/2006 8:44 AM      6,905 *
                  


Source      Event ID      Last Occurrence      Total Occurrences
 Microsoft Fax      32107      4/18/2006 4:30 AM      2 *
Sent faxes cannot be archived, because the Fax service cannot access the folder C:\fax\archive specified as the Sent Items archive location. You can modify the location of the Sent Items archive folder from Fax Service Manager. For more information, see Troubleshooting in Fax Service Manager help. Win32 Error Code: %2 This error code indicates the cause of the error.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Windows SharePoint Services 2.0      1000      4/17/2006 7:02 PM      1
#50070: Unable to connect to the database STS_gpserve1_1 on GPSERVE1\SharePoint. Check the database connection information and make sure that the database server is running.                   


Source      Event ID      Last Occurrence      Total Occurrences
 MSExchangeDSAccess      2104      4/17/2006 6:57 PM      1
Process STORE.EXE (PID=2976). All the DS Servers in domain are not responding. For more information, click http://www.microsoft.com/contentredirect.asp.                   
* The text shown is for the most recent occurrence of this event. For more information, see the Event log.

Critical Errors in Directory Service Log
There were no critical events in the Directory Service Log in the last 24 hours.



Critical Errors in DNS Server Log
Source      Event ID      Last Occurrence      Total Occurrences
 DNS      6702      4/18/2006 1:16 PM      1
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code. If this DNS server does not have any DS-integrated peers, then this error should be ignored. If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it. To ensure proper replication: 1) Find this server's Active Directory replication partners that run the DNS server. 2) Open DnsManager and connect in turn to each of the replication partners. 3) On each server, check the host (A record) registration for THIS server. 4) Delete any A records that do NOT correspond to IP addresses of this server. 5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.                   


Source      Event ID      Last Occurrence      Total Occurrences
 DNS      4015      4/18/2006 10:10 AM      1
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.                   



Critical Errors in File Replication Service Log
There were no critical events in the File Replication Service Log in the last 24 hours.



Critical Errors in Security Log
Source      Event ID      Last Occurrence      Total Occurrences
 Security      529      4/18/2006 12:14 PM      31 *
Logon Failure:            
      Reason:      Unknown user name or bad password
      User Name:      Administrator
      Domain:      graniteplanet
      Logon Type:      5
      Logon Process:      Advapi
      Authentication Package:      Negotiate
      Workstation Name:      GPSERVE1
      Caller User Name:      GPSERVE1$
      Caller Domain:      graniteplanet
      Caller Logon ID:      (0x0,0x3E7)
      Caller Process ID:      544
      Transited Services:      -
      Source Network Address:      -
      Source Port:      -
* The text shown is for the most recent occurrence of this event. For more information, see the Event log.

Critical Errors in System Log
Source      Event ID      Last Occurrence      Total Occurrences
 MRxSmb      8003      4/18/2006 1:37 PM      1
The master browser has received a server announcement from the computer SJSWK that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B8639955-D815-45F4-801. The master browser is stopping or an election is being forced.                   


Source      Event ID      Last Occurrence      Total Occurrences
 NETLOGON      5775      4/18/2006 1:17 PM      8 *
The dynamic deletion of the DNS record 'graniteplanet.local. 600 IN A 192.168.88.12' failed on the following DNS server: DNS server IP address: <UNAVAILABLE> Returned Response Code (RCODE): 0 Returned Status Code: 0 USER ACTION To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center. ADDITIONAL DATA Error Value: A socket operation was attempted to an unreachable host.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Service Control Manager      7024      4/18/2006 1:13 PM      1
The Windows Internet Name Service (WINS) service terminated with service-specific error 3758096386 (0xE0000002).                   


Source      Event ID      Last Occurrence      Total Occurrences
 NETLOGON      5774      4/18/2006 1:13 PM      22 *
The dynamic registration of the DNS record 'c1354df5-7c94-4e5c-a8af-f0da7469b139._msdcs.graniteplanet.local. 600 IN CNAME GPSERVE1.graniteplanet.local.' failed on the following DNS server: DNS server IP address: <UNAVAILABLE> Returned Response Code (RCODE): 0 Returned Status Code: 0 For computers and users to locate this domain controller, this record must be registered in DNS. USER ACTION Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended. ADDITIONAL DATA Error Value: A socket operation was attempted to an unreachable host.                   


Source      Event ID      Last Occurrence      Total Occurrences
 RemoteAccess      20106      4/18/2006 1:10 PM      1
Unable to add the interface {B8639955-D815-45F4-801E-703ACCD1FA91} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Service Control Manager      7038      4/18/2006 12:14 PM      8 *
The MSSQL$GP service was unable to log on as graniteplanet\Administrator with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).                   


Source      Event ID      Last Occurrence      Total Occurrences
 Service Control Manager      7000      4/18/2006 12:14 PM      8 *
The MSSQL$GP service failed to start due to the following error: The service did not start due to a logon failure.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Service Control Manager      7001      4/18/2006 12:14 PM      4 *
The SQLAgent$GP service depends on the MSSQL$GP service which failed to start because of the following error: The service did not start due to a logon failure.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Service Control Manager      7016      4/18/2006 12:12 PM      3 *
The BrSplService service has reported an invalid current state 0.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Print      54      4/18/2006 12:05 PM      1
Document Intuit was corrupted and has been deleted. The associated driver is: Brother HL-5170DN series.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Schedule      7901      4/18/2006 8:00 AM      2 *
The At3.job command failed to start due to the following error: The system cannot find the path specified.                   


Source      Event ID      Last Occurrence      Total Occurrences
 VolSnap      25      4/17/2006 8:27 PM      1
The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.                   


Source      Event ID      Last Occurrence      Total Occurrences
 Print      61      4/17/2006 7:39 PM      3 *
The document Intuit owned by Administrator failed to print on printer BRO_LASER. Win32 error code returned by the print processor: 0. The operation completed successfully.                   
* The text shown is for the most recent occurrence of this event. For more information, see the Event log.


Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
How prepared are you to reinstall your server and restore your last full backup?

Jeff
TechSoEasy