Bert2005 (United States of America) asked:

Computer acting very weird

OK, this is extremely strange, and seems like it could only be explained by a virus. First, my Symantec Antivirus on my SBS 2003 Standard Edition R2 was due for its annual virus definition subscription and, since I decided I didn't want to use SAV again, I disconnected the Internet access and began installing Trend Micro. Unfortunately, I wasn't able to get it completely installed and, as our business needs to access the Internet, we were without an antivirus program for 24 hours. (I know, very stupid.)

We have seven computers on the domain with one server. The computer in Room 1 began acting very strangely the day after. It is very strange. I have a few sites that require a logon and a password and then I have to type in a medication in order to look it up. The second I put the cursor in the field for the med, the browser would instantly return to the home page. The browser wouldn't close it would just go back to the home page. I would repeat the process and the same thing. It was very reproducible. This was occurring with every single web page like this.

Also, we have an electronic medical record, where you have to enter words or phrases in fields. As soon as you entered a phrase like "Fever for three days", the cursor would instantly move back one space, skipping over the last letter. It would basically look like this: Fever for three day|s, if you can call the line before the "s" a cursor. If you clicked on the backspace key, it would delete all of the letters to the left, and the last letter which was on the right would follow it. Another thing was if you right-click in a window in the program, it will bring up a window with key words where, if you left-click on them, it enters the data associated with it in the section of the record. Basically, these are templates. But, with this computer, before you could select one, it would enter the top one in the list. Finally, if you clicked on visit history, a window will open listing all of the dates and visits. Normally, you highlight one, and the entire visit that was previously written will show up in the page below. But, on this day (yesterday), you could highlight one and it would show the note, but then the blue highlight would randomly move up to another note and put it in.

I assumed this had to be a virus. Trend Micro was installed and received updates and scanned the PC and found nothing. I then uninstalled the client, because I was used to that antivirus and installed a single, standalone AVG virus scanner, updated the definitions and scanned the computer. Nothing.

So, I come in today to check on it, and the Windows XP screensaver, instead of showing a small icon had a giant icon that took up 1/3 of the screen. CTRL - ALT - DELETE brought me to the next window where the logon window was HUGE. Took up the entire page. I logged in and the desktop was fine. I figured my VGA would be set to 600 x 800, but it was OK. I then did the webpage thing and the EMR thing and everything is perfect.

I am completely stumped. I did disconnect that computer from the network. The only other weird thing is on my own computer in my office, Task Manager is gone. You can right-click on the taskbar and click on Task Manager, but it doesn't appear.

I get a little confused at times with viruses, etc. I know it isn't good to leave the network insecure, but I ran the network with Symantec for one year, and it would seem like if a virus entered the LAN, at least Symantec would see it and tell me. Or find it in a scan. Why would I get a virus the ONE day I was unprotected? We have a good hardware firewall and Windows firewall. And, the two computers I am worried about are only used by me, and I don't surf strange websites. If a virus doesn't come in by email, how does it get in? Through a website? A person from the outside?

Sorry, this is so long. Just wanted to give you all of the information.
and235100 (United Kingdom):

Try this: http://windowsxp.mvps.org/Taskmanager_error.htm to re-enable Task Manager.
Otherwise - run sfc /scannow from a command prompt:
http://www.updatexp.com/scannow-sfc.html
Malware has many points of entry - apart from the internet.
End-users plug in USB keys, install software from burnt CDs/DVDs.
Also - unzipped/unrar'd files can contain dormant malware - not just viruses - but trojans and other nasties - that can easily spread around a network.
Antivirus software - by definition - is not normally very good at removing non-viral threats.
You require three main sorts of security software - antivirus, anti-spyware and anti-spam on a network.
Software firewall clients also help by stemming the flow of trojans and worms from one computer to another.
Of course - a hardware firewall will help a lot as well.
Bert2005 (asker):

and235100,

Thanks for helping out on Thanksgiving. I tried both things in number one answer and learned a lot about copying the I386 folder, but nothing worked.

Do you think that spam or spyware would cause this? I am thinking it wouldn't. I am not sure about Trojans and worms. I will try running an anti-trojan scanner. I believe I have a good one of those.
SOLUTION from and235100 (United Kingdom): members-only content, not shown on this page.

Bert2005 (asker):
and235100,

I have worked on the problem all afternoon. : (  

Still no luck. I will definitely try your tip above. Just as a clarification, and I know my question was extremely long, the Task Manager issue is on my computer in my office and, though it makes me nervous, I am more concerned with the Room 1 computer which seems to be "possessed." I need help trying to troubleshoot why it is happening and, if it is a virus, why I can't seem to detect it with AVG or Trend Micro.

Thanks.
Jonvee:

AVG and Trend Micro will not necessarily detect a rootkit.  Assuming for the moment that you may have a 'nasty', suggest you try Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

The technique is to create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temp folder.
It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.

Run Hijackthis scan, save the log file, then copy and paste the logfile to the site below.  
http://www.hijackthis.de/
Select "Short analysis".  
A list of items for you to scrutinise will appear and if you're familiar with HijackThis you'll know what items to FIX.  If you require advice, copy and post the "link" here. Preferably not the full log, as it can be too lengthy.
 
Alternatively you may select this next link and login using your Experts-Exchange username and password.  Upload your HijackThis report then again post the link to the report to us >
http://www.ee-stuff.com
In re-reading your comments ..
>Why would I get a virus the ONE day I was unprotected<

Not wishing to alarm but it's conceivable you could acquire a 'nasty' within less than one minute of accessing the internet, *unprotected*.  With a good s/w and h/w firewall it's still possible, but it's a situation we should be able to quickly check for.
 
Please note that neither will HijackThis necessarily detect a rootkit  (rootkit yet to be established!), but at least it can provide us with the information to choose the appropriate tool to remove a rootkit, or whatever other nasty it may find.
Jonvee,

Thanks for the info. I will do all this and post back. While I am doing this, I have some questions.

If I were to receive an email and open an attachment I shouldn't (which I would never do), if it contained a virus and the antivirus software had that definition, it would instantly detect the virus and give an alert (usually). So, why is it that if the Internet is capable of putting viruses into my network when I have no protection, why isn't the same thing happening all the time but the viruses would be detected?

Hope that makes sense.
Btw, I feel like a complete idiot. Thought I was doing the right thing by removing Symantec when they wanted me to renew my subscription. I should have disconnected from the Internet before removing it. By the time I installed another one, I had the problem.
http://www.hijackthis.de/logfiles/cd36a82296bd3a34b102bd297564bdf2.html

Not sure if this is the short or long version. It only gave one button. Let me know if you need a shorter version.

Happy Thanksgiving by the way!
Thanks  ...  It'll take a while to study the log in more detail but a preliminary check shows it to be *reasonably* clean!
However, in cases where it states "This is a unknown process ..", it would be useful if you could confirm you recognise the item, where possible.

Other examples: In the case of "GrooveMonitor.exe", this program is apparently used to track Groove problems and creates error reports that are sent back to MS ..
http://www.bleepingcomputer.com/startups/GrooveMonitor-18228.html

[?] C:\Program Files\Mirra\Mirra.Client.exe - This is a unknown process:
http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm

[Y] C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
http://www.bleepingcomputer.com/startups/ONENOTEM.EXE-2921.html

You can Fix this (harmless?) entry >
[N] O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Will study the log further and report back later.

Meanwhile, for *possible* rootkits suggest you try running Combofix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with another HijackThis log, in a reply for us.

Please do not mouseclick combofix's window while its running, it may cause it to hang/stall.
You may have to disable NAV if you have it installed, it's been reported that it can interfere with the cleanup.
 
Don't worry about 'removing Symantec', we all make those sort of moves occasionally .. it's easy to be wise after the event!

Oh yes, regarding your comment  "Happy Thanksgiving by the way!"  ... like and235100 i too am English!     But thanks anyway  :)
Oh, so TGIF, lol. Ironic you would mention Mirra. It's a backup server which runs in real time, made by Seagate, well, now anyway. So, it may have a copy of the virus.

I will do those things. I am going to post a link soon to another question, because it doesn't completely fit here. But, it's rather important.
A bit more information which may or may not help. Last night I did run Trojan Hunter on all of the PCs. Two of them, including my PC in my office (which is a bit weird), had three Trojans, mostly generic. They were cleaned and removed.

The server, ironically, had Trojan Hunter and NOD32 installed, and they tend to produce false positives -- I found this when I Googled the virus and tens of places talked about the false positive. Scared the hell out of me though.

Just to give an example of another weird thing. Within the last hour, my clock in my system tray changed from 5:07 to 17:07.

I guess ComboFix changes that.
Yes, your clock change was probably due to ComboFix.

You can uninstall ComboFix as follows >
Start > Run > then type "ComboFix /u"    (with no quotes, and space between x and / )
Then hit enter, which should reset the clock settings, re-hide system hidden files, reset System Restore, etc..
       
Am studying your three logs.
Very nervous. One computer was given an IP address of something like 292.268.34.179 where it should be 192.168.1.x and it didn't have a default gateway.

The Room 1 computer had about 15 red X's. The server has 3. Some computers with correct IPs etc. can reach the Internet, some can't. I think DHCP is screwed up somehow or maybe DNS. I hope I don't have to redo the server.
I very much appreciate your helping me. It must be rather late/early over there.
I opened another question at:

https://www.experts-exchange.com/index.jsp?qid=22979685

I know you are busy but just in case you can go between two. : )
Well, not sure if you had any luck. I am going to get some sleep. Pretty much had to get home to get Internet access. Things seem to be getting worse. DHCP giving out bizarre IPs. Can't see the network even with assigned IPs. Looks like I will probably have to format all of the computers including the server.

Dumb question, but will a backup from Wednesday night whether image or not contain the same rootkits, and would data files be safe to back up or reinstall from backups?
 > a backup from Wednesday night <
Doubt if it's a dumb question, but i can't give you an accurate answer !
Instinct says that it's worth trying, but not if it's going to take almost as long as your suggested format of all computers and server!

In fact if you get no further experts' comments (I appreciate that there is a considerable urgency to your problem!), suggest you post a quick "pointer question" (worth 20 points) in the HijackThis TA with a link to this thread number http:Q_22977986.html, where you should get an additional & quick response.  This will give you input from experts specialising in virus & Malware removal.  
https://www.experts-exchange.com/Software/Internet_Email/Spy_Ad_Blockers/HijackThis/

Naturally we would stay with you throughout the process  :)

Now going to take a second look at your two most recent logs, and will regularly view your 2nd question.
Thanks. Hanging in there.
Once again the logs appear reasonably clean, but have only established that there appears to be no sign of 'Vundo' or 'FixWareout' infections.  That still doesn't prove that there's not something nasty present!

Only other suggestion at this time is to 'isolate' the Room 1 computer and
try the F-Secure "Blacklight" rootkit remover.  If successful you could move on to the server & others >>
"Rootkit Detection and Elimination Tool":
http://www.f-secure.com/security_center/

This Blacklight tutorial from 'bleepingcomputer' may help.  If not, post back for a cut/paste guide >>
"Using Blacklight to detect and remove Rootkits":
http://www.bleepingcomputer.com/tutorials/tutorial124.html

Or the Sophos scanner which has a good recommendation >
Sophos Anti-Rootkit Version 1.3.1
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
OK. I will try that. When I look at the ones where they are easy to read with the green checks and yellow question marks and red X's, there appear to be 5 red X's on the server and quite a few on Office computer and Room1's computer.
OK, back at office. The only Internet access I have is from the server, which I know is not a good idea, but it is the only way to communicate to EE.
After uploading or making links to Hijack this, is there a way to know which computer you scanned? I am getting a bit confused as to which one I scanned given the overall confusion.
If you take a look at a particular HijackThis logfile it should list the "Platform" at top of log.  Here it may give you a particular computer number.  
If not, i guess it shouldn't take too long to re-scan.
Actually it may be quicker & more beneficial to read, if you used the http://www.ee-stuff.com link and your Experts-Exchange username and password as mentioned earlier.  Thanks.
Confirming that i meant you could upload the whole 'un-analysed' HJT logfile, rather than the link to the log, on http://www.ee-stuff.com link.
Rob Williams:
Hi Bert, Read the posts, you are in quite a pickle are you not.
I think it's too much turkey <G> Sorry...

Though I have connected an un-updated PC directly to the Internet and received the sasser virus in under 2 minutes, I am afraid I am a skeptic that you received a virus due to removing Symantec for a day. You have the best in firewalls and I assume you are not opening mail attachments on the server, not to say you can't get a virus in other ways.

Many of these symptoms sound like a virus or root kit, but all of them at once seems quite unusual, unless someone actually has control of your network through a root kit. A scary thought. As mentioned earlier, virus software will generally not protect you from many root kits. Viruses are not my specialty, so I will pursue other avenues as you appear to be in very good hands. If you do suspect a root kit, and there is a possibility of remote access, I would immediately physically disconnect the business network from the Internet. You have a lot of very confidential information.

On the problematic computer, I know it's an over simplification, but have you rebooted it? The cursor issues could conceivably be fixed by a re-boot.

I was under the impression you only removed Symantec from the server, is that the case?

Removing Symantec can cause a disaster in itself. I have had to rebuild servers that Symantec, admittedly by their IT staff, have destroyed server services. The IP assigned to the PC is interesting (292.268.34.179 ), it's not a legitimate IPV4 IP it's greater than 255. Where you run an SBS domain, I assume you are using DHCP. Check the DHCP scope on the server to see if it has been changed in some way. The other clients DHCP leases may not have expired yet, so if DHCP has been affected, it may not have manifested itself yet.

By the way "GrooveMonitor.exe" and "ONENOTEM.EXE" are Office 2007 services, and possibly 2003, depending on version and options chosen.
PS -QuickMessenger and PopMessenger use Net Send which requires the messenger service be enabled. A known security risk.
-Too many music-related apps for a business environment in my opinion. Where do all the music files come from?
-Did you install iTivity on the server? If so OK, but make sure you did it and not a root kit. I ask as there is no need for it on an SBS.
Let's see. And, thanks Rob.

First, a bit of information. I ran Blacklight and it found nothing. I ran RegCure, and it seems like any registry cleaner. It found a bunch of things but not sure what it means. I had no AV on any computer for a bit.

I also ran RootkitRevealer by Sysinternals and it found over 400 discrepancies. I realize messenger service is a risk. But, QM is the only one that works. I guess I could use one other that doesn't use messenger service.

I will try rebooting. Many PCs can't see each other. Many PCs have the right IPs and DNS, etc. as does the server.

Someone may have tons of information, but even though that would be a HIPAA violation, hey, I tried to stay secure. I can't help that. Little Johnny had strep throat. Oh well.

The major problem is the Internet access. It is the classic Catch 22. The server is the only computer which has Internet access capability, and if I disconnect the network from the outside world, then I have no help from the experts.

iTivity is a program whereby Medware can add updates to the Medware program. Kind of like the other 3rd party LogMeIn remote type things.
The IP address in the address pool are all normal. Would the Windows Firewall have detected things trying to leave the PC?
RootkitRevealer is very good but it takes a lot of time to determine what each process is. May be your best bet though. However, interesting that nothing has really turned up any evidence of a virus or rootkit so far. Rootkits are very scary, and can be hard to detect. The other thing with rootkits is they are very easy to create. I am surprised they are not more prevalent.

>>"I can't help that. Little Johnny had strep throat. Oh well"
Do you accept credit card payments?

>>"classic Catch 22..."
Can you attach a laptop to the router or just one PC and remove the risk from all others?

>>"Many PCs can't see each other..."
Have you checked the DHCP scope on the server to see if it has been changed?
Sorry missed last post.
If the Windows firewall was enabled on all PCs, hopefully it would have helped protect against the spread of any infection. One of the main reasons for having it.

One concern with rootkits is they can quite easily do key logging and remote control. The services they use may be allowed by the firewall. For example RDP is enabled on your network. Once access is gained and passwords collected the controller could then use that information to access other PCs. This is possible, but not common.
We do accept credit card payments, but I don't think they are kept in billing. We just post the 20.00 copay, but not the credit card.
Btw, I uploaded the Hijackthis log, but I am not confident it went for whatever reasons.
Hopefully helpful information. I ran Blacklight and Sophos Rootkit finder or whatever on Room1. Neither found anything. Still couldn't get to the Internet. I can't recall, which is bad, but I think at the time IP address was normal. Scope still showed 1.24 in the address leases. DHCP enabled. The server's card is set up correctly as far as IP and DNS, etc.

I rebooted Room1, and its IP address now is 169.254.114.38 with a subnet of 255.255.0.0 and no gateway. Still 192.168.1.24 on the server.
SOLUTION: members-only content, not shown on this page.
Thanks reference Blacklight and Sophos!  
For no internet access you may wish to try IEFix.  It's a repair utility that repairs IE 6 by registering its core DLL files, & more ..
http://windowsxp.mvps.org/IEFIX.htm
https://filedb.experts-exchange.com/incoming/ee-stuff/5793-hijackthis.txt

This is the direct link to the file. The problem was (for a newbie like me -- well, I am not that bad, I did configure a Cisco PIX twice, lol). The problem was it won't take a .log extension. Had to be .txt.

I will check out the link above. I can't believe how long you are helping. I appreciate it tremendously.

I have thought a lot about reformatting. If I could just prove that my server wasn't infected, that would be huge, although ironic. Is it possible a rootkit got in, changed some things and then left, or do rootkit revealers miss some?
Your log analysis >
http://www.hijackthis.de/logfiles/b34587a5772e16ea137bb1978290bb89.html
HJT analysis taking forever, because the "autoanalysis" does not 'recognise' about 25 of the entries!!   There are a number of "These are unknown process'" listed.  
Continuing to work through them manually, & it's slow going!
For example, do you recognise this one pls?>>
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YVXSE.exe

> do rootkit revealers miss some?<
Conceivable i guess, but we get good reports.  
An expert in the HijackThis TA could no doubt tell you more  :)
>>"I rebooted Room1, and its IP address now is 169.254.114.38 with a subnet of 255.255.0.0 and no gateway. Still 192.168.1.24 on the server."

169.254.x.x is APIPA addressing which is assigned automatically by the workstation itself when it cannot find a DHCP server. Either there is a physical break between it and the server, something has corrupted the Network adapter drivers, a bad network adapter or the server's DHCP is not working.

You mentioned "Scope still showed 1.24 in the address leases". First click on the DHCP server name in the DHCP management console.
1) Is there a colored icon or dot on the DHCP server? Should be green dot. Anything else let us know.
2) Click on scope to expand it, click on address pool. In the right hand window is the address pool correct? i.e. your subnet?
3) I assume DHCP for the LAN is disabled on the Cisco?? It should be.
Analysis on the HJT log grinding to a halt, even google does not recognise several of the exe entries!  
Suggest i backoff for a period while you follow Rob's suggestions.  
Monitoring ..
YVXSE is not recognizable. I browsed to it, and it is a skull and crossbones. I didn't click on it.

Rob, there is a green arrow which looks like a dot, but is clearly an arrow on the DHCP icon.

The IP address pools are what they should be. Am I supposed to see a subnet number like 255.255...?

This basically all started when Room1's webpage would return to the home page if a cursor was placed in any field. And, the backspace key would make the cursor move over the last letter, or it would do it anyway. All other computers have been normal.

Can a computer get out to the Internet if it can't see the server? I mean each network card has a default gateway along with a DNS pointing to the server's IP.

Jonvee. Don't back off please! Unless you have to. Where are all the HJT experts? Not that you haven't been great.
Rob, No I am not running DHCP on the Cisco.
Just trying to give as much info as possible. Rebooted office computer. Many times it can't restart due to a program's not closing, and you will get that window/screen which tells you that you can close it. I wasn't able to read the entire thing, because it went into reboot mode, but one said, I couldn't close it "Due to a Windows Form Parking Issue." I have never seen that one before.

The other said, "WMS notification issue..." or something to that effect.
Analysed log >>
http://www.hijackthis.de/logfiles/b34587a5772e16ea137bb1978290bb89.html
A quick read showed little change, still several 'unknowns'!

>YVXSE is not recognizeable <
Bert, when you have time i suggest above entry and any other that you *do not recognise*, be Fixed by HijackThis.  From the log your HJT program is located in its own (safe) folder, and a backup of anything you Fix can be restored if it was accidentally deleted, for example.

Here it's nearing the midnight hour again .. will drop by early tomorrow!  
For now, good luck.
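As an added example (not code from any participant in this thread): the manual triage Jonvee describes, applied by a small Python script to HijackThis-style O4 (autorun) and O2 (BHO) lines. The sample lines are constructed; the (no file) BHO, ONENOTEM.EXE, Mirra.Client.exe and the Temp-folder YVXSE.exe entries are modelled on items quoted earlier, while the GrooveMonitor path and the "UnknownSvc" entry are made up. The allow-list of recognised programs and the O4/O2 line formats are assumptions. The rule set is the one a defender would apply: an autorun from a Temp folder or an orphaned "(no file)" entry is safe to fix, a recognised program is left alone, and anything else is confirmed with the machine's owner before it is touched.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style sample (not a real log from the thread).
# The GrooveMonitor path and the UnknownSvc entry are made up for illustration.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" /reboot
O4 - HKLM\..\Run: [Mirra] C:\Program Files\Mirra\Mirra.Client.exe
O4 - HKLM\..\Run: [UnknownSvc] C:\Program Files\Unknown Vendor\svc.exe
O4 - HKCU\..\Run: [YVXSE] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YVXSE.exe
O4 - HKCU\..\Run: [OneNote] C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')

# Programs the thread identified as legitimate (assumed allow-list; extend per site).
KNOWN_GOOD = {"groovemonitor.exe", "onenotem.exe", "mirra.client.exe"}
# Folders from which a persistent autorun entry is almost never legitimate.
TEMP_PARTS = {"temp", "temporary internet files"}


def command_path(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    m = re.match(r'"?(?P<path>.*?\.exe)"?', cmd.strip(), re.IGNORECASE)
    return m["path"] if m else cmd.strip()


def in_temp_dir(path):
    """True if any directory component of the path is a Temp folder."""
    return any(part.lower() in TEMP_PARTS for part in PureWindowsPath(path).parts[:-1])


def triage(log_text):
    """Return [(entry_name, path, verdict), ...] for the O4 and O2 lines of a log."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = command_path(m["cmd"])
            exe = PureWindowsPath(path).name.lower()
            if in_temp_dir(path):
                verdict = "fix: autorun launched from a Temp folder"
            elif exe in KNOWN_GOOD:
                verdict = "ok: recognised program"
            else:
                verdict = "unknown: confirm with the machine's owner before fixing"
            findings.append((m["name"], path, verdict))
            continue
        m = O2_RE.match(line)
        if m:
            if m["path"].strip().lower() == "(no file)":
                verdict = "fix: orphaned BHO, no file on disk"
            else:
                verdict = "unknown: confirm before fixing"
            findings.append((m["name"], m["path"].strip(), verdict))
    return findings


if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:55} {name:15} {path}")
```

The script only classifies; it never deletes anything, which matches the advice above to let HijackThis do the Fix from its own folder so the backup can be restored.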
YVXSE is in your temporary files is it not? May be part of Sysinternals install. Should delete all temp files anyway (need to enable "Show Hidden Files and Folders" (& un-hide protected system files on Vista):
C:\Windows\Temp\
C:\Documents and settings (Users if Vista)\User Name\Local settings\Temp
C:\Documents and settings (Users if Vista)\User Name\Local settings\Temporary Internet Files

>>"green arrow which looks like a dot"
Just checked you are right, my eyes are not what they once were. At least it's not yellow or Red, that's the main thing. Sounds like scope is OK. I was worried something changed the scope, giving the client an odd address and lost network connectivity.

>>""Due to a Windows Form Parking Issue." "
Any HP software installed?
WMS for the record is usually Windows Media Service or windows Messaging service.

>>"Can a computer get out to the Internet if it can't see the server. "
Depends on how the network is configured. If the SBS uses 2 NIC and it is the gateway for the clients, then no. If the Cisco is the gateway, yes, but the SBS is the DNS server so they will be able to access and ping by IP but not FQDN.

Try restarting the PC in "Safe Mode with Networking"
Also the results of both of the following may be helpful (from the PC that cannot connect to the server/Internet):
ipconfig  /all
route print
Using all XP Pro. Good call on the HP although we don't have an all-in-one and couldn't see it in Startup on msconfig.  None of the PCs can get to the Internet even with static IP address with IP, subnet and gateway of router both with and without DNS of the server's IP. Kind of strange.

Getting closer to reformatting. Yuk! Whole new question.  I will do the ipconfig /all route print
But, I will say something weird: Like all the other stuff isn't, lol. But yesterday when I ran a HJT and looked at the analyzed easy to read for beginners version, there were 5 red X's. Now, there are none.
I take it the results above are with both static and DHCP results?
Even so do you know why you have a 169.254.x.x address in the route print? This contradicts the IPConfig results. Or, were they from different time periods?
Static, DHCP and RP all at the same time.
The only thing is I did reboot at some point. Probably after switching to DHCP. I can't recall.
>>"Static, DHCP and RP all at the same time."
How can you have static and DHCP at the same time?
https://filedb.experts-exchange.com/incoming/ee-stuff/5797-New-IP-config-and-route-print.txt

You can't. I guess I misunderstood your different time periods. I took that to mean hours. What I meant was static, do a ipconfig /all, then do DHCP, do a ipconfig /all and then route print. All within two minutes. But the new one shows an IP address with a 255.255.0.0 subnet given by the PC, I guess.
The 169.254.x.x address it is receiving would indicate that the DHCP client service is working on the PC, but it cannot contact the server for the DHCP address. Something is blocking it. It could be a virus has caused problems, but I would tend to look more to a bad connection, cable, or router. Is the network adapter light on? If so, try rebooting the router. If that doesn't work, do you have a spare switch or hub around? Try connecting the PC and server to the other hub and see if it can get a proper address from the server.
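As an added example, not code from anyone in this thread: a Python script that parses Windows XP-style `ipconfig /all` output and applies the checks Rob describes above and earlier (a 169.254.x.x APIPA address means the DHCP client ran but no offer reached it; an address such as 292.268.34.179 cannot be a valid IPv4 address at all; a missing default gateway means the host cannot leave its subnet; an address outside the expected LAN is suspect). The sample output is constructed, the adapter names are made up, and the expected LAN 192.168.1.0/24 is an assumption taken from the addresses quoted in the thread.

```python
import re
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")

# One "Key . . . : value" line of ipconfig /all output (dots are padding).
KV_RE = re.compile(r'^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(?P<val>.*?)\s*$')
# Section header such as "Ethernet adapter Local Area Connection:".
ADAPTER_RE = re.compile(r'^(?P<name>\S.*adapter .*):\s*$')

# Constructed sample: three adapters showing the three situations from the thread.
SAMPLE_IPCONFIG = r"""
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ROOM1

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example NIC (constructed)
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.114.38
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.24

Ethernet adapter Office:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.31
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.24
        DNS Servers . . . . . . . . . . . : 192.168.1.24

Ethernet adapter Room2:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 292.268.34.179
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} from XP-style 'ipconfig /all' output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m["name"], {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m["key"]] = m["val"]
    return adapters


def diagnose(fields, lan):
    """Return a list of findings for one adapter; lan is the expected IPv4 network."""
    findings = []
    # XP reports an APIPA address under a separate field name.
    addr_text = fields.get("IP Address") or fields.get("Autoconfiguration IP Address") or ""
    if not addr_text:
        return ["no IPv4 address bound to this adapter"]
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return [f"{addr_text} is not a valid IPv4 address: no DHCP server hands that out, "
                "suspect a corrupt client configuration"]
    if addr in APIPA:
        findings.append("APIPA address: DHCP client ran but no DHCP offer reached it "
                        "(check cable/switch, NIC driver, and the server's DHCP service)")
    elif addr not in lan:
        findings.append(f"{addr} is outside the expected LAN {lan}")
    if not fields.get("Default Gateway"):
        findings.append("no default gateway: traffic cannot leave the local subnet")
    return findings or ["looks healthy"]


def diagnose_all(text, lan="192.168.1.0/24"):
    """Diagnose every adapter in an ipconfig /all dump."""
    net = ipaddress.ip_network(lan)
    return {name: diagnose(fields, net) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for adapter, findings in diagnose_all(SAMPLE_IPCONFIG).items():
        print(adapter)
        for f in findings:
            print("   -", f)
```

Run it against a saved `ipconfig /all > out.txt` from the affected workstation; it separates "the client never got an offer" (APIPA, a cabling, switch, driver or server-side DHCP problem) from "the client got something impossible" (an invalid address, pointing at a corrupt or tampered configuration), which are different troubleshooting paths.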
OK...installed new driver for NIC card. Light is on. All cables are the same. Rebooted modem, firewall/router and switch. Still could not see the server.

Tried getting out to the Internet from other PC (Office). Realized I would probably need my ISP's DNS. I guess I was right. With a static IP, subnet mask ending with 0, a default gateway of the private side of the PIX and the ISP's first DNS, I got right out to Yahoo.

That's the good news. The bad news deserves its own comment:
I decided to reboot the server to see if DHCP would start.

I got the message:

PXE-E51: No DHCP or ProxyDHCP offers were received.

PXE-MOF: Exiting HP PXE ROM.
Operating System not found

Now, I'm not even close to the smartest computer person, but I think that is bad.
Did you try static IP and DNS on the computer that could not connect to the Internet? The problem one?

>>"PXE-E51: No DHCP or ProxyDHCP offers were received."
That is normal. You probably don't have a PXE DHCP server. That is different from the DHCP server you are familiar with. It's for booting from a network to automatically start a Windows install. Usually only on big networks.

>>Operating System not found"
Now that is not good. I take it it did not boot??
What do you have for drives? SCSI, SATA, IDE ?
Are they in a hardware or software Raid configuration?
You haven't looked at the Event logs lately have you, and noticed any Disk errors in the System log? The SBS daily e-mailed reports should also show if there are any.
No, it doesn't boot. Harddrives are SATA and set up in a RAID5 with a hardware (HP Array E200i) card. Looked at event logs yesterday. Nothing there.

I don't think a hard drive crashed. My take is some virus has done all this. Maybe in a boot sector, who knows?
You should be able to boot the raid controller and verify that all disks are present and healthy. Being RAID5 you would have to have 2 dead to cause a problem, in theory.

Still skeptical all these issues are related to a typical virus, too many different issues.  A rootkit with someone with remote access possibly, but that is not very common. But what do I know, I'm more a network guy.

I am "out-a-here" for the night but will check back tomorrow.
K, thanks.
OK, how much stupider can I get. I guess I need to go home and cry in my beer at this point. Yes, I booted to my RAID, and the entire configuration was OK. I kept watching it go to No Operating System was found. I decided to look at my boot options and a screen came up which gave me the options of booting from 1. CD 2. Removable devices, 3. Hard drives and 4. Floppy disk. Then it hit me. I had been moving the utility programs (HJT, etc) to computers using my USB thumb drive. So, it was trying to boot from it. (I guess I forgot to put an SBS 2003 OS on it, lol). So, I took it out and voilà, it booted right up.

I could have ended up having to completely redo my server, although I may have to anyway.
OK, so here is the question:

Basically, the computer in room1 had those weird things happening. The cursor in a username field or a field for the name of a medication would cause the web page to click right back to the home page. The cursor in the EMR would automatically move back OVER one letter. And, then the giant log on screen. The task manager was nowhere to be found on my office computer for about five hours, then it reappeared. Now, the computers aren't seeing each other. If you click on Windows Network on the server and get to the Riverviewpediat icon and click there where you should see all of the PCs, you only see the server. All computers can get to the Internet with fixed IPs and an ISP DNS. But, they cannot receive DHCP.

We have not truly been able to discover a virus using HJT or Comfix or whatever that is nor with a few other tools. No definite evidence.

So, based on this, do I reformat the server and all seven workstations? Do I reformat room1 and the server? Or is there a different answer? I am pressed for time, because everything needs to be ready for Monday morning. And, I think doing all that will take all day.
Another thought. This all happened when I uninstalled Symantec and installed Trend Micro the following day. Given that Symantec seems to cause problems no matter what is done with it, could I have caused a problem with the uninstall? It was uninstalled from the clients as well.
A couple of thoughts for you.  Could the computer in room 1 have a keyboard with a "sticky" control key?  It sounds stupid but I have seen weird stuff when a control key gets partially stuck down.  Suddenly when you are pressing s you are getting control-s...etc.

Also, have you tried giving the computer a static IP address.  If you are not able to communicate with a static ip address you probably have a bad hub.  Try power cycling the hub.
Late night for you Bert !

>>"So, based on this, do I reformat the server and all seven workstations?"
Highly unlikely. It's a network error.
When you installed Trend Micro, which version did you install? They have a version that includes a software firewall. This will definitely block access to the server. Un-install from the server if necessary, might be a good idea anyway.

As Joediggity2 just mentioned, and as I did at 10:30 last night; have you tried replacing the router with any old hub or switch? You could also enable DHCP on the Cisco or another router to see if the clients get a DHCP address, but I wouldn't waste time on that, I'm doubtful all 7 have damaged DHCP client service.
Another thought, if you have +4 workstations/servers you must have a switch in place. Common for them to act up. Try getting rid of it and connect the server and a couple of PC's directly to the Cisco.

You may also have remnants of Symantec causing problems. This is one of the main curses of Symantec. They make dozens of tools and have instructions on how to get rid of it all. "Sometimes" they work <G>.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648
OK, thanks everyone. I am headed in to start again.

The reason I am hesitant to do anything with the switch (which I did reboot last night) is that it costs $1,000. I would hate to replace it. Why $1,000? I 'll explain later.
You are just going to temporarily replace it as a test. There is no risk of harm.

If a $1000 switch (I assume not router) it must be manageable. You haven't changed the configuration have you?
Rob,

It is manageable, yes. I haven't changed the configuration, not that I recall lately. When it is on, btw, some lights are amber and some green.

I need everyone's opinion, if possible. Given all this, what is the likelihood there are actually no viruses? I agree it's a network problem and will troubleshoot as above, but could it be a network problem from viruses on the server? I do have hundreds of backups where I could restore Drive C, the OS. Of course, that makes me a bit nervous if I could fix it otherwise.

I know viruses can spread within the network. Do these rootkit viruses spread compared to worms, etc.? Or do they just hide whatever malware they have? I guess I could always go peer-to-peer until figured out. Off to Dunkin' Donuts and the office for more fun!

Thanks, thanks, thanks for the help.
>>"When it is on, btw, some lights are amber and some green."
You would have to look at the display or read the manual, but it usually means 100mbps connection for green and 10mbps for orange. It can also be 1/2 and full duplex, or even problems.

Anything is possible with a virus, but disabling networking would disable the virus from spreading, which is rather counter productive from the hacker's point of view.

Personally I am still very skeptical it is a virus or at least that the major issues are virus related.
I suspect the main issue is the server's LAN card. All PC's can connect to the Internet so chances are that the switch is working. However, removing Symantec, or more likely adding Trend Micro "broke" something.

I would run the CEICW
If that doesn't help, remove Trend Micro from the server,
If that doesn't work run CEICW again.
Also double check the NIC in device manager and if enabled, firewall exceptions.
I wouldn't un-install the NIC unless you get guidance from Jeff....this is SBS.
I'm scared of Jeff, he will be very disappointed in me.

Couple of things: I enabled DHCP in Cisco PIX and instantly got IPs, etc. for computers. I can't get Internet access from them, I guess due to DNS again. I installed Trend Micro (without the firewall). It is off. I also installed NOD32. I was trialing them, which is why I was so stupid as to have AV off at times.

I did run CEICW. I will do it again. I will try the Symantec thing. It was late last night, but I could have sworn that I had my office PC static and when I came in it was DHCP enabled. Very weird.

Prior to all this, I was getting 1GB to every computer over the network.

I bought coffee for everyone.
As info:

I ran NoNav to get Symantec off. There are still a couple of folders left: Quarantine with some files and some log files.

Trend Micro's folder on program files has quite a few folders left, like 20. Under PCVSRC which is shared.

How 'bout that save from the USB drive? I thought that was pretty good. Stupid to have it there, but nonetheless. Gotta throw me a bone now and then.
Sorry to keep giving random information.

Symantec has a service in services, but it is off.

Trend Micro has a service that is on.
Regret unavoidably late in logging on ..
Your last HijackThis log still has puzzling entries, but little change from previous log.

Rob made a good point regarding Symantec remnants.  Here's another useful removal tool.  It uninstalls all Norton 2004/2005/2006/2007 products >
"Norton Removal Tool (SymNRT) 2008.0.1.19 ":
http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

You asked our opinion and I would have to say that it does now look like a network problem and yes, possibly originating from Symantec removal.
Rob has made some excellent suggestions!
It is difficult yet to come to any conclusion about a virus/rootkit problem, perhaps only resolved with further scans once network issues have been cleared.
Because of my lack of network experience there's little I can add at this stage other than I'll be here to offer moral support where possible.
You guys are amazing. Yes, Rob does give great suggestions. He is one of the best. I would give the link, but now is not the time, but we spent, what Rob, about two weeks figuring out a PIX issue which turned out to be licenses.

I will try the Symantec thing. Wouldn't it be something if the virus thing was simply a red herring. I certainly hope so. And, don't worry about coming on late. What do you and Rob do all day that you can help so much?
>>"I bought coffee for everyone."
Can you drop it off? <G>

Don't forget after running CEICW you will need to disable DHCP on the Cisco, in order to test. Also when SBS sees the other DHCP server it will/should shut down the DHCP server service on the SBS, so you will have to restart that.

I don't know all the Symantec tools. Is NoNav compatible with your version of Symantec? Don't use the wrong one. You probably should do the manual removal as well, outlined in the link I provided. I mentioned I had a 2003 server that Symantec themselves couldn't remove it all.

>>"How 'bout that save from the USB drive?"
That is why from time to time you should leave the site for 20 minutes. You spot those things instantly when you come back. I have done it too, but haven't seen that issue on a server. Laptops yes. May be how the BIOS is configured. I don't allow boot from USB. Saves problems and adds a tiny bit of security.

Jonvee, don't discredit your virus removal suggestions. That would have been my first assumption with the cursor issues on the PC. Just at some point there were too many oddities for a single virus. Not to say it's not still a possibility. Virus detection and removal is definitely not my strong point. I always like to look at things, even viruses, as what were they trying to achieve. Didn't seem to be a purpose.

I am painting this afternoon, but I will be around and check periodically.
I have my problems too. One of my dogs cut her tail somehow, and spent 3 hours unattended wagging it through the house. It looks like a CSI crime scene. At least I don't have a Monday AM deadline.
>>"What do you and Rob do all day that you can help so much?"
Not much! Pretty sad isn't it.
Any issue with Trend Micro's service being on even though it is uninstalled, plus many, many folders and files in its folder which is still left on the server?
Right now, there is no DHCP under computer management where it was green arrow last night. Can't run CEICW due to no DHCP. It is stopped on the services, and when I start it, it says it started but then stopped. Sorry about the dog. This is where I can help, but like you with antivirus, I am not a vet.
It's automatic on service. Should I just reboot?
>>"Right now, there is no DHCP under computer management where it was green arrow last night. Can't run CEICW due to no DHCP."
As mentioned, it saw the Cisco DHCP server and shut down the service.
Turn off the DHCP service on the Cisco, manually start the service (right click and choose start) and reboot the client PC's. It will not start while enabled on the Cisco.
Can start DHCP services. Still cannot connect. Should I be able to open Windows Firewall on server. Ipnat.sys is stopping it.
>>"Can start DHCP services. Still cannot connect. "
Try unplugging from the network and see if it will start.
If not right click on the service in services management console and choose properties. Click on the Dependencies tab. DHCP is dependent on 1/2 dozen services. One by one check to see if they are started. Especially "TCP/IP Protocol Driver". If any are not started, start them. If they won't start, check their dependencies.

>>"Should I be able to open Windows Firewall on server. Ipnat.sys is stopping it."
Probably not, especially on SBS. Ipnat.sys is used by RRAS as well as something else. That is an appropriate response if RRAS is enabled, and it seems to be always the case on SBS regardless.
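The dependency walk Rob describes (open the service's Dependencies tab, check each service it depends on, and if one won't start check its dependencies in turn) can be scripted. This is an added example, not code from the thread; it assumes Windows PowerShell 3.0 or later on the server (SBS 2003 would need PowerShell installed), and the service names DHCPServer and DNS are the standard names for the DHCP Server and DNS Server services.

```powershell
# Added example: recursively walk a service's dependency chain and report
# every dependency that is not in the Running state.
# Assumes Windows PowerShell 3.0+; service names are the standard Windows ones.

function Get-StoppedDependencies {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    # Dependency graphs can loop; visit each name once.
    if ($Seen.ContainsKey($ServiceName)) { return }
    $Seen[$ServiceName] = $true

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Some entries on the Dependencies tab are kernel drivers (for example
        # the TCP/IP protocol driver, Tcpip) rather than Win32 services, so
        # Get-Service does not list them. Report the name so it can be checked
        # with "sc query <name>" instead, and stop descending here.
        [pscustomobject]@{
            Name   = $ServiceName
            Status = 'Not a Win32 service (driver?) - check with sc query'
            Depth  = $Depth
        }
        return
    }

    if ($svc.Status -ne 'Running') {
        [pscustomobject]@{
            Name   = $svc.ServiceName
            Status = $svc.Status
            Depth  = $Depth
        }
    }

    # ServicesDependedOn is the same list shown on the Dependencies tab.
    foreach ($dep in $svc.ServicesDependedOn) {
        Get-StoppedDependencies -ServiceName $dep.ServiceName `
                                -Depth ($Depth + 1) -Seen $Seen
    }
}

# DHCP Server and DNS Server, the two services that would not stay up in
# this thread. An empty result means every dependency is Running.
foreach ($root in 'DHCPServer', 'DNS') {
    Write-Host "Dependency check for $root"
    Get-StoppedDependencies -ServiceName $root | Format-Table -AutoSize
}
```

Anything listed at a deeper Depth is a dependency of the entry above it, so the deepest stopped item is the one to start first.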
Sorry, wasn't clear. I can start DHCP. I can not connect to the clients.

There is no TCP/IP Protocol Driver
Trend Micro has a service running.
I use Symantec (or did use) 10.1.
Wonder if I should reinstall it before uninstalling it or reinstall it and see if DHCP works correctly.

Remember, DHCP is running now although it is dependent on TCP/IP Protocol Driver which is not even present in the services.
>>"Wonder if I should reinstall it before un-installing it or reinstall it and see if DHCP works correctly."
Install which app? Re-installing and un-installing is sometimes a fix, but the less you have to "mess" with Symantec the better.

>>"There is no TCP/IP Protocol Driver"
Just noticed that service doesn't exist, but on 3 SBS servers it is present as a dependency. Interesting. I guess that list may include more than just services.
Is there 1 NIC or 2 on your server? If one and you have Internet access, TCP/IP is fine, but if two, make sure TCP/IP protocol is present on the LAN NIC.

Clients will have to renew their leases by rebooting....with the Cisco DHCP off. Have you done that?
Sorry for the delay. Tried fixing DHCP/DNS thing from error message on System Errors. Lots of error messages and numbers of them. When I typed the command Microsoft suggested, DHCP instantly said it was running, but nothing changed.

I have one NIC card. Rebooted clients. Nothing. Cisco off. DHCP on server on.

By the way, when I removed Symantec on Tuesday no network issues all day. Installed TM on Wednesday night and have been having these issues ever since.

I did have another weird occurrence on Room1. It is possessed.
1 NIC on the server and it communicates with the Internet fine, and the PC's communicate with the Internet fine. That means the network adapters are all working OK. Has to be a software firewall somewhere on all PC's or the server, or a problem with the switch or router, assuming PC's are getting an IP in the same subnet as the server, and all have the correct subnet mask.
Have you been able to try the SBS and 1 PC on a different switch/hub?

A virus would be more apt to kill Internet access than LAN access.
Painting is coming along pretty good. On Schedule anyway. My office is next to my shop so I keep checking e-mail to see how you are making out when I head down to get something.

I'll continue to review, but I noticed the HP network adapter is configured to full duplex. If the switch is not set the same you can lose connectivity. Best to have both auto negotiate, rather than manually set.
It is part of Sysinternals, although I saw it somewhere else. But pretty sure Sysinternals. Isn't Sysinternals generally used to look for rootkits and viruses? Then why have a skull and crossbones on their icon?

PC time is exact due to being set by the navy. Of course, not at the moment, but still the same time.

Not sure how to LAN to IPSec. Is that on server or client?

The network adapter is disabled now. But, at the time it wasn't.
>What do you and Rob do all day that you can help so much?<
Some of us have just spent three hours backpacking around some local hills, it's a regular thing!   Main problem now is to resist falling asleep at the keyboard (yet again)!    <grin>

Here midnight is now approaching, good luck in your race to complete by Monday!

RobWill, thanks for the thoughts !    It's been good reading your comments throughout the last few hours.
Hiking sounds fun. We hike in Acadia. But, now just frazzled trying to figure this out. I just know that when I do an ipconfig /all it says DHCP enabled: No.
>>"DHCP enabled: No."
Where?
Should say that on the server, shouldn't on the workstation.
If it does say it on the workstation, it is because it has a static IP.

Time doesn't matter as long as PC and server are close. The server should adjust. Just pointed it out as your log has above normal NTP errors.

Don't worry about IPSec on the LAN. A couple of things I saw made me think you might have configured it. You would not have done so by mistake. It is a way of securing local traffic so that an employee cannot sniff local LAN traffic. Since we have moved from hubs to switches, it's not as big an issue. Reduces performance too.

What about the GIG adapter being set to full duplex, have you checked that out.
Have you tried another switch.

Nice "talking" with you Jonvee. Hope all is well on your side of the "pond". I'm in Nova Scotia, Canada.
Sorry, Rob, I missed one of your answers.

All of the workstations have the Windows Firewall on by default, although they used to be greyed out and now they are not. When I disabled it for a bit, it didn't make a difference. I tried a Linksys 4 port switch and connected the server to port 32 and my computer to port 3. They couldn't see each other. Server did not give DHCP.

Is there a firewall besides the one on the service with the ICS on the server?
>>" tried a Linksys 4 port switch "
Good. It was a switch and not a router was it? I didn't know they had a 4 port switch.

>>"Is there a firewall besides the one on the service with the ICS on the server?"
Basic NAT one in RRAS, that is why I was suggesting turning it off temporarily.

Yeah, the Linksys has an uplink and four ports. Very tiny, very cute.

When I looked through the services, I saw one that caught my eye. But, of course, to IT people, it will be normal.

I tried to start the DNS server and it said it couldn't due to a 1222 error. The network is not present.
122 error for DNS, odd.

DNS is not started and you cannot start it?
Should be able to do that connected or not connected.
It too has a dependency of TCP/IP Protocol driver.

Wonder if your NIC driver is corrupt.
I wouldn't un-install but try updating the driver in device manager. (right click on the NIC and choose "update driver"). Windows should be able to provide a driver for that NIC. Allow it to check the Internet.
I actually tried earlier and wasn't very successful getting the exact driver. I will try now again.

By the way, R-K (in a PAQ earlier) told someone he never puts AV on servers. I am confused now. Maybe he doesn't use Internet on it?
>>"R-K (in a PAQ earlier) told someone he never puts AV on servers. I am confused now. Maybe he doesn't use Internet on it?"
However, there are doctors that refuse to prescribe drugs too. <G>
I would consider that if the server was not a mail server, did not have Internet access, and was primarily a file or SQL server which may affect performance by continuously scanning files.
That is further support that 1 day without anti-virus software is not the end of the world......assuming you have a good firewall.
Couple of things. As usual, finding a simple NIC driver for HP is more difficult than it should be. I do have another card, maybe I should just throw it in. Why would a NIC card reach the Internet but not other hardware?

Don't yell at me, but when I went to the DHCP, window I deleted the DHCP and Added a new server which was basically just the DHCP with new scopes etc. That was just now. But, when I went to add or authorize a server, it gave me two choices: 192.168.1.100, my server IP address and 127.0.0.1?

I will keep looking.
I fixed it! But, I still have two questions.

>I fixed it!<      Fixed the add or authorising of a server, or fixed the 'whole issue' .. sincerely hope it's the latter?
Hey Jonvee!

I fixed the whole thing. But it's hard to know what did it, although I have an idea.

First, an article said to change a registry setting to make the NIC card's Offload Checksum disabled. I could do it manually anyway, but I made the reg change. That seemed to  help along with a command line that did something, I forgot. It started working then, but then stopped. Tried doing the dnscmd /Config /Enable...something...Probes 0 but it wouldn't work.

I still couldn't turn the DNS server on. Just couldn't see the network. I uninstalled the NIC card, but when I added new hardware, it couldn't find a driver. Even though HP went out of their way to make it impossible to find, I found a driver for it. And, wham....the DNS service started right up. And everything worked.

So, I headed over to Room1. Just bizarre. Possessed. I was trying to download a driver for the NIC card, but it was like a game of cat and mouse. The very instant I would click to the page that had the driver, it would switch back. Click on the link...go to the page...try as fast as I could to move the scroll bar down, but click and back. Over and over again. About thirty times until somehow I managed to click on the driver link. This got me to the page where it would download, but then it clicked back to the home page. Over and over, but finally I dove to the download link and hit it just before the virus or ghost switched back to the home page. Even windows would close. I had to browse to the server to open a folder so I could access a database. But, the moment I tried, the window closed and I was back on the client.

As soon as I installed a new driver, everything was normal. So, could a faulty driver cause those symptoms? And, what would make two drivers become corrupted at the same time? Could it be the uninstall of Symantec on the server and the uninstall of the client NAV? But, that's generally an easy uninstall.

And, I have to ask? I chose the 192.168.1.100 as my authorized server. I have seen the 127.0.0.1 before, but I unauthorized it.

Well, mac and cheese, a beer, and some Ben and Jerry's before getting four hours sleep and seeing patients all day. What a nightmare this has been.

I certainly hope I didn't do all this work only to have viruses screw it all up. I wish I knew they weren't there.

Thanks.

Bert
That's excellent news, so glad you made the deadline, and thanks too for the detailed report!!

On viruses >>I wish I knew they weren't there<
I still feel that the issue was related in some way to 'Symantec', or of course your driver incident, but I guess it wouldn't hurt to 'definition update' & re-scan for virus or Malware, whenever it's practical.

Incidentally (and it really goes without saying), if there are any 'points' for the above work, I am definitely *out of the running*.   You've done great, and Rob deserves '5000' if that were possible!  For me it was just good to come along for the ride with a couple of network hotshots .. thanks  :)

You'll be able to cheer up your patients today, following this earlier achievement!
On the 127.0.0.1 address, that is the loopback address for the computer.  All computers and devices have a 127.0.0.1 address which is used for testing.
Jonvee,

Thanks. And, I thought I would spend more time figuring out the points, lol. I'm sure you'll do fine there. It's always good to learn from Rob. I will try to post a couple more interventions when I am awake.

@Joe, Thanks. Should it be listed as a choice under servers when you go to add one?
Any comment on the probability of removing a CLIENT Norton Antiviral program and issues? It seems less given I have done it often in the past compared with removing one from the server.

Also, if anyone has an idea how a bad driver would cause the issues with room1.

Thanks.
Probably because the network card wasn't up it listed it.  In any event, both addresses identify the server you are working on and therefore should work (no guarantees as I really don't want to bring mine down to test).
Hi all! Sorry left last night for what I thought was 20 minutes and never made it back.

Glad to hear it is working.

Any chance the computer in room 1 has the same NIC as the server? If so it could be related to a Windows update. They are automatically deployed by your SBS 2003 R2 unless you have changed the defaults.
As for the jumping around the screen, can't see how that would be related to a NIC driver, but I have been wrong about driver issues 100 times before. The jumping can be a bad mouse or keyboard, or weak battery if wireless, should it come back.

On the server itself you can choose 127.0.0.1 to point to its own internal DNS, but I don't recommend it, though it is an acceptable MS method. On the PC it won't work as it would be pointing to itself (the loopback adapter as Joe said). DNS needs to be set up in the DNS management console for the 192.168.x.x subnet.

Removing Symantec can always be scary. It's a horrible product these days. However, your problems didn't seem to start until you installed Trend Micro. It may also be unrelated.

As for points, do as you see fit. However, in my opinion Jonvee's suggestions were a critical part of the troubleshooting. Regardless of the outcome.

Watch your event logs for any side effects from re-installing the network adapter, especially DNS.

--Rob
I do need to get better at looking at the event logs. It's frustrating because when I find an error message and Error ID and go to Microsoft, it isn't always there. Then I Google it and get tens of message boards that are horrible compared to EE with stranded questions and flaming and such. EE rocks!

I will look at the battery. Wonder why changing the NIC card driver caused it to work better? I will change the batteries but only after the error comes back.

Should 127.0.0.1 show up as a possibility under the Add DHCP window? I don't think deleting the DHCP and adding it back should help but my friend was pressuring me, and he always does what I say, so I felt bad. What's breaking a server among friends? <G>

And, with Jonvee. What, he spent his entire Thanksgiving weekend reading HJT novels.
Rob, I thought you were mad at me for doing the DHCP thing without your approval. Seriously. Thought that's why I you didn't come back.

Everyone take a look at the upload I sent. It came from a SBS Systems Analyzer suggested by an SBS 2003 MVP on TechNet. Trust me, if you had to pass an interview to move from TechNet to EE, I don't think he/she would have passed. Good info. Not very user friendly, lol.
Not mad at all Bert. Sorry, just had to drive my daughter and got tied up when I got back.

>>"Wonder why changing the NIC card driver caused it to work better? "
Who knows, it's the Windows way <G>. Possible some other system files were updated at the same time by the driver.

>>"Should 127.0.0.1 show up as a possibility under the Add DHCP window?"
Do you mean in the DHCP management console window? If so, no.

Which upload are you referring to?
OK, I know it's not polite to shout, but THIS IS JUST TOO WEIRD!

I am freaking out. There has to be something going on here, or I am just in the middle of a Stephen King novel. This is Bangor by the way.

Everything network-wise is fine. But, get this. And, I will explain it the best I can.

We have the SBS 2003 Server and seven workstations as follows:

Room1  Used by me and generally logged into as a domain administrator (Sorry Rob, maybe I learned my lesson). I am only a user now.
Room2 Used by me only and generally logged into with my account as a domain administrator.
Nurse's station Used by my MA. User account
Checkout Rarely used. If so, generally user account.
Billing Used by biller and a user account
Receptionist Used by receptionist and user account
My Office Obviously, used by me and domain account

Again, I just changed to user. Everyone should know that any and all computers are logged into by me at some time or another.

The ones we had trouble with were Room1 and the server. Maybe mine, but I can't recall.

Ok, so over the weekend, we basically fixed things. So, here is what is going on today.

Each computer has a client version of AmazingCharts, an electronic medical record which accesses its main Access database on the server. This was the application where the cursor was moving backwards and the templates were entering automatically to a degree; see above on initial question. This was the computer with the browser problems and windows clicking back to the previous window.

Anyway, on all computers except Office, Room1 and Server, things are fine. If you go to the one person's chart and open up the list of medications; you can click on each medication, and it will give how many days ago it was prescribed. So, like:

Amoxicillin 8 days
Fluoride 350 days
Bactroban 270 days

You can click on any medication and it is correct. On all computers except the above three, any patient's data is correct.

Now, in the Office, Room1 and Server computer, if you bring up the same patient, you get:

Bactroban  minus 1370 days
Fluoride 975 days
Amoxicillin 475 days
The other meds in the same chart were correct. Bear in mind, this patient is only 375 days old.

I get the same weird numbers on those three possessed machines. I looked in the actual Access database, and the dates are correct. The dates on the computer are correct and, remember, there are other medications in the same chart which are normal dates. And, we didn't mess with room2.

This is bizarre, is it not?
Sounds like database corruption of some sort.
When accessing Amazing Charts do you have different user names within the program? i.e could this be related to the choice of AC user name or MS user name rather than PC.
@Rob, I will look at around 5:30 PM my time. Can't do it now. I hope. Yes different logins for both.

@Joe, I thought of that and looked. I can look deeper. The reason that is hard to believe is because one medication will be normal and another abnormal. Plus a negative sign is strange.

It is happening on every patient now. Plus the other problems are coming back. The clicking back. Time came up because of Combofix or whatever which changes time to military time.

The odd thing is that everything is happening at once. Of course, I guess that could still be due to Symantec.

I bought some decent stand alone AVGs and running those on clients. Trend Micro scanned server. Nothing. I hate those rootkits. Then you never know.
I don't think your database issues would be related in anyway to Symantec or TrendMicro.

By the way, AVG is great on the workstations, but if you buy a server/client solution you set it up on the server and it automatically installs on the clients, manages updates, and does complete network reporting. One of the big advantages is the server software then can detect a network wide out break of a virus before it hits other systems, and alert you.
Yes, I had the Symantec Corporate 10.1 edition. I may have even stayed with it, but it wouldn't update my computer. All the others but not mine. Two Symantec support people couldn't fix it. They were great, though. I couldn't even download updates directly from the Internet site. I had some corrupt update folders. You know what is funny, and I am sure you know this already. But, when they wanted me to get something from their site, they had me Google it. They didn't even give me the URL to their page.

Last night, to get the driver for the NIC, I had to download a 168 MB file to extract. I couldn't just download one driver. Maybe it is there, but I couldn't find it.

You would be proud of me. A whole day logged in as a user.
Nothing Symantec does surprises me. Must say though their support tries hard.

HP driver should be:
http://h18007.www1.hp.com/support/files/networking/us/download/27942.html

Good man. You can't get into as much trouble as a user <G>.
Well, not to bore everyone, but I am flabbergasted. Grabbed a database from 10/16/07 (yes I do backups for six weeks at least even if I don't run AV). Used that database and same patient and the "bad" PCs would see 1200 days or so, while the good ones would see 34 days. Even with both Room1 and Room2 looking at the same patient at the same time on the same med, room1 would see 1200 while room2 would see 34 days. I then took that database and put it directly on room2. Perfect. Put the same database on room1 and saw 1200 days. Remember (if you care, lol) that room1 and my computer and the server see the same wrong number and all the time. It's not as if they see random wrong numbers.

So, if this were a virus so that I am reading information wrong, would data from the room1 PC be bad? Any ideas. Again, just leaning away or toward viruses would help. I could easily and within a couple of hours reformat room1. But, I really don't want to reformat my PC and the server.
If the data is wrong when read from a bad PC when on the server, and correct when read from the same PC, it's not a virus.

What do you get for time when you run at a command prompt on computer 1:
Time /T
Date /D
Net Time \ServerName
Do they agree, both in value and format? Though I can't see a fixed difference in the numbers.
A couple of thoughts:
1) Are all workstations running the same version of Amazing charts?
2) Have all workstations been updated with the same virus software and old removed
3) From the Amazing Charts web site, where you have been playing with different AV software:
Be sure your anti-virus software (e.g., Norton, McAfee, AOL popup blocker) is off during installation, and that once installed, Amazing Charts is an allowed program listed in the antivirus/firewall configuration file.
4) Do all PCs have the same DST updates installed
5) Have you contacted AC support?

Are we still on topic? <G>
Virus => Network => Database software
I will do these. Hang in there. Would someone just shoot me. Here I am dead tired, and I decide to change my server IP address. No, I don't know why. After realizing it would take changing everything in the router, I just left it. Then, I did exclusion ranges and DHCP scopes. Should be easy, should it not?

OK, so let me check.
>>"I decide to change my server IP address."
Are you trying hard to break that SBS <G>.
Time was correct. >Date /D kept giving the error message:

The system cannot accept the date entered (mm-dd-yy)

I tried changing it in Control Panel (Regional options), but it still shows a date "balloon" of yyyy-mm-dd. Or do you change it in the BIOS?

I don't know what the Net Time \Server said.
Whoops, sorry should be Date /T

>>"I don't know what the Net Time \Server said."
You need that; the point is to compare.

By same format I meant 12 and 24 hour clock but it shouldn't matter anyway.
I think he meant date /t
Yes, all the same version.
Same antivirus software.  I don't see any Symantec remnants on any of them.
I am using AVG currently. I haven't installed any Amazing Charts in a while. Well, since the latest version.
I will look at putting it in firewall.
What are DST updates? The regular Microsoft updates? Yes.
I pretty much am AC support. Almost 800 posts on the boards. AC support is not very good. But, I don't think it's an AC issue. Well, not until a week ago or so.

On topic? Well, I can always end this one and start another.

But, rather than Virus -> Network -> Database software, it is more like

Computer acting weird -> Computer acting weirder.

I don't think this is a database issue. It just happens to be the latest in what has become bizarre circumstances. Let me give you an example.

When I get an email that I have a new comment, I click on the link which takes me to the question. It immediately clicks shut. I then open it from the desktop, open the question, then print out the entire question. I can't get to the one comment and copy and paste it fast enough before it clicks back to the home page. Not the list of open questions but all the way back to where it first opened up.

Then I have to type my answer in notepad, copy it and then try to paste it in as fast as possible. Maybe I get it in after two or three tries. Of course, I could use a different PC. That would make sense. <G>
Time for bed, I'm making too many mistakes:
Net Time \\ServerName
                ^
I agree. I only got 3 1/2 hours last night and had my busiest day yet. I will try the command. Tomorrow, when I am rested (I hope), I will close this question and award points. If it continues, I will just have to start a new question. It is bizarre.
More and more things happening on room1. Getting ready to reformat. It is almost unusable. Can't even highlight words or a sentence and delete it with the delete key or with backspace. It just basically laughs at me, i.e. doesn't do anything.

There are over 100 comments, so I am not even sure if I picked the right ones. They all kind of helped by putting them together.

By the way, after deleting and redoing my DHCP, I excluded the range where my static IPs (printers, etc.) were. But, then I read about making static IP ranges or scopes. Do you need to do that?

If you can't answer, that's OK. <G> It's kind of related.
DHCP is just that, dynamic not static, so the scope you create is for DHCP addresses. Traditionally you set a range for your scope like 192.168.100.101 to 192.168.100.150, but another method, which is the SBS default, is to make the entire subnet DHCP such as 192.168.100.1 to 192.168.100.254 and then create exclusions for known static IPs such as the server (very critical) and other devices like routers and printers.

By the way a scope includes the range (correctly named the address pool), scope options (router, DNS, WINS, etc), exclusions, and Reservations.

The problem with static addresses is you have to maintain a list of them. An alternative is the last option above, reservations. You can reserve an IP for a specific device such as a printer by creating a reservation which assures the DHCP server will always assign that IP to that MAC address. This is very useful in that you can centrally make changes very easily (allowing for lease expiries), and the DHCP management console maintains a dynamic list of reserved (effectively static) IPs. Do not assign your DHCP server an IP in this way.

My preference on the other hand is to maintain certain ranges of IPs for specific types of equipment such as the example below:
x.x.x.1 to x.x.x.19  Servers (I use static for all servers)
x.x.x.20 to x.x.x.49 Printers (I use reservations but can be static)
x.x.x.50 to x.x.x.99 Computers requiring a fixed IP (I use reservations)
x.x.x.100 to x.x.x.199  DHCP address pool
x.x.x.200 to x.x.x.254 Routers and other network devices

Make sure your DHCP doesn't conflict with any statics you have assigned. If they do, create an exception.

Thanks Bert.
Cheers !
--Rob
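A small sanity check for the scope layout Rob describes (whole-subnet pool, exclusions for statics, reservations for DHCP-managed devices, server never a reservation). This is an added example, not code from the thread or from Microsoft's DHCP tooling; the addresses and MAC are constructed.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address


def in_range(ip, start, end):
    """True when ip lies inside the inclusive range start..end."""
    return IPv4(start) <= IPv4(ip) <= IPv4(end)


def audit_scope(pool, exclusions, reservations, statics, server_ip):
    """Return a list of problems with the scope layout (empty if consistent).

    pool         - (first, last) of the DHCP address pool
    exclusions   - list of (first, last) ranges the server must never lease
    reservations - {ip: mac} for DHCP-managed devices with a fixed lease
    statics      - addresses configured by hand on devices
    server_ip    - the DHCP/SBS server's own address
    """
    def excluded(ip):
        return any(in_range(ip, a, b) for a, b in exclusions)

    problems = []
    for ip in statics:
        if in_range(ip, *pool) and not excluded(ip):
            problems.append(f"static {ip} is inside the pool and not excluded")
    if in_range(server_ip, *pool) and not excluded(server_ip):
        problems.append(f"server {server_ip} must be excluded from the pool")
    if server_ip in reservations:
        problems.append(f"server {server_ip} should be static, not a reservation")
    for ip in reservations:
        if ip in statics:
            problems.append(f"{ip} is both reserved and configured statically")
    return problems


# Constructed sample: SBS-style whole-subnet pool with two exclusion ranges.
POOL = ("192.168.100.1", "192.168.100.254")
EXCLUSIONS = [("192.168.100.1", "192.168.100.19"),
              ("192.168.100.200", "192.168.100.254")]
RESERVATIONS = {"192.168.100.21": "00-11-22-33-44-55"}  # printer; MAC is made up
STATICS = ["192.168.100.2", "192.168.100.30", "192.168.100.254"]  # .30 was forgotten
SERVER = "192.168.100.2"

if __name__ == "__main__":
    for problem in audit_scope(POOL, EXCLUSIONS, RESERVATIONS, STATICS, SERVER):
        print(problem)
```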
Thanks for the detailed explanation. Very helpful. I wonder what DHCP scope room1 belongs in? LOL J/K
Just for giggles try hooking a different keyboard up to the computer and see what happens.
Joe,

Hope you don't mind, Joe. You know, at this point I will try anything. I will do just that today and get back to you on the results. Of course, that makes it hard to explain the different number of days on the scripts. I wish I could fly you all in to see this thing. That's the only way to really fathom it. But, then there must be a solution. Wait, if I only had one wish, I doubt I should use it for that. Maybe I would wish that one of you or TechSoEasy lived in Brewer. LOL

There is a thing in medicine called Occam's razor. He was a very famous physician from, I believe, the 1800s. He posited that if a patient had a headache, sore throat and abdominal pain, they probably don't have migraines, mononucleosis -> sore throat, and appendicitis. They probably have one thing that explains all = Strep throat which can give all the above symptoms especially in children.

But, I will try it. I wonder also if it could be a bad NIC card. I mean it works, but a new driver in the server seemed to help with DNS. But, I did replace the driver on Room1.

I'm sorry, the question is probably over so I shouldn't continue.
>There is a thing in medicine called Occam's razor<
You probably already know Bert but it also crops up in Cosmology & elsewhere, but now I'm getting even further off track!

>reading HJT novels<        << That's a good one!  <G>

Anyway, good luck, & thanks (all) for a piece of the cake;  this must be one of the longest threads of all time!
It was a long thread. I am not sure if it was quite as long as

https://www.experts-exchange.com/questions/21680714/Would-a-new-switch-or-switch-configuration-solve-my-problem.html or the other questions linked in this question. There were three or four questions involved and to this day, still my favorite troubleshooting effort on here. And, so much help from the experts including our famous Rob.

The irony of the questions that took around two or three is that combined it was probably around 200 or more comments. While grsteed (Gary) finally solved it, there is a link to an almost exact same PAQ, where it was solved with one answer.

It's actually a great read -- for an IT guy.
OK, guys. We have a solution. Answers at 6PM EST.

Hint: There may not be an Occam's razor. Scary thought, given I have been practicing for over 13 years, and I have always gone by that.
It's now 7:30 EST <G> ??????
Hope it didn't die again.
Oh, that's right. I got caught up with my programmer, Mr. ED.

Well, let's just say I owe joediggityw 500 points. As I had promised him, just for laughs I changed the keyboard, mouse and the USB connector between rooms 1 and 2. Rather than try room 1 first, I decided to try room 2. Well, wouldn't you know, all sorts of weird things started happening there. So, I went to room 1, and perfect. No click backs. No possessed back space key. No viruses except maybe in the keyboard, lol. It was perfect. So, then all we had to figure out besides why the keyboard (or mouse?) did that, was what was up with the dates.

Well, armed with the confidence that I probably did not have a virus, I figured there has to be something different on my computer and room 1's computer with the dates. I happened to look down at AmazingCharts and a patient was highlighted, which means his DOB was just below his name. The date of birth was 2007-08-23. That looked rather odd to me, so I checked out a good computer and the DOB was written as 08-23-2007 for the same patient. So I went to Regional and language settings in control panel, pulled up the date window and did a print screen. I compared this with the settings on the other two computers and, sure enough, the settings were different. I changed the settings and, voilà!, the scripts were perfect. So, I was the first one at the door at Circuit City to buy a new keyboard and mouse, and I labelled the keyboard and mouse from room 1 as possessed and put it in the basement so they were quarantined. I will send them away later for testing. <G>

Now, all I have to find out is why the YVXSE service won't start secondary to its not finding its path (which makes sense since I deleted the file when I thought it was a virus -- it looked like a skull and crossbones and seemed to be part of sysinternals) or if it is even necessary.

And, did this all happen due to the Symantec removal: DNS not starting, NIC card issues and Date issues or was it all coincidence?

By the way, I did go all day yesterday and today as a user, but it is driving me crazy. I must have had at least ten things occur where I needed to be an administrator. I know I can log on as an administrator, but when I have a download on my desktop and can't install it, if I log in as another user which has administrator rights, it will be a different desktop and I won't see the download. Maybe I can browse to it through Documents and Settings. It isn't the type of thing you can do a Run As on. Now, since I didn't have viruses, I will probably get all sloppy again.

But, hey, thanks Rob, and Jonvee and Joediggity. : )

PS Sorry about slipping in a few comments that could be questions.
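The root cause above was two workstations with different regional short-date formats reading the same stored dates. The following is an added example, not code from the thread or from Amazing Charts, showing how one short-date string parses to different dates (and so different day counts) under two patterns, how to detect such ambiguity, and why storing ISO 8601 dates removes it; the sample date and "today" are constructed.

```python
from datetime import date, datetime

# Constructed reference day the "days since" figures are computed against.
TODAY = date(2007, 11, 19)

# Two regional short-date patterns a workstation might be set to.
FORMATS = {
    "mm-dd-yy": "%m-%d-%y",
    "yy-mm-dd": "%y-%m-%d",
}


def parse_with_locale(text: str, fmt_name: str) -> date:
    """Parse a short date the way a machine with that regional setting would."""
    return datetime.strptime(text, FORMATS[fmt_name]).date()


def days_since(text: str, fmt_name: str, today: date = TODAY) -> int:
    """Days between the parsed date and today, as a locale-bound reader sees it."""
    return (today - parse_with_locale(text, fmt_name)).days


def is_ambiguous(text: str) -> bool:
    """True when the string parses validly to different dates under the patterns."""
    parsed = set()
    for name in FORMATS:
        try:
            parsed.add(parse_with_locale(text, name))
        except ValueError:  # e.g. a "month" of 16 under yy-mm-dd
            pass
    return len(parsed) > 1


def to_iso(text: str, fmt_name: str) -> str:
    """Normalise a locale-formatted date to ISO 8601 (YYYY-MM-DD)."""
    return parse_with_locale(text, fmt_name).isoformat()


def days_since_iso(iso_text: str, today: date = TODAY) -> int:
    """Day count from an ISO date, identical on every machine."""
    return (today - date.fromisoformat(iso_text)).days


if __name__ == "__main__":
    record = "05-09-07"  # constructed: written by a mm-dd-yy machine
    for name in FORMATS:
        print(f"{record} read as {name}: {days_since(record, name)} days ago")
    print("ambiguous:", is_ambiguous(record), "-> ISO:", to_iso(record, "mm-dd-yy"))
```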
Interesting. Sounds good and thanks for the update.

What are you doing that requires admin rights that often? I have clients your size that no admin account is used for months at a time. Servers work best when you set them up and leave them alone except for monitoring and updates. SBS R2 will do both for you automatically.
Hi Rob,

No, this is on my computer. I needed to download a program and couldn't. When I tried to click on the clock in the system tray to look at a setting, it wouldn't let me. Yesterday, while troubleshooting something, I needed to make a change to a setting on a NIC card on a static IP address (I use dynamic, but just needed to try something), and it wouldn't let me. Nothing to do with the server.
Ah! Different story. Contrary to all IT recommendations, every user is supposed to be an admin on their workstation, in an SBS network. It will set that by default when you run the connectcomputer wizard. Are you not getting an error at logon that the script could not be run, if you are not an admin?
I know I am stupid for it but even in my larger domain (500+ nodes)  I allow the end user local admin rights on their individual computers...at least until they prove they can't handle the rights.
Well all of the other computers other than mine, have users located in the local administrator group -- just the ones that need access to those computers. (Remember the whole debate over locking and logging off).

My computer, on the other hand, has only Administrator and Domain admins under the Local administrator group. I am not sure why I am not listed as a local admin, which I know you disagree with anyway. Since my user account specifically is not listed, when I am only a user and log in, I do not have any local administrator rights, which is why I get the message when I log on that I cannot install or configure applications in the Client Setup Wizard.

BUT, if I put myself in the local administrator group, even if I logged in as a user only, viruses and such would still be able to have access to areas that only users with admin rights have, correct?

So, either way: having myself listed in the local admin group and logging in as a user only or a domain admin for that matter OR logging in as a domain admin would be just as insecure.

BUT...this sounds like a whole new question. <G>

PS I can't find the website article now, of course, but I read an article by a techie where he talked about a lot of computer network stuff mainly referring to security. He gave many good tips, but ironically at the end talked about logging in with user privileges only but admitted that he simply couldn't.
I have a friend who runs his computer as admin but launches IE and OUTLOOK with a less privileged non-admin account.
And I can kick myself for not thinking of the region settings, that actually got me one time long ago.
Joe,

Thanks. That is a topic of great debate and one I have been a part of quite a bit. I finally did it, because my staff kept getting locked out of their computers. I know they should log off...

I guess the only time you would get in trouble is if the keyboard became infected with a virus. <G> But, it is true that they probably would not be able to change the date and time settings.

Wow. I have a difficult enough time managing seven computers. 500! But, then I am a doctor just playing as an IT admin.
And I am an IT admin just playing doctor for his kids..
"And I am an IT admin just playing doctor for his kids.."

Too funny. And, I probably wish I were an IT admin and vice versa.

If you had remembered the regional thing, you definitely would be owed 500 points.