Solved

Computer acting very weird

Posted on 2007-11-22
159
1,880 Views
Last Modified: 2013-11-22
OK, this is extremely strange, and seems like it could only be explained by a virus. First, my Symantac Antivirus  on my SBS 2003 Standard Edition R2 was due for its annual virus definition subscription and, since I decided I didn't want to use SAV again, I disconnected the Internet access and began installing Trend Micro. Unfortunately, I wan't able to get it completely installed and as our business needs to access the Internet, we were without an antivirus program for 24 hours. (I know, very stupid).

We have seven computers on the domain with one server. The computer in Room 1 began acting very strangely the day after. It is very strange. I have a few sites that require a logon and a password and then I have to type in a medication in order to look it up. The second I put the cursor in the field for the med, the browser would instantly return to the home page. The browser wouldn't close it would just go back to the home page. I would repeat the process and the same thing. It was very reproducible. This was occurring with every single web page like this.

Also, we have an electronic medical record, where you have to enter words or phrases in fields. As soon you entered a phrase like, "Fever for three days, the cursor would instantly move back one space skipping over the last letter. It would basically look like this: Fever for three day|s if you can call the line before the 's" a cursor. If you clicked on the backspace key, it would delete all of the letters to the left, and the last letter which was on the right would follow it. Another thing was if you right click in a window in the program, it will bring up a window with key words where if you left click on them, it enters the data associated with it in the section of the record. Basically, these are templates. But, with this computer, before you could selecton one, it would enter the top on in the list. Finally, if you clicked on visit history, a window will open listing all of the dates and visits. Normally, you highlight one, and the entire visit that was previously written will show up in the page below. But, on this day (yesterday), you could highlight one and it would show the note, but then the blue highlight would randomly move up to another note and put it in.

I assumed this had to be a virus. Trend Micro was installed and received updates and scanned the PC and found nothing. I then uninstalled the client, because I was used to that antivirus and installed a single, standalone AVG virus scanner, updated the definitions and scanned the computer. Nothing.

So, I come in today to check on it, and the Windows XP screensaver, instead of showing a small icon had a giant icon that took up 1/3 of the screen. CTRL - ALT - DELETE brought me to the next window where the logon window was HUGE. Took up the entire page. I logged in and the desktop was fine. I figured my VGA would be set to 600 x 800, but it was OK. I then did the webpage thing and the EMR thing and everything is perfect.

I am completely stumped. I did disconnect that computer from the network. The only other weird thing is on my own computer in my office, Task Manager is gone. You can right-click on the taskbar and click on Task Manager, but it doesn't appear.

I get a little confused at times with viruses, etc. I know it isn't good to leave the network insecure, but I run the network with Symantec for one year, and it would seem like if a virus entered the LAN, at least Symantec would see it and tell me. Or find it in a scan. Why would I get a virus the ONE day I was unprotected. We have a good hardware firewall and Windows firewall. And, the two computers I am worried about are only used by me, and I don't surf strange websites. If a virus doesn't come in by email, how does it get in? Through a website? A person from the outside?

Sorry, this is so long. Just wanted to give you all of the information.
0
Comment
Question by:Bert2005
  • 85
  • 41
  • 19
  • +2
159 Comments
 
LVL 32

Expert Comment

by:and235100
ID: 20335893
Try this: http://windowsxp.mvps.org/Taskmanager_error.htm to re-enable Task Manager.
Otherwise - run sfc /scannow from a command prompt:
http://www.updatexp.com/scannow-sfc.html
0
 
LVL 32

Expert Comment

by:and235100
ID: 20335902
Malware has many points of entry - apart from the internet.
End-users plug in usb keys, install software from burnt CD's/DVD's.
Also - unzipped/unrar'd files can contain dormant malware - not just viruses - but trojans and other nasties - that can easily spread around a network.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20335908
Antivirus software - by definition - is not normally very good at removing non-viral threats.
You require three main sorts of security software - antivirus, anti-spyware and anti-spam on a network.
Software firewall clients also help by stemming the flow of trojans and worms from one computer to another.
Of course - a hardware firewall will help a lot as well.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20336186
and235100,

Thanks for helping out on Thanksgiving. I tried both things in number one answer and learned a lot about copying the I386 folder, but nothing worked.

Do you think that spam or spyware would cause this? I am thinking it wouldn't. I am not sure about Trojans and worms. I will try running an anti-trojan scanner. I believe I have a good one of those.
0
 
LVL 32

Assisted Solution

by:and235100
and235100 earned 50 total points
ID: 20336244
I am English - so the holiday period doesn't affect me. :-)
This isn't a spam issue, whatever the cause.

You could try this: http://www.dougknox.com/xp/utils/xp_emergencyutil.zip
Make a copy of task manager on another computer - then restore it on the problematic computer to C:\Windows\system32
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20336600
and235100,

I have worked on the problem all afternoon. : (  

Still no luck. I will definitely try your tip above. Just as a clarification, and I know my question was extremely long, the Task Manager issue is on my computer in my office and, though it makes me nervous, I am more concerned with the Room 1 computer which seems to be "possessed." I need help trying to troubleshoot why it is happening and, if it is a virus, why I can't seem to detect it with AVG or Trend Micro.

Thanks.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20337738
AVG and Trend Micro will not necessarily detect a rootkit.  Assuming for the moment that you may have a 'nasty', suggest you try Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

The technique is to create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temp folder.
It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.

Run Hijackthis scan, save the log file, then copy and paste the logfile to the site below.  
http://www.hijackthis.de/
Select "Short analysis".  
A list of items for you to scrutinise will appear and if you're familiar with HijackThis you'll know what items to FIX.  If you require advice, copy and post the "link" here. Preferably not the full log, as it can be too lengthy.
 
Alternatively you may select this next link and login using your Experts-Exchange username and password.  Upload your HijackThis report then again post the link to the report to us >
http://www.ee-stuff.com
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20338729
In re-reading your comments ..
>Why would I get a virus the ONE day I was unprotected<

Not wishing to alarm but it's conceivable you could acquire a 'nasty' within less than one minute of accessing the internet, *unprotected*.  With a good s/w and h/w firewall it's still possible, but it's a situation we should be able to quickly check for.
 
Please note that neither will HijackThis necessarily detect a rootkit  (rootkit yet to be established!), but at least it can provide us with the information to choose the appropriate tool to remove a rootkit, or whatever other nasty it may find.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340139
Jonvee,

Thanks for the info. I will do all this and post back. While I am doing this, I have some questions.

If I were to receive an email and open an attachment I shouldn't (which I would never do), if it contained a virus and the antivirus software had that definition, it would instantly detect the virus and give an alert (usually). So, why is it that if the Internet is capable of putting viruses into my network when I have no protection, why isn't the same thing happening all the time but the viruses would be detected?

Hope that makes sense.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340166
Btw, I feel like a complete idiot. Thought I was doing the right thing by removing Symantec when they wanted me to renew my subscription. I should have disconnected from the Internet before removing it. By the time I installed another one, I had the problem.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340205
http://www.hijackthis.de/logfiles/cd36a82296bd3a34b102bd297564bdf2.html

Not sure if this is the short or long version. It only gave one button. Let me know if you need a shorter version.

Happy Thanksgiving by the way!
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20340439
Thanks  ...  It'll take a while to study the log in more detail but a preliminary check shows it to be *reasonably* clean!
However, in cases where it states "This is a unknown process ..", it would be useful if you could confirm you recognise the item, where possible.

Other examples: In the case of "GrooveMonitor.exe", this program is apparantly used to track Groove problems and creates error reports that are sent back to MS ..
http://www.bleepingcomputer.com/startups/GrooveMonitor-18228.html

[?] C:\Program Files\Mirra\Mirra.Client.exe - This is a unknown process:
http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm

Y] C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
http://www.bleepingcomputer.com/startups/ONENOTEM.EXE-2921.html

You can Fix this (harmless?) entry >
N] O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Will study the log further and report back later.

Meanwhile, for *possible* rootkits suggest you try running Combofix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with another HijackThis log, in a reply for us.

Please do not mouseclick combofix's window while its running, it may cause it to hang/stall.
You may have to disable NAV if you have it installed, it's been reported that it can interfere with the cleanup.
 
Don't worry about 'removing Symantec', we all make those sort of moves occasionally .. it's easy to be wise after the event!

Oh yes, regarding your comment  "Happy Thanksgiving by the way!"  ... like and235100 i too am English!     But thanks anyway  :)
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340829
Oh, so TGIF, lol. Ironic you would mention Mirra. It'a a backup server which runs in real time made by Seagate well now anyway. So, it may have a copy of the virus.

I will do those things. I am going to post a link soon to another question, because it doesn't completely fit here. But, it's rather important.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340871
A bit more information which may or may not help. Last night I did run Trojan Hunter on all of the PCs. Two them including my PC in my office (which is a bit weird) had three Trojans mostly generic. They were cleaned and removed.

The server, ironically, had Trojan Hunter and NOD32 installed, and they tend to produce false positives -- I found this when I Googled the virus and tens of places talked about the false positive. Scared the hell out of me though.

Just to give an example of another weird thing. Within the last hour, my clock in my system tray changed from 5:07 to 17:07.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340926
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20340940
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20340996
Just to give an example of another weird thing. Within the last hour, my clock in my system tray changed from 5:07 to 17:07.

I guess ComboFix changes that.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20341215
Yes, your clock change was probably due to ComboFix.

You can uninstall ComboFix as follows >
Start > Run > then type "ComboFix /u"    (with no quotes, and space between x and / )
Then hit enter, which should reset the clock settings, re-hide system hidden files, reset System Restore, etc..
       
Am studying your three logs.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20341259
Very nervous. One computer was given an IP address of something like 292.268.34.179 where it should be 192.168.1.x and it didn't have a default gateway.

The Room 1 computer had about 15 red X's. The server has 3. Some computers with correct IPs etc. can reach the Internet, some can't. I think DHCP is screwed up somehow or maybe DNS. I hope I don't have to redo the server.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20341261
I extremely appreciate your helping me. It must be rather late/early over there.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20341359
I opened another question at:

http://www.experts-exchange.com/index.jsp?qid=22979685

I know you are busy but just in case you can go between two. : )
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20341611
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20341738
Well, not sure if you had any luck. I am going to get some sleep. Pretty much had to get home to get Internet acces. Things seem to be getting worse. DHCP giving out bizarre IPs. Can't see the network even with assigned IPs. Looks like I will probably have to format all of the computers including the server.

Dumb question, but will a backup from Wednesday night whether image or not contain the same rootkits, and would data files be safe to back up or reinstall from backups?
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20342155
 > a backup from Wednesday night <
Doubt if it's a dumb question, but i can't give you an accurate answer !
Instinct says that it's worth trying, but not if it's going to take almost as long as your suggested format of all computers and server!

In fact if you get no further experts' comments(i appreciate that there is a considerable urgency to your problem!), suggest you post a quick "pointer question" (worth 20 points) in the HijackThis TA with a link to this
thread number http:Q_22977986.html, where you should get an additional & quick response.  This will give you input from experts specialising in virus & Malware removal.  
http://www.experts-exchange.com/Software/Internet_Email/Spy_Ad_Blockers/HijackThis/

Naturally we would stay with you throughout the process  :)

Now going to take a second look at your two most recent logs, and will regularly view your 2nd question.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20342400
Thanks. Hanging in there.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20342845
Once again the logs appear reasonably clean, but have only established that there appears to be no sign of 'Vundo' or 'FixWareout' infections.  That still doesn't prove that there's not something nasty present!

Only other suggestion at this time is to 'isolate' the Room 1 computer and
try the F-Secure "Blacklight" rootkit remover.  If successful you could move on to the server & others >>
"Rootkit Detection and Elimination Tool":
http://www.f-secure.com/security_center/

This Blacklight tutorial from 'bleepingcomputer' may help.  If not, post back for a cut/paste guide >>
"Using Blacklight to detect and remove Rootkits":
http://www.bleepingcomputer.com/tutorials/tutorial124.html

Or the Sophos scanner which has a good recommendation >
Sophos Anti-Rootkit Version 1.3.1
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343014
OK. I will try that. When I look at the ones where they are easy to read with the green checks and yellow question marks and red X's, there appear to be 5 red X's on the server and quite a few on Office computer and Room1's computer.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343238
OK, back at office. The only Internet access I have is from the server, which I know is not a good idea, but it is the only way to communicate to EE.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343257
After uploading or making links to Hijack this, is there a way to know which computer you scanned? I am getting a bit confused as to which one I scanned given the overall confusion.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20343290
If you take a look at a particular HijackThis logfile it should list the "Platform"at top of log.  Here it may give you a particular computer number.  
If not, i guess it shouldn't take too long to re-scan.
Actually it may be quicker & more benificial to read, if you used the http://www.ee-stuff.com link and your Experts-Exchange username and password as mentioned earlier.  Thanks.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20343309
Confirming that i meant you could upload the whole 'un-analysed' HJT logfile, rather than the link to the log, on http://www.ee-stuff.com link.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20343333
Hi Bert, Read the posts, you are in quite a pickle are you not.
I think it's too much turkey <G> Sorry...

Though I have connected an un-updated PC directly to the Internet and received the sasser virus in under 2 minutes, I am afraid I am a skeptic that you received a virus due to removing Symantec for a day. You have the best in firewalls and I assume you are not opening mail attachments on the server, not to say you can't get a virus in other ways.

Many of these symptoms sound like a virus or root kit, but all of them at once seems quite unusual, unless someone actually has control of your network through a root kit. A scary thought. As mentioned earlier, virus software will generally not protect you from many root kits. Viruses are not my specialty, so I will pursue other avenues as you appear to be in very good hands. If you do suspect a root kit, and there is a possibility of remote access, I would immediately physically disconnect the business network from the Internet. You have a lot of very confidential information.

On the problematic computer, I know it's an over simplification, but have you rebooted it? The cursor issues could conceivably be fixed by a re-boot.

I was under the impression you only removed Symantec from the server, is that the case?

Removing Symantec can cause a disaster in itself. I have had to rebuild servers that Symantec, admittedly by their IT staff, have destroyed server services. The IP assigned to the PC is interesting (292.268.34.179 ), it's not a legitimate IPV4 IP it's greater than 255. Where you run an SBS domain, I assume you are using DHCP. Check the DHCP scope on the server to see if it has been changed in some way. The other clients DHCP leases may not have expired yet, so if DHCP has been affected, it may not have manifested itself yet.

By the way "GrooveMonitor.exe" and "ONENOTEM.EXE" are Office 2007 services, and possibly 2003, depending on version and options chosen.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20343384
PS -QuickMessenger and PopMessenger use Net Send which requires the messenger service be enabled. A know security risk.
-To many music related apps for a business environment in my opinion. Where do all the music files come from?
-Did you install iTivity on the server? If so OK, but make sure you did it and not a root kit. I ask as there is no need for it on an SBS.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343423
Let's see. And, thanks Rob.

First, a bit of information. I ran Blacklight and it found nothing. I ran RegCure, and it seems like any registry cleaner. It found a bunch of things but not sure what it means. I had no AV on any computer for a bit.

I also ran Rootrevealer by sysinternals and it found over 400 discrepancies. I realize messenger service is a risk. But, QM is the only one that works. I guess I could use one other that doesn't use messenger service.

I will try rebooting. Many PCs can't see each other. Many PCs have the right IPs and DNS, etc. as does the server.

Someone may have tons of information, but even though that would be a HIPAA violation, hey, I tried to stay secure. I can't help that. Little Johnny had strep throat. Oh well.

The major problem is the Internet access. It is the classic Catch 22. The server is the only computer which has Internet access capability, and if I disconnect the network from the outside world, then I have no help from the experts.

iTivity is a program whereby Medware can add updates to the Medware program. Kind of like the other 3rd party LogMeIn remote type things.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343427
The IP address in the address pool are all normal. Would the Windows Firewall have detected things trying to leave the PC?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20343442
RootRevealer is very good but it takes a lot of time to determine what each process is. May be your best bet though. However, interesting that nothing has really turned up any evidence of Virus or root kit so far. RootKits are very scary, and can be hard to detect. The other thing with rootkits is they are very easy to create. I am surprised they are not more prevalent.

>>"I can't help that. Little Johnny had strep throat. Oh well"
Do you accept credit card payments?

>>"classic Catch 22..."
Can you attach a laptop to the router or just one PC and remove the risk from all others?

>>"Many PCs can't see each other..."
Have you checked the DHCP scope on the server to see if it has been changed?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20343452
Sorry missed last post.
If the Windows firewall was enabled on all PC's, hopefully it would have helped protect the spread of any infection. One of the main reasons for having it.

One concern with rootkits is they can quite easily do key logging and remote control. The services they use may be allowed by the firewall. For example RDP is enabled on your network. Once access is gained and passwords collected the controller could  then use that information to access other PC's. This is possible, but not common.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343465
We do accept credit card payments, but I don't think they are kept in billing. We just post the 20.00 copay, but not the credit card.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343470
Btw, I uploaded the Hijackthis log, but I am not confident it went for whatever reasons.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343564
Hopefully helpful information. I ran Blacklight and Sophos Rootkit finder or whatever on Room1. Neither found anything. Still couldn't get to the Internet. I can't recall, which is bad, but I think at the time IP address was normal. Scope still showed 1.24 in the address leases. DHCP enabled. The server's card is set up correctly as far as IP and DNS, etc.

I rebooted Room1, and it's IP address now is 169.254.114.38 with a subnet of 255.255.0.0 and no gateway. Still 192.168.1.24 on the server.
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 125 total points
ID: 20343653
Could not locate your HJT log.  See if this helps >
Select "Login".  Insert username & password.   Login.
Select "Expert Area" tab
Select "upload a new file"
In "Question", insert your address from top of page
Browse to your HJT logfile, for example, "HijackThis log1" (no quotes)
Select "Upload", & that should do it.  We'll find it.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20343753
Thanks reference Blacklight and Sophos!  
For no internet access you may wish to try IEFix.  It's a repair utility that repairs IE 6 by registering it's core DLL files, & more ..
http://windowsxp.mvps.org/IEFIX.htm
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20343841
https://filedb.experts-exchange.com/incoming/ee-stuff/5793-hijackthis.txt

This is the direct link to the file. The problem was (for a newbie like me -- welll I am not that bad, I did configure a Cisco PIX twice, lol). The problem was it won't take a .log extension. Had to be .txt.

I will check out the link above. I can't believe how long you are helping. I appreciate it tremendously.

I have thought a lot about reformatting. If I could just prove that my server wasn't infected, that would be hugh, although ironic. Is it possible a rootkit got in, changed some things and then left or do rootkit revealers miss some?
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20344007
Your log analysis >
http://www.hijackthis.de/logfiles/b34587a5772e16ea137bb1978290bb89.html
HJT analysis taking forever, because the "autoanalysis" does not 'recognise' about 25 of the entries!!   There are a number of "These are unknown process'" listed.  
Continuing to work through them manually, & it's slow going!
For example, do you recognise this one pls?>>
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YVXSE.exe

> do rootkit revealers miss some?<
Conceivable i guess, but we get good reports.  
An expert in the HijackThis TA could no doubt tell you more  :)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344028
>>"I rebooted Room1, and it's IP address now is 169.254.114.38 with a subnet of 255.255.0.0 and no gateway. Still 192.168.1.24 on the server."

169.254.x.x is APIPA addressing which is assigned automatically by the workstation itself when it cannot find a DHCP server. Either there is a physical break between it and the server, something has corrupted the Network adapter drivers, a bad network adapter or the server's DHCP is not working.

You mentioned "Scope still showed 1.24 in the address leases". First click on the DHCP server name in the DHCP management console.
1) Is there a colored icon or dot on the DHCP server? Should be green dot. Anything else let us know.
2) Click on scope to expand it, click on address pool. In the right hand window is the address pool correct? i.e. your subnet?
3) I assume DHCP for the LAN is disabled on the Cisco?? It should be.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20344057
Analysis on the HJT log grinding to a halt, even google does not recognise several of the exe entries!  
Suggest i backoff for a period while you follow Rob's suggestions.  
Monitoring ..
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344117
YVXSE is not recognizeable. I browsed to it, and it is a skull and crossbones. I didn't click on it.

Rob, there is a green arrow which looks like a dot, but is clearly an arrow on the DHCP icon.

The IP address pools are what they should be. Am I supposed to see a subnet number like 255.255...?

This basically all started when Room1's webpage would return to the home page is a cursor was placed in any field. And, the backspace key would make the cursor move over the last letter or it would do it anyway. All other compters have been normal.

Can a computer get out to the Internet if it can't see the server. I mean each network card has a default gates way along with a DNS point to the server's IP.

Jonvee. Don't back off please! Unless you have to. Where are all the HJT experts? Not that you haven't been great.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344181
Rob, No I am not running DHCP on the Cisco.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344216
Just trying to give as much info as possible. Rebooted office computer. Many times it can't restart due to a program's not closing, and you will get that window/screen which tells you that you can close it. I wasn't able to read the entire thing, because it went into reboot mode, but one said, I couldn't close it "Due to a Windows Form Parking Issue." I have never seen that one before.

The other said, "WMS notification issue..." or something to that effect.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344282
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20344345
Analysed log >>
http://www.hijackthis.de/logfiles/b34587a5772e16ea137bb1978290bb89.html
A quick read showed little change, still several 'unknowns'!

>YVXSE is not recognizeable <
Bert, when you have time i suggest above entry and any other that you *do not recognise*, be Fixed by HijackThis.  From the log your HJT program is located in it's own(safe) folder, and a backup of anything you Fix can be restored if it was accidently deleted, for example.

Here it's nearing the midnight hour again .. will drop by early tomorrow!  
For now, good luck.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344433
YVXSE is in your temporary files is it not? May be part of Sysinternals install. Should delete all temp files anyway (need to enable "Show Hidden Files and Folders" (& un-hide protected system files on Vista):
C:\Windows\Temp\
C:\Documents and settings (Users if Vista)\User Name\Local settings\Temp
C:\Documents and settings (Users if Vista)\User Name\Local settings\Temporary Internet Files

>>"green arrow which looks like a dot"
Just checked you are right, my eyes are not what they once were. At least it's not yellow or Red, that's the main thing. Sounds like scope is OK. I was worried something changed the scope, giving the client an odd address and lost network connectivity.

>>""Due to a Windows Form Parking Issue." "
Any HP software installed?
WMS for the record is usually Windows Media Service or windows Messaging service.

>>"Can a computer get out to the Internet if it can't see the server. "
Depends on how the network is configured. If the SBS uses 2 NIC and it is the gateway for the clients, then no. If the Cisco is the gateway, yes, but the SBS is the DNS server so they will be able to access and ping by IP but not FQDN.

Try restarting the PC in "Safe Mode with Networking"
Also the results of both of the following may be helpful (from the PC that cannot connect to the server/Internet):
ipconfig  /all
route print
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344495
Using all XP Pro. Good call on the HP although we don't have an all-in-one and couldn't see it in Startup on msconfig.  None of the PCs can get to the Internet even with static IP address with IP, subnet and gateway of router both with and without DNS of the server's IP. Kind of strange.

Getting closer to reformatting. Yuk! Whole new question.  I will do the ipconfig /all route print
But, I will say something weird: Like all the other stuff isn't, lol. But yesterday when I ran a HJT and looked at the analyzed easy to read for beginners version, there were 5 red X's. Now, there are none.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344543
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344590
I take it the results above are with both static and DHCP results?
Even so do you know why you have a 169.254.x.x address in the route print? This contradicts the IPConfig results. Or, were they from different time periods?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344598
Static, DHCP and RP all at the same time.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344600
The only thing is I did reboot at some point. Probably after switchng to DHCP. I can't recall.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344605
>>"Static, DHCP and RP all at the same time."
How can you have static and DHCP at the same time?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344615
https://filedb.experts-exchange.com/incoming/ee-stuff/5797-New-IP-config-and-route-print.txt

You can't. I guess I misunderstood your different time periods. I took that to mean hours. What I meant was static, do a ipconfig /all, then do DHCP, do a ipconfig /all and then route print. All within two minutes. But the new one shows an IP address with a 255.255.0.0 subnet given by the PC, I guess.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344656
The 169.254.x.x address it is receiving would indicate that the DHCP client service is working on the PC, but it cannot contact the server for the DHCP address. Something is blocking it. It could be a virus has caused problems, but I would tend to look more to a bad connection, cable, or router. Is the network adapter light on? If so, try rebooting the router. If that doesn't work, do you have a spare switch or hub around? Try connecting the PC and server to the other hub and see if it can get a proper address from the server.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344721
OK...installed new driver for NIC card. Light is on. All cables are the same. Rebooted modem, firewall/router and switch. Still could not see the server.

Tried getting out to the Internet from other PC (Office). Realized I would probably need my ISP's DNS. I guess I was right. With a static IP, subnet mask ending with 0, a default gateway of the private side of the PIX and the ISP's first DNS, I got right out to Yahoo.

That's the good news. The bad news deserves its own comment:
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344725
I decided to reboot the server to see if DHCP would start.

I got the message:

PXE-E51: No DHCP or ProxyDHCP offers were received.

PXE-MOF: Exiting HP PXE ROM.
Operating System not found

Now, I'm not even close to the smartest computer person, but I think that is bad.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344735
Did you try static IP and DNS on the computer that could not connect to the Internet? The problem one?

>>"PXE-E51: No DHCP or ProxyDHCP offers were received."
That is normal. You probably don't have a PXE DHCP server. That is different from the DHCP server you are familiar with. It's for booting from a network to automatically start a Windows install. Usually only on big networks.

>>Operating System not found"
Now that is not good. I take it it did not boot??
What do you have for drives? SCSI, SATA, IDE ?
Are they in a hardware or software Raid configuration?
You haven't looked at the Event logs lately have you, and noticed any Disk errors in the System log? The SBS daily e-mailed reports should also show if there are any.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344754
No, it doesn't boot. Harddrives are SATA and set up in a RAID5 with a hardware (HP Array E200i) card. Looked at event logs yesterday. Nothing there.

I don't think a hard drive crashed. My take is some virus has done all this. Maybe in a boot sector, who knows?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20344769
You should be able to boot the raid controller and verify that all disks are present and healthy. Being RAID5 you would have to have 2 dead to cause a problem, in theory.

Still skeptical all these issues are related to a typical virus, too many different issues.  A rootkit with someone with remote access possibly, but that is not very common. But what do I know, I'm more a network guy.

I am "out-a-here" for the night but will check back tomorrow.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344776
K, thanks.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344810
OK, how much stupider can I get. I guess I need to go home and cry in my beer at this point. Yes, I booted to my RAID, and the entire configuration was OK. I kept watching it go to No Operating System was found. I decided to look at my boot options and a screen came up which gave me the options of booting from 1. CD 2. Removable devices, 3. Hard drives and 4. Floppy disk. Then it hit me. I had been moving the utility programs (HJT, etc) to computers using my USB thumb drive. So, it was trying to boot from it. (I guess I forgot to put an SBS 2003 OS on it, lol). So, I took it out and wahlah, it booted right up.

I could have ended up having to completely redo my server, although I may have to anyway.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344933
OK, so here is the question:

Basically, the computer in room1 had those weird things happening. The cursor in a username field or a field for the name of a medication would cause the web page to click right back to the home page. The cursor in the EMR would automatically move back OVER one letter. And, then the giant log on screen. The task manager would nowhere to be found on my office computer for about five hours, then it reappeared. Now, the computers aren't seeing each other. If you click on Windows Network on the server and get to Riverviewpediat icon and click there where you should see all of the PCs, you only see the server. All coputers can get to the Internet with fixed IPs and an ISP DNS. But, they can not receive DHCP.

We have not truly been able to discover a virus using HJT or Comfix or whatever that is nor with a few other tools. No definite evidence.

So, based on this, do I reformat the server and all seven workstations? Do I reformat room1 and the server? Or is there a different answer? I am pressed for time, because everything needs to be ready for Monday morning. And, I think doing all that will take all day.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20344935
Another though. This all happened when I uninstalled Symantec and installed Trend Micro the following day. Given that Symantec seems to cause problems no matter what is done with it, could I have caused a problem with the uninstall. It was uninstalled from the clients as well.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20344985
A couple of thoughts for you.  Could the keyboard in room 1 have a keyboard with a "sticky" control key.  It sounds stupid but I have seen weird stuff when a control key gets partially stuck down.  Suddenly when you are pressing s you are getting control-s...etc.

Also, have you tried giving the computer a static IP address.  If you are not able to communicate with a static ip address you probably have a bad hub.  Try power cycling the hub.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345485
Late night for you Bert !

>>"So, based on this, do I reformat the server and all seven workstations?"
Highly unlikely. It's an network error.
When you installed Trend Micro, which version did you install. They have a version that includes a software firewall. This will definitely block access to the server. Un-Install from the server if necessary, might be a good idea anyway.

As  Joediggity2 just mentioned, and as I did at 10:30 last night; have you tried replacing the router with any old hub or switch? You could also enable DHCP on the Cisco or another router to see if the clients get a DHCP address, but I wouldn't waste time on that, I'm doubtful all 7 have damaged DHCP client service.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345507
Another thought, if you have +4 workstations/servers you must have a switch in place. Common for them to act up. Try getting rid of it and connect the server and a couple of PC's directly to the Cisco.

You may also have remnants of Symantec causing problems. This is one of the main curses of Symantec. They make dozens of tools and have instructions on how to get rid of it all. "Sometimes" they work <G>.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345586
OK, thanks everyone. I am headed in to start again.

The reason I am hesitant to do anything with the switch (which I did reboot last night) is that it costs $1,000. I would hate to replace it. Why $1,000? I 'll explain later.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345600
You are just going to temporarily replace it as a test. There is no risk of harm.

If a $1000 switch (I assume not router) it must be manageable. You haven't changed the configuration have you?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345635
Rob,

It is manageable, yes. I haven't changed the configuration, not that I recall lately. When it is on, btw, some lights are amber and some green.

I need everyone's opinion, if possible. Given all this, what is the likelihood there are actually no viruses? I agree it's a network problem and will troubleshoot as above, but could it be a network problem from viruses on the server? I do have hundreds of backups where I could restore Drive C, the OS. Of course, that makes me a bit nervous if I could fix it otherwise.

I know viruses can spread within the network. Do these rootkit viruses spread compared to worms, etc. Or do they just hide whatever malware they have? I guess I could always go peer-to-peer until figured out. Off to Dunkin' Donuts and the office for more fun!

Thanks, thanks, thanks for the help.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345665
>>"When it is on, btw, some lights are amber and some green."
You would have to look at the display or read the manual, but it usually means 100mbps connection for green and 10mbps for orange. It can also be 1/2 and full duplex, or even problems.

Anything is possible with a virus, but disabling networking would disable the virus from spreading, which is rather counter productive from the hacker's point of view.

Personally I am still very skeptical it is a virus or at least that the major issues are virus related.
I suspect the main issue is the server's LAN card. All PC's can connect to the Internet so chances are that the switch is working. However, removing Symantec, or more likely adding Trend Micro "broke" something.

I would run the CEICW
If that doesn't help, remove Trend Micro from the server,
If that doesn't work run CEICW again.
Also double check the NIC in device manager and if enabled, firewall exceptions.
I wouldn't un-install the NIC unless you get guidance from Jeff....this is SBS.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345730
I'm scared of Jeff, he will be very disappointed in me.

Couple of things: I enabled DHCP in Cisco PIX and instantly got IPs, etc. for computers. I can't get Internet access from them, I guess due to DNS again. I installed Trend Micro (without the firewall). It is off. I also installed NOD32. I was trialing them, which is why I was so stupid as to have AV off at times.

I did run CEICW. I will do it again. I will try the Symantec thing. It was late last night, but I could have sworn that I had my office PC static and when I came in it was DHCP enabled. Very weird.

Prior to all this, I was getting 1GB to every computer over the network.

I bought coffee for everyone.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345743
As info:

I ran NoNav to get Symantec off. There are still a couple of folders left: Quarantine with some files and some log files.

Trend Micro's folder on program files has quite a few folders left, like 20. Under PCVSRC which is shared.

How 'bout that save from the USB drive? I thought that was pretty good. Stupid to have it there, but none the less. Gotta throw me a bone now and then.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345751
Sorry to keep giving random information.

Symantec has a service in services, but it is off.

Trend Micro has a service that is on.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 27

Expert Comment

by:Jonvee
ID: 20345817
Regret unavoidably late in loggingon ..
Your last HijackThis log still has puzzling entries, but little change from previous log.

Rob made a good point regarding Symantec remnants.  Here's another useful removal tool.  It uninstalls all Norton 2004/2005/2006/2007 products >
"Norton Removal Tool (SymNRT) 2008.0.1.19 ":
http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

You asked our opinion and i would have to say that it does now look like a network problem and yes, possibly originating from Symantec removal.  
Rob has made some excellent suggestions!  
It is difficult yet to come to any conclusion about a virus/rootkit problem, perhaps only resolved with further scans once network issues have been cleared.
Because of my lack of network experience there's little i can add at this stage other than i'll be here to offer moral support where possible.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345857
You guys are amazing. Yes, Rob does give great suggestions. He is one of the best. I would give the link, but now is not the time, but we spent, what Rob, about two weeks figuring out a PIX issue which turned out to be licenses.

I will try the Symantec thing. Wouldn't it be something if the virus thing was simply a red herring. I certainly hope so. And, don't worry about coming on late. What do you and Rob do all day that you can help so much?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345858
>>"I bought coffee for everyone."
Can you drop it of? <G>

Don't forget after running CEICW you will need to disable DHCP on the Cisco, in order to test. Also when SBS sees the other DHCP server it will/should shut down the DHCP server service on the SBS, so you will have to restart that.

I don't know all the Symantec tools. Is NoNav compatible with your version of Symantec? Don't use the wrong one. You probably should do the manual removal as well, outlined in the link I provided. I mentioned I had a 2003 server that Symantec themselves couldn't remove it all.

>>"How 'bout that save from the USB drive?"
That is why from time to time you should leave the site for 20 minutes. You spot those things instantly when you come back. I have done it too, but haven't seen that issue on a server. Laptops yes. May be how the BIOS is configured. I don't allow boot from USB. Saves problems and adds a tiny bit of security.

Jonvee, don't discredit your virus removal suggestions. That would have been my first assumption with the cursor issues on the PC. Just at some point there were too many oddities for a single virus. Not to say it's not still a possibility. Virus detection and removal is defiantly not my strong point. I always like to look at things, even viruses, as what were they trying to achieve. Didn't seem to be a purpose.

I am painting this afternoon, but I will be around and check periodically.
I have my problems too. One of my dogs cut her tail somehow, and spent 3 hours unattended wagging it through the house. It looks like a CSI crime scene. At least I don't have a Monday AM deadline.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345861
>>"What do you and Rob do all day that you can help so much?"
Not much! Pretty sad isn't it.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345864
Any issue with the Trend Micro's service being on even though it is uninstalled plus many, many folders and files its folder which is still left on the server?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345902
Right now, there is no DHCP under computer management where it was green arrow last night. Can't run CEICW due to no DHCP. It is stopped on the services, and when I start it, it says it started but then stopped. Sorry about the dog. This is where I can help, but like you with antivirus, I am not a vet.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20345904
It's automatic on service. Should I just reboot?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20345916
>>"Right now, there is no DHCP under computer management where it was green arrow last night. Can't run CEICW due to no DHCP."
As mentioned, it saw the Cisco DHCP server and shut down the service.
Turn off the DHCP service on the Cisco, manually start the service (right click and choose start) and reboot the client PC's. It will not start while enabled on the Cisco.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20346052
Can start DHCP services. Still cannot connect. Should I be able to open Windows Firewall on server. Ipnat.sys is stopping it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20346112
>>"Can start DHCP services. Still cannot connect. "
Try unplugging from the network and see if it will start.
If not right click on the service in services management console and choose properties. Click on the Dependencies tab. DHCP is dependent on 1/2 dozen services. One by one check to see if they are started. Especially "TCP/IP Protocol Driver". If any are not started, start them. If they won't start, check their dependencies.

>>"Should I be able to open Windows Firewall on server. Ipnat.sys is stopping it."
Probably not, especially on SBS. Ipnat.sys is used by RRAS as well as something else. That is an appropriate response if RRAS is enabled, and it seems to be always the case on SBS regardless.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20346292
Sorry, wasn't clear. I can start DHCP. I can not connect to the clients.

There is no TCP/IP Protocol Driver
Trend Micro has a service running.
I use Symantec (or did use) 10.1.
Wonder if I should reinstall it before uninstalling it or reinstall it and see if DHCP works correctly.

Remember, DHCP is running now although it is dependent on TCP/IP Protocol Driver which is not even present in the services.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20346332
>>"Wonder if I should reinstall it before un-installing it or reinstall it and see if DHCP works correctly."
Install which app? Re-installing and un-installing is sometimes a fix, but the less you have to "mess" with Symantec the better.

>>"There is no TCP/IP Protocol Driver"
Just noticed that service doesn't exist, but on 3 SBS servers it is present as a dependency. Interesting. I guess that list may include more than just services.
Is there 1 NIC or 2 on your server? If one and you have Internet access, TCP/IP is fine, but if two, make sure TCP/IP protocol is present on the LAN NIC.

Clients will have to renew their leases by rebooting....with the Cisco DHCP off. Have you done that?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20346702
Sorry for the delay. Tried fixing DHCP/DNS thing from error message on System Errors. Lots of error messages and numbers of them. When I typed the command Microsoft suggested, DHCP instantly said it was running, but nothing changed.

I have one NIC card. Rebooted clients. Nothing. Cisco off. DHCP on server on.

By the way, when removed Symantec on Tuesday no network issues all day. Installed TM on Wednesday night and have been having these issues ever since.

I did have another weird occurrence on Room1. It is possessed.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20346733
1 NIC on the server and it communicates with the Internet fine, and the PC's communicate with the Internet fine. That means the network adapters are all working OK. Has to be a software firewall somewhere on all PC's or the server, or a problem with the switch or router, assuming PC's are getting an IP in the same subnet as the server, and all have the correct subnet mask.
Have you been able to try the SBS and 1 PC on a different switch/hub?

A virus would be more apt to kill Internet access than LAN access.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20346735
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20346844
Painting is coming along pretty good. On Schedule anyway. My office is next to my shop so I keep checking e-mail to see how you are making out when I head down to get something.

I'll continue to review, but I noticed. HP network adapter is configured to full duplex. If the switch is not set the same you can loose connectivity. Best to have both auto negotiate, rather than manually set.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 20346931
"Windows Firewall\Internet Connection Sharing (ICS) services keeps trying to start. Make sure it is stoped and set to disabled.

Routing and Remote Access Service may be enabled, if you have set up VPN access. Try stopping the service as a test. It can Interfere with routing and access.

Make sure server and PC time is within 2 minutes. Likely wouldn't affect DHCP, but will affect logons.

2011 and 7024 errors are Symantec issues.

You haven't configured the LAN to use IPSec have you?

There are a lot of errors relating to the network adapter having no connection. I assume you had it unplugged?

Looks like I was wrong on "YVXSE". It is a service as well. It was present at least yesterday. Might be part of Sysinternals root kit revealer. Maybe search the Sysinternals directory to verify.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347298
It is part of Sysinternals, although I saw it somewhere else. But pretty sure Sysinternals. Isn't Sysinternals generally used to look for rootkits and viruses? Then why have a skull and crossbones on their icon?

PC time is exact due to being set by the navy. Of course, not at the moment, but still the same time.

Not sure how to LAN to IPSec. Is that on server or client?

The network adapter is disabled now. But, at the time it wasn't.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20347433
>What do you and Rob do all day that you can help so much?<
Some of us have just spent three hours backpacking around some local hills, it's a regular thing!   Main problem now is to resist falling asleep at the keyboard(yet again)!    <grin>

Here midnight is now approaching, good luck in your race to complete by Monday!

RobWill, thanks for the thoughts !    It's been good reading your comments throughout the last few hours.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347511
Hiking sounds fun. We hike in Acadia. But, now just frazzled trying to figure this out. I just no that when I do a config /all it says DHCP enabled: No.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20347559
>>DHCP enabled: No."
Where?
Should say that on the server, shouldn't on the workstation.
If it does say it on the workstation, it is because it has a static IP.

Time doesn't matter as long as PC and server are close. The server should adjust. Just pointed it out as your log has above normal NTP errors.

Don't worry about IPSec on the LAN a couple of things I saw made me think you might have configured it. You would not have done so by mistake. It is a way of securing local traffic so that an employee cannot sniff local LAN traffic. since we have moved from hubs to switches, it's not as big an issue. Reduces performance too.

What about the GIG adapter being set to full duplex, have you checked that out.
Have you tried another switch.

Nice "talking" with you Jonvee. Hope all is well on your side of the "pond". I'm in Nova Scotia, Canada.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347657
Sorry, Rob, I missed one of your answers.

All of the workstations have the Windows Firewall on by default, although they used to be greyed out and now they are not. When I disabled it for a bit, it didn't make a difference. I tried a Linksys 4 port switch and connected the server to port 32 and my computer to port 3. They couldn't see each other. Server did not give DHCP.

Is there a firewall besides the one on the service with the ICS on the server?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20347674
>>" tried a Linksys 4 port switch "
Good. It was a switch and not a router was it? I didn't know they had a 4 port switch.

>>"Is there a firewall besides the one on the service with the ICS on the server?"
Basic NAT one in RRAS, that is why I was suggesting turning it off temporarily.

0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347713
Yeah, the Linksys has an uplink and four ports. Very tiny, very cute.

When I looked through the services, I saw one that caught my eye. But, of course, to IT people, it will be normal.

I tried to start the DNS server and it said it couldn't due to a 1222 error. The network is not present.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20347785
122 error for DNS, odd.

DNS is not started and you cannot start it?
Should be able to do that connected or not connected.
It too has a dependency of TCP/IP Protocol driver.

Wonder if your NIC driver is corrupt.
I wouldn't un-install but try updating the driver in device manager. (right click on the NIC and choose "update driver"). Windows should be able to provide a driver for that NIC. Allow it to check the Internet.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347819
I actually tried earlier and wasn't very successful getting the exact driver. I will try now again.

By the way, R-K (in a PAQ earlier) told someone he never puts AV on servers. I am confused now. Maybe he doesn't use Internet on it?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20347943
>>"R-K (in a PAQ earlier) told someone he never puts AV on servers. I am confused now. Maybe he doesn't use Internet on it?"
However, there are doctors that refuse to prescribed drugs too. <G>  
I would consider that if the server was not a mail server, did not have Internet access, and was primarily a file or SQL server which may affect performance by continuously scanning files.
That is further support that 1 day without anti-virus software is not the end of the world......assuming you have a good firewall.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20347985
Couple of things. As usual, finding a simple NIC driver for HP is more difficult than it should be. I do have another card, maybe I should just throw it in. Why would a NIC card reach the Internet but not other hardware?

Don't yell at me, but when I went to the DHCP, window I deleted the DHCP and Added a new server which was basically just the DHCP with new scopes etc. That was just now. But, when I went to add or authorize a server, it gave me two choices: 192.168.1.100, my server IP address and 127.0.0.1?

I will keep looking.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20348130
I fixed it! But, I still have two questions.

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20348721
>I fixed it!<      Fixed the add or authorising of a server, or fixed the 'whole issue' .. sincerely hope it's the latter?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20348811
Hey Jonvee!

I fixed the whole thing. But's hard to know what did it, although I have an idea.

First, an article said to change a registry setting to make the NIC card's Offload Checksum disabled. I could do it manually anyway, but I made the reg change. That seemed to  help along with a command line that did something, I forgot. It started working then, but then stopped. Tried doing the dnscmd /Config /Enable...something...Probes 0 but it wouldn't work.

I still couldn't turn the DNS server on. Just couldn't see the network. I uninstalled the NIC card, but when I added new hardware, it couldn't find a driver. Even though HP went out of their way to make it impossible to find, I found a driver for it. And, wham....the DNS service started right up. And everything worked.

So, I headed over to Room1. Just bizarre. Possessed. I was trying to download a driver for the NIC card, but it was like a game of cat and mouse. The very instant I would click to the page that had the driver, it would switch back. Click on the link...go to the page...try as fast as I could to move the scroll bar down, but click and back. Over and over again. About thirty times until somehow I managed to click on the driver link. This got me to the page where it would download, but then it clicked back to the home page. Over and over, but finally I dove to the download link and hit it just before the virus or ghost swithced back to the home page. Even windows would close. I had to browse to the server to open a folder so I could access a database. But, the moment, I tried, the window closed and I was back on the client.

As soon as I installed a new driver, everything was normal. So, could a faulty driver cause those symptoms? And, what would make two drivers become corrupted at the same time? Could it be the uninstall of Symantec on the server and the uninstall of the client NAV? But, that's generally an easy uninstall.

And, I have to ask? I chose the 192.168.1.100 as my authorized server. I have seen the 127.0.0.1 before, but I unauthorized it.

Well, mac and cheese, a beer, and some Ben and Jerry's before getting four hours sleep and seeing patients all day. What a nightmare this has been.

I certainly hope I didn't do all this work only to have viruses screw it all up. I wish I knew they weren't there.

Thanks.

Bert
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20349115
That's excellent news, so glad you made the deadline, and thanks too for the detailed report!!

On viruses >>I wish I knew they weren't there<
I still feel that the issue was related in some way to 'Symantec' , or of course your driver incident, but i guess it wouldn't hurt to 'definition update' & re-scan for virus or Malware, whenever it's practical.

Incidently (and it really goes without saying), if there are any 'points' for the above work, i am definitely *out of the running*.   You've done great, and Rob deserves '5000' if that were possible!  For me it was just good to come along for the ride with a couple of network hotshots .. thanks  :)

You'll be able to cheer up your patients today, following this earlier achievement!
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20349624
On the 127.0.0.1 address, that is the loopback address for the computer.  All computers and devices have a 127.0.0.1 address which is used for testing.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20349692
Jonvee,

Thanks. And, I thought I would spend more timed figuring out the points, lol. I'm sure you'll do fine there. It's always good to learn from Rob. I will try to posts a couple more interventions when I am awake.

@Joe, Thanks. Should it be listed as a choice under servers when you go to add one?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20349802
Any comment on the probablility of removing a CLIENT Norton Antiviral program and issues. It seems less given I have done it often in the past compared with removing one from the server.

Also, if anyone has an idea how a bad driver would cause the issues with room1.

Thanks.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20349977
Probably because the network card wasn't up it listed it.  In any event, both address identify the server you are working on and therefore should work (no guarantees as I really don't want to bring mine down to test).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20350244
Hi all! Sorry left last night for what I thought was 20 minutes and never made it back.

Glad to hear it is working.

Any chance the computer in room 1 has the same NIC as the server? If so it could be related to a Windows update. They are automatically deployed by your SBS 2003 R2 unless you have changed the defaults.
As for the jumping around the screen, can't see how that would be related to a NIC driver, but I have been wrong about driver issues 100 times before. The jumping can be a bad mouse or keyboard, or week battery if wireless, should it come back.

On the server itself you can choose 127.0.0.1 to point to it's own internal DNS, but I don't recommend it, though it is an acceptable MS method. On the PC it won't work as it would be pointing to itself (the loopback adapter as Joe said). DNS needs to be set up in the DNS management console for the 192.168.x.x  subnet.

Removing Symantec can always be scary. It's a horrible product these days. However, your problems didn't seem to start until you installed Trend Micro. It may also be unrelated.

As for points, do as you see fit. However, in my opinion Jonvee's suggestions were a critical part of the troubleshooting. Regardless of the outcome.

Watch your event logs for any side effects from re-installing the network adapter, especially DNS.

--Rob
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20350555
I do need to get better at looking at the event logs. It's frustrating because when I find an error message and Error ID and go to Microsoft, it isn't always there. Then I Google it and get tens of message boards that are horrible compared to EE with stranded questions and flaming and such. EE rocks!

I will look at the battery. Wonder why changing the NIC card driver caused it to work better? I will change the batteries but only after the error comes back.

Should 127.0.0.1 show up as a possibility under the Add DHCP window? I don't think deleting the DHCP and adding it back should help but my friend was pressuring me, and he always does what I say, so I felt bad. What's breaking a server among friends? <G>

And, with Jonvee. What, he spent his entire Thanksgiving weekend reading HJT novels.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20350667
Rob, I thought you were mad at me for doing the DHCP thing without your approval. Seriously. Thought that's why I you didn't come back.

Everyone take a look at the upload I sent. It came from a SBS Systems Analyzer suggested by an SBS 2003 MVP on TechNet. Trust me, if you had to pass an interview to move from TechNet to EE, I don't think he/she would have passed. Good info. Not very user friendly, lol.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20351313
Not mad at all Bert. Sorry, just had to drive my daughter and got tied up when I got back.

>>"Wonder why changing the NIC card driver caused it to work better? "
Who knows, its the Widows way <G>. Possible some other system files were updated at the same time by the driver.

>>"Should 127.0.0.1 show up as a possibility under the Add DHCP window?"
Do you mean in the DHCP management console window? If so, no.

Which upload are you referring to?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20351479
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20351581
OK, I know it's not polite to shout, but THIS IS JUST TOO WEIRD!

I am freaking out. There has to be something something going on here, or I am just in the middle of a Stephen King novel. This is Bangor by the way.

Everything network-wise is fine. But, get this. And, I will explain it the best I can.

We have the SBS 2003 Server and seven workstations as follows:

Room1  Used by me and generally logged into as a domain administrator (Sorry Rob, maybe I learned by lesson). I am only a user now.
Room2 Used by me only and generally logged into with my account as a domain administrator.
Nurse's station Used by my MA. User account
Checkout Rarely used. If so, generally user account.
Billing Used by biller and a user account
Receptionist Used by receptionist and user account
My Office Obviously, used by me and domain account

Again, I just changed to user. Everyone should know that any and all computers are logged into by me at some time or another.

The ones we had trouble with were Room1 and the server. Maybe mine, but I can't recall.

Ok, so over the weekend, we basically fixed things. So, here is what is going on today.

Each computer has a client version of AmazingCharts, an electronic medical record which accesses its main Access database on the server. This was the application where the cursor was moving backwards and the templates were entering automatically to a degree; see above on initial quetsion. This was the computer with the browser problems and windows clicking back to the previous window.

Anyway, on all computers except Office, Room1 and Server, things are fine. If you go to the one person's chart and open up the list of medications; you can click on each medication, and it will give how many days ago it was prescribed. So, like:

Amoxicillin 8 days
Fluoride 350 days
Bactroban 270 days

You can click on any medication and it is correct. On all computers except the above three, any patient's data is correct.

Now, in the Office, Room1 and Server computer, if you bring up the same patient, you get:

Bactroban  minus 1370 days
Fluoride 975 days
Amoxicillin 475 days
The other meds in the same chart were correct. Bear in mind, this patient is only 375 days old.

I get the same weird numbers on those three possessed machines. I looked in the actual Access database, and the dates are correct. The dates on the computer are correct and, remember, there are othere are other medications in the same chart which are normal dates. And, we didn't mess with room2.

This is bizarre, is it not?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20351715
Sounds like database corruption of some sort.
When accessing Amazing Charts do you have different user names within the program? i.e could this be related to the choice of AC user name or MS user name rather than PC.
0
 
LVL 4

Assisted Solution

by:Joediggity2
Joediggity2 earned 75 total points
ID: 20352112
Check the time and date on the all the pc's.  I have seen in some apps that they use the time and date from the computer that entered the information.  Then if you view it from a different computer with a different date, everything looks weird.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20352758
@Rob, I will look at around 5:30 PM my time. Can't do it now. I hope. Yes different logins for both.

@Joe, I thought of that and looked. I can look deeper. The reason that is hard to believe is because one medication will be normal and another abnormal. Plus a negative sign is strange.

It is happening on every patient now. Plus the other problems are coming back. The clicking back. Time came up because of Combofix or whatever which changes time to military time.

The odd thing is that everything is happening at once. Of course, I guess that could still be due to Symantec.

I bought some decent stand alone AVGs and running those on clients. Trend Micro scanned server. Nothing. I hate those rootkits. Then you never know.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20354041
I don't think your database issues would be related in anyway to Symantec or TrendMicro.

By the way, AVG is great on the workstations, but if you buy a server/client solution you set it up on the server and it automatically installs on the clients, manages updates, and does complete network reporting. One of the big advantages is the server software then can detect a network wide out break of a virus before it hits other systems, and alert you.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20354439
Yes, I had the Symantec Corporate 10.1 edition. I may have even stayed with it, but it wouldn't update my computer. All the others but not mine. Two Symantec support people couldn't fix it. They were great, though. I couldn't even download updates directly from the Internet site. I had some corrupt update folders. You know what is funny, and I am sure you know this already. But, when they wanted me to get something from their site, they had me Google it. They didn't even give me the URL to their page.

Last night, to get the driver for the NIC, I had to download a 168 MB file to extract. I couldn't just download one driver. Maybe it is there, but I couldn't find it.

You would be proud of me. A whole day logged in as a user.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20354495
Nothing Symantec does surprises me. Must say though their support tries hard.

HP driver should be:
http://h18007.www1.hp.com/support/files/networking/us/download/27942.html

Good man. You can't get into as much trouble as a user <G>.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20354913
Well, not to bore everyone, but I am flabbergasted. Grabbed a database from 10/16/07 (yes I do backups for six weeks at least even if I don't run AV). Used that database and same patient and the "bad" PCs would see 1200 days or so, while the good ones would see 34 days. Even with both Room1 and Room2 looking at the same patient at the same time on the same med, room1 would see 1200 while room2 would see 34 days. I then took that database and put it directly on room2. Perfect. Put the same database on room1 and saw 1200 days. Remember (if you care, lol) that room1 and my computer and the server see the same wrong number and all the time. It's not as if they see random wrong numbers.

So, if this were a virus so that I am reading information wrong, would data from the room1 PC be bad? Any ideas. Again, just leaning away or toward viruses would help. I could easily and within a couple of hours reformat room1. But, I really don't want to reformat my PC and the server.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20355274
If the data is wrong when read from a bad PC when on the server, and correct when read from from the same PC  it's not a virus.

What do you get for time when you run at a command prompt on computer 1:
Time /T
Date /D
Net Time \ServerName
Do they agree, both in value and format? Though I can't see a fixed difference in the numbers.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20355346
A couple of thoughts:
1) Are all workstations running the same version of Amazing charts?
2) Have all workstations been updated with the same virus software and old removed
3) From the Amazing Charts web site, where you have been playing with different AV software:
Be sure your anti-virus software (e.g., Norton, McAfee, AOL popup blocker is off during installation, and that once installed, Amazing Charts is an allowed program listed in the antivirus/firewall configuration file.
4) Do all PC's have the same DST updates installed
5) Have you contacted AC support?

Are we still on topic? <G>
Virus => Network => Database software
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20355609
I will do these. Hang in there. Would someone just shoot me. Here I am dead tired, and I decide to change my server IP address. No, I don't know why? After realizing it would take changing everything in the router, I just left it. Then, I did exclusion ranges and DHCP scopes. Should be easy should it not?

OK, so let me check.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20355635
>>"I decide to change my server IP address."
Are you trying hard to break that SBS <G>.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20355695
Time was correct. >Date /D   kept giving the error message:

The system cannot accept the date entered (mm-dd-yy)

I tried changing it in Control Panel (Regional options), but it still shows a date "balloon" of yyyy-mm-dd. Or do you change it in the BIOS?

I don't know what the Net Time \Server said.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20355717
Whoops, sorry should be Date /T

>>"I don't know what the Net Time \Server said."
You need that the point is to compare.

By same format I meant 12 and 24 hour clock but it shouldn't matter anyway.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20355728
I think he meant date /t
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20355746
Yes, all the same version.
Same antivirus software.  I don't see any Symantec remnants on any of them.
I am using AVG currently. I haven't installed any Amazing Charts in awhile. Well, since the latest version.
I will look at putting it in firewall.
What are DST updates? The regular Microsoft updates? Yes.
I pretty much am AC support. Almost 800 posts on the boards. AC support is not very good. But, I don't think it's an AC issue. Well, not until a week ago or so.

On topic? Well, I can always end this one and start another.

But, rather than Virus -> Network -> Database software, it is more like

Computer acting weird -> Computer acting weirder.

I don't think this is a database issue. It just happens to be the lastest in what has become bizarre circumstances. Let me give you an example.

When I get an email that I have a new comment, I click on the link which takes me to the question. It immediately clicks shut. I then open it from the desktop, open the question, then print out the entire question. I can't get to the one comment and copy and paste it fast enough before it clicks back to the home page. Not the list of open questions but all the way back to where it first opened up.

Then I have to type my answer in notepad, copy it and they try to paste it in as fast as possible. Maybe I get it in after two or three tries. Of course, I could use a different PC. That would make sense. <G>
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20355766
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20355790
Time for bed, I'm making too many mistakes:
Net Time \\ServerName
                ^
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20355805
I agree. I only got 3 1/2 hours last night and had my busiest day yet. I will try the command. Tomorrow, when I am rested (I hope), I will close this question and award points. If it continues, I will just have to start a new question. It is bizarre.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20362715
More and more things happening on room1. Getting ready to reformat. It is almost unusable. Can't even highlight words or a sentence and delete it with the delete key or with backspace. It just basically laughs at me, i.e. doesn't do anything.

There are over 100 comments, so I am not even sure if I picked the right ones. They all kind of helped by putting them together.

By the way, after deleting and redoing my DHCP, I excluded the range where my static IPs (printers, etc.) were. But, then I read about making static IP ranges or scopes. Do you need to do that.

If you can't answer, that's OK. <G> It's kind of related.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20362817
DHCP is just that, dynamic not static, so the scope you create is for DHCP addresses. Traditionally you set a range for your scope like 192.168.100.101 to 192.168.100.150, but another method, which is the SBS default, is to make the entire subnet DHCP such as 192.168.100.1 to 192.168.100.254 and then create exclusions for know static IP's such as the server (very critical) and other devices like routers and printers.

By the way a scope includes the range (correctly named the address pool), scope options (router, DNS, WINS, etc), exclusions, and Reservations.

The problem with static addresses is you have to maintain a list of them. An alternative is the last option above, reservations. You can reserve an IP for a specific device such as a printer by creating a reservation which assures the DHCP server will always assign that IP to that MAC address. This is very useful in that you can centrally make changes very easily (allowing for lease expiries), and the DHCP management console maintains a dynamic list of reserved (effectively static) IP's. Do not assign your DHCP server an IP in this way.

My preference on the other hand is to maintain certain ranges of IP's for specific types of equipment such as the example below:
x.x.x.1 to x.x.x.19  Servers (I use static for all servers)
x.x.x.20 to x.x.x.49 Printers (I use reservations but can be static)
x.x.x.50 to x.x.x.99 Computers requiring a fixed IP (I use reservations)
x.x.x.100 to x.x.x.199  DHCP address pool
x.x.x.200 to x.x.x.254 Routers and other network devices

Make sure your DHCP doesn't conflict with any statics you have assigned. If they do create an exception.

Thanks Bert.
Cheers !
--Rob
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20362854
Thanks for the detailed explanation. Very helpful. I wonder what DHCP scope room1 belongs in? LOL J/K
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20363277
Just for giggles try hooking a different keyboard up to the computer and see what happens.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20365560
Joe,

Hope, you don't mind Joe. You know, at this point I will try anything. I will do just that today and get back to you on the results. Of course, that makes it hard to explain the different number of day son the scripts. I wish I could fly you all in to see this thing. That's the only way to really fathom it. But, then there must be a solution. Wait, if I only had one wish, I doubt I should use it for that. Maybe I would wish that one of you or TechSoEasy lived in Brewer. LOL

There is a thing in medicine called Occam's razor. He was a very famous physician from, I believe, the 1800s. He posited that if a patient had a headache, sore throat and abdominal pain, they probably don't have migraines, mononucleosis -> sore throat, and appendicitis. They probably have one thing that explains all = Strep throat which can give all the above symptoms especially in children.

But, I will try it. I wonder also if it could be a bad NIC card. I mean it works, but a new driver in the server seemed to help with DNS. But, I did replace the driver on Room1.

I'm sorry, the question is probably over so I shouldn't continue.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 20367223
>There is a thing in medicine called Occam's razor<
You probably already know Bert but it also crops up in Cosmology & elsewhere, but now i'm getting even further off track!

>reading HJT novels<        << That's a good one!  <G>

Anyway, good luck, & thanks (all) for a piece of the cake;  this must be one of the longest threads of all time!
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20370866
It was a long thread. I am not sure if it was quite as long as

http://www.experts-exchange.com/Networking/Misc/Q_21680714.html or the other questions linked in this question. There were three or four questions involved and to this day, still my favorite troubleshooting effort on here. And, so much help from the experts including our famous Rob.

The irony of the questions that took around two or three is that combined it was probably around 200 or more comments. While grsteed (Gary) finally solved it, there is a link to an almost exact same PAQ, where it was solved with one answer.

It's actually a great read -- for an IT guy.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20373204
OK, guys. We have a solution. Answers at 6PM EST.

Hint: There may not be an Occam's razor. Scary thought, given I have been practicing for over 13 years, and I have always gone by that.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20378796
It's now 7:30 EST <G> ??????
Hope it didn't die again.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20378876
Oh, that's right. I got caught up with my programmer, Mr. ED.

Well, let's just say I owe joediggityw 500 points. As I had promised him, just for laughts I changed the keyboard, mouse and the USB connector between rooms 1 and rooms 2. Rather than try room 1 first, I decided to try room 2. Well, wouldn't you know, all sorts of weird things started happening there. So, I went to room 1, and perfect. No click backs. No possessed back space key. No viruses except maybe in the keyboard, lol. It was perfect. So, then all we had to figure out besides why the keyboard (or mouse?) did that, was what was up with the dates.

Well, armed with the confidence that I probably did not have a virus, I figured there has to be something different on my computer and room 1's compter with the dates. I happened to look down at AmazingCharts and a patient was highlighted, which means he DOB was just below his name. The date of birth was 2007-08-23. That looked rather odd to me, so I checked out a good computer and the DOB was written as 08-23-2007 for the same patient. So I went to Regional and language settings in control panel, pulled up the date window and did a print screen. I compared this with the settings on the other two computers and, sure enough, the settings were different. I changed the settings and, wahlah!, the scripts were perfect. So, I was the first one at the door at Circuit City to buy a new keyboard and mouse, and I labelled the keyboard and mouse from room 1 as possessed and put it in the basement so they were quarantined. I will send them away later for testing. <G>

Now, all I have to find out is why the YVXSE service won't start secondary to its not find its path (which makes sense since I deleted the file when I thought it was a virus -- it looked like a skull and crossbones and seemed to be part of sysinternals) or if it is even necessary.

And, did this all happen due to the Symantec removal: DNS not starting, NIC card issues and Date issues or was it all coincidence?

By the way, I did go all day yesterday and today as a user, but it is driving me crazy. I must have had at least ten things occur where I needed to be an administrator. I know I can log on as an administrator, but when I have a download on my desktop and can't install it, if I log in as another user which has administrator rights, it will be a different desktop and I won't see the download. Maybe I can browse to it through Documents and Settings. It isn't the type of thing you can do a Run As on. Now, since I didn't have viruses, I will probably get all sloppy again.

But, hey, thanks Rob, and Jonvee and Joediggity. : )

PS Sorry about slipping in a few comments that cold be questions.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20378951
Interesting. Sounds good and thanks for the update.

What are you doing that requires admin rights that often? I have clients your size that no admin account is used for months at a time. Servers work best when you set them up and leave them alone except for monitoring and updates. SBS R2 will do both for you automatically.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20379066
Hi Rob,

No this is on my computer. I needed to download a program and couldn't. When I tried to click on the clock in the system tray to look at a setting, it wouldn't let me. Yesterday, while troubleshooting something, I needed to make a change to a setting on a NIC card on a static IP address (I use dymanic, but just needed to try something), and it wouldn't let me. Nothing to do with the server.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20379106
Ah! Different story. Contrary to all IT recommendations, every user is supposed to be an admin on their workstation, in an SBS network. It will set that by default when you run the connectcomputer wizard. Are you not getting an error at logon that the script could not be run, if you are not an admin?
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379449
I know I am stupid for it but even in my larger domain (500+ nodes)  I allow the end user local admin rights on their individual computers...at least until they prove they can't handle the rights.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20379484
Well all of the other computers other than mine, have users located in the local administrator group -- just the ones that need access to those computers. (Remember the whole debate over locking and logging off).

My compuer, on the other hand, has only Administrator and Domain admins under the Local administrator group. I am not sure why I am not listed as a local admin, which I know you disagree with anyway. Since my user account specifically is not listed, when I am only a user and log in, I do not have any local administrator rights, which is why I get the message when I log on that I cannot install or configure applications in the Client Setup Wizard.

BUT, if I put myself in the local adminstrator group, even if I logged in as a user only, viruses and such would still be able to have access to areas that only users with admin rights have, correct?

So, either way: having myself listed in the local admin group and logging in as a user only or a domain admin for that matter OR logging in as a domain admin would be just as insecure.

BUT...this sounds like a whole new question. <G>

PS I can't find the website article now, of course, but I read an article by a techie where he talked about a lot of computer network stuff mainly referring to security. He gave many good tips, but ironically at the end talked about logging in with user privilegs only but admitted that he simply couldn't.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379515
I have a friend who runs his computer as admin but launches IE and OUTLOOK with a less priveleged non-admin accounts.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379520
and I can kick myself for not thinking of the region settings, that actually got me one time long ago.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20379525
Joe,

Thanks. That is a topic of great debate and one I have been a part of quite a bit. I finally did it, becaue my staff kept getting locked out of their computers. I know they should log off...

I guess the only time you would get in trouble is if the keyboard became infected with a virus. <G> But, it is true that they probably would not be able to change the date and time settings.

Wow. I have a difficult enough time managing seven computers. 500! But, then I am a doctor just playing as an IT admin.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379532
and I am an it admin just playing doctor for his kids..
0
 
LVL 1

Author Comment

by:Bert2005
ID: 20379583
"and I am an it admin just playing doctor for his kids.."

Too funny. And, I probably wish I were an IT admin and vice versa.

If you had remembered the regional thing, you definitely would be owed 500 points.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now