Sarfrazsaleemi asked:
How do I remove virus/trojan from my infected server

I have Windows Server 2003 Enterprise Edition. After it was infected by a virus/trojan, its Task Manager and Registry Editor were disabled, and when I browse to this server on the network it gives the error message below:
\\server is not accessible.  You might not have permission to use this network resource.
Contact the administrator of this server to find out if you have access permissions.
Logon Failure:  The user has not been granted the requested logon type at this computer.

When I enable Task Manager and Registry Editor through gpedit.msc, after some time they are automatically disabled again. I have scanned the server with Norton Corporate 10 but it could not detect any virus. How do I resolve this issue and prevent other servers from infection?
plug1:

You need to boot into safe mode and scan the server with your AV software then. If there is a virus it should be picked up then; make sure it's fully up to date, and until you have rectified the problem physically disconnect it from the network, i.e. take the network cable out.

First, disconnect it from the network, as plug said. Then look at all processes in Task Manager and check all suspicious ones on Google. Or post the tasklist here.
Sarfrazsaleemi (asker):

Thanks for the quick response. Please find below the process details after disconnecting from the network:


agntsrvc.exe
cmd.exe
CpqRcmc.exe
cpqteam.exe
csrss.exe
dnsmp.exe
dfssvc.exe
explorer.exe
hpsmhd.exe
hpsmhd.exe
inetinfo.exe
lsass.exe
mmc.exe
msdtc.exe
omtsreco.exe
oracle.exe
rotatelogs.exe
rotatelogs.exe
rotatelogs.exe
service.exe
smhstart.exe
smss.exe
snmp.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
sysdown.exe
System
System Idle Process
taskmgr.exe
TNSLSNR.EXE
winlogon.exe
wmiprvse.exe

Please advise any suggestions. Thanks.

There's nothing out of the ordinary on that list, and if you've scanned the server in safe mode with up-to-date libraries then I don't think it's a virus causing your problem. What errors end up in the event log?
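An added example for the two points raised above (the tools being re-disabled by policy, and triaging the process list); this is not code from the thread or from any of its participants. It assumes Windows PowerShell is available on the disconnected server, that it runs as an administrator, and that C:\Temp is writable.

```powershell
# Added example (not from the thread): re-check the two policy values that
# disable Task Manager and the Registry Editor, then dump a process inventory
# with image paths and signature status for triage. The output path is an assumption.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    foreach ($name in $policyValues) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -eq 1) {
            Write-Warning "$name is set to 1 under $key (tool disabled by policy)"
        }
    }
}

# Inventory running processes: image path, command line and Authenticode status.
# Unsigned binaries outside %SystemRoot% or Program Files deserve a closer look,
# as does anything whose path cannot be resolved at all.
$report = Get-WmiObject Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig = 'n/a'
    if ($path -and (Test-Path $path)) {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [PSCustomObject]@{
        Name        = $_.Name
        PID         = $_.ProcessId
        Path        = $path
        Signature   = $sig
        CommandLine = $_.CommandLine
    }
}

$report | Sort-Object Signature, Path | Format-Table -AutoSize

# Keep a copy to post for review or to diff against a known-good server.
$report | Export-Csv -Path 'C:\Temp\process-inventory.csv' -NoTypeInformation
```

Re-running the policy check a few minutes after clearing the values shows whether something on the box is re-setting them, which narrows the search to whatever was running in between.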
SOLUTION (Milan_Ojh): This solution is only available to members of Experts Exchange.
younghv:
A different view.
I will go to almost any lengths to repair/disinfect a workstation/notebook - but on servers my advice has always been to back up the critical data/drivers and re-build it.

Just too critical a function in your network.
IMO
^^ That's a terrible idea on an SBS box or any domain controller, tbh. If it can be fixed then fix it.
plug1 - we don't do personal attacks on EE.
Maybe by the time you're around long enough to accumulate some points and answer a few questions, you will figure that out.
gump103:

younghv, I know where you are coming from, but I must admit I've always leaned the other way. Laptops and workstations generally get rebuilt if they start exhibiting problems or virus-type behaviour. Servers, on the other hand, are worked on until fixed if at all possible (even if it means imaging the machine, rebuilding it, and then working on the image until the problem is fixed).
Just rebuilding the machine removes the possibility of finding the root cause in most situations, and if the root cause isn't known then there is a chance that the problem will recur and leave you back at square one. The reasoning behind this is that if a workstation fault recurs, one user is affected; with a server, however, the whole company could be.

ASKER CERTIFIED SOLUTION: This solution is only available to members of Experts Exchange.
The best tip I can think of is to keep web surfing on servers to a minimum and, at the least, prevent anyone with admin rights from using the internet from a server OS (i.e. Citrix or terminal servers).

Where possible, prevent servers from accessing the internet completely.