Server 2003 Locks

My Windows 2003 domain controller keeps locking up all the time and I have to run this command to make it accessible again:

secedit /configure /cfg c:\windows\repair\secsetup.inf /db secsetup.sdb /verbose

After a few hours it locks up again. I've scanned for viruses with the latest NOD32 AV but the system seems clean.
slekkasAsked:
zelron22Commented:
Are there any errors in the event logs?  When you say it locks up, how exactly do you mean it locks up?  Can you log in locally, access shares, use remote utilities to access it?

What do you have for antivirus on it?  
0
slekkasAuthor Commented:
I can log in locally but I cannot access any shares on the computers on the domain, and other computers cannot access the shares on that server. They get an access denied error. I can log in through Terminal Services or LogMeIn and I have access to the internet. The only problems are the shares and the authentication. Let's say I try to add a computer to the domain: it won't allow it. As soon as I enter the above command everything is back to normal, but it lasts only for a few hours. I really think it's a virus, but since the antivirus does not pick up anything I don't know what to do. Is there another command that will make those settings permanent? I read somewhere on Experts Exchange that the secedit command is for Windows 2000 and that there is another command for Windows 2003. If this is the case, can you tell me the syntax?
I haven't seen any unusual logs in the event viewer.
0
slekkasAuthor Commented:
A few event logs I get are these:

Event ID: 53258

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Event ID: 1000

Faulting application explorer.exe, version 6.0.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x71c04f3b.

Event ID: 5603

A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

Event ID: 1030

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event ID: 1863

This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
CN=Schema,CN=Configuration,DC=trofodotikh,DC=local
 
The local domain controller has not received replication information from a number of domain controllers within the configured latency interval.

0
zelron22Commented:
The reason I asked about what version of antivirus you were using is that Symantec Endpoint Protection had some issues with certain versions.  We only experienced it on Windows Server 2008, but I know that depending on the version it could also be an issue with 2003.

http://blog.ralfelt.com/post/Symantec-Endpoint-Protection-suddenly-(radomly)-blocks-clients-from-accessing-shared-files.aspx

This link (it's a long thread) has a solution that worked on 2008 and improved things on 2003 but didn't fully resolve it.
0
slekkasAuthor Commented:
But I am not running Symantec.
0
slekkasAuthor Commented:
Any other ideas?
0
slekkasAuthor Commented:
I also get Event ID: 40960

The Security System detected an authentication error for the server ldap/server1.trofodotikh.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

Which is the best way to reset my Kerberos settings on the domain controller?

Come on guys, help me out here. I'm about to go crazy.
0
zelron22Commented:
This is the solution for the MSDTC error: http://support.microsoft.com/kb/923977

This is the solution for the 5603 RSOP error: http://support.microsoft.com/kb/915148

Okay, so these don't solve your problem. How did you figure out that the secedit update fixed the problem? It may be part of the puzzle.

You may want to call Microsoft PSS; it's only like $500 per incident.

That being said, have you run a DCDIAG or NETDIAG on the server?
0
slekkasAuthor Commented:
I finally figured it out. I had a worm running as a REGVI.EXE process that was messing up my security settings. The exact thing it did was to blank the "Access this computer from the network" policy under Group Policy Editor > Windows Settings > Security Settings > Local Policies > User Rights Assignment. I manually removed all the entries from the registry. The problem is that this infected all the computers on the network, and if one is not cleaned it spreads again. I'm very disappointed with ESET since I bought NOD32 for business use and even when I scanned the file it didn't see it as a worm. Not even a removal tool on their website. I have to remove it manually on 30 PCs.

Any advice on that?
0
ChiefITCommented:
I think you have far worse problems than RegVI.

The symptoms you are experiencing coincide with a pretty nasty bug called Conficker.

RegVI is a cloaking software and can accompany a number of different pieces of malware. It uses a specific type of packing software that is hidden from some AV scanners. If an AV scanner can't get into the code to see its contents, how can it decipher if it is a virus or packed malware? RegVI could have been used to hide from ESET.
http://www.prevx.com/filenames/218558656102694852-X1/REGVI.EXE.html

I am really liking this particular malware scanner. It is called Malwarebytes. Some fellow experts on EE turned me onto it. The website boasts it can scan up to 1 billion infections and does a pretty good job at going to the root of the issue.
http://www.malwarebytes.org/

For something free and proven helpful, consider downloading HijackThis and posting your findings on this website:
http://www.hijackthis.de/index.php?langselect=english#anl
0
ChiefITCommented:
I also requested this be placed within the security and antivirus zones for experts with an IT security and cleanup background.
0
slekkasAuthor Commented:
After I removed the regvi.exe, regv.exe and regview.exe hidden files under the windows\system32\driver folder and all the related registry keys, the servers worked just fine. Then at some point I noticed that the server was once again infected. I looked at all our workstations and I found out that all my Windows 2000 clients were infected. None of the Windows XP clients seemed infected. The virus did not do any harm on the Windows 2000 clients, but as soon as you initiated any kind of connection the server immediately got infected again. I removed all the clients from the network and I cleaned them manually one by one. It was a little painful since the virus ran as a service and I had to manually change permissions on some registry keys. After I cleaned all the clients I left the last one disconnected from the network and I did some experiments to see if any AV software would detect anything. I tried Symantec AV, NOD32, McAfee, SuperAntiSpyware, Anti-Malware and Spybot S&D without any results. INCREDIBLE. I contacted ESET and I sent them a sample of the virus and the registry keys. They are now working on a fix. Since yesterday morning my network works great and my security settings are intact. It really caused me a lot of trouble.

Thanks for trying to help.
0
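Added example (not code from the thread or from any vendor named in it): a defender-side PowerShell audit for the two findings slekkas describes above, whether the "Access this computer from the network" right (SeNetworkLogonRight in a secedit export) has been blanked, and whether the hidden regvi.exe/regv.exe/regview.exe files or a service launching them are present. It assumes an elevated PowerShell 2.0 or later session on the DC with secedit.exe available; the System32\drivers path is my assumption from the thread's wording.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 2.0+ session
# on the DC and that secedit.exe is available. Paths/names come from the thread's description.

function Test-NetworkLogonRight {
    # Export the local security policy's user rights and return the SIDs granted
    # "Access this computer from the network" (SeNetworkLogonRight). An empty list
    # reproduces the symptom in the thread: share access and domain joins fail.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        # secedit writes UTF-16 with a BOM, which Get-Content detects.
        $line = Get-Content -LiteralPath $inf |
            Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } | Select-Object -First 1
    } finally {
        Remove-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right not exported at all: nobody holds it
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() })
}

$granted = Test-NetworkLogonRight
if ($granted.Count -eq 0) {
    Write-Warning '"Access this computer from the network" is empty; reapply the policy and find the cause.'
} else {
    Write-Output "SeNetworkLogonRight = $($granted -join ', ')"
    # Default DC entries include Administrators (S-1-5-32-544) and Authenticated Users (S-1-5-11);
    # secedit prefixes SIDs with '*'.
    foreach ($sid in '*S-1-5-32-544', '*S-1-5-11') {
        if ($granted -notcontains $sid) { Write-Warning "Expected entry $sid is missing from SeNetworkLogonRight." }
    }
}

# Look for the hidden executables the thread found under the drivers folder (path assumed).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($name in 'regvi.exe', 'regv.exe', 'regview.exe') {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {       # Test-Path sees hidden files
        $item = Get-Item -LiteralPath $path -Force
        Write-Warning ("Found {0} ({1} bytes, attributes: {2})" -f $path, $item.Length, $item.Attributes)
    }
}

# The thread notes the worm ran as a service: list any service whose binary path names those files.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -match '\\regv(i|iew)?\.exe' } |
    Select-Object Name, State, StartMode, PathName
```

Run it on the DC and again on each client before reconnecting it; a client that still shows the files or the service is the one that will reinfect the server.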
ChiefITCommented:
So, did you conclude that this is the Conficker/Downadup virus, or is this new code?
0
ChiefITCommented:
Sorry for double posting:

Some viruses take advantage of System Restore. If you enabled System Restore, the virus could immediately reinfect the computer.

Remember that RegVI is a cloaking software used to hide viruses, not the virus itself. Also, the symptoms you describe still look like Conficker (also known as Downadup).
0
csncocCommented:
Microsoft has sent us a reply to a case we have open stating that there is a known issue with NOD32 running on domain controllers. We have been able to isolate it down to NOD32 v4 running on domain controllers. Try downgrading the NOD.
0