
windows 2003 server keeps freezing and not allowing remote access

Hi,
Just recently one of our Windows 2003 servers was infected with the virus Troj/TDL3mem-A, and after installing version 9 of Sophos on it, I was able to quarantine the 2 files.  Immediately after it quarantined the files, remote users could access it again (it's a Citrix server).  Then I ran a full scan and it came up clean.  Then Sophos support sent me a manual cleaner for it, and when I ran it, it said no instance of that virus was present anymore.  Users were on it for about 4 hrs, and in the evening I tried to access it when everyone was off already but couldn't get in again via Remote Desktop.  The server keeps freezing and can't even run anything locally, so they have to restart it by hitting the reset button; then right away everything works after the reboot.  Sophos wants me to run an emergency boot CD on the server, but after reading the instructions I am worried it might do more harm and the system won't be able to come up at all, since it gave 3 warnings about this possibility.  Possibly the virus did some type of damage, and even though it is gone, maybe the RPC service or other system files are not working properly.  I checked Event Viewer but there is nothing in red or anything critical that is causing the freezing.  Are there any other logs I should look at?  Thanks.

Larry Larmeu, Principal Consultant
Commented:
Start, Run, sfc /scannow

This will run Windows File Checker and make sure core Windows files are not damaged.

Author

Commented:
OK, I have done that before in the past, so I will try it now. Thanks.

Author

Commented:
Tried it, and it ran so fast I couldn't even see anything; does that seem right?
Larry Larmeu, Principal Consultant
Commented:
Usually it takes a while.  Do you have a backup of this machine?  I would think it might be a good idea to restore it to where it was before the virus.

Author

Commented:
It's a production server, so I don't want to do that right now because the infection is quarantined and it might make the situation worse.  At least now they can do some work for a few hrs at a time, but it needs a restart when frozen.

Author

Commented:
I tried it on a workstation and it runs; then I tried it on another server as well, but it didn't work there either.  Wondering if the Sophos antivirus stops it from running, since it touches system files and the setting in Sophos is set to prevent any processes that do that.  I will test this first by turning off that setting temporarily.
Distinguished Expert 2019
Commented:
You may have other virus issues.  You should scan the system locally while it is booted in safe mode.

How many users that access the system have administrative rights?
The virus could be part of their local profile and spread when they log in.

Author

Commented:
There are 3 other users with admin rights, but all the remote users using this particular server are logged in as regular users.  I see your logic, though, and it is definitely a possibility.  If I turn off the heuristic scan and sfc /scannow works, then I would feel more comfortable knowing that it was just that setting preventing the command from executing.  Will let you know soon, thanks.

Author

Commented:
Hi, sorry, I have been working the past couple of days on this server, and this is the status as of now.  I ran a full scan from a bootable CD from Sophos antivirus, and it found 1 virus and removed it.  This is what I discovered as a pattern in the freezing.  I logged into the server remotely from within the network using Remote Desktop on one of the PCs, and almost immediately the server froze again.  Then I restarted it and left it on overnight but didn't allow anyone to go into it remotely, and this morning it was up and running fine.  Then I had someone Remote Desktop to it from outside, and a few minutes later it froze again.  It is obviously affecting the RPC service, so no remote access will work on it.  But the strange thing is why it would cause the server to freeze.  I am trying to install the LogMeIn service on it, thinking that this does not use the Remote Procedure Call service, and if it works then I will have isolated the problem some more.  Any thoughts?  Also, I was sometimes getting wfshell errors when logging in, and I read that it has to do with going in as admin and that I have to change a setting in the Citrix Connection Manager to tell it to disconnect on a failed session.  Any thoughts on this weird situation?
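Since a hard freeze logs nothing until the reset, the last events before each "unexpected shutdown" record are the best evidence of what preceded the hang. The script below is an added example, not posted by anyone in this thread: it takes an exported Windows 2003 event list (constructed sample rows here, not the asker's logs) and, for every System event 6008 (previous shutdown was unexpected), lists the Security 528 logons with Logon Type 10 (Remote Desktop) that occurred in the window before it, which is one way to confirm or rule out the "RDP connection triggers the freeze" pattern described above.

```python
from datetime import datetime, timedelta

# Constructed sample export (Security and System logs merged, oldest first).
# Fields: (log, event id, timestamp, message). In Windows 2003, Security event
# 528 with "Logon Type: 10" is an RDP logon; System event 6008 is written at
# the first boot after an unexpected shutdown (here, the reset-button restarts).
SAMPLE_EVENTS = [
    ("Security", 528,  "2010-03-01 08:02:10", "User: alice  Logon Type: 10"),
    ("Security", 528,  "2010-03-01 08:03:05", "User: bob    Logon Type: 10"),
    ("System",   6008, "2010-03-01 08:12:40", "The previous system shutdown was unexpected."),
    ("Security", 528,  "2010-03-01 18:30:00", "User: admin  Logon Type: 2"),
    ("System",   6008, "2010-03-01 19:05:00", "The previous system shutdown was unexpected."),
    ("System",   6006, "2010-03-02 07:00:00", "The Event log service was stopped."),
]

RDP_LOGON_TYPE = "Logon Type: 10"


def parse(events):
    """Convert the timestamp strings to datetime objects."""
    return [(log, eid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg)
            for log, eid, ts, msg in events]


def rdp_logons_before_crashes(events, window_minutes=15):
    """For each unexpected-shutdown record (System 6008), return the RDP users
    who logged on within `window_minutes` before it was written. The 6008
    timestamp is the reboot time, so the window must cover the freeze plus the
    time it took someone to press reset; widen it for long-lived hangs."""
    parsed = sorted(parse(events), key=lambda e: e[2])
    window = timedelta(minutes=window_minutes)
    findings = []
    for log, eid, ts, msg in parsed:
        if log != "System" or eid != 6008:
            continue
        users = [m.split("User:")[1].split()[0]
                 for l, e, t, m in parsed
                 if l == "Security" and e == 528 and RDP_LOGON_TYPE in m
                 and ts - window <= t < ts]
        findings.append({"crash_logged": ts.isoformat(sep=" "),
                         "rdp_users": users,
                         "rdp_preceded": bool(users)})
    return findings


if __name__ == "__main__":
    for f in rdp_logons_before_crashes(SAMPLE_EVENTS):
        print(f)
```

A crash with no RDP logon in its window (the second one in the sample) is the useful negative: it means RDP alone does not explain every freeze, and the Citrix or local sessions before it deserve the same look.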