Programs not starting anymore on SBS 2003 server

Hi there,
I am running an SBS2003 server with a client. This morning I tried to add a laptop to the domain, but it gave an error about not finding a good DNS server. So I logged in on the server to see what's wrong with the DNS, but found out the DNS management console is not starting. So I tried services.msc, but that doesn't do anything either. Then I tried to run msc directly from system32 without luck too. I checked auto updates and it seems to have installed a bunch of security upgrades since the last time I added computers to the domain (about 3 weeks ago).
So I wanted to remove these updates, but found out that the program manager isn't starting either. So I am a little bit stuck now.

Thanks,
Roger
rogerberger Asked:

arnold Commented:
Usually you want to check the ipconfig on the client. At times, the DNS settings must be manually set, as small offices often let the router allocate IPs while manually configuring the DNS settings on the clients. Once you set the name server on the system that you want to join to point to the SBS IP, you should be able to join the system into the domain.

You would likely need to use one of the existing domain workstations and install the support/resource tools as well as the adminpak and the group policy management console to allow for remote management.  The issue is likely a virus infection that altered the mapping.
Using remote access you should be in a better position to manage the SBS, creating a separate administrative user to see whether the issue is isolated to the one user (which is often the case).


You could also use regedit (make sure you are extremely careful) when checking the attributes/classes/suffixes...
0
Larry Struckmeyer MVP Commented:
Hi:
There are no updates that are known to cause this.  I suspect malware.  From a thumb drive install, update and run Malwarebytes.  If it won't run either, try safe mode or safe mode with networking so you can update.

As a last resort, if Exchange is running, export the recent mail, copy off the data, and restore from backup.
0
bbao (IT Consultant) Commented:
Ever tried to simply restart the SBS server? Any issue can be fixed this way?
0

arnold Commented:
Restart is an unknown, and could have a significantly worse result than exists now, i.e. the malware/virus is embedded in the HKLM run/etc and upon restart will run...
0
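A read-only triage batch file for the two things arnold raises above (an altered file mapping, and autostart entries under the HKLM Run keys), added here as an example and not posted by anyone in this thread. It assumes the stock `assoc`, `ftype`, `reg` and `findstr` tools on Server 2003 and a command prompt that still opens; the Image File Execution Options check is an extra that the thread does not mention.

```bat
@echo off
rem Added example, not from the thread. Read-only: it queries settings
rem and changes nothing. Run from cmd.exe; redirect to a file to keep a copy.
setlocal

echo === File associations for console snap-ins and executables ===
rem Stock mappings are .msc=MSCFile and .exe=exefile.
assoc .msc
assoc .exe
rem The stock MSCFile handler starts mmc.exe from the system32 folder.
ftype MSCFile
ftype exefile

rem Flag an .msc handler that no longer points at mmc.exe.
ftype MSCFile | findstr /i "mmc.exe" >nul
if errorlevel 1 echo [WARN] MSCFile handler does not reference mmc.exe

echo.
echo === Autostart entries: HKLM and HKCU Run / RunOnce ===
for %%K in (Run RunOnce) do (
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K" 2>nul
    reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K" 2>nul
)

echo.
echo === Image File Execution Options: Debugger redirects ===
rem A Debugger value under a program's key makes Windows launch that
rem debugger instead of the program. Show key names and Debugger values.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s | findstr /i /c:"HKEY_" /c:"Debugger"

endlocal
```

Compare the output with a known-good server of the same build; an unfamiliar executable in a Run key or a changed handler is a lead to investigate, not proof of infection.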
pgm554 Commented:
I second just restarting the server.
You could just have memory corruption or a memory leak, and it is M$ Windows after all, not Netware.

You said it installed a bunch of updates.
Has it been rebooted since then?
They could just be stale and in need of a reboot anyway.
0
rogerberger (Author) Commented:
Yes,
I also tried restarting, but that didn't help. I am running an up-to-date ClamWin virus scanner on the server. I'll let it do a full run, to see if it finds something. After that I'll try Malwarebytes, but I don't know how a virus/malware could have gotten on the server. Nobody has been on the server but me.

Thanks,
Roger
0
bbao (IT Consultant) Commented:
> I am running an uptodate Clamwin virusscanner on the server.

If you really worry about malware infection, the HD is better scanned off-line rather than scanning itself (the malware may still be active, if any, and preventing you from catching it).

> Nobody has been on the server, but me.

Does it mean it is unlikely to be infected as only you can operate on the console?

Anyway, after rebooting the server, did you observe anything abnormal in the system event logs?
0
Davis McCarn (Owner) Commented:
On another, working PC, create a Windows Defender Offline CD: http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
If it is 2003, you want the 32-bit version.  Boot it and let it scan the server.
I'll bet there are tons of access denied in the event logs; but, we can't get there yet!
0
pgm554 Commented:
Have you tried last known working config?

http://support.microsoft.com/kb/325375
0
rogerberger (Author) Commented:
Hmm.. This morning the server was recovered. I had left Malwarebytes running yesterday. It now shows an error:
[Image: sbs2003.jpg]
Now I want to run sfc /scannow but of course the SBS2003 discs are not available anymore. :-|

P.S. pgm554: your link is not working for me.
0
Davis McCarn (Owner) Commented:
MalwareBytes is not anywhere near as effective as it was a few years ago which is why I suggested Windows Defender Offline.  The fact that it got clobbered strengthens the case for a malware infection.
If you'd rather try other tools, TDSSKiller, RogueKiller, and ADWCleaner are far better than MalwareBytes:
http://www.bleepingcomputer.com/download/tdsskiller/
http://www.bleepingcomputer.com/download/roguekiller/
http://www.bleepingcomputer.com/download/adwcleaner/
0
Larry Struckmeyer MVP Commented:
@ DavisMcCarn:

> MalwareBytes is not anywhere near as effective as it was a few years ago

Davis, I respect your opinion as your opinion, but am wondering if you have any substantiating data or evidence for this claim?  Or perhaps you might be willing to add "in my opinion" to your comment?

Note that other than as an occasional user I have no relationship with MBAM or any of its owners, staff, affiliates or any other entity or person associated with them.  But I have not experienced the reduction in effectiveness that you apparently have, nor have I ever seen this statement in public before.

Not to take away from the effectiveness of the alternatives you listed, but MBAM has been our place to start as it has found lots, cured most, and if there is still malware on the system we can move on to other, often more draconian, malware killers.  Next to last resort is "ComboFix", from the same location you list.  Last resort is "Restore from Backup", followed by "wipe and reload", which may be first choice depending on the nature of the system and the time involved to clean or rebuild.
0
Davis McCarn (Owner) Commented:
Larry,
In the past 3 years I have seen at least a hundred PC's where MalwareBytes was either already resident or was tried by the owner prior to them calling me for help and, in most cases, the infestation was still present and not detected.  Based on that, my conclusion is that the bad guys have countered MalwareBytes as it is quite popular and its efficacy isn't what it used to be.
As a note, I have had to "wipe and reload" two PC's in the last 3 years out of the hundreds I have serviced.  I was able to clean all of them; but, those 2 had Windows damage preventing full recovery.
Roguekiller is a little easier on the system which is why I prefer it to ComboFix.
0
Larry Struckmeyer MVP Commented:
Wipe and reload is often more time effective than hours running various anti malware programs, and even if the removal appeared to be successful one cannot be sure what was left behind.  Like you, we have been able to clear most, but we still like MBAM for the initial screen as the users can do it themselves.  If there are remaining threats we can get involved and use other tools, one of which, as mentioned, is wipe and reload.  If there is a MBAM subscription in place, then obviously we would not lead with that.
0
pgm554 Commented:
The link I posted works for me here in the US.
It looks like you have corruption someplace or possibly a DLL hell issue.
I doubt if it is a virus, but this from Norton actually does a nice job of sorting out malware infections.

https://security.symantec.com/nbrt/npe.aspx

My 2 cents, one ain't gonna cut it these days.
I had a customer get backdoored when they were using Forefront 2010 and it erased the program.
I had to use MBAM, Norton PE, M$ Defender offline and ADWcleaner and all of them caught something different.
It's ugly out there these days.
0
rogerberger (Author) Commented:
OK,
I found a Windows 2003 SBS CD and started sfc /scannow. Then it ran for an hour or so. I restarted the server and everything is back to normal.
Thanks guys for thinking with me.

roger
0

rogerberger (Author) Commented:
I was able to do a simple sfc /scannow and that solved the problem.
0