
Server 2003 OS issues that seem viral or malicious


1 reply to this topic

#1 ClickOnce

  • Members
  • 1 posts

Posted 27 December 2012 - 02:24 PM

At the risk of being verbose, I have included as much information as I can think of to describe symptoms being experienced.
I have issues on Server 2003 R2, SP2. Normal authentication, no AD. It just happened in the last day or so. I turned the monitor on for the server and it was asking why it had shut down unexpectedly. I keyed in "unknown" and proceeded to log on. After logon, I saw the green "recently updated" icon in the system tray and thought that was odd, because Windows always tells itself it's restarting for updates – did updates cause some issues?

I then noticed that the My Computer, Network Places and Recycle Bin icons are displayed with unknown file icons (see attached thumbnail). Here are some other issues observed: when I right-click the icons it sees them as folders, giving me only typical folder options. Can't open mmc.exe (see attached thumbnail) to get to the Event Viewer to see what happened; I get a "class not registered" error. All Programs won't display the programs list when I click on it. On a whim I tried installing Malwarebytes; I get "regsvr32 failed with exit code 0x5". Research tells me that is an "Access Denied" issue. The Administrative Tools link doesn't work either.

I right-click the desktop, then select Add Shortcut, just to browse the computer another way or create a shortcut (see attached thumbnail). The MS wizard opens, I click Browse, and my only options are Make New Folder or Cancel; clicking Make New Folder does nothing, it doesn't browse. There are so many things that don't work that I don't even know where to start listing them to help with a diagnosis. Also, I can see IE 8 open up in Task Manager when I click on it, and then it immediately disappears from the process list without ever opening on the screen. I tried reinstalling it and get an immediate error after selecting Run, Install, and Check for Install Updates; then it errors with "Internet Explorer installation did not complete".


I can install a program, for example Firefox from a flash drive, select Launch and get to the internet just fine. When I close it, I cannot run the program again because it never created a shortcut and I cannot browse the computer in any way to find the .exe. Windows key+E and Windows key+R don't work, nor does right-clicking the desktop and selecting Properties. I can't even browse from Task Manager; the machine freezes. I have been able to browse by using other applications like ClamAV. So I can have a look around, but serious Windows apps will not run, e.g. mmc.exe.

I can get to Control Panel, in Details view let's say, but the first four items listed do not have identifiable icons; they are the Windows generic "I don't know what these are" icons with no text adjacent to them. The rest of the icons are there with text descriptions as normal. When I select Add/Remove it doesn't populate the list, so I can't look to see what updates have been installed. When I first logged on I was able to get Add/Remove to populate. In fact, I removed software (Yahoo Toolbar, Yahoo Updater, Freeze.com, and some PC registry fixer) that was not there a week ago. Ironically the owner has a Yahoo account and swears he hasn't downloaded anything. He also accesses the server from home with VNC.

The odd part is that all our practice management applications are running fine. It only seems to be the OS side of the server.

Questions:
A) Can I run sfc /scannow on Server 2003? And should I run SFC? Will it affect any of our installed applications? My reasoning is that so many things are not accessible; it reminds me of a desktop that has had a rootkit change permissions and settings.

B) Is it a Windows update that may have caused this? If so, how can I roll back? Roll back the registry to, say, the 9th of Dec?
C) RAID degraded?
The reason I even question the RAID condition is that the server will hang for a minute, sometimes longer, and eventually repaints the screen. For example, when logging in, what icons are left on the desktop take way too long to display. Or I can click on something with Task Manager up, see little if any CPU activity, and then suddenly the machine appears to freeze and then catches up with the clicks. I've seen this in the PC desktop world when a drive has bad sectors or cross-linked files. They act really slow, with not a lot, if any, CPU usage going on while it's waiting, and then suddenly it's displayed.
Is there anything like ComboFix that can run on servers?
Thanks for any help!

Attached Files


Edited by hamluis, 28 December 2012 - 07:03 AM.
Moved from Win NT to Am I Infected - Hamluis.




#2 SleepyDude

  • Malware Response Team
  • 3,125 posts
  • Location:Portugal

Posted 29 December 2012 - 01:35 PM

Hi,

If I were in your situation I would run chkdsk against the C: drive and SFC.
As far as I know there is no way to roll back the registry, because there is no System Restore on Server 2003; you need to have backups or use a tool like ERUNT to back up the registry.

Edited by SleepyDude, 29 December 2012 - 01:35 PM.

Proud graduate of GeekU and member of UNITE
___
Rui
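The procedure SleepyDude outlines (back up the registry with ERUNT, run chkdsk on C:, then SFC), written out as a two-phase cmd.exe script for Server 2003 R2 SP2. This is an added example, not code from the thread or from BleepingComputer. Assumptions not stated on the page: the system volume is C:, ERUNT is unpacked at C:\Tools\ERUNT, and the i386 source that SFC reads from (the SourcePath value under the Setup key) points at SP2-level media. reg.exe and eventquery.vbs ship with Server 2003, which matters here because the poster cannot open mmc.exe to reach the Event Viewer.

```batch
@echo off
setlocal EnableExtensions
REM Added example (not from the thread). Usage:
REM   fixup.cmd prep   back up the registry, dump recent System-log errors,
REM                    schedule chkdsk /f /r for the next boot, then reboot
REM   fixup.cmd sfc    after the reboot: verify WFP and the install source,
REM                    then run sfc /scannow
REM Assumed paths (not on the page): ERUNT location, C: as boot volume.

set ERUNT=C:\Tools\ERUNT\ERUNT.EXE
set BACKUPDIR=C:\ERDNT\before-sfc
set SETUPKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

REM Both phases need an administrative token; "net session" fails without one.
net session >nul 2>&1 || (echo Run this from an administrator command prompt.& exit /b 1)

if /i "%~1"=="prep" goto :prep
if /i "%~1"=="sfc"  goto :sfc
echo Usage: %~nx0 prep ^| sfc
exit /b 1

:prep
REM 1. Registry backup first. Server 2003 has no System Restore, so the
REM    ERUNT copy of the hives is the only rollback point you will have.
if not exist "%ERUNT%" (
    echo ERUNT not found at %ERUNT% - back up the registry before changing anything.
    exit /b 1
)
"%ERUNT%" "%BACKUPDIR%" sysreg curuser otherusers /noconfirmdelete /noprogresswindow
if errorlevel 1 (echo ERUNT backup failed.& exit /b 1)
echo Hives saved to %BACKUPDIR% - restore later with %BACKUPDIR%\ERDNT.EXE

REM 2. The last errors from the System log, without mmc.exe. Disk or ntfs
REM    errors here support the "bad sectors" theory before chkdsk runs.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L System /FI "Type eq ERROR" /R 25

REM 3. chkdsk cannot lock the boot volume while Windows is running, so it
REM    asks to schedule the check at the next boot; answer Y for it.
REM    /r (surface scan, implies /f) is slow on a large array but is the
REM    right choice for a "hangs, then catches up" disk symptom.
echo Y| chkdsk C: /f /r
echo chkdsk is scheduled. Reboot, let it finish, then run: %~nx0 sfc
exit /b 0

:sfc
REM 4. Windows File Protection must be on for SFC to mean anything.
REM    SFCDisable is 0 (or absent) by default; any other value means WFP
REM    was switched off, which is worth knowing on a suspect box.
set SFCDISABLE=0x0
for /f "tokens=2*" %%A in ('reg query "%WINLOGON%" /v SFCDisable 2^>nul ^| find /i "SFCDisable"') do set SFCDISABLE=%%B
if /i not "%SFCDISABLE%"=="0x0" (
    echo WARNING: SFCDisable is %SFCDISABLE% - Windows File Protection is off. Find out what set it.
)

REM 5. SFC on 2003 pulls replacement files from SourcePath\i386 (and
REM    ServicePackSourcePath for SP-level files). On an SP2 system the
REM    source must be SP2-level, or SFC keeps prompting for a CD.
set SOURCEPATH=
for /f "tokens=2*" %%A in ('reg query "%SETUPKEY%" /v SourcePath 2^>nul ^| find /i "SourcePath"') do set SOURCEPATH=%%B
if not exist "%SOURCEPATH%\i386\" (
    echo SourcePath "%SOURCEPATH%" has no i386 folder - mount the SP2 media or fix SourcePath first.
    exit /b 1
)

REM 6. Scan the protected system files and replace any that fail the
REM    catalog check. Files outside the WFP list (third-party apps) are
REM    not touched.
sfc /scannow

REM 7. WFP logs every replacement to the System log; list those entries
REM    so you know what was actually changed.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L System /R 100 /FO CSV | find /i "Windows File Protection"
exit /b 0
```

Two caveats worth keeping in mind with this sequence. sfc /scannow only restores protected system files whose signatures no longer match; it does not reset registry values or NTFS permissions, so any symptom rooted in those survives it, which is exactly why the ERUNT backup comes first. And chkdsk /r on a volume that is already throwing disk errors can take hours on a server-sized array; if the practice management applications must stay up, schedule the reboot for a maintenance window rather than running it mid-day.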

 
 




