Virus on WHS?

post #1 of 14
Thread Starter 
I was in the WHS console on my rig, and it said that the console lost connection to the server. Right after that, I heard beeping from my server as if it were starting up. I connected the server to my monitor, and I saw a shutdown message saying:

"this shutdown was initiated by nt authority system"

I googled that, and apparently it is from the "Blaster worm" that was sent out a couple of years ago and that affected Win 2000 and XP. Apparently it can affect Windows 2003 (WHS), too.

There were cases where the computer would be in a restart loop with the same shutdown message. However, I am not having that problem. Also, a registry entry that the virus makes to start the shutdown at startup wasn't entered into the registry, so I think that the virus is fully on my system.


Bottom line:
1) How do I make sure that it is not on my system?
2) If it is on my WHS, how do I remove it?
3) How can I prevent viruses from getting on my server?
4) I thought that WHS didn't get viruses?


Thanks
post #2 of 14
1,2,3:
Malwarebytes:

http://www.malwarebytes.org/


Also download and run MSE:

http://www.microsoft.com/security_essentials/
Best free anti-virus


4:
Any operating system can get viruses
Edited by CovertCover - 1/8/11 at 9:55am
post #3 of 14
Thread Starter 
Quote:
Originally Posted by CovertCover
I'm not sure that malwarebytes works on WHS
post #4 of 14
Thread Starter 
Bamp. Need help
post #5 of 14
Thread Starter 
Bummmp
post #6 of 14
WHS is based on Win Server 2003, so it should work; give it a try (Safe Mode, of course). If not, I'd give ClamWin a go.

http://www.clamwin.com/
post #7 of 14
Boot to another environment and scan from there.

Secured2k using ESET is the one I like the best.
post #8 of 14
ClamWin has a free beta module that can integrate with the WHS console. It doesn't have a real-time scanner, but it is the only option I know of apart from the paid version of Avast.

Other way of checking would be to:
*install a free AV on the server to check only the C partition (using it on the DE drives may lead to data corruption)
*use the AV from a client to scan the DE shared folders

BTW, 5 min after installing WHS I saw the same screen you had. I had a nightmare flashback about MSBlaster; I had a real hard time with it a few years ago. However, since XP SP2 all M$ OSes are immune from MSBlaster. Luckily I also remembered the solution to that screen: Win+R (Run) and type "shutdown -a". After this the restart counter stopped and never showed up again; it's over a month since it happened. This error can also appear due to some network thingy corruption or bad configuration (can't remember other details), and by using the "shutdown -a" command you override Windows, which wants to restart and correct the issue.

My 2 cents: it's not Blaster because it can't be (unless someone rewrote it and still works as it did at the time). Most likely this error has a different cause. Use Clamwin's WHS module to scan, it seems to be a good AV and likely it's gonna find the malware if there's anything to be found.
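One way to follow up on the "initiated by NT AUTHORITY\SYSTEM" message discussed in this thread is to read the System event log, where Windows records shutdowns as Event ID 1074 (source USER32) together with the initiating process and account. The sketch below is an added example, not code from any poster: the message layout it parses, the sample records, the function names and the verdict labels are all assumptions constructed for illustration.

```python
import re

# Assumed layout of the Event ID 1074 (source USER32) message text.
HEAD = re.compile(
    r"The process (?P<process>.+?) has initiated the (?P<action>\w+(?: \w+)?) "
    r"of computer (?P<computer>\S+) on behalf of user (?P<user>.+?) "
    r"for the following reason:", re.S)
COMMENT = re.compile(r"Comment:\s*(?P<comment>.*)", re.S)

# Constructed sample records (timestamp, message); host and times are made up.
SAMPLE_EVENTS = [
    ("2011-01-01 10:02:11",
     "The process winlogon.exe has initiated the restart of computer SERVER "
     "on behalf of user NT AUTHORITY\\SYSTEM for the following reason: "
     "No title for this reason could be found\n Comment: Windows must now "
     "restart because the Remote Procedure Call (RPC) service terminated "
     "unexpectedly"),
    ("2011-01-02 03:00:05",
     "The process shutdown.exe has initiated the restart of computer SERVER "
     "on behalf of user NT AUTHORITY\\SYSTEM for the following reason: "
     "Other (Planned)\n Shutdown Type: restart\n Comment: nightly maintenance"),
    ("2011-01-03 21:40:37",
     "The process Explorer.EXE has initiated the power off of computer SERVER "
     "on behalf of user SERVER\\Administrator for the following reason: "
     "Other (Planned)\n Shutdown Type: power off\n Comment: "),
]

def parse_1074(message):
    """Return the fields of one shutdown record, or None if it is not one."""
    head = HEAD.search(message)
    if head is None:
        return None
    rec = head.groupdict()
    comment = COMMENT.search(message)
    rec["comment"] = comment.group("comment").strip() if comment else ""
    return rec

def triage(events):
    """Label each shutdown: operator, review (SYSTEM), investigate (crash)."""
    findings = []
    for when, message in events:
        rec = parse_1074(message)
        if rec is None:
            continue  # unrelated event text
        by_system = rec["user"].upper() == "NT AUTHORITY\\SYSTEM"
        crashed = "terminated unexpectedly" in rec["comment"].lower()
        verdict = "investigate" if by_system and crashed else "review" if by_system else "operator"
        findings.append((when, rec["process"], rec["user"], verdict))
    return findings
```

Calling `triage(SAMPLE_EVENTS)` returns one tuple per shutdown record; a SYSTEM-initiated restart whose comment reports a service that terminated unexpectedly is the case worth tracing further.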
post #9 of 14
Thread Starter 
Well, I just installed Malwarebytes, and it's scanning....
post #10 of 14
Thread Starter 
Here are the results: