
1 - 14 of 14 Posts

·
Registered
Joined
·
1,046 Posts
Discussion Starter · #1 ·
So I was in the WHS console on my rig, and it said that the console lost connection to the server. Right after that, I heard beeping from my server as if it is starting up. I connected the server to my monitor, and I saw a shutdown message saying:

"this shutdown was initiated by nt authority system"

I googled that, and apparently, it is from the "Blaster worm" that was sent out a couple of years ago, that affected Win 2000 and XP. Apparently it can affect Windows 2003 (WHS), too.

There were cases where the computer would be on a restart loop, with the same shutdown message. However, I am not receiving the problem. Also, a registry entry that the virus makes to start the shutdown at startup wasn't entered into the registry, so I think that the virus is fully on my system.

Bottom line:
1) How do I make sure that it is not on my system?
2) If it is on my WHS, how do I remove it?
3) How can I prevent viruses from getting on my server?
4) I thought that WHS didn't get viruses?

Thanks
 

·
Expand Always in Always
Joined
·
4,596 Posts
WHS is based on Win Server 2003 so it should work, give it a try (Safe Mode of course). If not, I'd give Clamwin a go.

http://www.clamwin.com/
 

·
Premium Member
Joined
·
7,249 Posts
Clamwin has a free beta module that can integrate with the WHS console. It doesn't have a real-time scanner, but it is the only option I know of apart from the paid version of Avast.

Other way of checking would be to:
* install a free AV on the server to check only the C partition (using it on the DE drives may lead to data corruption)
* use the AV from a client to scan the DE shared folders

BTW, 5 min after installing WHS I saw the same screen you had. I had a nightmare flashback about MSBlaster, I had a real hard time with it a few years ago. However, since XP SP2 all M$ OSes are immune from MSBlaster. Luckily I also remembered the solution to that screen: Win+R (Run) and type "shutdown -a". After this the restart counter stopped and never showed up again, it's over a month since it happened. This error can also appear due to some network thingy corruption or bad configuration (can't remember other details) and by using the "shutdown -a" command you override Windows, which wants to restart and correct the issue.

My 2 cents: it's not Blaster because it can't be (unless someone rewrote it and it still works as it did at the time). Most likely this error has a different cause. Use Clamwin's WHS module to scan, it seems to be a good AV and likely it's gonna find the malware if there's anything to be found.
 

·
Expand Always in Always
Joined
·
4,596 Posts
Quote:
Originally Posted by Jtvd78;11963910
Here are the results:
From my research it looks as if it could/couldn't be a virus depending? Some are stating it's a false positive, so it could be something or nothing at all? Just to be sure before deleting I would run Clamwin (to see if it picks it up), and do some more research. BTW some are reporting ill effects from deleting these entries.

http://forums.malwarebytes.org/index.php?showtopic=69312

http://www.dslreports.com/forum/r25176048-Update-MalwareBytes-Issues-two-

EDIT: Simple enough to use, based off Fedora Linux.

http://www.amahi.org/
 

·
Premium Member
Joined
·
3,582 Posts
I always get this immediately after I install WHS, usually after it downloaded a few updates. I would get it once, then never see it again, it's really weird. Ran a few scans on it and it never picked up anything.
 