
Webaccess/NT Virus Problem

Status
Not open for further replies.

stevenriz

IS-IT--Management
May 21, 2001
1,069
You all should get a nice kick out of this one... We had WebAccess running for quite some time up until that pesky Nimda virus came along... I cleaned the server and all the IIS pages that were affected, or so I think... I also hotfixed and patched the box to death.... even moved all executables (command, ftp, etc...) to a different directory that is not in the PATH. Well, each time I start the Web Publishing service, within a day Nimda is back in full force. I reboot the server to stop it, then clean the server and continue on my merry way (4 hours later)... without WebAccess, mind you. I want to be able to use it again. Any helpful hints out there? Otherwise I am considering NetWare/GroupWise/GW WebAccess, which I know how to use/configure very well and isn't susceptible to these virus attacks. Thank you all!
Steve
 
I believe Nimda makes some entries in your registry. You have to clean those values manually. If you don't do that, I think it will come back, because once you restart the server these values are reloaded into memory and there you go, your Nimda is back. I will post you these values if you like; however, you can also find them on Norton's website.

happy hunting

cheers and allah hafiz

Ahsan
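The previous reply points at the registry as the place where a worm arranges to be relaunched after a reboot, which is why cleaning files alone does not stick. The following is an added example, not code from the thread or from any vendor removal tool: a read-only PowerShell audit that lists the common autorun registry locations and flags any value that is not in a baseline you have verified yourself. The `$knownGood` names are hypothetical placeholders; the key paths are the standard Windows Run/RunOnce/Winlogon locations.

```powershell
# Added example (not from the thread): enumerate common autorun registry keys so
# that an unexpected entry (the kind of value malware uses to relaunch at boot)
# can be spotted before the machine is rebooted. Read-only; nothing is deleted.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Baseline of value names you have previously verified as legitimate on this host.
# These entries are hypothetical placeholders; build the real list from your own audit.
$knownGood = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'           = @('SecurityHealth')
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   = @('Shell', 'Userinit')
}

function Get-AutorunEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }
            $inBaseline = $false
            if ($knownGood.ContainsKey($key)) {
                $inBaseline = $knownGood[$key] -contains $p.Name
            }
            $value = [string]$p.Value
            # Autoruns that launch from temp folders or the web root are rarely legitimate
            # and deserve a look even if someone has added them to the baseline.
            $oddLocation = $value -match '(?i)\\temp\\|%temp%|\\inetpub\\|\\users\\public\\'
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Value      = $value
                InBaseline = $inBaseline
                Suspicious = (-not $inBaseline) -or $oddLocation
            }
        }
    }
}

# Print everything, suspicious entries first, so the reviewer sees the full picture.
Get-AutorunEntries -Keys $autorunKeys |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize Key, Name, Value, InBaseline, Suspicious
```

Run this from an elevated prompt before rebooting a machine you believe you have cleaned; an entry you do not recognise is worth checking against the vendor write-up before you remove it, and the same listing taken from a known-clean host makes a useful baseline to diff against.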
 
I found the registry settings and verified that we DO NOT have these keys whatsoever. The virus seems dormant up until I start the Web Publishing Service. I don't know what to do other than reinstalling the box altogether. Any other suggestions?
 
Hi, Steve,

We had the same problem a while back, and traced all possible sources where Nimda would drop itself into OWA, and tried almost everything, including manually removing some entries from the registry and restoring a registry backup taken before Code Red (lucky). In the end, nothing helped but rebuilding the server, and we have never had any sight of Nimda since then.
Hope you have the best of luck killing Nimda without the pain of rebuilding your server.
Good luck!

dennis
 
Hi All,

Had the same problem a while back.

I cleaned Nimda out by using Symantec's removal tool for Nimda A & E. Had to run it a few times.

After a week of cleaning and scanning the mailboxes I got rid of it.

I still have the files on hand and can send them to you.
You can run the cleaning during production time; no need to take the server offline.

Hope this Helps

Maruis
"I sleep at home not on my Job!"
 
Thank you Maruis and everyone. I might take you up on that offer for the cleaning tools you spoke of. I have been unsuccessful with my approach so any help I am willing to take. Seems the virus doesn't do anything until I run OWA.
Thanks,
Steve
srizkalla@cleanwise.com
 
Hi, Maruis,

I am just curious about your statement about scanning the mailboxes. Was that on the Exchange server? I assume it was, but Nimda actually resides on the OWA server, or am I wrong? We did have some peaceful time after applying each fix tool, but Nimda would appear again after a while.

Anyway, you are among the very lucky few; we had tried all the fix tools from Symantec, Trend Micro, and others, but they were simply not effective.

Dennis
 
OK,
To answer your questions.

What we did was to clean all the servers, with all the workstations disconnected or switched off.
Then we cleaned each workstation separately, with the same tools. After this gruelling operation we were clean.

The virus still pops up from time to time, but it does not go anywhere, because we kill it as it comes in.
Hope this Helps

Maruis
"I sleep at home not on my Job!"
 
Thanks for your answer,

and we did the same thing, even rebooted all the routers and switches in a disconnected mode, but you mention the virus keeps popping up; that is something we had after cleaning. When reading the log, those popups are really requesting/referring to some resource on the server, and looking at your performance monitor, it is really eating up the resources. OK, if you don't mind, that is another issue, but we did a full rebuild and have had no more popup messages.
OK, I think we should end this thread here; it is already something other than what Steve originally wanted to know.

Dennis
 
Dennis,

That is no problem.
Nimda replicates itself on the server or machine. This will crash a machine in the end. We nearly lost a couple of machines.

When the virus starts to replicate on the machine, the virus program starts to quarantine each file, and there are hundreds of them. That spins up the HDs and eats your resources.
The only way to get rid of this is to set your virus program to delete the infected file as soon as it is detected.
No quarantine, no backup, just delete it. By doing that it will ease the load on the machine. Hope this helps.

Maruis
"I sleep at home not on my Job!"
 