Windows NT Server Hit By Virus
Immediate help is needed. Our NT web server has been hit by several viruses. We tried to clean it out but were unsuccessful because the processes must be stopped before doing so. We tried to stop them, but they respawned immediately. How do we start NT in safe mode? Your help is appreciated.

ASKED: April 13, 2005  2:21 PM
UPDATED: April 14, 2005  3:29 PM

Answer Wiki:
What version of NT are you running?
Last Wiki Answer Submitted:  April 13, 2005  2:40 pm  by  DrillO   15 pts.


Discuss This Question:


 

From what I remember, NT 4.0 has no safe mode. You can boot to VGA mode, which may not start the services; I don't remember honestly. There is also a "Last Known Good" option you can try. Otherwise, it might be best to promote the backup domain controller to primary, then reinstall the OS on the one in question. I'm assuming you have your data backed up.

 25 pts.

 

Unfortunately there is no real way to start NT in safe mode. You could try using the Last Known Good configuration, but it sounds as though you may have already rebooted and logged in on the server. If so, that kills the Last Known Good option.

I would try using the tools that can be found at http://securityresponse.symantec.com/avcenter/tools.list.html in trying to clean the server up.

Outside of that you may want to consider restoring the last good backup you have of the server.

Additional note, hope you have this server segregated from the rest of your network else it may infect other systems.

Good Luck

Randy

 0 pts.

 

I would build a bootable CD and run several online virus scans from that environment. You can do a Google search for these types of CDs, but here are some that I use all the time:
The must-have Bart's CD, found at
http://www.nu2.nu/pebuilder/
and you can add many plug-ins that increase the power!
Another excellent CD is found at http://ubcd4win.co

Try these online scanners:
http://www.trendmicro.com
http://us.mcafee.com/root/mfs/default.asp?affid=294
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/indexie.php
http://www.bitdefender.com/scan/licence.php

When you boot from the CD, your NT installation will not be active and you will be able to do a full system scan. You can also download Autoruns from http://www.systernals.com to determine what programs/processes are set to automatically start on bootup.

Let us know if you need further assistance.

dwiebesick

 2,220 pts.

 

1st, "DISCONNECT" the network cable, and leave it disconnected until the virus scanner runs a clean report.

2nd, now would be a really good time to consider upgrading to Windows 2000/2003 or Linux with Apache.

3rd, since NT4 et al. is no longer supported:
1 – when you get it back up, make an image backup for future restores.
2 – an excellent firewall / anti-virus package is mandatory, or you won't own the system from one day to the next.
3 – there are some exploits that are unpatched and REQUIRE 3rd-party solutions (i.e. SMTP).

Good Luck.

 30 pts.

 

My favorite last-ditch method is a little harder than many, but I keep an old Pentium II box around which has been modified to have a separate disk controller with cables coming out of the box onto a ground plane (tied to the chassis), so that I can connect a "guest" hard drive to it and run all the anti-virus and other scanning tools on the guest system without allowing the infected system to operate.

As others have suggested, BartPE and BootPE are alternative methods if you don't have a spare box, but I like my system because I can do drive clones and run high-end (meaning paid-for) utilities of various sorts without the install/uninstall headache, and such. But if you're working with servers, you'll need IDE, SCSI and SATA controllers to deal with everything.

Bob

 1,070 pts.
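A worked example of the offline check that both dwiebesick's boot-CD approach and Bob's guest-drive rig make possible: with the suspect NT volume mounted read-only on a clean rescue system, so nothing on it can execute or respawn, hash every executable on it and compare the result against a manifest taken from a known-good copy (a pre-infection image backup, or an identical clean build). This is an added example, not code from any post in this thread. It assumes a Linux-style rescue shell with GNU find and sha256sum; the mount point, the manifest format, the file names and the demo volume are all constructed for illustration.

```sh
#!/bin/sh
# offline_triage.sh: compare the executables on an offline (read-only mounted)
# Windows system volume against a known-good manifest.
# Added example for this thread, not from any post. Assumes a Linux/rescue-CD
# environment with GNU find and sha256sum, and that the infected disk has been
# mounted read-only first, e.g.  mount -o ro,noexec /dev/sdb1 /mnt/nt
# (device and mount point are illustrative).

# Hash every PE-type file below $1 as "<sha256>  ./relative/path", sorted so
# two manifests of the same tree compare line for line.
build_manifest() {
    ( cd "$1" && find . -type f \( -iname '*.exe' -o -iname '*.dll' -o -iname '*.sys' \
          -o -iname '*.scr' -o -iname '*.ocx' -o -iname '*.drv' \) -exec sha256sum {} + \
      | LC_ALL=C sort -k2 )
}

# Compare baseline manifest $1 with current manifest $2.
# Prints one line per difference: NEW (dropped file), MODIFIED (hash changed),
# MISSING (present in baseline, gone now). Prints nothing when they match.
compare_manifests() {
    awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            seen[$2] = 1
            if (!($2 in base))        print "NEW      " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Hash the mounted volume at $1 and report every difference from baseline $2.
# Returns 1 when anything differs, 0 when the volume matches the baseline.
triage_volume() {
    triage_current=$(mktemp)
    build_manifest "$1" > "$triage_current"
    triage_findings=$(compare_manifests "$2" "$triage_current")
    rm -f "$triage_current"
    if [ -n "$triage_findings" ]; then
        printf '%s\n' "$triage_findings"
        return 1
    fi
    return 0
}

# Constructed demo: a fake system volume with a baseline, then a patched
# kernel32.dll, a dropped binary and a deleted driver (all names illustrative).
demo() {
    vol=$(mktemp -d)
    mkdir -p "$vol/WINNT/system32/drivers"
    printf 'kernel32 clean\n' > "$vol/WINNT/system32/kernel32.dll"
    printf 'ntoskrnl clean\n' > "$vol/WINNT/system32/ntoskrnl.exe"
    printf 'tcpip clean\n'    > "$vol/WINNT/system32/drivers/tcpip.sys"
    baseline=$(mktemp)
    build_manifest "$vol" > "$baseline"          # "known-good" snapshot

    printf 'kernel32 patched by malware\n' > "$vol/WINNT/system32/kernel32.dll"
    printf 'dropped payload\n'             > "$vol/WINNT/system32/dropped.exe"
    rm "$vol/WINNT/system32/drivers/tcpip.sys"

    triage_volume "$vol" "$baseline"
    demo_rc=$?
    rm -rf "$vol" "$baseline"
    return $demo_rc
}

if [ $# -eq 2 ]; then
    triage_volume "$1" "$2"      # real use: offline_triage.sh /mnt/nt baseline.txt
else
    demo || true                 # the demo volume deliberately differs, so demo returns 1
fi
```

On a real case, build the baseline from the clean image or an identical install, never from the infected disk itself, and keep the volume mounted read-only throughout. A hash diff catches dropped and patched binaries, which is what the respawning processes in the question are made of, but it says nothing about registry-only persistence (Run keys, services, Winlogon entries), so pair it with the Autoruns review dwiebesick mentions.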