0

hey all,
on my exchange server, i don't know if i'm infected with anything, but it keeps going down (mostly late at night) but has gone down a few times real early in the morning and maybe once or twice before noon time. i noticed a service that kept starting around the time it went down which was the ati hotkey poller, so i disabled that, now another server keeps starting, server administrator, which i disabled, deleted most of the reg keys (that would be started) and it's still starting! i don't know if that service has anything to do with it rebooting, as it's logged (shows up) before the error of "the previous system shutdown was unexpected" but the server administrator event time is logged after that system shutdown error <<shrug>>

anyway, i've done sooo many scans with nod32, ad-aware, microsoft antispyware, spybot, and come up clean. so what i think that's telling me is that a virus already snuck in and is hiding itself maybe somewhere in the registry. i've used hijack this and used an online analyzer, but really don't come up with anything unusual. my exchange is 2000 server and windows 2000 server also. if anyone has any ideas how to fix this or needs more info, please let me know. thanks!

0

one thing i want to mention is we're also using GFI Mailsecurity for emails and have 2 av scanning engines enabled, the bitdefender and norman. could nod32 be conflicting with either of these? i could test it by disabling those but i'm only using a trial of nod32 and need email scanning. when i had symantec's corporate edition on that server, it ran fine with those 2 scanning engines.....any ideas? thanks!

0

i correct my subject....i did another scan and nod32 did pick up the bagle.bl virus and it didn't give the option to delete, only leave alone. so i located the emails in the quarantine folder and deleted the infected emails. i'm assuming something is still infected because my server just went down an hr ago during the scan.

0

Welcome to the really crappy world of administrating a Windows server. I really don't know the best way to fix your problem since the Server lines of Windows always want to be "special cases" and not work like everything else. There's a very comprehensive guide linked to from the bottom of my sig that might give you access to some tools that you haven't tried yet. I'd recommend that you start there.

As for finding software conflicts, I'd recommend trial and error. Try removing one of the suspect software packages and seeing if it fixes the problem. Keep trying with different packages until you have found the problem or have found that it's not the issue.

0

how true your statement is! :) yea, i'll check out some of those new tools and see what i come up with....as for the trial and error, i would normally use that method, however, i really don't want to disable any sort of virus protection on that server because soo many emails are getting quarantined from threats of viruses and if i disable anything, my fear is having it reach a user and infect more than just our mail server....i'll play around with some things to see where that takes me....thanks for the help!

0

If you think it may be a software conflict, send an email to all the users indicating the mail system will be down for however long you think it will take to diagnose, shut off the mail server and go from there. One thing I've discovered in my time as a mail admin is that people would rather experience an hour of downtime that they knew about than ten minutes of downtime that they didn't know about, so fixing the problem as quickly as possible without any further unexpected downtimes is the best way to approach the problem. Since the mail server will be off, there won't be a risk of unscanned emails getting through.
