Posted

I am running Windows 2003 server. It reboots for no reason a couple times a

day. All I notice in the event logs is a bunch of warnings about printers

being deleted (it's a Citrix server) but those are common. Then messages

about booting up and services starting. In order for the server to reboot

from a script created by a virus, wouldn't it have to be located somewhere

specific for Windows to apply it?

--

Thanks for your help.

 

Kevin

Posted

Re: reboot

 

Kevin <Kevin@discussions.microsoft.com> wrote in

news:DB175BA0-479C-4F65-B3A1-AE84A38D5049@microsoft.com:

> I am running Windows 2003 server. It reboots for no reason a couple

> times a day. All I notice in the event logs is a bunch of warnings

> about printers being deleted (it's a Citrix server) but those are

> common. Then messages about booting up and services starting. In order

> for the server to reboot from a script created by a virus, wouldn't it

> have to be located somewhere specific for Windows to apply it?

 

This may help

 

http://support.microsoft.com/kb/315263

 

--

Please remove my_pants when replying by email.

Guest Ace Fekay [MVP]
Posted

Re: reboot

 

In news:DB175BA0-479C-4F65-B3A1-AE84A38D5049@microsoft.com,

Kevin <Kevin@discussions.microsoft.com> typed:

> I am running Windows 2003 server. It reboots for no reason a couple

> times a day. All I notice in the event logs is a bunch of warnings

> about printers being deleted (it's a Citrix server) but those are

> common. Then messages about booting up and services starting. In

> order for the server to reboot from a script created by a virus,

> wouldn't it have to be located somewhere specific for Windows to

> apply it?

 

Is there an antivirus and antispyware solution installed on this server? If

so, are they updated with their latest signatures? It could also be a

software or a hardware issue, such as RAM, a bad drive or one going bad,

third party devices, USB devices, etc. What applications are installed as

well as what additional hardware is installed?

 

Here is more information:

 

Windows restarts without warning:

http://www.computerhope.com/issues/ch000605.htm

 

Windows randomly reboots, possibly hardware-related

http://forums.tweakguides.com/showthread.php?t=2075

 

 

--

Regards,

Ace

 

This posting is provided "AS-IS" with no warranties or guarantees and

confers no rights.

 

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

MVP Microsoft MVP - Directory Services

Microsoft Certified Trainer

 

Infinite Diversities in Infinite Combinations

Guest John Sulko
Posted

Re: reboot

 

Citrix can be very sensitive to printer drivers. Confirm that all installed

printer drivers are on the Citrix approved list.

 

 

"Kevin" <Kevin@discussions.microsoft.com> wrote in message

news:DB175BA0-479C-4F65-B3A1-AE84A38D5049@microsoft.com...

> I am running Windows 2003 server. It reboots for no reason a couple times a

> day. All I notice in the event logs is a bunch of warnings about printers

> being deleted (it's a Citrix server) but those are common. Then messages

> about booting up and services starting. In order for the server to reboot

> from a script created by a virus, wouldn't it have to be located somewhere

> specific for Windows to apply it?

> --

> Thanks for your help.

>

> Kevin

Posted

Re: reboot

 

The system was running fine until last Friday at 10pm. I received a call that

when staff tried to access the Citrix webportal remotely, they were

redirected to a webpage "discount pharmacy". At first I thought the external

IP was hijacked. But after a couple hours I found that a service had shut

down the default website in IIS basically redirected from the server. I

figured out which service and disabled it. I found the registry key and

removed it. I then found the folder that it launched from and renamed it. That

process resolved my virus and citrix login issue and that's when the reboot

started happening. It reboots about 2 times a day. I have Symantec Client

Virus protection but we all know how weak that is on a Citrix server with

many users. I'm reading through the articles given but if anyone has any

further info after reading the above I would appreciate it. Have a great day.

--

Thanks for your help.

 

Kevin

 

 

"John Sulko" wrote:

> Citrix can be very sensitive to printer drivers. Confirm that all installed

> printer drivers are on the Citrix approved list.

>

>

> "Kevin" <Kevin@discussions.microsoft.com> wrote in message

> news:DB175BA0-479C-4F65-B3A1-AE84A38D5049@microsoft.com...

> > I am running Windows 2003 server. It reboots for no reason a couple times a

> > day. All I notice in the event logs is a bunch of warnings about printers

> > being deleted (it's a Citrix server) but those are common. Then messages

> > about booting up and services starting. In order for the server to reboot

> > from a script created by a virus, wouldn't it have to be located somewhere

> > specific for Windows to apply it?

> > --

> > Thanks for your help.

> >

> > Kevin

>

>

>

Guest Ace Fekay [MVP]
Posted

Re: reboot

 

In news:5DB50AD7-B85F-4394-A88A-EF12FDF68087@microsoft.com,

Kevin <Kevin@discussions.microsoft.com> typed:

> The system was running fine until last Friday at 10pm. I received a

> call that when staff tried to access the Citrix webportal remotely,

> they were redirected to a webpage "discount pharmacy". At first I

> thought the external IP was hijacked. But after a couple hours I

> found that a service had shut down the default website in IIS

> basically redirected from the server. I figured out which service and

> disabled it. I found the registry key and removed it. I then found

> the folder that it launched from and renamed it. That process resolved

> my virus and citrix login issue and that's when the reboot started

> happening. It reboots about 2 times a day. I have Symantec Client

> Virus protection but we all know how weak that is on a Citrix server

> with many users. I'm reading through the articles given but if anyone

> has any further info after reading the above I would appreciate it.

> Have a great day.

 

What warranted the registry deletions and other changes? Did you follow an

article? Are you able to restore or recreate the registry entries that you

removed? What services did you stop or disable?

 

Try running a different antivirus scan and follow their instructions to

remove the detected culprit.

 

Ace

Posted

Re: reboot

 

The registry entry was ptmp.reg

the folder was ptmp2

the files within are

sptmp2.exe

install.bat & uninstall.bat

sc.txt

The service is no longer running but I believe it was sptmp2.exe

I have run other virus programs but they don't find anything. I'm going to

attempt to reinstall the last citrix service pack that is to resolve printer

issues.

--

Thanks for your help.

 

Kevin

 

 

"Ace Fekay [MVP]" wrote:

> In news:5DB50AD7-B85F-4394-A88A-EF12FDF68087@microsoft.com,

> Kevin <Kevin@discussions.microsoft.com> typed:

> > The system was running fine until last Friday at 10pm. I received a

> > call that when staff tried to access the Citrix webportal remotely,

> > they were redirected to a webpage "discount pharmacy". At first I

> > thought the external IP was hijacked. But after a couple hours I

> > found that a service had shut down the default website in IIS

> > basically redirected from the server. I figured out which service and

> > disabled it. I found the registry key and removed it. I then found

> > the folder that it launched from and renamed it. That process resolved

> > my virus and citrix login issue and that's when the reboot started

> > happening. It reboots about 2 times a day. I have Symantec Client

> > Virus protection but we all know how weak that is on a Citrix server

> > with many users. I'm reading through the articles given but if anyone

> > has any further info after reading the above I would appreciate it.

> > Have a great day.

>

> What warranted the registry deletions and other changes? Did you follow an

> article? Are you able to restore or recreate the registry entries that you

> removed? What services did you stop or disable?

>

> Try running a different antivirus scan and follow their instructions to

> remove the detected culprit.

>

> Ace

>

>

>

Guest Ace Fekay [MVP]
Posted

Re: reboot

 

In news:33ECEF24-800E-412F-AF89-A91A187E60D5@microsoft.com,

Kevin <Kevin@discussions.microsoft.com> typed:

> The registry entry was ptmp.reg

> the folder was ptmp2

> the files within are

> sptmp2.exe

> install.bat & uninstall.bat

> sc.txt

> The service is no longer running but I believe it was sptmp2.exe

> I have run other virus programs but they don't find anything. I'm

> going to attempt to reinstall the last citrix service pack that is to

> resolve printer issues.

 

So you did catch the culprit. From the looks of the executable, it was

probably a mass mailer. Curious, what was in the sc.txt file?

 

Have you also checked the hosts file for anything other than what should be

default? Also use TCPView to see what ports are open and what executable is

listening. That will help indicate any other rogue apps running. Also check

if any third party DNS altering app is running that may be hijacking DNS

requests.

 

Ace
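
Added example, not part of the post above or any participant's code: a Python audit for the hosts-file check suggested in that reply. It reports every mapping other than `localhost` to loopback, covering both names redirected to another host and names sinkholed to loopback; the sample file, addresses and hostnames are constructed.

```python
import ipaddress

# Names a stock hosts file maps to loopback; every other mapping is reported.
DEFAULT_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()                 # hosts files allow tabs or spaces
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "unparseable address"))
            continue
        if not names:
            findings.append((line_no, ip_text, "", "address with no hostname"))
            continue
        for name in names:                     # one line may carry several aliases
            if ip.is_loopback and name.lower() in DEFAULT_NAMES:
                continue
            reason = ("name sinkholed to loopback"
                      if ip.is_loopback or ip.is_unspecified
                      else "name redirected to another host")
            findings.append((line_no, ip_text, name.lower(), reason))
    return findings

# Constructed sample: documentation addresses and example.* names only.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.45    portal.example.com www.example.com   # constructed entry
127.0.0.1\tupdates.av-vendor.example
0.0.0.0 scan.example.net
not-an-ip       broken.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a Windows server the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `audit_hosts` and review each finding against entries the administrators added on purpose.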

Posted

Re: reboot

 

I'll verify today but I believe the sc.txt file only had the name of the

folder. I'm thinking that it's because the folder is named differently. I

just received another complaint because the server rebooted with nothing in

the event logs.

--

Thanks for your help.

 

Kevin

 

 

"Ace Fekay [MVP]" wrote:

> In news:33ECEF24-800E-412F-AF89-A91A187E60D5@microsoft.com,

> Kevin <Kevin@discussions.microsoft.com> typed:

> > The registry entry was ptmp.reg

> > the folder was ptmp2

> > the files within are

> > sptmp2.exe

> > install.bat & uninstall.bat

> > sc.txt

> > The service is no longer running but I believe it was sptmp2.exe

> > I have run other virus programs but they don't find anything. I'm

> > going to attempt to reinstall the last citrix service pack that is to

> > resolve printer issues.

>

> So you did catch the culprit. From the looks of the executable, it was

> probably a mass mailer. Curious, what was in the sc.txt file?

>

> Have you also checked the hosts file for anything other than what should be

> default? Also use TCPView to see what ports are open and what executable is

> listening. That will help indicate any other rogue apps running. Also check

> if any third party DNS altering app is running that may be hijacking DNS

> requests.

>

> Ace

>

>

>

Guest Ace Fekay [MVP]
Posted

Re: reboot

 

In news:DA8BF2A5-DDA8-4556-806E-F9F453E1D62E@microsoft.com,

Kevin <Kevin@discussions.microsoft.com> typed:

> I'll verify today but I believe the sc.txt file only had the name of

> the folder. I'm thinking that it's because the folder is named

> differently. I just received another complaint because the server

> rebooted with nothing in the event logs.

 

Again? Unfortunate. Scan with a different AV program, as well as run

TCPView. If that's not it, it may be truly (guessing here) a hardware issue.

 

Ace
