[dba-Tech] Major site crash

Jim Lawrence accessd at shaw.ca
Sat Oct 31 12:52:13 CDT 2009


Hi John:

I have thrown every virus and malware and rootkit product against the drives
that failed. Nothing!

My current theory is that a Microsoft update is the culprit, but I have yet to
find any data on it. I checked the drive update logs and they reveal that MS
performed its last update at 3:00AM, the morning before the crash. The logs
show no errors or issues during the process, but 5 hours later all the
computers were locked in an endless boot cycle.

I have been combing the net but have as yet found no references to that
particular update and errors...

Any thoughts?

Jim

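Jim's theory above (an update installed at 3:00AM, every station boot-looping about five hours later) is the kind of thing that can be checked mechanically across a fleet. The following is an added example, not code from the thread: it takes constructed per-host update-install records and boot events (timestamps and the `KB-PLACEHOLDER` id are invented) and flags hosts whose boot loop began within a window after an update was installed, so a site-wide correlation stands out against a station that updated earlier and booted normally.

```python
"""Correlate update-install times with the onset of a boot loop across hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one update-install record per
# host, as an admin might pull from each station's update history, plus boot
# events as they would appear in each station's system event log.
UPDATE_INSTALLS = [  # (host, install time, update id placeholder)
    ("ws01", "2009-10-29T03:00:00", "KB-PLACEHOLDER"),
    ("ws02", "2009-10-29T03:00:00", "KB-PLACEHOLDER"),
    ("ws03", "2009-10-28T03:00:00", "KB-PLACEHOLDER"),  # updated a day earlier
]
BOOT_EVENTS = [  # (host, boot time); ws01/ws02 restart every few minutes
    ("ws01", "2009-10-29T08:01:00"), ("ws01", "2009-10-29T08:04:00"),
    ("ws01", "2009-10-29T08:07:00"), ("ws02", "2009-10-29T08:02:00"),
    ("ws02", "2009-10-29T08:05:00"), ("ws02", "2009-10-29T08:08:00"),
    ("ws03", "2009-10-28T07:30:00"),  # a single, normal morning boot
]


def find_boot_loops(boot_events, min_boots=3, window=timedelta(minutes=15)):
    """Return {host: first loop boot time} for hosts with >= min_boots boots
    inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for host, ts in boot_events:
        per_host[host].append(datetime.fromisoformat(ts))
    loops = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - min_boots + 1):
            if times[i + min_boots - 1] - times[i] <= window:
                loops[host] = times[i]
                break
    return loops


def updates_preceding_loops(update_installs, boot_events,
                            max_gap=timedelta(hours=12)):
    """Pair each boot-looping host with an update installed at most max_gap
    before the loop started; returns {host: (update id, gap)}."""
    loops = find_boot_loops(boot_events)
    suspects = {}
    for host, ts, update_id in update_installs:
        gap = loops[host] - datetime.fromisoformat(ts) if host in loops else None
        if gap is not None and timedelta(0) <= gap <= max_gap:
            suspects[host] = (update_id, gap)
    return suspects


if __name__ == "__main__":
    for host, (uid, gap) in updates_preceding_loops(UPDATE_INSTALLS, BOOT_EVENTS).items():
        print(f"{host}: boot loop began {gap} after installing {uid}")
```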

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of John Bartow
Sent: Friday, October 30, 2009 8:06 AM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Major site crash

Hi Jim,
Holy crap! I haven't seen anything that extreme.

If all the stations were the same hardware, it may have been a system
update. I've had the reboot cycle happen to a couple of PCs because of that.
Although having all the same hardware in one office sounds great, maybe
that's a drawback and I should feel lucky I have to work on such menageries
of equipment ;o)

If it was malicious software then it sounds like Vipre caught part of it
(probably a rootkit) and disabled it but missed another dependent part, or
the malware damaged some part of the Windows startup system. If it is Vipre
Enterprise the malware detections would be listed in the server's
history/quarantine. I have mine set to not announce anything to the user but
to email the office administrator.

I suggest contacting Sunbelt immediately upon issues like this.

Of course, if you have an imaging server system set up, the easiest way to get
back up is to reimage all of the stations.

In the meantime I'd dismount one of the stations' hard drives and attach and
scan it with a "cleaning" machine loaded with Malwarebytes, AntiVir,
Stinger, Rootkit Revealer and any other anti-malware products you have
confidence in. (I install them without active protection type services
running.) Once done I remount the HD and start in safe mode. Using Autoruns
I would disable all unnecessary startups and services. Run a deep scan with
Vipre in safe mode to clean the registry. (If this is Vipre Enterprise and
the agent's options did not include these abilities via the GUI there are
command line options available.)

If you copy the logs or zip the quarantine files from the other anti-malware
products you can submit them to Sunbelt via their support page. They
evaluate these and add them to their detections.

BTW were these PCs, terminal server stations or what? Odd that the server
didn't get hit at all. I'd be very suspicious of that. What security
software was on the server?

Arg, these malware programmers are getting far too good at what they do.

Best of luck in resolving it.

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com