Tuesday, June 2, 2009

Degcs.exe: What Is It?

On June 1st 2009 I got a call from a customer saying their server was not accessible. I had them reboot the 2003 server, and that is when all the problems started happening. Once the server was restarted the customer was unable to log in as administrator, getting the error "Not enough server storage is available to process this command". I immediately assumed this was due to the server running out of disk space. (That message does not actually refer to disk space; it usually means the LanmanServer IRPStackSize value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is too small, something antivirus products and malware are both known to upset.) I ended up going to the customer site and troubleshooting the problem. First I checked the free disk space by logging in under Safe Mode; there was plenty of space left. Eventually the problem turned out to be a nasty new piece of malware/trojan that McAfee picked up off the jump drive I had connected to the server to transfer removal utilities and rootkit scanners. Apparently this bug uses jump drives to spread itself, so treat any removable media you plug into a suspect host as contaminated afterwards and prefer write-protected media or a boot CD for carrying tools. Luckily my McAfee caught it under the name Artemis!B6BB2CC73101.

degcs.exe was identified as the culprit by running "netstat -b" at the command line. It showed degcs.exe holding multiple connections to many IP addresses out on the internet; it was also generating excessive network traffic and tying up the internet connection. Norton was installed on the server but, not surprisingly, it did not detect the variant. I used Ultimate Boot CD and its registry editor to remove the offending program.

After the server was back online, or at least I thought it was, the network was still broken: no one could access the server. They were getting

"The user has not been granted the requested logon.."
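The "netstat -b" check above is easier to trust when the output is saved to a file (netstat -b -n > netstat.txt) and counted per process rather than eyeballed. The following is an added example, not code from the original post: it parses a constructed sample in the shape of Windows XP/2003 "netstat -b -n" output (the connection line comes first, the owning image follows in square brackets, UDP lines have no State column) and flags any image talking to several distinct addresses outside the RFC 1918/loopback/link-local ranges. The sample lines, the image names and the threshold of three external hosts are assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of "netstat -b -n" output on Windows XP/2003.
# Not a real capture; 203.0.113/24 and 198.51.100/24 are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:139       192.168.1.23:1052      ESTABLISHED     4
  [System]
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED     1432
  [degcs.exe]
  TCP    192.168.1.10:1046      198.51.100.17:6667     SYN_SENT        1432
  [degcs.exe]
  TCP    192.168.1.10:1047      198.51.100.88:445      SYN_SENT        1432
  [degcs.exe]
  TCP    192.168.1.10:1048      203.0.113.77:445       SYN_SENT        1432
  [degcs.exe]
  TCP    192.168.1.10:3389      192.168.1.50:1311      ESTABLISHED     812
  [svchost.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# TCP lines carry a State column; UDP lines do not, so State is optional.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Ranges treated as "inside the LAN" for this triage (assumption: a single-site network).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_netstat_b(text):
    """Return (image, proto, remote_ip, remote_port, state) for each attributed connection.

    netstat -b prints the connection line first and the owning image in brackets
    afterwards (sometimes preceded by unbracketed DLL lines), so every bracketed
    line is attributed to the most recent connection line.
    """
    conns = []
    pending = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _local, remote, state, _pid = m.groups()
            ip, _, port = remote.rpartition(":")
            pending = (proto, ip, port, state)
            continue
        m = IMAGE_RE.match(line)
        if m and pending is not None:
            conns.append((m.group(1),) + pending)
            pending = None
    return conns


def remote_is_external(ip):
    """True for a routable remote address outside the LAN/loopback/link-local ranges."""
    if ip in ("*", "0.0.0.0"):
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. bracketed IPv6 literals; ignored for this triage
    return not any(addr in net for net in LOCAL_NETS)


def summarize(conns):
    """Per image: number of connection lines and the set of distinct external peers."""
    per_image = defaultdict(lambda: {"connections": 0, "external_hosts": set()})
    for image, _proto, ip, _port, _state in conns:
        entry = per_image[image]
        entry["connections"] += 1
        if remote_is_external(ip):
            entry["external_hosts"].add(ip)
    return per_image


def suspicious_images(conns, min_external_hosts=3):
    """Names of images talking to at least min_external_hosts distinct external addresses."""
    return sorted(name for name, s in summarize(conns).items()
                  if len(s["external_hosts"]) >= min_external_hosts)


if __name__ == "__main__":
    conns = parse_netstat_b(SAMPLE_NETSTAT)
    for name, s in summarize(conns).items():
        print(f"{name:12s} connections={s['connections']} external_hosts={len(s['external_hosts'])}")
    print("suspicious:", suspicious_images(conns))
```

On the sample, System and svchost.exe only talk to LAN peers while degcs.exe fans out to four external hosts, so it is the only image flagged. The threshold is deliberately low because a file server has no business initiating outbound sessions at all; on a workstation with browsers open you would raise it, or restrict the count to ports that are not 80/443.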

I am not sure whether the virus caused this problem, but it appears that something at the time of the infection (either the infection itself or an improper shutdown) had removed an important Domain Policy setting, which prevented any PC from accessing the file shares on the server. That message is typically what clients see when the "Access this computer from the network" user right (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) on the domain controller no longer includes them, so that is the first setting worth checking. So I figured that putting the domain policy back, or restoring the users/groups that should have access through the policy, would be a cinch. Nope, it was a PITA. After hours of research I finally got the problem resolved.

First make sure you have gpmc.msc (type it at the command prompt). This is for 2003 servers; if you don't have it you can download the Group Policy Management Console from Microsoft.

Once you have gpmc.msc, go and change the order of your adapter bindings in the Network Connections screen: Advanced > Advanced Settings > Adapters and Bindings > Connections, then move one of the adapters up (you may have to change this back later). For some reason this seems to fix the logon security problem that was preventing any changes to the Group Policy. Until I did this I was unable to make any changes to the Group Policy; I kept getting errors saying I did not have access to make the changes (although I was signed in as administrator). One plausible explanation, unconfirmed here, is that a multi-homed domain controller talks to itself over the top-bound adapter, and if that adapter is the wrong one the Kerberos/LDAP calls GPMC makes fail with access denied. I also ended up resetting the group policy altogether (refer to dcgpofix). dcgpofix rebuilds the Default Domain Policy and/or Default Domain Controllers Policy to their out-of-the-box state (dcgpofix /target:Domain, /target:DC or /target:Both), so any customised settings in those two GPOs are lost and have to be re-applied; back up your GPOs from GPMC before running it. Make sure to read up on it first, because it can have serious effects on your domain, especially if the domain belongs to a large corporation with multiple domain controllers. Since this server was the only domain controller I was confident that it would be OK.

Once the domain policy was successfully reset (it would only work after changing the adapter priority, which is odd), clients were able to access the file shares on the server again. I also had to set the password policy back, since the customer originally had password complexity turned off and the reset restores the default, which has complexity enabled.

Hope this helps someone out there

Drop me a comment if you have problems

Chris Rees

3 comments:

  1. Hi, I

    It must be malware,
    Please check at http://www.nictasoft.com/viruslib/virus_description.php?virus_id=Backdoor.Win32.SdBot.mpv

    rgds

  2. Sorry, I have the same malware on my A.D. with 12 DCs and dozens of servers.
    I can't remove it following these instructions.
    How can I change my adapter binding? I don't understand this and it seems to be the solution.
    Thanks

  3. Hi
    Email me at chrisr (at/@) 59com.com
