RE: iis...not happy (and me)

  • From: "Patrick Cote" <Patrick.Cote@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Aug 2003 13:59:53 -0400

George,

The IIS symptoms you are describing sound like symptoms of the MSBLASTER virus 
that's running rampant right now.  

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

AUTOMATIC REMOVAL INSTRUCTIONS 

To automatically remove this malware from your system, please use the Trend 
Micro System Cleaner. 

MANUAL REMOVAL INSTRUCTIONS 

Terminating the Malware Program 

This procedure terminates the running malware process from memory. 

Open Windows Task Manager press
CTRL+SHIFT+ESC, and click the Processes tab. 
In the list of running programs*, locate the process:
MSBLAST.EXE 

Select the malware process, then press either the the End Process button. 
To check if the malware process has been terminated, close Task Manager, and 
then open it again. 
Close Task Manager. 
Removing Autostart Entries from the Registry 

Removing autostart entries from the registry prevents the malware from 
executing during startup. 

Open Registry Editor. To do this, click Start>Run, type Regedit, then press 
Enter. 
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run 
In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE 
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as 
described in the previous procedure, restart your system. 

Verify the registry key to see if you have MSBLAST.EXE in the autostart.  

Additional precautions would be to block 135,139 and 445 @ your firewall.

Additionally download and install the patches for your OS from MS.

http://support.microsoft.com/?kbid=823980

Patrick Cote
InnEight IT Solutions Inc.
167 Russell Ave, Suite 1B
Ottawa, Ontario
K1N 7X3

Phone: (613)231-2357



-----Original Message-----
From: George Duncanson [mailto:geo@xxxxxx]
Sent: Tuesday, August 12, 2003 7:24 PM
To: [ExchangeList]
Subject: [exchangelist] iis...not happy (and me)


http://www.MSExchange.org/



Dear All

Grateful for any thoughts. Win 2k sp4, e2k sp3

I can no longer configure iis. I get an "error connecting to.... The system 
cannot find the path specified etc"  or I get "unable to connect to target 
machine". I've even had "access denied".

I've tried reinstalling IIS to no avail. I think there is an RPC problem at the 
root of this as the RPC service eventually unexpectedly stops.(7031 error)

I also  get a couple of nasty errors when I try to reinstall Exchange. The 
install log gives me an Access denied error(0x80070005) when trying to write 
IIS Metabase objects for the information store.

The first error I have is a 116 error "the service metabase path /LM/MSFTPSVC 
could not be opened" , then a 7023 FTP publishing can't find the path 
specified, then the exchange routing engine terminates "cannot find specified 
path". 18 mins or so later the RPC service unexpectedly quits.

I'm sorry if I sound a bit vague here. I've tried KB and the web but I'm not 
exactly sure anymore (was I ever?) what is causing the problem and everything 
I've tried gets me no further ahead.

Metaedit tells me that it can't connect to the LOCALHOST.
Could this be something with DNS?
I'm not exactly new to Exchange 2000, I merely feel like it everytime I get 
this sort of grief.


Thanks for any input.
George

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: 
patrick.cote@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



Other related posts: