OVH Community, your new community space.

Help me remove a virus!


guardhost
14-05-2009, 03:29
Quote Originally Posted by Andy
You could speed it up by having it not e-mail at all, display the information in the Manager instead. Remember someone might host their e-mail on their server and won't have access to it if it's down! Yes, I know you should have secondary e-mail addresses, but that's not the point, is it?

I don't see why you should rely on e-mail, which can sometimes take a while, when it's easier to display it on the web page right in front of you. Remember, some server uses are uptime critical. Some people don't have time to wait 15 minutes for an e-mail. Once it took 3 hours for me to get the vKVM e-mail, so I suffered 3 hours extra downtime because of it. I only needed to change one option once in vKVM to sort my problem and get back online!

Remember KISS, keep it simple stupid. Don't over complicate things.

Another idea is to allow us to set our own vKVM password so we don't even have to rely on receiving a password at all. You just select vKVM and log in as soon as it's online. Speed is everything to me, as I'm fairly impatient.
Can't agree with you enough. Uptime is vital on a live server, so having to wait an hour for an email to come through and then another 15 mins to reboot is a problem, as the email has been delayed quite a few times for me also.

The manager can be very annoying at times.

Myatu
14-05-2009, 00:17
That particular virus infects PE (.EXE, .DLL, .SCR) files. One such infected file (program or screensaver) must be run at least once before it can continue spreading to other files - it doesn't spread from the boot sector (that is, simply booting from a disk will not spread it).

So after a fresh install of Windows, the question would be, what else do you install afterwards and where did it come from? (I.e., are you installing any programs you've saved from the previous install that might be infected by now? It could even be the installer itself that got infected.)

wackomoo
13-05-2009, 23:47
Suggested (free/trial) runtime anti-vir and firewall software? Win2k3. I'll try with something different if you guys have suggestions.

wackomoo
13-05-2009, 21:21
You're right. I'll give it a shot.

Andy
13-05-2009, 21:20
You can't be sure. All it might do is mirror an image onto it, or do a quick format. That's why you should do the format yourself to be entirely sure.

wackomoo
13-05-2009, 21:19
Nothing was installed, except for Firefox.
When ovh manager reinstalls, it formats the drives. At least it says it does... and re-partitions and everything.

Andy
13-05-2009, 21:03
And you say this is after a full reinstall? Try another reinstall, but this time boot up into a rescue OS first and do a proper full format on the drive to make sure it's not lurking and managing to somehow crop up. Then reinstall and see what happens. Check all your backups if you have any, and don't download from an untrusted source.
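
Myatu's point that this virus spreads by modifying PE files, together with Andy's advice to check backups and saved installers before reusing them, suggests a first-pass triage script. The following is an added example written for this thread; it is not code from any of the posters or from any of the removal tools mentioned. It is a standard-library-only Python scanner that parses PE headers and flags generic signs of an appended-code file infector: an entry point that lands in the last section of the image, or in a section that is both writable and executable. These are generic heuristics, not a Parite/Pinfi signature, and they produce false positives (packed executables and some installers trip them), so treat a hit as "look closer with a real AV engine", not as proof of infection. The sample PE images it builds are constructed purely for the demonstration and are not runnable programs.

```python
import os
import struct
import tempfile

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data: bytes):
    """Return (entry_rva, [(name, va, vsize, raw_size, flags), ...]) or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, coff)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # same offset for PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, (skip 16 bytes), Characteristics
        name, vsize, va, raw_size, flags = struct.unpack_from("<8sIII16xI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_size, flags))
        off += 40
    return entry_rva, sections

def check_pe(data: bytes) -> list:
    """Heuristic findings for one file; an empty list means nothing stood out."""
    parsed = parse_pe(data)
    if parsed is None:
        return ["not a PE image"]
    entry_rva, sections = parsed
    for idx, (name, va, vsize, raw_size, flags) in enumerate(sections):
        if va <= entry_rva < va + (vsize or raw_size):
            break
    else:
        return ["entry point outside every section"]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section {name!r}")
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is writable and executable")
    if not flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry section {name!r} is not marked as code")
    return findings

def scan_tree(root: str, exts=(".exe", ".dll", ".scr")) -> dict:
    """Walk a directory (saved installers, a restored backup) and return {path: findings}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings = check_pe(fh.read())
                if findings:
                    hits[path] = findings
    return hits

def build_sample_pe(infected: bool) -> bytes:
    """Constructed, non-runnable PE32 image used only as sample input: .text + .data,
    plus (when infected) an appended RWX section that the entry point is redirected to."""
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    secs = [(b".text", 0x1000, rx), (b".data", 0x2000, 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    if infected:
        secs.append((b".xtra", 0x3000, rx | IMAGE_SCN_MEM_WRITE))
    entry = 0x3000 if infected else 0x1000
    e_lfanew, opt_size, raw_size = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    for field_off, val in ((16, entry), (28, 0x400000), (32, 0x1000), (36, 0x200)):
        struct.pack_into("<I", opt, field_off, val)  # entry point, image base, alignments
    first_raw = (e_lfanew + 4 + 20 + opt_size + 40 * len(secs) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, va, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size,
                             first_raw + len(body), 0, 0, 0, 0, flags)
        body += b"\xC3" * raw_size  # filler, not real code
    headers = dos + coff + opt + table
    return headers + b"\0" * (first_raw - len(headers)) + body

def demo() -> list:
    """Write a clean and an 'infected' sample to a temp dir, scan it, return flagged basenames."""
    root = tempfile.mkdtemp()
    for fn, bad in (("good.exe", False), ("bad.scr", True)):
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(build_sample_pe(bad))
    return sorted(os.path.basename(p) for p in scan_tree(root))

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree(r"D:\saved_installers")` (path is an assumption) from a machine you trust before copying anything back onto the rebuilt server; anything flagged should be re-downloaded from the vendor rather than restored. The script reads headers only and never executes the files, which is the property you want when the thing you are inspecting may be a file infector.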

wackomoo
13-05-2009, 20:58
No, the USB drives aren't detected so that can't be it :P

AVG free won't install on a server OS, but I've scanned with MS' May Malware Removal Tool, BitDefender's Parite Removal Tool, ClamWin Anti-Virus.. they all detect it and say they remove it, but it's still there anyway.

Andy
13-05-2009, 20:50
Do you have a USB disk attached? It will have copied itself over from there, unless it's in any backups you may have restored. Had the same virus myself, cured it with AVG, although it did destroy most of my EXE files on the system.

wackomoo
13-05-2009, 20:45
So after a re-install of Windows via the OVH manager, it still has the same (Parite.B/Pinfi) virus! I set an (even) more secure password, removed all accounts except mine, fully patched/Windows updated. This hasn't happened to my other server.
What could it be?

freshwire
08-05-2009, 23:12
I can only think that there must be something more to it, else OVH would just display it in the manager... something must be changed over... this can probably take the time.

Andy
08-05-2009, 13:01
You could speed it up by having it not e-mail at all, display the information in the Manager instead. Remember someone might host their e-mail on their server and won't have access to it if it's down! Yes, I know you should have secondary e-mail addresses, but that's not the point, is it?

I don't see why you should rely on e-mail, which can sometimes take a while, when it's easier to display it on the web page right in front of you. Remember, some server uses are uptime critical. Some people don't have time to wait 15 minutes for an e-mail. Once it took 3 hours for me to get the vKVM e-mail, so I suffered 3 hours extra downtime because of it. I only needed to change one option once in vKVM to sort my problem and get back online!

Remember KISS, keep it simple stupid. Don't over complicate things.

Another idea is to allow us to set our own vKVM password so we don't even have to rely on receiving a password at all. You just select vKVM and log in as soon as it's online. Speed is everything to me, as I'm fairly impatient.

Neil
08-05-2009, 12:08
Quote Originally Posted by Myatu
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.
What is the longest you have waited? If you select vKVM in the manager then reboot using the Hard Reboot, then this can take 10 minutes, plus when it is in vKVM it could take 15 minutes to get the email. I am not sure how we could speed this up, but it should take no more than that.

However, if there is an intervention on the server then we do not allow you to change the netboot, which is why it could take a while to get the email.

stugster
08-05-2009, 11:53
If we're talking about security, surely displaying the password there and then over HTTPS is much better than over email?

wackomoo
08-05-2009, 11:39
Quote Originally Posted by monkey56657
Random password is more secure
Still have to know the system password..

Seedbox Paradis
08-05-2009, 07:11
Quote Originally Posted by monkey56657
Random password is more secure
So is using encrypted FTP protocol, but most people don't bother and send out their password over an unencrypted connection

freshwire
07-05-2009, 21:59
Quote Originally Posted by wackomoo
Why not just always use the same vKVM password?
Random password is more secure

wackomoo
07-05-2009, 21:38
Why not just always use the same vKVM password?

freshwire
07-05-2009, 21:22
15 minutes to generate an email is super speedy

I think it must generate at least 0.3 characters per second!

Andy
07-05-2009, 20:58
Quote Originally Posted by Myatu
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.
Agreed. Even if you're just given the login on the page when you select vKVM, that would be a hell of a lot better. Remember time is valuable in some cases when running a server. It could be the difference between lost revenue and no lost revenue!

Myatu
07-05-2009, 19:38
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.

wackomoo
06-05-2009, 13:02
They fixed that boot thing.
Quote Originally Posted by email
Hi,

vKVM is now available for your server. At least one driver or pilot failed during system startup, I think it's the network driver. You can install the driver in vKVM.

Best regards,
Abdelhay
In vKVM, I can clearly see the network card listed in the device manager. But there is no network connection under the network settings...?

Neil
06-05-2009, 09:13
I see an incident ticket has been opened; however, it looks like a corrupted bootloader. This should be fixable in WinRescue, but wait for the techs to get back to you.

Seedbox Paradis
05-05-2009, 17:10
Sure you're not accidentally pressing the 9 button

wackomoo
05-05-2009, 16:24
Just got emailed that the support ticket was closed, the hard reboot was a success and then a couple minutes later the vKVM password came in email.
Now...
http://i43.tinypic.com/t4teh3.jpg
What is that?

wackomoo
05-05-2009, 16:02
Here are the details of this operation:
Motherboard replacement

Neil
05-05-2009, 15:31
There is an intervention on your server right now, when it is finished the server will be placed into the correct mode and access codes will be sent.

wackomoo
05-05-2009, 15:23
Quote Originally Posted by Neil
You have to wait for the email to be generated, it should be no more than 15 minutes; if not, then contact us.
Been longer than that. But I guess that it's not coming now because it's in incident mode with a techie?

What I need is more communication with/from the incident/tech staff.

Is my server starting at all? (ns361581)
Or is it just the network that doesn't work?

Neil
05-05-2009, 15:18
Quote Originally Posted by wackomoo
Yeah, I noticed that pretty quick.


Why does it take so long for vKVM to "kick in"? Isn't it automatic?
You have to wait for the email to be generated, it should be no more than 15 minutes; if not, then contact us.

wackomoo
05-05-2009, 14:49
Yeah, I noticed that pretty quick.


Why does it take so long for vKVM to "kick in"? Isn't it automatic?
They decided to make an intervention during my switcharoo to KVM. I guess that's why? :/

Winit
05-05-2009, 14:44
FYI it spreads via infected files.

wackomoo
05-05-2009, 14:22
Oh, there is one thing I noticed through all this that maybe you can "fix".

In the email about WinPE Rescue Mode:
Quote Originally Posted by WinRescue mail
You can connect also with VNC to your (91.121.111.11)server
with the following parameters:
- password: tPbxhvcv
You might want to say how to connect to VNC. I figured it out, but others might not know. Just add the whole URL with : port and everything there to help folks out

wackomoo
05-05-2009, 14:18
It's out of intervention now, and it's booted clean from viruses in vKVM mode. (Checked with 5 scanners :P)
Gonna reboot normally now and the servergods willing, it'll work!
If not, you'll hear from me Neil

Neil
05-05-2009, 13:36
Quote Originally Posted by wackomoo
I think I got it all removed. But...
But when I boot back in normal mode - it doesn't boot. Or, if it does boot, it has no network connectivity (because it works fine in vKVM..)
vKVM, I can't activate now because there is an intervention on my server going on.
What's the server address? I might be able to check on the situation.

wackomoo
05-05-2009, 13:07
I think I got it all removed. But...
But when I boot back in normal mode - it doesn't boot. Or, if it does boot, it has no network connectivity (because it works fine in vKVM..)
vKVM, I can't activate now because there is an intervention on my server going on.

wackomoo
05-05-2009, 10:00
Hmhm! WinRescue mode, here I come.

Seedbox Paradis
05-05-2009, 09:39
I recommend using AVG Free Edition, it worked great for me and it might pick up your infected file.

freshwire
05-05-2009, 09:37
Use one of the OVH network boot options... whatever is best with windows... who knows.

Setup some anti virus software on that and then scan the hdd. It should be able to clean it up a lot better.

wackomoo
05-05-2009, 09:23
Cleaning utility for Win32/Pinfi.Virus 1.1.0
Copyright (c) 2003, Computer Associates International, Inc.

Running on .NET Server, build 3790 (Service Pack 2)
Executed on 2005-01-01 12:46h
--------------------------------------------------

Initializing virus scanning engine... ok
--------------------------------------------------
Scanning memory process space...
----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Please reboot the machine after scanning is complete.

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Infected process [dmadmin.exe] was successfully terminated.

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Please reboot the machine after scanning is complete.

Scanning all drives on the local system...

----File C:\WINDOWS\Temp\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

--------------------------------------------------

The Win32/Pinfi virus variants have been cleaned from the local system:

A total of 35687 files were scanned.
A total of 5 files were infected.
A total of 5 files were cleaned. (cured and/or removed)
A total of 0 files were renamed. (with .AVB extension)

wackomoo
05-05-2009, 09:19
Because I didn't reboot after a batch of Windows Updates, my server got infected by a virus. The virus is W32.Pinfi.A -aka- W.32.Parite.A/B.

I've run scans - MS' own April 2009 malware remover detects and partially removes it. BitDefender's Parite scanner partially removes it. CA's Pinfi scanner partially removes it and kills the processes.

But each time I reboot: #1, the server sometimes doesn't shut down properly (shows the "saving settings" box and then a gray screen forever; the only way out is a hard reboot).
#2, when it starts back up, it's still/again infected. It hasn't infected every .exe/.scr as it had before (the AV scanners repaired nearly 100 infected files), but the one "base" infected .tmp file keeps being re-created, and the processes are still being launched.

Does anyone have any ideas?

I've googled, but can't find any way that really removes it.

http://www.symantec.com/security_res...011708-2030-99
http://www.bitdefender.com/VIRUS-100...ite.A-B-C.html
http://www.governmentsecurity.org/fo...howtopic=12786