OVH Community, your new community space.

Help me remove a virus!


guardhost
14-05-2009, 04:29
Quote Originally Posted by Andy
You could speed it up by having it not e-mail at all, display the information in the Manager instead. Remember someone might host their e-mail on their server and won't have access to it if its down! Yes, I know you should have secondary e-mail addresses, but thats not the point is it?

I don't see why you should rely on e-mail which can sometimes take a while when its easier to display it on the web page right in front of you. Remember, some server uses are uptime critical. Some people don't have time to wait 15 minutes for an e-mail. Once it took 3 hours for me to get the vKVM e-mail so I suffered 3 hours extra downtime because of it. I only needed to change one option once in vKVM to sort my problem and get back online!

Remember KISS, keep it simple stupid. Don't over complicate things.

Another idea is allow us to set our own vKVM password so we don't even have to rely on receiving a password at all. You just select vKVM and login as soon as its online. Speed is everything to me, as I'm fairly impatient
Cant agree with you enough, uptime is vital on a live server so having to wait an hour for an email to come through then have to wait another 15 mins to reboot as the email has been delayed quite a few time's for me also.

The manager can be very annoying at times .

Myatu
14-05-2009, 01:17
That particular virus infects PE (.EXE, .DLL, .SCR) files. One such infected file (program or screensaver) must be run at least once before it can continue spreading to other files - it doesn't spread from the boot sector (that is, simply booting from a disk will not spread it).

So after a fresh install of Windows, the question would be, what else do you install afterwards and where did it come from? (Ie., are you installing any programs you've saved from the previous install that might be infected by now? It could even be the installer itself that got infected)

wackomoo
14-05-2009, 00:47
Suggested (free/trial) runtime anti-vir and firewall software? Win2k3. I'll try with something different if you guys have suggestions.

wackomoo
13-05-2009, 22:21
You're right. I'll give it a shot.

Andy
13-05-2009, 22:20
You can't be sure. All it might do is mirror an image onto it, or do a quick format. Thats why you should do the format yourself to be entirely sure.

wackomoo
13-05-2009, 22:19
Nothing was installed, except for Firefox.
When ovh manager reinstalls, it formats the drives. At least it says it does... and re-partitions and everything.

Andy
13-05-2009, 22:03
And you say this is after a full reinstall? Try another reinstall, but this time boot up into a rescue OS first and do a proper full format on the drive so make sure its not lurking and managing to somehow crop up. Then reinstall and see what happens. Check all your backups if you have any and don't download from an untrusted source.

wackomoo
13-05-2009, 21:58
No, the USB drives aren't detected so that can't be it :P

AVG free won't install on a server OS, but I've scanned with MS' May Malware Removal Tool, BitDefender's Parite Removal Tool, ClamWin Anti-Virus.. they all detect it and say they remove it, but it's still there anyway.

Andy
13-05-2009, 21:50
Do you have a USB disk attached? It will have copied itself over from there, unless its in any backups you may have restored. Had the same virus myself, cured it with AVG although it did destroy most of my EXE files on the system.

wackomoo
13-05-2009, 21:45
So after a re-install of windows via the OVH manager, it still has the same (Parite.B/Pinfi) virus! I set a (n even) more secure password, removed all accounts except mine, fully patched/windows updated. This hasn't happened to my other server.
What could it be?

freshwire
09-05-2009, 00:12
I can only think that there must be something more to it else OVH would just display it in the manager... something much be changed over... this can probably take the time.

Andy
08-05-2009, 14:01
You could speed it up by having it not e-mail at all, display the information in the Manager instead. Remember someone might host their e-mail on their server and won't have access to it if its down! Yes, I know you should have secondary e-mail addresses, but thats not the point is it?

I don't see why you should rely on e-mail which can sometimes take a while when its easier to display it on the web page right in front of you. Remember, some server uses are uptime critical. Some people don't have time to wait 15 minutes for an e-mail. Once it took 3 hours for me to get the vKVM e-mail so I suffered 3 hours extra downtime because of it. I only needed to change one option once in vKVM to sort my problem and get back online!

Remember KISS, keep it simple stupid. Don't over complicate things.

Another idea is allow us to set our own vKVM password so we don't even have to rely on receiving a password at all. You just select vKVM and login as soon as its online. Speed is everything to me, as I'm fairly impatient

Neil
08-05-2009, 13:08
Quote Originally Posted by Myatu
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.
What is the longest you have waited, if you select vKVM in the manger then reboot using the Hard Reboot - then this can take 10 minutes, plus when it is in vKVM it could take 15 Minutes to get the email, I am not sure how we could speed this up, but it should take no more than that.

However if there is a intervention on the server then we do allow you to change the netboot, which is why it could take a while to get the email.

stugster
08-05-2009, 12:53
If we're talking about security, surely displaying the password there and then over HTTPS is much better than over email?

wackomoo
08-05-2009, 12:39
Quote Originally Posted by monkey56657
Random password is more secure
Still have to know the system password..

Seedbox Paradis
08-05-2009, 08:11
Quote Originally Posted by monkey56657
Random password is more secure
So is using encrypted FTP protocol, but most people don't bother and send out their password over an unencrypted connection

freshwire
07-05-2009, 22:59
Quote Originally Posted by wackomoo
Why not just always use the same vKVM password?
Random password is more secure

wackomoo
07-05-2009, 22:38
Why not just always use the same vKVM password?

freshwire
07-05-2009, 22:22
15 minutes to generate an email is super speedy

I think it must generate at least 0.3 characters per second!

Andy
07-05-2009, 21:58
Quote Originally Posted by Myatu
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.
Agreed. Even if you're just given the login on the page when you select vKVM, that would be a hell of a lot better. Remember time is valuable in some cases when running a server. It could be the difference between lost revenue and no lost revenue!

Myatu
07-05-2009, 20:38
It's one thing I really don't like about the vKVM - it takes forever to generate that e-mail, to the point you're wondering if it will ever arrive at all. That process ought to be looked at, IMHO.

wackomoo
06-05-2009, 14:02
They fixed that boot thing.
Quote Originally Posted by email
Hi,

vkvm is now available for your server. at least one driver or pilot failed during system startup, I thinks its network driver. you can install the driver in vkvm.

Best regards,
Abdelhay
In vKVM, I can clearly see the network card listed in the device manager. But there is no network connection under the network settings...?

Neil
06-05-2009, 10:13
I see an incident ticket has been opened, however it looks like a corrupted bootloader, this should be able to be fixable in WinRescue but wait for the techs to get back to you.

Seedbox Paradis
05-05-2009, 18:10
Sure you're not accidentally pressing the 9 button

wackomoo
05-05-2009, 17:24
Just got emailed that the support ticket was closed, the hard reboot was a success and then a couple minutes later the vKVM password came in email.
Now...
http://i43.tinypic.com/t4teh3.jpg
What is that?

wackomoo
05-05-2009, 17:02
Here are the details of this operation:
Motherboard replacement

Neil
05-05-2009, 16:31
There is an intervention on your server right now, when it is finished the server will be placed into the correct mode and access codes will be sent.

wackomoo
05-05-2009, 16:23
Quote Originally Posted by Neil
You have to wait for the email to be generated, it should be no more than 15 Minutes, if not not then contact us.
Been longer than that. But I guess that now it's now coming because it's in incident mode with a techie?

What I need is more communication with/from the incident/tech staff.

Is my server starting at all? (ns361581)
Or is it just the network that doesn't work?

Neil
05-05-2009, 16:18
Quote Originally Posted by wackomoo
Yeah, I noticed that pretty quick.


Why does it take so long for vKVM to "kick in"? Isn't it automatic?
You have to wait for the email to be generated, it should be no more than 15 Minutes, if not not then contact us.

wackomoo
05-05-2009, 15:49
Yeah, I noticed that pretty quick.


Why does it take so long for vKVM to "kick in"? Isn't it automatic?
They decided to make an intervention during my switcharoo to kvm. I guess thats why? :/

Winit
05-05-2009, 15:44
FYI it spreads via infected files.

wackomoo
05-05-2009, 15:22
Oh, there is one thing I noticed through all this that maybe you can "fix".

In the email about WinPE Rescue Mode:
Quote Originally Posted by WinRescue mail
You can connect also with VNC to your (91.121.111.11)server
with the following parameters:
- password: tPbxhvcv
You might want to say how to connect to VNC. I figured it out, but others might not know. Just add the whole URL with : port and everything there to help folks out

wackomoo
05-05-2009, 15:18
It's out of intervention now, and it's booted clean from viruses in vKVM mode. (Checked with 5 scanners :P)
Gonna reboot normally now and the servergods willing, it'll work!
If not, you'll hear from me Neil

Neil
05-05-2009, 14:36
Quote Originally Posted by wackomoo
I think I got it all removed. But...
But when I boot back in normal mode - it doesn't boot. Or, if it does boot, it has no network connectivity (because it works fine in vKVM..)
vKVM, I can't activate now because there is an intervention on my server going on.
What's the server address? I might be able to check on the situation.

wackomoo
05-05-2009, 14:07
I think I got it all removed. But...
But when I boot back in normal mode - it doesn't boot. Or, if it does boot, it has no network connectivity (because it works fine in vKVM..)
vKVM, I can't activate now because there is an intervention on my server going on.

wackomoo
05-05-2009, 11:00
Hmhm! WinRescue mode, here I come.

Seedbox Paradis
05-05-2009, 10:39
I recommend using AVG Free Edition, it worked great for me and it might pick up your infected file.

freshwire
05-05-2009, 10:37
Use one of the OVH network boot options... whatever is best with windows... who knows.

Setup some anti virus software on that and then scan the hdd. It should be able to clean it up a lot better.

wackomoo
05-05-2009, 10:23
Cleaning utility for Win32/Pinfi.Virus 1.1.0
Copyright (c) 2003, Computer Associates International, Inc.

Running on .NET Server, build 3790 (Service Pack 2)
Executed on 2005-01-01 12:46h
--------------------------------------------------

Initializing virus scanning engine... ok
--------------------------------------------------
Scanning memory process space...
----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Please reboot the machine after scanning is complete.

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Infected process [dmadmin.exe] was successfully terminated.

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

----File C:\WINDOWS\TEMP\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

Please reboot the machine after scanning is complete.

Scanning all drives on the local system...

----File C:\WINDOWS\Temp\mva1.tmp [Win32/Pinfi.A.DLL]... has been cured
System cure executed successfully

--------------------------------------------------

The Win32/Pinfi virus variants have been cleaned from the local system:

A total of 35687 files were scanned.
A total of 5 files were infected.
A total of 5 files were cleaned. (cured and/or removed)
A total of 0 files were renamed. (with .AVB extension)

wackomoo
05-05-2009, 10:19
Because I didn't reboot after a batch of Windows Updates, my server got infected by a virus. The virus is W32.Pinfi.A -aka- W.32.Parite.A/B.

I've run scans - MS' own April 2009 malware remover detects and partially removes it. BitDefender's Parite scanner partially removes it. CA's Pinfi scanner partially removes it and kills the processes.

But each time I reboot: #1, the server doesn't shut down properly some times. (shows the "saving settings" box and then gray screen for ever. Only way is a hard reboot).
#2 when it starts back up - it's still/again infected. It's not infected every .exe/.scr as it had before (the AV scanners repaired nearly 100 infected files) but the one "base" infected .tmp file keeps being re-created, and the processes are still being launched.

Does anyone have any ideas?

I've googled, but can't find any way that really removes it.

http://www.symantec.com/security_res...011708-2030-99
http://www.bitdefender.com/VIRUS-100...ite.A-B-C.html
http://www.governmentsecurity.org/fo...howtopic=12786