
Plesk error causes server to restart

Discussion in 'Plesk for Windows - 8.x and Older' started by Henrique, May 10, 2006.

  1. Henrique

    Henrique Guest

    0
     
    This is the event log for the error:

    Event Type: Error
    Event Source: Plesk Miscellaneous Service
    Event Category: None
    Event ID: 1
    Date: 10/5/2006
    Time: 13:53:51
    User: NT AUTHORITY\SYSTEM
    Computer: NEXTSTEP
    Description:
    Unable to change the user (Plesk Administrator) password: (1722) The RPC server is unavailable. at RaiseException in C:\WINDOWS\system32\kernel32.dll
    at CxxThrowException in C:\WINDOWS\system32\MSVCR71.dll
    at 41C2C4 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
    at 4222AE in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
    at 4273B1 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
    at 429133 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
    at GetModuleFileNameA in C:\WINDOWS\system32\kernel32.dll
    Execute file name:


    HELP!! I can't use plesk till this issue is solved.
     
  2. Henrique

    Henrique Guest

    0
     
    This is what pops up in windows alert

    Event Type: Information
    Event Source: Application Popup
    Event Category: None
    Event ID: 26
    Date: 10/5/2006
    Time: 13:54:07
    User: N/A
    Computer: NEXTSTEP
    Description:
    Application popup: System Shutdown : The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 47 seconds. Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart..

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
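
Added example, not part of the original posts: a small Python triage helper for exported event text like the two records above. It flags "terminated unexpectedly" shutdown messages and converts the signed decimal status code into its NTSTATUS value; -1073741819 is 0xC0000005 (STATUS_ACCESS_VIOLATION). The function names, the lookup table and the shortened sample are assumptions made for this example.

```python
import re

# Well-known NTSTATUS codes seen when a process dies unexpectedly.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Matches the shutdown message format of the Event ID 26 record in this thread.
TERMINATED = re.compile(
    r"system process '(?P<image>[^']+)' terminated unexpectedly "
    r"with status code (?P<code>-?\d+)",
    re.IGNORECASE,
)

def decode_status(signed_code):
    """Convert the signed 32-bit decimal from the log into an unsigned NTSTATUS."""
    value = signed_code & 0xFFFFFFFF
    return value, NTSTATUS_NAMES.get(value, "UNKNOWN")

def find_critical_process_crashes(log_text):
    """Return one finding per 'terminated unexpectedly' message in exported event text."""
    findings = []
    for record in re.split(r"(?m)^\s*Event Type:", log_text)[1:]:
        match = TERMINATED.search(record)
        if not match:
            continue  # e.g. the Plesk RPC error record carries no status code
        when = re.search(r"Date:\s*(\S+)\s+Time:\s*(\S+)", record)
        value, name = decode_status(int(match.group("code")))
        findings.append({
            "image": match.group("image"),
            "when": " ".join(when.groups()) if when else None,
            "ntstatus": f"0x{value:08X}",
            "name": name,
        })
    return findings

# Sample constructed from the two records quoted in this thread (fields shortened).
SAMPLE = r"""
Event Type: Error
Date: 10/5/2006
Time: 13:53:51
Unable to change the user (Plesk Administrator) password: (1722) The RPC server is unavailable.
Event Type: Information
Date: 10/5/2006
Time: 13:54:07
The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.
"""

if __name__ == "__main__":
    print(find_critical_process_crashes(SAMPLE))
```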
     
  3. OlegB

    OlegB Guest

    0
     
    It looks like your server is infected by a virus similar to Lovesan. You need to check your server for virus presence.
     
  4. dynaweb

    dynaweb Guest

    0
     
    Hi,

    Did you ever solve this problem? Was it a virus or something different?
     
  5. Henrique

    Henrique Guest

    0
     
    Was a virus

    In my case it was a virus. After a server restore and some policy changes the problem was gone.
     
  6. Laurence@

    Laurence@ Basic Pleskian

    26
     
    We have been battling the same issue. We found the virus with this:

    http://download.drweb.com/drweb+cureit/

    I'd be curious to know how you found it because we found 3 programs prior to this and none of them found the files in c:\windows\system32 which were bjlmon.dll and toolhelp32.dll.
     
  7. dynaweb

    dynaweb Guest

    0
     
    I tried a few different virus scanners and finally had SW Soft help me. Here was their solution for me:
    This shows very positive for both plesk and drweb. Great service and thanks to them and Layeredtech for helping fix!
     
  8. samia

    samia Guest

    0
     
    I am facing the same problem.

    I scanned my server with the Drweb cure utility and it shows me a trojan in memory:
    BackDoor.HackDef.100

    How can I remove this from my system? My Plesk is 7.5.6 Reloaded.


    Waiting for your favorable response.


    Regards,

    Samia
     
  9. dynaweb

    dynaweb Guest

    0
     
    It is the same as other anti-virus utilities. You can rename the file or quarantine or delete the file.
     
  10. samia

    samia Guest

    0
     
    Dear Dynaweb,

    Actually this shows me BackDoor.HackDef.100 resides in memory; it does not show me any file path. I can detect it only using Drweb CureIt, but it does not remove it.
    Drweb CureIt shows me this:

    Memory (7FFA488D);;BackDoor.HackDef.100;Eradicated.
    Memory (7FFA3CF0);;BackDoor.HackDef.100;Eradicated.




    Samia
     
  11. dynaweb

    dynaweb Guest

    0
     
    Good, now do a full drive scan. If you have any further issue, I suggest a new thread for it :)
     
  12. samia

    samia Guest

    0
     
    Dear DynaWeb,


    Actually the problem is not resolved. This just shows that it was eradicated, but in reality when I view the complete scan report it shows me
    Infected: 2
    Deleted: 0
    cured: 0

    and when I did a full scan it found this virus again, and I just tried to access my Plesk; this error appears and the server goes down.
    -------------------------------------
    Fatal error: Run-Time error: Can't decrypt password in C:\Program Files\SWsoft\Plesk\admin\plib\common_func.php3 on line 217
    -----------------------------------------



    This means BackDoor.HackDef.100 is still in memory, and the Drweb CureIt utility just leaves this message that it is eradicated without deleting the trojan.


    Samia
     
  13. samia

    samia Guest

    0
     
    Dear Dynaweb,

    Hi,

    Let me tell you, I scanned C:/Windows/System32 and found the virus located in 2 dll files.

    Names are:
    bjmon.dll
    toolhelp32.dll

    I deleted the first dll file, bjmon.dll, and now I am trying to delete the 2nd dll file, toolhelp32.dll, but it gives me the error: Access Denied.

    It is not allowing me to delete this dll file. These files show the backdoor located in them.
    Can you tell me how I can remove this toolhelp32.dll?

    Samia
     
  14. samia

    samia Guest

    0
     
    You are great.

    I removed both these dll files and am now running a full scan of my server.
    But I want to ask you one thing: why is the Drweb CureIt utility still showing me
    BackDoor.HackDef.100 in memory? It shows it in this form:


    Memory (7FFA488D);;BackDoor.HackDef.100;Eradicated.
    Memory (7FFA3CF0);;BackDoor.HackDef.100;Eradicated.

    I am now doing a full system scan.


    Secondly, I have to say thank you, because my Plesk is working fine now after removal of these 2 dll files.
    Now please let me know whether I should reinstall the OS or whether there is no need for an OS reload. What do you suggest?

    Thank you very much for your kind response.

    Samia
     
  15. dynaweb

    dynaweb Guest

    0
     
    You may need to reboot/rescan a couple of times to get it all cleaned out. The reinstall decision is up to you, but if you feel the system is safe and stable you may not need to bother with that.
     
  16. samia

    samia Guest

    0
     
    Dear Dynaweb,

    Yeah, I am rescanning the system and will do it on a daily basis.
    Would you please suggest which antivirus I should use on my servers for this problem of BackDoor.HackDef.100, .194 etc.?
    I am currently using F-Prot antivirus 3.17c for Windows; it is updated but it did not detect this virus.

    I have more servers with Plesk and I am now facing this issue on my second server. I want to get rid of this problem. Is there any good antivirus in your mind, so I can install it on all my servers?


    Thank you again for your favorable response.

    Have a nice time.

    Samia
     
  17. dynaweb

    dynaweb Guest

    0
     
    I am probably not the best person to ask about that. I suggest to search the forum and if you do not find an answer, open a new thread to inquire about that specific issue. Good luck to you.
     
  18. samia

    samia Guest

    0
     
    Dear Dynaweb,

    Anyway thank you again for your timely help.
    I resolved my problem on both servers with your kind suggestions.

    Thank you again.


    Have a nice time.


    Samia:)
     
  19. elenlace

    elenlace Guest

    0
     
    Re: Was a virus

    Hi,

    Do you mind elaborating on the policy changes?

    Warmest Regards,

    elenlace
     