Plesk error causes server to restart

Henrique

Guest
This is the event log for the error:

Event Type: Error
Event Source: Plesk Miscellaneous Service
Event Category: None
Event ID: 1
Date: 10/5/2006
Time: 13:53:51
User: NT AUTHORITY\SYSTEM
Computer: NEXTSTEP
Description:
Unable to change the user (Plesk Administrator) password: (1722) The RPC server is unavailable. at RaiseException in C:\WINDOWS\system32\kernel32.dll
at CxxThrowException in C:\WINDOWS\system32\MSVCR71.dll
at 41C2C4 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
at 4222AE in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
at 4273B1 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
at 429133 in C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
at GetModuleFileNameA in C:\WINDOWS\system32\kernel32.dll
Execute file name:


HELP!! I can't use plesk till this issue is solved.
 
This is what pops up in windows alert

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 10/5/2006
Time: 13:54:07
User: N/A
Computer: NEXTSTEP
Description:
Application popup: System Shutdown : The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 47 seconds. Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart..

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
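
Added example (not part of the original thread or of Plesk): a small triage parser for exported "Application Popup" event text like the one above. It converts the signed status code to its unsigned NTSTATUS form and flags faults in critical system processes. The function name `triage`, the process list and the sample text are assumptions made for illustration.

```python
import re

# A few NTSTATUS values as defined in Microsoft's ntstatus.h; extend as needed.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}
# Assumed watch list: processes whose unexpected exit forces a reboot.
CRITICAL = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

POPUP = re.compile(
    r"system process '(?P<path>[^']+)' terminated unexpectedly "
    r"with status code (?P<code>-?\d+)", re.IGNORECASE)

def triage(event_text):
    """Return one finding dict per forced-shutdown message in event_text."""
    findings = []
    for m in POPUP.finditer(event_text):
        # The event log prints the code as a signed 32-bit integer.
        code = int(m.group("code")) & 0xFFFFFFFF
        image = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({
            "image": image,
            "ntstatus": f"0x{code:08X}",
            "name": NTSTATUS.get(code, "UNKNOWN"),
            # Top two bits == 0b11 means NTSTATUS severity "error". A crash of
            # a critical process with an error status warrants a malware check.
            "escalate": image in CRITICAL and (code >> 30) == 3,
        })
    return findings

# Constructed sample: the shutdown message from the post above (abridged)
# followed by an unrelated popup line that must not match.
SAMPLE = (
    "Application popup: System Shutdown : ... Shutdown message: The system "
    "process 'C:\\WINDOWS\\system32\\lsass.exe' terminated unexpectedly with "
    "status code -1073741819. The system will now shut down and restart.\n"
    "Application popup: Windows - Low On Registry Space\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```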
 
It looks like your server is infected by a virus similar to Lovesan. You need to check your server for virus presence.
 
Hi,

Did you ever solve this problem? Was it a virus or something different?
 
Was a virus

In my case it was a virus. After a server restore and some policy changes the problem was gone.
 
We have been battling the same issue. We found the virus with this:

http://download.drweb.com/drweb+cureit/

I'd be curious to know how you found it because we found 3 programs prior to this and none of them found the files in c:\windows\system32 which were bjlmon.dll and toolhelp32.dll.
 
I tried a few different virus scanners and finally had SW Soft help me. Here was their solution for me:
Hello

I've scanned the C:\WINDOWS\system32 folder with the following software
http://download.drweb.com/drweb+cureit/
and deleted two .dll files detected as viruses:
bjmon.dll
toolhelp32.dll

Now it seems that Plesk works well.
I was able to log into it and it is ok for at least one hour.
Please perform full system scan.
Also I recommend you to update your Plesk 7.5.1 to 7.5.6
To do it you should download and install:
ftp://download1.swsoft.com/Plesk/Pl...plesk_patch_7.5.1_to_7.5.6_build051107.20.msp
ftp://download1.swsoft.com/Plesk/Autoupdate/plesk7.5.6_update060502.17.msp

This shows very positive for both plesk and drweb. Great service and thanks to them and Layeredtech for helping fix!
 
I am facing the same problem.

I scanned my server with the Drweb cure utility and it shows me a trojan in memory.
BackDoor.HackDef.100

How can I remove this from my system? My Plesk is 7.5.6 reloaded.


Waiting for your favorable response.


Regards,

Samia
 
It is the same as other anti-virus utilities. You can rename the file or quarantine or delete the file.
 
Dear Dynaweb,

Actually this shows me BackDoor.HackDef.100 resides in memory it does not show me any file path. I can detect it only using drweb Cureit but it does not remove it.
Drweb cureit shows me like this:

Memory (7FFA488D);;BackDoor.HackDef.100;Eradicated.
Memory (7FFA3CF0);;BackDoor.HackDef.100;Eradicated.




Samia
 
Good, now do a full drive scan. If you have any further issue, I suggest a new thread for it :)
 
Dear DynaWeb,


Actually the problem is not resolved. It just shows "Eradicated", but in reality when I view the complete scan report it shows me
Infected: 2
Deleted: 0
cured: 0

and when I did a full scan it found this virus again. I just tried to access my Plesk; this error appears and the server goes down.
-------------------------------------
Fatal error: Run-Time error: Can't decrypt password in C:\Program Files\SWsoft\Plesk\admin\plib\common_func.php3 on line 217
-----------------------------------------



This means BackDoor.HackDef.100 is still in memory, and the Drweb CureIt utility just leaves the message that it is eradicated without deleting this trojan.


Samia
 
Dear Dynaweb,

Hi,

Let me tell you, I scanned C:/Windows/System32 and found the virus located in 2 dll files

Names are:
bjmon.dll
toolhelp32.dll

I deleted the first dll file, bjmon.dll, and now I am trying to delete the 2nd dll file, toolhelp32.dll, but it gives me the error: Access Denied.

It is not allowing me to delete this dll file. These files show a backdoor located in them.
Can you tell me how I can remove this toolhelp32.dll?

Samia
 
You are great.

I removed both these dll files and am now running a full scan of my server.
But I want to ask you one thing: why is the Drweb cureit utility still showing me
BackDoor.HackDef.100 in memory? It shows it in this form.


Memory (7FFA488D);;BackDoor.HackDef.100;Eradicated.
Memory (7FFA3CF0);;BackDoor.HackDef.100;Eradicated.

I am doing now full system scan.


Secondly, I have to say thank you, because my Plesk is working fine now after removal of these 2 dll files.
Now please let me know whether I should reinstall the OS or there is no need for an OS reload; what do you suggest?

Thank you very much for your kind response.

Samia
 
You may need to reboot/rescan a couple of times to get it all cleaned out. The reinstall decision is up to you, but if you feel the system is safe and stable you may not need to bother with that.
 
Dear Dynaweb,

Yeah, I am rescanning the system and will do it on a daily basis.
Would you please suggest which antivirus I should use on my servers for this problem of BackDoor.HackDef.100, .194 etc.?
I am currently using F-Prot antivirus 3.17c for Windows; it is updated but it did not detect this virus.

As I have more servers with Plesk and I am currently facing this issue on my second server, I want to get rid of this problem. Is there any good antivirus in your mind, so I can install it on all my servers?


Thank you again for your favorable response.

Have a nice time.

Samia
 
I am probably not the best person to ask about that. I suggest to search the forum and if you do not find an answer, open a new thread to inquire about that specific issue. Good luck to you.
 
Dear Dynaweb,

Anyway thank you again for your timely help.
I resolved my problem on both servers with your kind suggestions.

Thank you again.


Have a nice time.


Samia:)
 
Re: Was a virus

Originally posted by Henrique
In my case it was a virus. After a server restore and some policy changes the problem was gone.

Hi,

Do you mind elaborating on the policy changes?

Warmest Regards,

elenlace
 