Question : Info store came un mounted after w32.Hllw.gaobot virus can't resmount

Exchange 2000

After a quick infection, the info store became unmounted, and my m: drive was disconnected. when I tried to remount, I got the message that the db was corrupted. I ran eseutil /p /d and pointed them to another sever (lack of space) and ran it. It all ended perfectly. The DBs were fixed and defraged and were moved back over to the original location. I made back up of it  and now have a reference point.

When I went to run ISinteg, I set it up like this -

c:\exchsrvr\bin>isinteg -s myname -fix -test alltests.

With the Info store service started, I get the :

Database for server :
only databases marked as offline can be checked

Index       Status             Database name
starage    group name:    First starage group
   1          offline              Private info store (name)
   2          offline              Public
enter a number to select a db  press enter

I press enter and say yes - I get:

Isinteg cannot initiate verification process
please review log files for more info

Now, my databases reside on the E: drive, not the C: drive. not sure if that means anything.    

If I turn the infostore service off, I get:

error: unable to get database information from the server. the reason could be either wrong server name or networking problems Isinteg quits now

If I try to moun the drive from ESM, I get the error:

An internal processing error has occured. Try restarting the exchange system manager or the microsoft exchange information store service or both.

When I started all of this, THe error I got on it was Database is corrupted and cannot be mounted.

the event I see every couple of minutes is:
 MSExchangeSA
MAPI session
9175

The MAPI call 'OpenMsgStore' failed with the following error:
The Microsoft Exchange Server computer is not available.  Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0526-00000000
 
Which brings me back to the original virus - It seem to have attaced the mapi.exe and changed it to Imapi.exe - which ran the memory to 100% - this was happening on all machines infected with this virus

So I think it is tied to this. The symantec and mcafee scans quarenteened this file, so I am not sure if it has altered the maoi.exe service or whatever in exchange.

Can any one help me figure this out.

Thank you

Answer : Info store came un mounted after w32.Hllw.gaobot virus can't resmount

Closed, 500 points refunded.
Netminder
Site Admin