[Doonz]

Client calls today in a panic...NT server is dumping the memory shutting down and upon boot up would dump the memory again...the stop error meesage is

STOP 0X00000001E Kmode_Exception_Not_Handled in Win32K.sys (Knowlege Base Q294728)

We droped another NT drive into the box and have a dual boot machine...by Dual booting we have the clean hard drive as the boot drive and we can search the "infected drive"

How do we see/open the registery on the other drive?

How do we see the logs for the other drive?

What do you think of the following files tftp879.exe, airfreight.pdf.exe,alot of the PC anywhere files were amended around 8:41 right when the server bogged, 20021003124206703.livereg, my profile.userprofile

There is an Built in User that is called Unkown...never heard of it and it doesnt shouw up in the user but if you go to rights under some of thoes files it has change rights...

any help...

 

[Pseudocyber]

There is a new virus that has double file extensions. I forget what the virus is called ...

W32/[email protected]

It is common for the attachment name to contain a double-extension (ie. .doc.pif).

http://vil.nai.com/vil/content/v_99728.htm

I don't know if this caused your problem, but from what I read, this thing terminates a @#$load of processes and has the ability to create funky files and spoof email addresses.

 

[Doonz]

thanks...were are looking at that as probley the main cause...but it appears someone has used the backdoor and gone deeper then that..:upset:

 

[Pseudocyber]

(Remembering back to my NT daze ...)

Does the server have a recent ERD? Could you pull the drive and put it on another machine and use the ERD to access the registry files (user.dat and system.dat)? Or use Regedit or Regedit32?

Didn't ever really mess with such low level stuff ...

 

[TheTechIsIn]

Is this NT system running an unpatched version of IIS? its sounds like this thing was throughly compromised and your probably even looking at backdoors having been installed. :no:

See if you can pull the logs as Pseudocyber suggested.

 

[Doonz]

The solution--Thanks

Thanks Tech, Merlin and Pseudocyber...:cheers:


The solution was totaly diffrent and just goes to show...everything is a clue...


When i commented about all the suspicous file and manliy the PC anywhere files ... we went to symantec's site to see what we could about PC anywhere being messed with...came across document 2001051016390712 @ http://service4.symantec.com/support/pca.nsf/pfdocs/2001051016390712


Symantec had a better solution then M$...go figure:thmbup:

 

[Pseudocyber]

Symantec had a better solution then M$...go figure

NO ... Way!!!

You're welcome!

Mmmmmm. Beer. - Homer Simpson

 

[Doonz]

One more question on the issue....

What should be in the C:Inet\scripts folder...have hundreds of TFTP with random number .exe
and I dont have another NT40 server to compare it to??

Plus an INI called ServUDaemon with refrences to things like

Allow logon=1

ftp.machtapotheker.org

User1=Admin

and refrence a D:/MP3 folder that is not on the D drive

 

[Pseudocyber]

I don't know about that one Doonz. Sorry!

 

[Uranium-235]

if you ever get an error like that, the first thing you do is put the main part of it in quotes in google

You'd be suprised how many sites have the same problem and/or a fix for it

 

[Zvalkor]

if you ever get an error like that, the first thing you do is put the main part of it in quotes in google

You'd be suprised how many sites have the same problem and/or a fix for it

That is the first thing I do when I encounter a problem. I try Google Groups (deja.com) first.