Home > Archive > IIS Server > June 2005 > IIS 5 services won't start at Win 2000
IIS 5 services won't start at Win 2000
Michal Krawczyk 2005-06-24, 2:48 am
Hello,
Following problem occurred on Windows 2000 Server SP4 with Microsoft
Exchange 2000 SP3 - only IISAdmin service can be started.
Other services report following system errors:
> net start w3svc
System error 87: The parameter is incorrect
> net start smtpsvc
System error 87: The parameter is incorrect
> net start nntpsvc
System error 2: The system cannot find the file specified
More details:
1. Event Viewer shows only Service Control Manager Errors (ID: 7023) with
messages above. No failure reports on metabase access.
2. IIS is installed with default settings in c:\WINNT\system32\inetsrv.
3. IISAdmin service starts with no errors.
4. inetinfo.exe is running
5. MetaEdit 2.2 opens metabase correctly with no errors.
6. Microsoft Exchange services are not running - they depend on IIS services
and failed to start at all.
So far I did:
1. Browsed thousands of Microsoft KB articles and web pages, tried to apply
some solutions - no progress so far
2. Checked with FileMon if some open requests to files or DLLs are failed
(esp. for nntpsvc) - not found any problems.
3. Checked with RegMon which registry requests are accessed - not found any
problems.
4. Checked with Microsoft Baseline Security Analyzer against missing updates
or old DLLs - no problems
5. Removed IIS completely and re-installed again (using Add/Remove programs
/ Windows components)
6. Removed NNTP protocol and re-installed again (using Add/Remove programs /
Windows components)
7. Removed "c:\Document and Settings\All Users\Application
Data\Microsoft\Crypto\\RSA\MachineKeys", reinstalled IIS, it recreated
machine keys but with no help on services startup.
9. Applied again Windows 2000 Server SP4
10. Reinstalled Microsoft Exchange 2000 + reinstalled Microsoft Exchange
2000 SP3
....end of ideas, no effect...
The only thing left, which I would like to avoid, is reinstalling the OS... I
have seen some people at this newsgroup with similar problems but with no
replies posted.
Maybe someone has fixed such issue already?
Best regards,
Michal
David Wang [Msft] 2005-06-24, 7:51 am
Did you delete %windir%\system32\inetsrv\metabase.bin on the re-installs?
Did IIS ever function on this server or did you try to "fix" things by
upgrading/repairing the OS.
It seems that you have a bad value that hangs around in the metabase
somewhere. I would focus on getting W3SVC working before trying anything
else.
One reason that this category of posts does not get many replies is that it
is often non-obvious what causes the problem (data corruption, mangled ACLs,
failed setup, etc. can cause these sorts of things, but they are not really
obvious to fix).
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Michal Krawczyk" <irreality@o2.pl> wrote in message
news:d9gc41$24u$1@nemesis.news.tpi.pl...
Michal Krawczyk 2005-06-24, 5:59 pm
Hello David,
Thanks for your fast answer - any help is valuable for me now and if
anything you think can be checked I will appreciate this information.
> Did you delete %windir%\system32\inetsrv\metabase.bin on the re-installs?
Yes, the "c:\winnt\system32\inetsrv" was emptied completely and
"metabase.bin" was deleted as well.
At beginning I've suspected metabase damage but no problems with it were
detected. Finally I've decided to re-create it during IIS reinstallation.
MetaEdit does not report any errors, but maybe it is possible that some
of the values are out of range.
> Did IIS ever function on this server or did you try to "fix" things by
> upgrading/repairing the OS.
I do not administer this server everyday - I was called as consultant to
repair it when after server reboot Exchange refused to start.
Unfortunately their internal IT support tried to "fix" the server exactly
the mentioned way - by installing security updates, downloaded anti-spyware
programs etc., so before they decided to hire me they probably damaged a few
things more....
I am MCP on Windows 2000 Server, and usually do not repair servers by just
formatting and reinstalling OS ;)
Here the situation is quite bad because it is a small office with only one server
full of different applications, databases, services etc. It acts as DSL
gateway, mail server, file server...
The server was setup correctly and functioned quite long time before, IIS
was running but with no Web sites hosted. Only SMTP/NNTP services were
running required by Exchange. I suspect during weekend there will be more
relaxed and creative atmosphere there ;) so I will try again to manage it
working again.
First problem I identified was trojan rootkit deeply integrated into system
and hiding itself from antivirus and security scanner (invisible files and
system services). Few hours of investigation revealed some parts of it - and
when I found key components of this trojan it was easier to search for more
information so finally I found single article where people described this
problem (quoted below) and how they removed it.
Now the system is repaired, seems to be stable and working correctly (except
mysterious problem with IIS services)... I have avoided reinstallation of
whole stuff but of course I can not be sure if I fixed everything - so it is
possible that OS is damaged itself (component registration, registry
settings... whatever...)
I am just looking for some ideas which can make me not to give up and try to
fix.
> It seems that you have a bad value that hangs around in the metabase
> somewhere. I would focus on getting W3SVC working before trying anything
> else.
This is valuable suggestion - and I will follow it. I've focused SMTP
service to make Exchange working as soon as possible...
> One reason that this category of posts do not get many replies is because
> it
> is often non-obvious what causes the problem (data corruption, mangled
> ACLs,
> failed setup, etc can cause these sort of things but not really obvious to
> fix).
I know that there are too many factors which can cause the failure but any
help in such a situation can point you to the right track, and I believe not many
replies will arrive.
Best regards,
Michal
PS: Maybe someone will find it useful, so I will quote the solution for this
well hidden trojan:
Source:
http://blogs.technet.com/robert_hen.../17/354471.aspx
"(...)
re: Advanced hiding techniques: The mystery of the trojaned Winlogon.exe
Saturday, February 12, 2005 9:18 AM by Martin
We just had a similar problem but we solved it in a different way. One of
our W2K Servers was behaving "strange" but there were absolutely NO visible
problems. All known virus scanners found NO problems. But there was one, we
felt it.
The solution was tricky :
We just dig a defrag on the server. In the report the server said : ...was
unable to defrag the following files... -> There was a listing of non
visible files. Their location was in %SYSROOT%\SYSTEM32\drivers\etc\fonts{00
08...}\
Impossible to browse, impossible to delete. There where also some services,
not showing up in the service list, only visible via msinfo32.
None of the services was visible with regedit.
The only way to stop them was to rename them with another server (visible)
and restart the infected one. Then it was also possible to delete the files
via the command line (looked like a complete operating system with storage
in RECYCLER.BIN).
We deleted the invisible services with another server (network registry).
The name of the services : Atarpisrv (calls ATA122.exe)
PowersupplyManager
r_server
Thank you for your interesting article. Best regards from Martin
(....)
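The quoted comment describes the detection pattern that worked where signature scanners did not: the hidden services and files could filter the local view (services list, regedit, dir) but not a second vantage point (the defragmenter's report, msinfo32, a remote registry read from another server). The following is an added example, not code from the thread or from the blog comment it quotes, that turns that cross-view comparison into a repeatable check. All inputs are constructed: the service names are the ones named in the comment, while the defrag report wording, the directory placeholder and the plain-list representation of each view are assumptions.

```python
"""Cross-view comparison for services and files hidden from the local view.

Added example (not from the thread). Two vantage points are compared: what
the possibly compromised host shows locally, and what an out-of-band source
reports (a defrag report, or the registry read remotely from another server).
Anything the out-of-band view sees that the local view does not is flagged.
"""
from typing import Dict, Iterable, List


def parse_defrag_report(report: str) -> List[str]:
    """Return the file paths listed under 'unable to defrag the following files'.

    The heading phrase is the one quoted in the thread; the listing is assumed
    to run until the first blank line (report layout is an assumption).
    """
    paths: List[str] = []
    collecting = False
    for raw in report.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = "unable to defrag the following files" in line.lower()
            continue
        if not line:
            break
        paths.append(line)
    return paths


def _norm(names: Iterable[str]) -> Dict[str, str]:
    """Map a case-folded key to the original spelling (Windows names are case-insensitive)."""
    return {n.lower(): n for n in names}


def hidden_entries(local_view: Iterable[str], other_view: Iterable[str]) -> List[str]:
    """Entries the other vantage point sees but the local view does not, sorted."""
    local = _norm(local_view)
    other = _norm(other_view)
    return sorted(other[k] for k in other if k not in local)


def cross_view_report(local_services: Iterable[str], remote_services: Iterable[str],
                      local_files: Iterable[str], defrag_report: str) -> Dict[str, List[str]]:
    """Combine both comparisons into one report."""
    return {
        "hidden_services": hidden_entries(local_services, remote_services),
        "hidden_files": hidden_entries(local_files, parse_defrag_report(defrag_report)),
    }


# --- constructed sample inputs (not real captures) ---
# Services as listed on the host itself (constructed).
LOCAL_SERVICES = ["Eventlog", "IISADMIN", "RemoteRegistry", "SMTPSVC"]
# Services enumerated from HKLM\SYSTEM\CurrentControlSet\Services via another
# server's remote registry connection (constructed; hidden names from the thread).
REMOTE_SERVICES = LOCAL_SERVICES + ["Atarpisrv", "PowersupplyManager", "r_server"]
# Placeholder for the hidden directory named in the thread (exact name is not on the page).
HIDDEN_DIR = r"C:\WINNT\SYSTEM32\drivers\etc\fonts{0008-example}"
# What a local directory listing shows (constructed).
LOCAL_FILES = [r"C:\WINNT\SYSTEM32\drivers\etc\hosts", r"C:\WINNT\SYSTEM32\drivers\etc\services"]
# Defrag report text (constructed, modelled on the wording quoted in the thread).
DEFRAG_REPORT = f"""Analysis Report for volume C:
Defragmentation was unable to defrag the following files:
{HIDDEN_DIR}\\ATA122.exe
{HIDDEN_DIR}\\RECYCLER.BIN

Fragments  File Size  Files that cannot be defragmented
"""

if __name__ == "__main__":
    for kind, items in cross_view_report(LOCAL_SERVICES, REMOTE_SERVICES,
                                         LOCAL_FILES, DEFRAG_REPORT).items():
        print(kind, items)
```

The comparison is case-insensitive because service and file names on Windows are; a hidden entry that only differs in case from a visible one would otherwise be a false positive. The value of the check lies in the second vantage point being collected off the suspect host (another server, or a report produced by a component the hook does not cover), exactly as the comment describes.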
David Wang [Msft] 2005-06-25, 5:50 pm
Ok, I see where you are coming from.
From the perspective of IISADMIN (the service which loads the metabase.bin
into inetinfo.exe), both SMTP and W3SVC are peer services that depend on
IISADMIN. As you are just interested in getting NNTP/SMTP working, I would
just work on NNTP/SMTP and not worry about W3SVC (usually, people on this
group care about W3SVC since it is the web portion, but not in your case).
Can you run this on that server in the currently broken state:
cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs enum /SMTPSVC
This should come out with a list of settings, as well as show that you have
/SMTPSVC/1 to later navigate and view.
I am somewhat suspicious that something else may have certain metabase nodes
in IIS configuration opened/locked, so while IISADMIN runs just fine, when any
other service like W3SVC/SMTP/NNTP tries to read the configuration it would
fail (because the common shared node in the metabase is locked by some other
bad app).
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Michal Krawczyk" <irreality@o2.pl> wrote in message
news:d9hs1s$ljt$1@nemesis.news.tpi.pl...
Michal Krawczyk 2005-06-27, 5:53 pm
Hello David,
>cscript c:\inetpub\adminscripts\adsutil.vbs enum /SMTPSVC
(this is Polish version of Windows 2000 Server so "Prawda" means "True" and
"Fałsz" means "False")
Host skryptów systemu Windows firmy Microsoft (R) wersja 5.6
Copyright (C) Microsoft Corporation 1996-2001. Wszelkie prawa zastrzeżone.
KeyType : (STRING) "IIsSmtpService"
MaxConnections : (INTEGER) 2000000000
ConnectionTimeout : (INTEGER) 600
AuthAnonymous : (BOOLEAN) Prawda
AuthBasic : (BOOLEAN) Prawda
AuthNTLM : (BOOLEAN) Prawda
AuthFlags : (INTEGER) 7
LogType : (INTEGER) 0
LogFilePeriod : (INTEGER) 1
LogPluginClsid : (STRING)
"{FF160663-DE82-11CF-BC0A-00AA006111E0}"
LogFileDirectory : (EXPANDSZ) "C:\WINNT\System32\LogFiles"
LogFileTruncateSize : (INTEGER) 20480000
SmtpServiceVersion : (INTEGER) 5
EnableReverseDnsLookup : (BOOLEAN) Fałsz
ShouldDeliver : (BOOLEAN) Fałsz
SmartHostType : (INTEGER) 0
HopCount : (INTEGER) 15
MaxOutConnections : (INTEGER) 1000
MaxOutConnectionsPerDomain : (INTEGER) 100
RemoteTimeout : (INTEGER) 600
MaxMessageSize : (INTEGER) 2097152
MaxSessionSize : (INTEGER) 10485760
MaxRecipients : (INTEGER) 100
LocalRetryInterval : (INTEGER) 60
RemoteRetryInterval : (INTEGER) 60
LocalRetryAttempts : (INTEGER) 48
RemoteRetryAttempts : (INTEGER) 48
MaxBatchedMessages : (INTEGER) 20
SmartHost : (STRING) ""
RoutingDll : (STRING)
"C:\WINNT\System32\inetsrv\routeldp.dll"
DomainRouting : (LIST) (0 Items)
NTAuthenticationProviders : (STRING) "GSSAPI,NTLM"
SmtpRemoteProgressiveRetry : (STRING) "15,30,60,240"
SmtpLocalDelayExpireMinutes : (INTEGER) 720
SmtpLocalNDRExpireMinutes : (INTEGER) 2880
SmtpRemoteDelayExpireMinutes : (INTEGER) 720
SmtpRemoteNDRExpireMinutes : (INTEGER) 2880
SmtpRemoteRetryThreshold : (INTEGER) 3
SmtpDSNOptions : (INTEGER) 0
SmtpDSNLanguageID : (INTEGER) 0
SmtpAdvQueueDll : (STRING)
"C:\WINNT\system32\inetsrv\aqueue.dll"
SmtpInboundCommandSupportOptions : (INTEGER) 7697601
SmtpOutboundCommandSupportOptions : (INTEGER) 7
DataType: "IPSec" Not Yet Supported on property: RelayIpList
ErrNumber: 0 (0x0)
RelayForAuth : (INTEGER) 1
[/SmtpSvc/Info]
[/SmtpSvc/1]
I've made a backup of the metabase and removed "RelayIpList"; it did not help the
SmtpSvc startup problem - anyway, as I tested on a Windows XP SP2 machine, the
same entry exists there and causes no problems. I've browsed through all
subkeys of SmtpSvc and it does not return other errors. There are 5 backup
files in the MetaBack directory. Probably these backups were created
automatically when I was reinstalling IIS (I've removed the "inetserv" folder
content). But only two of them can be opened (by date: first and last)!
I've tested them with the following commands:
>net stop iisadmin
>copy backupfile ../metabase.bin
>cscript c:\inetpub\adminscripts\adsutil.vbs enum /
These display correctly but have no /SMTPSVC key inside:
2005-06-24 05:00 191434 iischema-update.MD0
2005-06-24 08:26 191435 iischema-update.MD4
These fail to open:
2005-06-24 05:19 208594 iischema-update.MD1
2005-06-24 05:19 208599 iischema-update.MD2
2005-06-24 06:28 278029 iischema-update.MD3
Host skryptów systemu Windows firmy Microsoft (R) wersja 5.6
Copyright (C) Microsoft Corporation 1996-2001. Wszelkie prawa zastrzeżone.
ErrNumber: -2146893818 (0x80090006)
Error Trying To ENUM the Object (GetObject Failed):
I will continue examination of the metabase on this machine. Maybe I will try to
reinstall IIS again but with focus on what is happening to the metabase file.
It seems to me that some of security updates / SP4 installed before the
crash are applying changes to metabase automatically after IIS
reinstallation but these changes are not compatible with DLL versions
installed in the system - but this is only my hypothesis.
If you have any ideas any help still welcome!
Best regards,
Michal
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:ee91fQceFHA.3376@TK2MSFTNGP10.phx.gbl...
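David asked for the `adsutil.vbs enum /SMTPSVC` listing and for confirmation that `/SMTPSVC/1` is present; Michal then ran the same enumeration against each MetaBack backup and found that some opened and some failed with `0x80090006`. The following is an added example, not code from the thread or from Microsoft, that parses that output so the same comparison can be run over several backups without reading each listing by eye. It models the format exactly as quoted above: `Name : (TYPE) value` lines (including a value wrapped onto the next line), `[/Path]` child-node lines, the `DataType: ... Not Yet Supported on property:` warning, and the `ErrNumber:` / `GetObject Failed` form of a failed enumeration. The Polish boolean words are the ones shown in the thread; the English pair and the `has_node` helper are assumptions.

```python
"""Parse the text printed by `cscript adsutil.vbs enum <path>` (IIS 5 metabase).

Added example, not from the thread or from Microsoft. The sample outputs at
the bottom are constructed from the listing quoted in the thread (trimmed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROP_RE = re.compile(r'^(\w+)\s*:\s*\(([A-Z]+)\)\s*(.*)$')          # Name : (TYPE) value
NODE_RE = re.compile(r'^\[(/[^\]]+)\]$')                              # [/SmtpSvc/1]
UNSUPPORTED_RE = re.compile(r'^DataType:\s*"([^"]+)"\s+Not Yet Supported on property:\s*(\w+)')
ERRNUM_RE = re.compile(r'^ErrNumber:\s*(-?\d+)\s*\((0x[0-9A-Fa-f]+)\)')

# Boolean words as printed by adsutil.vbs. The Polish pair is what the thread
# shows; the English pair is an assumption for an English-locale server.
BOOL_WORDS = {"true": True, "false": False, "prawda": True, "fałsz": False}


@dataclass
class EnumResult:
    opened: bool = True                   # False when the enum failed (GetObject Failed)
    error_hex: Optional[str] = None       # e.g. "0x80090006" for a backup that will not open
    properties: Dict[str, object] = field(default_factory=dict)
    unsupported: List[str] = field(default_factory=list)   # properties adsutil cannot display
    child_nodes: List[str] = field(default_factory=list)   # e.g. "/SmtpSvc/1"


def _convert(mtype: str, raw: str):
    """Turn the printed value into a Python value according to the metabase type."""
    if mtype == "INTEGER":
        return int(raw)
    if mtype == "BOOLEAN":
        word = raw.strip().lower()
        if word not in BOOL_WORDS:
            raise ValueError(f"unknown boolean word: {raw!r}")
        return BOOL_WORDS[word]
    if mtype == "LIST":
        m = re.match(r'\((\d+) Items?\)', raw)
        return int(m.group(1)) if m else raw
    return raw.strip().strip('"')         # STRING, EXPANDSZ and anything else


def parse_adsutil_enum(text: str) -> EnumResult:
    result = EnumResult()
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        m = ERRNUM_RE.match(line)
        if m:
            # ErrNumber: 0 also follows the "Not Yet Supported" warning, so only
            # a non-zero code marks the enumeration itself as failed.
            if int(m.group(1)) != 0:
                result.opened = False
                result.error_hex = m.group(2)
            continue
        m = UNSUPPORTED_RE.match(line)
        if m:
            result.unsupported.append(m.group(2))
            continue
        m = NODE_RE.match(line)
        if m:
            result.child_nodes.append(m.group(1))
            continue
        m = PROP_RE.match(line)
        if m:
            name, mtype, raw = m.groups()
            # Long string values are wrapped onto the following line in the output.
            if raw == "" and mtype in ("STRING", "EXPANDSZ") and i < len(lines):
                raw = lines[i].strip()
                i += 1
            result.properties[name] = _convert(mtype, raw)
        # Banner, copyright and free-text error lines are ignored.
    return result


def has_node(result: EnumResult, path: str) -> bool:
    """Metabase paths are case-insensitive, so compare case-folded (assumed helper)."""
    return path.lower() in (p.lower() for p in result.child_nodes)


# Constructed sample: a trimmed version of the successful listing in the thread.
GOOD_OUTPUT = """Host skryptów systemu Windows firmy Microsoft (R) wersja 5.6
Copyright (C) Microsoft Corporation 1996-2001. Wszelkie prawa zastrzeżone.
KeyType : (STRING) "IIsSmtpService"
MaxConnections : (INTEGER) 2000000000
AuthAnonymous : (BOOLEAN) Prawda
LogPluginClsid : (STRING)
"{FF160663-DE82-11CF-BC0A-00AA006111E0}"
EnableReverseDnsLookup : (BOOLEAN) Fałsz
DomainRouting : (LIST) (0 Items)
DataType: "IPSec" Not Yet Supported on property: RelayIpList
ErrNumber: 0 (0x0)
RelayForAuth : (INTEGER) 1
[/SmtpSvc/Info]
[/SmtpSvc/1]
"""

# Constructed sample: the failure form shown for the backups that would not open.
FAILED_OUTPUT = """Host skryptów systemu Windows firmy Microsoft (R) wersja 5.6
Copyright (C) Microsoft Corporation 1996-2001. Wszelkie prawa zastrzeżone.
ErrNumber: -2146893818 (0x80090006)
Error Trying To ENUM the Object (GetObject Failed):
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("failed", FAILED_OUTPUT)):
        r = parse_adsutil_enum(text)
        print(label, "opened" if r.opened else f"failed {r.error_hex}",
              len(r.properties), "properties, nodes:", r.child_nodes)
```

Run against the saved output of each backup (as in the `net stop iisadmin` / copy / `enum` loop above), the parser separates the backups that open from those that fail, and for the ones that open shows whether `/SmtpSvc/1` exists and which properties differ, which is the comparison David's request was driving at.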