From: Mitch W on 14 Jan 2007 07:48

Our University recently had a number of machines infected with the Win32.Lokkest virus and other variants. While no machines that were infected attach to our servers directly, they spewed out traffic to everyone. We still have machines left to be cleaned on campus, but since that infection started our Windows 2003 server systems (which are fully patched) have recorded the following event in the log:

Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2000
Date: 1/10/2007
Time: 9:55:26 PM
User: N/A
Computer: WWW1
Description:
The server's call to a system service failed unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00040000 00540001 00000000 c00007d0
0010: 00000000 80090302 00000000 00000000
0020: 00000000 00000000 15e6032c

What is going on and how do we stop it? So far we can't see any adverse effects on the server, but we are concerned.

thanks,
mitch
From: Dave Patrick on 14 Jan 2007 11:06

This article might help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;134759

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Mitch W" wrote:
> Our University recently had a number of machines infected with the
> Win32.Lokkest virus and other variants. While no machines that were
> infected attach to our servers directly, they spewed out traffic to
> everyone. We still have machines left to be cleaned on campus, but since
> that infection started our Windows 2003 server systems (which are fully
> patched) have recorded the following event in the log:
>
> Event Type: Error
> Event Source: Srv
> Event Category: None
> Event ID: 2000
> Date: 1/10/2007
> Time: 9:55:26 PM
> User: N/A
> Computer: WWW1
> Description:
> The server's call to a system service failed unexpectedly.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 00040000 00540001 00000000 c00007d0
> 0010: 00000000 80090302 00000000 00000000
> 0020: 00000000 00000000 15e6032c
>
> What is going on and how do we stop it? So far we can't see any adverse
> effects on the server, but we are concerned.
>
> thanks,
> mitch
From: Mitch W on 14 Jan 2007 13:40

Dave,

Thanks for the attempt, but the article you referenced is titled "Event 2000 Occurs When You Print to a Shared Printer". This just started on machines that have been running for 2-3 years. In fact I can tie the events into the outbreak of the Lokkest (Symantec Title) virus, I am just not sure what caused the events in the first place.

Any other suggestions would be greatly appreciated.

thanks,
mitch

"Dave Patrick" wrote:
> This article might help.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;134759
>
> --
> Regards,
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Mitch W" wrote:
> > Our University recently had a number of machines infected with the
> > Win32.Lokkest virus and other variants. While no machines that were
> > infected attach to our servers directly, they spewed out traffic to
> > everyone. We still have machines left to be cleaned on campus, but since
> > that infection started our Windows 2003 server systems (which are fully
> > patched) have recorded the following event in the log:
> >
> > Event Type: Error
> > Event Source: Srv
> > Event Category: None
> > Event ID: 2000
> > Date: 1/10/2007
> > Time: 9:55:26 PM
> > User: N/A
> > Computer: WWW1
> > Description:
> > The server's call to a system service failed unexpectedly.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 00040000 00540001 00000000 c00007d0
> > 0010: 00000000 80090302 00000000 00000000
> > 0020: 00000000 00000000 15e6032c
> >
> > What is going on and how do we stop it? So far we can't see any adverse
> > effects on the server, but we are concerned.
> >
> > thanks,
> > mitch
From: Dave Patrick on 14 Jan 2007 13:45

Sorry, I missed the part about the virus. The machines can no longer be trusted. Flatten and rebuild.

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Mitch W" wrote:
> Dave,
>
> Thanks for the attempt, but the article you referenced is titled Event 2000
> Occurs When You Print to a Shared Printer. This just started on machines
> that have been running for 2-3 years. In fact I can tie the events into the
> outbreak of the Lokkest (Symantec Title) virus, I am just not sure what
> caused the events in the first place.
>
> Any other suggestions would be greatly appreciated.
>
> thanks,
> mitch
From: Mitch W on 14 Jan 2007 13:57

Dave,

Wow. Flatten and rebuild. The servers were not infected as far as we know, just other machines around campus that don't directly connect. It seems to have something to do with the traffic that the systems saw on the network. There are 11 servers in just my department that have these events in the event log and others on campus. They are not members of the same domain and in fact none of the systems share any ties. They are all independent.

According to everything I can find about the virus that hit our campus, the virus tries to attack systems with the following: The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040).

The systems are patched, but could something else be getting through?

thanks,
mitch

"Dave Patrick" wrote:
> Sorry, I missed the part about the virus. The machines can no longer be
> trusted. Flatten and rebuild.
>
> --
> Regards,
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Mitch W" wrote:
> > Dave,
> >
> > Thanks for the attempt, but the article you referenced is titled Event 2000
> > Occurs When You Print to a Shared Printer. This just started on machines
> > that have been running for 2-3 years. In fact I can tie the events into the
> > outbreak of the Lokkest (Symantec Title) virus, I am just not sure what
> > caused the events in the first place.
> >
> > Any other suggestions would be greatly appreciated.
> >
> > thanks,
> > mitch
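
A triage aid for the Data words of the Srv event quoted in the first post, added here as an example and not part of any poster's message: it parses the dump and splits every word with the failure bit set into status-code bit fields. Treating those words as status values is an assumption (the thread does not document the record layout), and the decode shows which codes were logged, not why the call failed.

```python
import re

# Constructed input: the Data words copied from the event in the first post.
EVENT_DATA = """\
0000: 00040000 00540001 00000000 c00007d0
0010: 00000000 80090302 00000000 00000000
0020: 00000000 00000000 15e6032c
"""

# Only values that are certain; anything else is reported as unnamed.
KNOWN = {0x80090302: "SEC_E_UNSUPPORTED_FUNCTION"}


def parse_dump(text):
    """Return the 32-bit words of an Event Viewer 'Words' dump, in order."""
    words = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]{4}):\s+(.+)$", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(words) * 4:
            raise ValueError("offset gap in dump: " + line.strip())
        words.extend(int(w, 16) for w in m.group(2).split())
    return words


def decode_status(word):
    """Split a DWORD into the bit fields shared by NTSTATUS and HRESULT."""
    return {
        "value": "0x%08x" % word,
        "failure": bool(word >> 31),       # top bit is set in both layouts
        "severity": word >> 30,            # 3 = error in NTSTATUS/event IDs
        "facility": (word >> 16) & 0xFFF,  # 9 = FACILITY_SSPI in an HRESULT
        "code": word & 0xFFFF,             # 0x07d0 is decimal 2000
        "name": KNOWN.get(word, "unnamed"),
    }


def triage(text):
    """Return (byte offset, decoded fields) for every failure-shaped word."""
    return [(i * 4, decode_status(w))
            for i, w in enumerate(parse_dump(text)) if w >> 31]


if __name__ == "__main__":
    for offset, fields in triage(EVENT_DATA):
        print("0x%02x" % offset, fields)
```

On this dump the word at offset 0x0c carries code 2000, matching the Event ID, and the word at offset 0x14 is an SSPI-facility failure code.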