From: Sean on 27 Jul 2006 09:01

I am finding more and more missing files and several services stop and refuse to run. I have Norton AV running on every computer and server. Is there anything running around that this app can't detect?

It still may be something else, just seem to be moving around and some days better than others.

Any help would be great.
--
Sean

From: Susan Bradley on 27 Jul 2006 10:47

Missing files are typically due to "fatal finger"... folks dragging files under the folder of another folder.

What services are stopping and refusing to run?

Let's see exactly what services before we go to the next step of investigation.

Sean wrote:
> I am finding more and more missing files and several services stop and refuse
> to run. I have Norton AV running on every computer and server. Is there
> anything running around that this app can't detect?
>
> It still may be something else, just seem to be moving around and some days
> better than others.
>
> Any help would be great.

From: Sean on 27 Jul 2006 12:23

Thank you for your rapid response. I first suspected the "fatal finger" (I like that), but we have seen files disappear during periods of inactivity. But right now that is only a nuisance.... This morning I came in and nobody can browse, or use any network devices (network printers work, but not shared ones), Internet and mail work. My log files are huge, and I would be fine with forwarding copies to you, but here is just the summary report I was greeted with this morning.

Critical Alerts:
Windows Small Business Server Backup failed (Event ID: 5634)

Critical Errors in Application Log:

MSExchangeAL 8026 7/27/2006 8:00 AM 1
LDAP Bind was unsuccessful on directory server.nghpower.local for distinguished name ''. Directory returned error:[0x51] Server Down. For more information, click http://www.microsoft.com/contentredirect.asp.

Source Event ID Last Occurrence Total Occurrences
MSExchangeDSAccess 2102 7/27/2006 8:00 AM 1
Process MAD.EXE (PID=2688). All Domain Controller Servers in use are not responding: server.nghpower.local nghserver.nghpower.local For more information, click http://www.microsoft.com/contentredirect.asp.

Source Event ID Last Occurrence Total Occurrences
SmallBusinessServer 5634 7/26/2006 11:00 PM 1
One or more components of Small Business Server Backup failed. For more information, click Backup in Server Management, and view the log files.

Source Event ID Last Occurrence Total Occurrences
NTBackup 8017 7/26/2006 11:00 PM 1
NTBackup error: 'The operation failed. Consult the Backup Report for more details.'

Critical Errors in Security Log :

Source Event ID Last Occurrence Total Occurrences
Security 673 7/27/2006 8:35 AM 114 *
Service Ticket Request:
    User Name:
    User Domain: NGHPOWER.LOCAL
    Service Name: host/server.nghpower.local
    Service ID: -
    Ticket Options: 0x40830000
    Ticket Encryption Type: -
    Client Address: 127.0.0.1
    Failure Code: 0xD
    Logon GUID: -
    Transited Services: -

Source Event ID Last Occurrence Total Occurrences
Security 675 7/27/2006 8:26 AM 3,240 *
Pre-authentication failed:
    User Name: Administrator
    User ID: NGHPOWER\Administrator
    Service Name: krbtgt/NGHPOWER
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 192.168.1.71

Source Event ID Last Occurrence Total Occurrences
Security 529 7/27/2006 5:48 AM 2 *
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Sean
    Domain: NGHPOWER
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SERVER
    Caller User Name: SERVER$
    Caller Domain: NGHPOWER
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 5168
    Transited Services: -
    Source Network Address: 192.168.1.100
    Source Port: 49613

Source Event ID Last Occurrence Total Occurrences
Security 537 7/27/2006 5:15 AM 9 *
Logon Failure:
    Reason: An error occurred during logon
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: -
    Status code: 0xC000006D
    Substatus code: 0xC0000133
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.1.23
    Source Port: 2363

* The text shown is for the most recent occurrence of this event. For more information, see the Event log.

Critical Errors in System Log :

Source Event ID Last Occurrence Total Occurrences
TermServDevices 1111 7/26/2006 11:14 AM 1
Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

If it would be easier, I can forward any logs you may wish to view to an E-Mail.
--
Sean

"Susan Bradley" wrote:
> Missing files are typically due to "fatal finger"... folks dragging
> files under the folder of another folder.
>
> What services are stopping and refusing to run?
>
> Let's see exactly what services before we go to the next step of
> investigation.
>
> Sean wrote:
> > I am finding more and more missing files and several services stop and refuse
> > to run. I have Norton AV running on every computer and server. Is there
> > anything running around that this app can't detect?
> >
> > It still may be something else, just seem to be moving around and some days
> > better than others.
> >
> > Any help would be great.

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] on 27 Jul 2006 14:24

http://www.ultimatewindowssecurity.com/events/com298.html

You have 3,240 event 675s? What IP address is 192.168.1.71?

Okay for the fatal finger we can turn on object auditing...but you have a lot of critical errors... I think I'm going to kick you to 1-866-pcsafety but before I do, let's go down the list....

I'm not quite concerned about 8026 as that typically occurs after a reboot...did you reboot? Same with 2102.

The backup failure IS an issue and we'll need to deal with that after this issue.....

But those security logs are a concern.... can you ping me directly to give you more explicit instructions that I don't want to post here?

Sean wrote:
>Thank you for your rapid response. I first suspected the "fatal finger" (I
>like that), but we have seen files disappear during periods of inactivity.
>But right now that is only a nuisance.... This morning I came in and nobody
>can browse, or use any network devices (network printers work, but not shared
>ones), Internet and mail work. My log files are huge, and I would be fine
>with forwarding copies to you, but here is just the summary report I was
>greeted with this morning.
>
>Critical Alerts:
>Windows Small Business Server Backup failed (Event ID: 5634)
>
>Critical Errors in Application Log:
>
> MSExchangeAL
>8026 7/27/2006 8:00 AM 1
>LDAP Bind was unsuccessful on directory server.nghpower.local for
>distinguished name ''. Directory returned error:[0x51] Server Down. For more
>information, click http://www.microsoft.com/contentredirect.asp.
>
>Source Event ID Last Occurrence Total Occurrences
> MSExchangeDSAccess
>2102 7/27/2006 8:00 AM 1
>Process MAD.EXE (PID=2688). All Domain Controller Servers in use are not
>responding: server.nghpower.local nghserver.nghpower.local For more
>information, click http://www.microsoft.com/contentredirect.asp.
>
>Source Event ID Last Occurrence Total Occurrences
> SmallBusinessServer
>5634 7/26/2006 11:00 PM 1
>One or more components of Small Business Server Backup failed. For more
>information, click Backup in Server Management, and view the log files.
>
>Source Event ID Last Occurrence Total Occurrences
> NTBackup
>8017 7/26/2006 11:00 PM 1
>NTBackup error: 'The operation failed. Consult the Backup Report for more
>details.'
>
>Critical Errors in Security Log :
>Source Event ID Last Occurrence Total Occurrences
> Security
>673 7/27/2006 8:35 AM 114 *
>Service Ticket Request:
>    User Name:
>    User Domain: NGHPOWER.LOCAL
>    Service Name: host/server.nghpower.local
>    Service ID: -
>    Ticket Options: 0x40830000
>    Ticket Encryption Type: -
>    Client Address: 127.0.0.1
>    Failure Code: 0xD
>    Logon GUID: -
>    Transited Services: -
>
>Source Event ID Last Occurrence Total Occurrences
> Security
>675 7/27/2006 8:26 AM 3,240 *
>Pre-authentication failed:
>    User Name: Administrator
>    User ID: NGHPOWER\Administrator
>    Service Name: krbtgt/NGHPOWER
>    Pre-Authentication Type: 0x2
>    Failure Code: 0x18
>    Client Address: 192.168.1.71
>
>Source Event ID Last Occurrence Total Occurrences
> Security
>529 7/27/2006 5:48 AM 2 *
>Logon Failure:
>    Reason: Unknown user name or bad password
>    User Name: Sean
>    Domain: NGHPOWER
>    Logon Type: 10
>    Logon Process: User32
>    Authentication Package: Negotiate
>    Workstation Name: SERVER
>    Caller User Name: SERVER$
>    Caller Domain: NGHPOWER
>    Caller Logon ID: (0x0,0x3E7)
>    Caller Process ID: 5168
>    Transited Services: -
>    Source Network Address: 192.168.1.100
>    Source Port: 49613
>
>Source Event ID Last Occurrence Total Occurrences
> Security
>537 7/27/2006 5:15 AM 9 *
>Logon Failure:
>    Reason: An error occurred during logon
>    User Name:
>    Domain:
>    Logon Type: 3
>    Logon Process: Kerberos
>    Authentication Package: Kerberos
>    Workstation Name: -
>    Status code: 0xC000006D
>    Substatus code: 0xC0000133
>    Caller User Name: -
>    Caller Domain: -
>    Caller Logon ID: -
>    Caller Process ID: -
>    Transited Services: -
>    Source Network Address: 192.168.1.23
>    Source Port: 2363
>
>
>* The text shown is for the most recent occurrence of this event. For more
>information, see the Event log.
>
>Critical Errors in System Log :
>Source Event ID Last Occurrence Total Occurrences
> TermServDevices
>1111 7/26/2006 11:14 AM 1
>Driver Adobe PDF Converter required for printer Adobe PDF is unknown.
>Contact the administrator to install the driver before you log in again.
>
>If it would be easier, I can forward any logs you may wish to view to an
>E-Mail.
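
The reply above asks which machine is behind the 3,240 event 675s. As an added example (not part of the original thread), this Python sketch tallies Kerberos pre-authentication failures (failure code 0x18) per client address from event descriptions laid out like the ones in the report; the sample events, the address 192.168.1.200, the user names alice/bob/carol and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

PREAUTH_FAILED = "0x18"  # Kerberos error 24, KDC_ERR_PREAUTH_FAILED (bad password)
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*)$")

def parse_event(text):
    """Turn one event description ('Key: Value' lines) into a dict.
    Header lines and fields with empty values are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2).strip():
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def summarize_preauth_failures(events, threshold=3):
    """Group 0x18 failures by client address; report noisy sources first."""
    per_source = defaultdict(Counter)
    for ev in map(parse_event, events):
        if ev.get("Failure Code", "").lower() != PREAUTH_FAILED:
            continue
        per_source[ev.get("Client Address", "?")][ev.get("User Name", "?")] += 1
    report = []
    for addr, users in per_source.items():
        total = sum(users.values())
        if total >= threshold:
            # Heuristic (assumption): one account repeating from one host often
            # means a stale saved password; many accounts suggests guessing.
            pattern = "single account" if len(users) == 1 else "multiple accounts"
            report.append({"client": addr, "failures": total,
                           "users": sorted(users), "pattern": pattern})
    return sorted(report, key=lambda r: -r["failures"])

# Constructed sample events using the field layout shown in the report.
TEMPLATE = """Pre-authentication failed:
 User Name: {user}
 User ID: NGHPOWER\\{user}
 Service Name: krbtgt/NGHPOWER
 Pre-Authentication Type: 0x2
 Failure Code: {code}
 Client Address: {addr}"""

SAMPLE_EVENTS = (
    [TEMPLATE.format(user="Administrator", addr="192.168.1.71", code="0x18")] * 4
    + [TEMPLATE.format(user=u, addr="192.168.1.200", code="0x18")
       for u in ("alice", "bob", "carol")]
    + [TEMPLATE.format(user="Sean", addr="192.168.1.23", code="0x18")]
    + [TEMPLATE.format(user="", addr="127.0.0.1", code="0xD")]
)

if __name__ == "__main__":
    for row in summarize_preauth_failures(SAMPLE_EVENTS):
        print(row)
```
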