PC Review



registry problem - Can't see system hive

Dave Patrick
      26th Jan 2005
Given this info there is really no way you can rely on this server build.
You need to blow it away and start a clean install.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"SB" wrote:
| Ok, I've been all through my system and think I might have had a hacker
| breach my network. I found a program called eggdropper.exe installed.
| I think it is some sort of IRC bot.
|
| I think the problem is that the system key is being hidden. I ran
| regedt32.exe in interactive mode and the keys were also hidden.
|
| I can open the system log in event viewer if I open it manually, but
| under the drop down box log type system is not listed.
|
| I have googled everything having to do with hidden registry keys but
| I'm still lost on how to fix this.
|
| One side note: I installed a firewall and I'm sure it made changes to
| the system hive.
|
| Still at a loss.
|
| SB
|

Mark V
      26th Jan 2005
In microsoft.public.win2000.registry SB wrote:

> Ok, I've been all through my system and think I might have had a
> hacker breach my network. I found a program called
> eggdropper.exe installed. I think it is some sort of IRC bot.


eggdropper is a known cracker tool....
One Google hit is
http://www.mut.ac.th/~b1121625/crack.html

Your system is compromised and in my opinion must be wiped and
reinstalled, then *secured before any Internet connection is allowed*
and *all* passwords changed. Consider anything on the server to be
owned now by someone else and act accordingly. Data stored elsewhere
on the LAN may also now be in the possession of another. This sounds
"worst case", but assuming the worst is the most defensive position
possible and quite reasonable unless it can be proved otherwise IMHO.
Any other LAN-connected system may also be compromised and that must
be investigated as well.

SB
      28th Jan 2005
Resolution-
I shelled out the $245 to MS to help resolve this problem. This is a
standalone web server with tons of stuff loaded. Exchange, DNS, SQL, AD
etc. To wipe it out and reinstall would be a huge undertaking.
After going through 3 or 4 departments at Microsoft, all of them were
stumped. Off to the security team. Ran some tests and sure enough I
had some hidden processes running on my system that were hiding my
system key. MS gave me some tools to block these services and allow me
to boot up without them running. Found the nasty directory and deleted
it, wiped out the corresponding reg keys and, knock on wood, I think I'm
ok now. Now we are analyzing the logs to determine where this bastard
came from.

Thanks for all your help.
SB

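A defender's cross-view check for the symptom SB describes (registry subkeys, such as the Eventlog entries that populate Event Viewer's log list, present on disk but missing from the live registry). This is an added example, not one of the tools from the thread or from Microsoft; the hive copy path and the mount name are assumptions.

```powershell
# Added example (not from the thread): cross-view check for registry keys hidden from the
# live Windows registry API. View 1 is what the running system reports under
# HKLM\SYSTEM\CurrentControlSet\Services\Eventlog; view 2 is the same key read from a freshly
# saved copy of the on-disk SYSTEM hive. A user-mode hook on the enumeration APIs hides keys
# from view 1 only. A kernel-mode rootkit can filter both views, so a clean result is not proof.
# Run from an elevated prompt. $HiveCopy and $MountName are assumed values for this example.
$HiveCopy  = 'C:\crossview\system.hiv'
$MountName = 'OfflineSYSTEM'
$SubPath   = 'Services\Eventlog'

New-Item -ItemType Directory -Path (Split-Path $HiveCopy) -Force | Out-Null

# View 1: subkey names as the live registry API reports them.
$live = @(Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\$SubPath" |
          ForEach-Object { $_.PSChildName } | Sort-Object)

# View 2: save the SYSTEM hive to a file and load that copy under a separate name.
reg.exe save HKLM\SYSTEM $HiveCopy /y | Out-Null
reg.exe load "HKLM\$MountName" $HiveCopy | Out-Null
try {
    # A saved hive has no CurrentControlSet link; resolve it from Select\Current.
    $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $offline = @(Get-ChildItem "HKLM:\$MountName\$csName\$SubPath" |
                 ForEach-Object { $_.PSChildName } | Sort-Object)
} finally {
    [GC]::Collect()   # drop handles the registry provider may still hold before unloading
    reg.exe unload "HKLM\$MountName" | Out-Null
}

# Subkeys present in the on-disk hive but absent from the live view are the suspicious ones.
$hidden = @(Compare-Object -ReferenceObject $offline -DifferenceObject $live |
            Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

if ($hidden.Count -gt 0) {
    Write-Warning "Subkeys under $SubPath present on disk but hidden from the live registry:"
    $hidden | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No discrepancy under $SubPath between the live and on-disk views."
}
```

A key that shows up only in the offline view deserves the same treatment SB's MS contacts applied: identify the service or driver that owns it, and inspect the system offline rather than from inside the possibly hooked session.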
Mark V
      28th Jan 2005
In microsoft.public.win2000.registry SB wrote:

> Resolution-
> I shelled out the $245 to MS to help resolve this problem. This
> is a standalone web server with tons of stuff loaded. Exchange,
> DNS, SQL, AD etc. To wipe it out and reinstall would be a huge
> undertaking. After going through 3 or 4 departments at Microsoft,
> all of them were stumped. Off to the security team. Ran some
> tests and sure enough I had some hidden processes running on my
> system that were hiding my system key. MS gave me some tools to
> block these services and allow me to boot up without them
> running. Found the nasty directory and deleted it, wiped out the
> corresponding reg keys and, knock on wood, I think I'm ok now.


That's your choice of course...
John John
      28th Jan 2005
I'd be interested to know what the tools were.

John

SB wrote:

> Resolution-
> I shelled out the $245 to MS to help resolve this problem. This is a
> standalone web server with tons of stuff loaded. Exchange, DNS, SQL, AD
> etc. To wipe it out and reinstall would be a huge undertaking.
> After going through 3 or 4 departments at Microsoft, all of them were
> stumped. Off to the security team. Ran some tests and sure enough I
> had some hidden processes running on my system that were hiding my
> system key. MS gave me some tools to block these services and allow me
> to boot up without them running. Found the nasty directory and deleted
> it, wiped out the corresponding reg keys and, knock on wood, I think I'm
> ok now. Now we are analyzing the logs to determine where this bastard
> came from.
>
> Thanks for all your help.
> SB
>

Dave Patrick
      29th Jan 2005
And what service name was stopped?

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

