Exchange terminates on Server when attaching files via OWA

I hope someone can help me out with this problem.

Whenever I use OWA, usually from home, and try to attach a file to an email
message the Exchange services terminate on the Exchange Server. The event
log entries are identical every time this occurs.

Application Event Log Entry:

Source: MSExchangeIS
Event ID: 9673

An exception with code 0xc00000fd was thrown in module
c:\\windows\system32\ntdll.dll; spme parameters and their values were
<Exception address - 8962c983>. A significant section of the call stack is in
the data section.

System Event Log Entry:

Source: Service Control Manager
Event ID: 7031
The Microsoft Exchange Information Store service terminated unexpectedly.

Thanks in advance,

jim
 
Try posting this to an Exchange group as Outlook Web Access, despite its
name, is a part of Exchange, not Outlook. The experts in that group will
probably be able to give you a better and faster answer than the folks here.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

After furious head scratching, JimM asked:

| I hope someone can help me out with this problem.
|
| Whenever I use OWA, usually from home, and try to attach a file to an
| email message the Exchange services terminate on the Exchange Server.
| The event log entries are identical every time this occurs.
|
| Application Event Log Entry:
|
| Source: MSExchangeIS
| Event ID: 9673
|
| An exception with code 0xc00000fd was thrown in module
| c:\\windows\system32\ntdll.dll; spme parameters and their values were
| <Exception address - 8962c983>. A significant section of the call
| stack is in the data section.
|
| System Event Log Entry:
|
| Source: Service Control Manager
| Event ID: 7031
| The Microsoft Exchange Information Store service terminated
| unexpectedly.
|
| Thanks in advance,
|
| jim
 
Anybody interested in helping me out on this?

I checked other postings; the most useful was that a rootkit was discovered.
So far I have found nothing of the kind. Any and all assistance is
appreciated.

jimm
 
Milly,

I did not repost this to an Exchange Group because it appears to me that you
did that for me since it is listed in the Exchange Server forum. If I am
wrong please let me know.

But if my assumption is correct, then nobody has responded.

thanks,

jim
 
Perhaps some other kind soul did that for you but I did not.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

After furious head scratching, JimM asked:

| Milly,
|
| I did not repost this to an Exchange Group because it appears to me
| that you did that for me since it is listed in the Exchange Server
| forum. If I am wrong please let me know.
|
| But if my assumption is correct, then nobody has responded.
|
| thanks,
|
| jim
|
|
| "Milly Staples [MVP - Outlook]" wrote:
|
|| Have you TRIED posting to an Exchange group as I suggested??? This
|| is not an Outlook problem.
||
|| --
|| Milly Staples [MVP - Outlook]
||
|| Post all replies to the group to keep the discussion intact. All
|| unsolicited mail sent to my personal account will be deleted without
|| reading.
||
|| After furious head scratching, JimM asked:
||
||| Anybody interested in helping me out on this?
|||
||| I checked other postings, the most useful was that a rootkit was
||| discovered. So far I have found nothing of the kind. Any and all
||| assistance is appreciated.
|||
||| jimm
|||
||| "JimM" wrote:
|||
|||| I hope someone can help me out with this problem.
||||
|||| Whenever I use OWA, usually from home, and try to attach a file to
|||| an email message the Exchange services terminate on the Exchange
|||| Server. The event log entries are identical every time this occurs.
||||
|||| Application Event Log Entry:
||||
|||| Source: MSExchangeIS
|||| Event ID: 9673
||||
|||| An exception with code 0xc00000fd was thrown in module
|||| c:\\windows\system32\ntdll.dll; spme parameters and their values
|||| were <Exception address - 8962c983>. A significant section of the
|||| call stack is in the data section.
||||
|||| System Event Log Entry:
||||
|||| Source: Service Control Manager
|||| Event ID: 7031
|||| The Microsoft Exchange Information Store service terminated
|||| unexpectedly.
||||
|||| Thanks in advance,
||||
|||| jim
 
Milly,

I guess my inexperience using these forums is apparent. I assumed that
since the thread was showing up in the Outlook folder under Servers -
Exchange Server that it was listed in an appropriate place.

I did manage to neutralize the cause of my issue though. Apparently a
rootkit was installed some time in the past and was spawning Services that at
first blush appeared valid. The names of those processes were:

Microsoft Lan Manager
Microsoft Network Support
Microsoft Plug and Play Dectector
Security NTFS Manager

They all were kicked off by a program called Srunner.exe. As I said, I
neutralized this by simply setting those processes to start manually and not
automatically.

Now all I need to do is figure out how to manually remove this rootkit.

jimm
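
The services described above had system-sounding names but were started by an unexpected program. As an added example (not part of the thread), this PowerShell triage lists auto-start services whose display name poses as an OS component while the executable is missing or lacks a valid Microsoft signature; the name patterns, the `O=Microsoft Corporation` signer match and PowerShell 3.0 or later are assumptions.

```powershell
# Added triage example, not from the thread. Run from an elevated prompt.
# Assumption: display names matching these words pose as OS components.
$posesAsSystem = 'Microsoft|Windows|Security'

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.DisplayName -match $posesAsSystem } |
    ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # no image path readable; skip

        # PathName can be quoted and carry arguments; keep only the executable.
        if ($svc.PathName -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($svc.PathName -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
        } else {
            $exe = $svc.PathName
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Check the Authenticode signature of the service binary.
        # Note: on older systems catalog-signed OS files may report NotSigned.
        $sig = $null
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
        }
        $signer = ''
        if ($sig -and $sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
        }
        $trusted = $sig -and $sig.Status -eq 'Valid' -and
                   $signer -match 'O=Microsoft Corporation'

        # Report only services that claim a system identity without the signature.
        if (-not $trusted) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                Executable  = $exe
                Signature   = if ($sig) { $sig.Status } else { 'FileMissing' }
                Signer      = $signer
            }
        }
    }

$findings | Sort-Object Executable | Format-Table -AutoSize -Wrap
```

A rootkit can hide services from these APIs, so an empty result does not show the server is clean. Services hosted in `svchost.exe` are checked against that host binary only, not the DLL they load.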
 
JimM said:
Milly,

I guess my inexperience using these forums is apparent. I assumed that
since the thread was showing up in the Outlook folder under Servers -
Exchange Server that it was listed in an appropriate place.

I did manage to neutralize the cause of my issue though. Apparently a
rootkit was installed some time in the past and was spawning Services that at
first blush appeared valid. The names of those processes were:

Microsoft Lan Manager
Microsoft Network Support
Microsoft Plug and Play Dectector
Security NTFS Manager

They all were kicked off by a program called Srunner.exe. As I said, I
neutralized this by simply setting those processes to start manually and not
automatically.

Now all I need to do is figure out how to manually remove this rootkit.

jimm
 
Posting, or attempting to anyway, to the 'proper' Exchange forums for those
that may be interested in how I neutralized this problem.
 
I don't remember seeing the initial conversation, but what I would comment
is:

You don't remove rootkits manually - at least not if you want to ensure
server stability. Unless you are the hacker that created the rootkit, there
is almost no feasible way of knowing exactly what was added to the server.
Instead, you format and rebuild the server and then restore the Exchange
databases from backup. This is the only safe way to proceed.
 
