System Information: Error Control

Ken

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
System Type X86-based PC


NAME: isapnp
DESCRIPTION: PnP ISA/EISA Bus Driver
FILE: c:\windows\system32\drivers\isapnp.sys
TYPE: Kernel Driver
STARTED: Yes
START MODE: Boot
STATE: Running
STATUS: OK
ERROR CONTROL: Critical
ACCEPT PAUSE: No
ACCEPT STOP: Yes

The above found in System Information - System Summary - Software
Environment - System Drivers is the basis of my question. Error Control:
Critical.
Is this a setting, a parameter of sorts? Is it the obvious which needs
immediate attention?
To the latter, two other drivers produce same info. nvgts and PCI Bus
Driver.
Only Component installed is HP Officejet 5600 series fax, the Status of
which is disconnected.
Where do I begin?
 
nass

Hi Ken,
This error refers to a bad driver or incompatible hardware drivers.
Try to get the latest drivers for your Motherboard and other hardware
installed.

You receive a "Windows could not start because the following file is missing
or corrupt: Isapnp.sys" error message at startup
http://support.microsoft.com/default.aspx?scid=kb;en-us;315311&Product=winxp

Explanation of error codes generated by Device Manager in Windows XP
Professional
http://support.microsoft.com/default.aspx?scid=kb;en-us;310123&Product=winxp

nForce Driver
http://www.nvidia.com/object/nforce_winxp_8.43.html
nvgts error
http://forums.nvidia.com/lofiversion/index.php?t70888.html

ML115 Blue screen with NVGTS.SYS
http://forums11.itrc.hp.com/service...47626+1238608453582+28353475&threadId=1195883

- Have a look in the Event Viewer for error messages (X) that can shed some
light and post it back in your next post by performing the following:
Open a Notepad, customize or minimize to the taskbar as you will need it
later for this step to copy the error message on it.
Open a run command and type in:
eventvwr.msc click [OK] you will get the Event viewer control Panel.
Click on each of these:
Application
System
Security
Look in the right Pane/window for error message with red (X) or Yellow
exclamation mark /!\ , double click each one to get more info about the
causer.
On the Event error properties message you will see:
Up Arrow
Down arrow
Two pages
Click on the two pages to copy the error message then bring up the Notepad
you opened earlier and right click on the first line and select Paste from
the list, this will paste the error message on a Notepad.
Please don't duplicate the error message; one of each kind will be sufficient.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us
HTH,
nass
 
Ken

Thanks for your time nass;
As for a start-up error, the system runs 24-7. The occasional restart
produces no error. There is an issue logging off. A 'program quit
responding,' click 'end task or cancel', error is generated. This happens when
logoff is clicked and then the cursor is moved ever so slightly.
I'll get to work on the updated drivers. Will take me some time, lots of
research and how-tos! Looking for your replies.

Application
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
Windows cannot unload your classes registry file - it is still in use by
other applications or services. The file will be unloaded when it is no
longer in use.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event Category: None
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 0 ) in Source ( Application on Demand -
IEXPLORE ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: ALoggerFileCyclic: Failed to delete an old log file Last
error code: 32

Type:
ERROR
Location:
::(0) : error 0:
Computer:
Id: 0, Name:Null
..

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/22/2009
Time: 7:17:22 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 3/15/2009
Time: 5:14:04 PM
User: YOUR-58AA870609\Kenny
Computer: YOUR-58AA870609
Description:
Failed to connect to server. Error: 0x800401F0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Microsoft Management Console
Event Category: None
Event ID: 1001
Date: 3/15/2009
Time: 1:24:14 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 1001 ) in Source ( Microsoft Management
Console ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: 598251248.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 35 39 38 32 35 31 32 34 59825124
0010: 38 0d 0a 8..

Event Type: Warning
Event Source: System.ServiceModel.Install 3.0.0.0
Event Category: None
Event ID: 0
Date: 3/9/2009
Time: 8:33:05 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Configuration section system.serviceModel.activation already exists in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 3/9/2009
Time: 8:32:13 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Updates to the IIS metabase were aborted because IIS is either not installed
or is disabled on this machine. To configure ASP.NET to run in IIS, please
install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/5/2009
Time: 6:20:51 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Fault bucket 752609324.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 37 35 32 36 30 39 33 32 75260932
0010: 34 0d 0a 4..

Security

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kevin
Source Workstation: YOUR-58AA870609
Error Code: 0xC000006A


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/1/2009
Time: 1:02:25 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Kevin
Domain: YOUR-58AA870609
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-58AA870609

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

System

Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 4/1/2009
Time: 11:55:45 AM
User: N/A
Computer: YOUR-58AA870609
Description:
CRT invalid display type
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 2c 00 00 00 06 b0 00 c0 ,....°.À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 4/1/2009
Time: 12:58:23 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
The server {5F36DC27-B076-4D0C-BD8C-7AEE14022193} did not register with DCOM
within the required timeout.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 36
Date: 3/29/2009
Time: 6:34:26 AM
User: N/A
Computer: YOUR-58AA870609
Description:
The time service has not been able to synchronize the system time for 49152
seconds because none of the time providers has been able to provide a usable
time stamp. The system clock is unsynchronized.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: USER32
Event Category: None
Event ID: 1073
Date: 3/20/2009
Time: 12:41:32 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
The attempt to unknown YOUR-58AA870609 failed

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 3/15/2009
Time: 9:02:30 PM
User: N/A
Computer: YOUR-58AA870609
Description:
TCP/IP has reached the security limit imposed on the number of concurrent
TCP connect attempts.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....‚..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 7
Date: 3/15/2009
Time: 5:31:40 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer HP Officejet 5600 series fax was resumed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 6
Date: 3/15/2009
Time: 5:31:40 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer HP Officejet 5600 series fax was paused.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 3/15/2009
Time: 5:14:00 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The device, \Device\CdRom0, has a bad block.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 20
Date: 3/15/2009
Time: 5:07:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer Driver HP Officejet 5600 series for Windows NT x86 Version-3 was
added or updated. Files:- hpz2ku12.dll, hpzpm312.dll, hpop5612.dat,
hpfmom12.hlp, hpzimc12.dll, hpzstw12.exe, hpzslk12.dll, hpzr3212.dll,
hpzrm312.dll, hpzcon12.dll, hpzcfg12.exe, hpzeng12.exe, hpzflt12.dll,
hpzime12.dll, hpzjui12.dll, hpzpre12.exe, hpzres12.dll, hpzstc12.exe,
hpztbi12.dll, hpztbu12.exe, hpztbx12.exe, hpzlnt12.dll, hpzsnt12.dll,
hpzcoi12.dll, hpzvip12.dll, hpzims12.dll, hpzpcl12.dll, hpofax08.dll,
hpof5612.dat.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Gerry

Ken

The driver isapnp.sys is shown as Critical on my system as well as one
other driver, PCI Bus Driver. It is not requiring immediate attention.

Event Viewer Error reports are normally only of real significance and worthy
of investigation if they repeat and / or occur within the last 48 hours or
in the session immediately before the last shut down. It is worth noting
that many errors go away after restarting the computer. This should always
be tried first if a problem arises.

Which of the Reports dated 1 April repeats after you restart your computer?

For your logging off problem I make one suggestion.

Download and install the User Profile Hive Cleanup Service
Download details: User Profile Hive Cleanup Service
http://snipurl.com/5b61

UPHClean v1.6d readme.txt
http://snipurl.com/ko8m


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
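
Gerry's rule of thumb above (look at records that repeat and/or fall within the last 48 hours), applied to records pasted in the text format Ken used; this is an added example, not part of the thread. The function names, the sample text and the reference time are constructed for illustration, and the "session before the last shut down" test is not implemented.

```python
from datetime import datetime, timedelta

LOG_NAMES = {"Application", "System", "Security"}
HEADER_FIELDS = {"Event Source", "Event Category", "Event ID",
                 "Date", "Time", "User", "Computer"}
FOOTER_PREFIXES = ("For more information", "http://go.microsoft.com/")

# Constructed sample: records abridged from the thread, some header fields omitted.
SAMPLE = r"""System
Event Type: Error
Event Source: ati2mtag
Event ID: 45062
Date: 4/1/2009
Time: 11:55:45 AM
Description:
CRT invalid display type
Event Type: Error
Event Source: ati2mtag
Event ID: 45062
Date: 4/1/2009
Time: 8:38:18 PM
Description:
CRT invalid display type
Event Type: Error
Event Source: Cdrom
Event ID: 7
Date: 3/15/2009
Time: 5:14:00 PM
Description:
The device, \Device\CdRom0, has a bad block.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b8 00 ..h.....
Event Type: Warning
Event Source: Print
Event ID: 7
Date: 3/15/2009
Time: 5:31:40 PM
Description:
Printer HP Officejet 5600 series fax was resumed.
Application
Event Type: Warning
Event Source: Userenv
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
Description:
Windows cannot unload your classes registry file - it is still in use.
"""

def parse_events(text):
    """Parse records copied from the Event Properties dialog into dicts."""
    events, current, log, section = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in LOG_NAMES:                 # heading typed above a group of records
            log, section = line, None
        elif line.startswith("Event Type:"):  # every record starts with this field
            current = {"Log": log, "Description": "",
                       "Event Type": line.partition(":")[2].strip()}
            events.append(current)
            section = "header"
        elif section == "header":
            key, _, value = line.partition(":")   # split at the first colon only
            if key == "Description":
                section = "description"
            elif key in HEADER_FIELDS:
                current[key] = value.strip()
        elif section == "description":
            if line == "Data:":
                section = "data"              # hex dump follows; ignored for triage
            elif line and not line.startswith(FOOTER_PREFIXES):
                current["Description"] = (current["Description"] + " " + line).strip()
    events = [e for e in events if e.keys() >= {"Event Source", "Event ID", "Date", "Time"}]
    for ev in events:                         # truncated records were dropped above
        ev["When"] = datetime.strptime(f'{ev["Date"]} {ev["Time"]}', "%m/%d/%Y %I:%M:%S %p")
    return events

def triage(events, now, window=timedelta(hours=48)):
    """Return (source, event_id, count, latest, reasons) for records that repeat
    or whose latest occurrence lies within `window` before `now`, newest first."""
    groups = {}
    for ev in events:                         # an event ID is only unique per source
        groups.setdefault((ev["Event Source"], ev["Event ID"]), []).append(ev["When"])
    findings = []
    for (source, event_id), times in groups.items():
        latest, reasons = max(times), []
        if len(times) > 1:
            reasons.append("repeats")
        if timedelta(0) <= now - latest <= window:
            reasons.append("recent")
        if reasons:
            findings.append((source, event_id, len(times), latest, reasons))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for source, event_id, count, latest, reasons in triage(parse_events(SAMPLE), datetime(2009, 4, 2, 9, 0)):
        print(source, event_id, f"x{count}", latest, ", ".join(reasons))
```

Grouping on source and ID together keeps Cdrom event 7 and Print event 7 apart, so two unrelated records are not reported as a repeat.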

 
Ken

Hi Gerry,

Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 4/1/2009
Time: 8:38:18 PM
User: N/A
Computer: YOUR-58AA870609
Description:
CRT invalid display type
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 2c 00 00 00 06 b0 00 c0 ,....°.À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Gerry, this error repeats after restart. I am aware of the workaround from
NewsGroups "Event Log System Error", posted 6/19/2008. For the time being I am
putting up with it. Any further insight will be appreciated.

Thanks for the Event Viewer pointers and thanks so much for the UPH Cleanup
Service suggestion.



Gerry said:
Ken

The driver is isapnp.sys is shown as Critical on my system as well as one
other driver, PCI Bus Driver. It is not requiring immediate attention.

Event Viewer Error reports are normally only of real significance and worthy
of investigation if they repeat and / or occur within the last 48 hours or
in the session immediately before the last shut down. It is worth noting
that many errors go away after restarting the computer. This should always
be tried first if a problem arises.

Which of the Reports dated 1 April repeats after you restart your computer?

For your logging off problem I make one suggestion.

Download and install the User Profile Hive Cleanup Service
Download details: User Profile Hive Cleanup Service
http://snipurl.com/5b61

UPHClean v1.6d readme.txt
http://snipurl.com/ko8m


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

nass said:
:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
System Type X86-based PC


NAME: DESCRIPTION:
FILE: isapnp PnP ISA/EISA Bus Driver
c:\windows\system32\drivers\isapnp.sys

TYPE: STARTED: START MODE: STATE: STATUS:
Kernel Driver Yes Boot Running
OK


ERROR CONTROL: ACCEPT PAUSE: ACCEPT STOP:
Critical No Yes

The above found in System Information - System Summary - Software
Environment - System Drivers is the basis of my question. Error
Control: Critical.
Is this a setting, a parameter of sorts? Is it the obvious which
needs immediate attention?
To the latter, two other drivers produce same info. nvgts and
PCI Bus Driver.
Only Component installed is HP Officejet 5600 series fax, the
Status of which is disconnected.
Where do I begin?

Hi Ken,
This error refers to a bad driver or incompatible hardware drivers.
Try to get the latest drivers for your Motherboard and other hardware
installed.

You receive a "Windows could not start because the following file is
missing or corrupt: Isapnp.sys" error message at startup
http://support.microsoft.com/default.aspx?scid=kb;en-us;315311&Product=winxp

Explanation of error codes generated by Device Manager in Windows XP
Professional
http://support.microsoft.com/default.aspx?scid=kb;en-us;310123&Product=winxp

nForce Driver
http://www.nvidia.com/object/nforce_winxp_8.43.html
nvgts error
http://forums.nvidia.com/lofiversion/index.php?t70888.html

ML115 Blue screen with NVGTS.SYS
http://forums11.itrc.hp.com/service...47626+1238608453582+28353475&threadId=1195883

- Have a look in the Event Viewer for error messages (X) that can
shed some light and post them back in your next post by performing the
following:
>> Open a Notepad, customize or minimize to the taskbar
as you will need it later for this step to copy the error message on
it.
Open a run command and type in:
eventvwr.msc
Click [OK] and you will get the Event Viewer control panel.
Click on each of these:
Application
System
Security
Look in the right pane/window for error messages with a red (X) or
yellow exclamation mark /!\ , and double click each one to get more info
about the cause.
On the Event error properties message you will see:
Up Arrow
Down arrow
Two pages
Click on the two pages to copy the error message, then bring up the
Notepad you opened earlier, right click on the first line and
select Paste from the list; this will paste the error message into
Notepad.
Please don't duplicate the error messages; one of each kind will be
sufficient.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us
HTH,
nass

Thanks for your time nass;
As for a start-up error, the system runs 24-7. The occasional restart
produces no error. There is an issue logging off. A 'program quit
responding,' click 'end task or cancel', error is generated. This
happens when logoff is clicked and then the cursor is moved ever so
slightly. I'll get to work on the updated drivers. Will take me some
time, lots of research and how-tos! Looking for your replies.

Application
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
Windows cannot unload your classes registry file - it is still in use
by other applications or services. The file will be unloaded when it
is no longer in use.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event Category: None
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 0 ) in Source ( Application on Demand -
IEXPLORE ) cannot be found. The local computer may not have the
necessary registry information or message DLL files to display
messages from a remote computer. You may be able to use the
/AUXSOURCE= flag to retrieve this description; see Help and Support
for details. The following information is part of the event:
ALoggerFileCyclic: Failed to delete an old log file Last error code:
32

Type:
ERROR
Location:
::(0) : error 0:
Computer:
Id: 0, Name:Null
.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/22/2009
Time: 7:17:22 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 3/15/2009
Time: 5:14:04 PM
User: YOUR-58AA870609\Kenny
Computer: YOUR-58AA870609
Description:
Failed to connect to server. Error: 0x800401F0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Microsoft Management Console
Event Category: None
Event ID: 1001
Date: 3/15/2009
Time: 1:24:14 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 1001 ) in Source ( Microsoft Management
Console ) cannot be found. The local computer may not have the
necessary registry information or message DLL files to display
messages from a remote computer. You may be able to use the
/AUXSOURCE= flag to retrieve this description; see Help and Support
for details. The following information is part of the event:
598251248.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 35 39 38 32 35 31 32 34 59825124
0010: 38 0d 0a 8..

Event Type: Warning
Event Source: System.ServiceModel.Install 3.0.0.0
Event Category: None
Event ID: 0
Date: 3/9/2009
Time: 8:33:05 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Configuration section system.serviceModel.activation already exists in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 3/9/2009
Time: 8:32:13 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Updates to the IIS metabase were aborted because IIS is either not
installed or is disabled on this machine. To configure ASP.NET to run
in IIS, please install or enable IIS and re-register ASP.NET using
aspnet_regiis.exe /i.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/5/2009
Time: 6:20:51 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Fault bucket 752609324.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 37 35 32 36 30 39 33 32 75260932
0010: 34 0d 0a 4..

Security

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kevin
Source Workstation: YOUR-58AA870609
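
Gerry's rule of thumb quoted above (an error matters when it repeats or falls within the last 48 hours) applied to pasted Event Viewer records, as an added example that is not part of the thread. The sample records are abridged copies of ones posted in this thread, the reference time is an assumption, and the "session before the last shut down" part of the rule is not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Header fields of the Event Viewer "copy to clipboard" text layout.
HEADER = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|"
                    r"Date|Time|User|Computer):\s*(.*)$")
SKIP_TYPES = {"Information", "Success Audit"}  # not problem reports

# Constructed sample: abridged copies of records posted in this thread.
SAMPLE = """\
Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 4/1/2009
Time: 8:38:18 PM
Computer: YOUR-58AA870609
Description:
CRT invalid display type

Event Type: Error
Event Source: ati2mtag
Event ID: 45062
Date: 4/1/2009
Time: 11:55:45 AM
Description:
CRT invalid display type

Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
Computer: YOUR-58AA870609
Description:
ALoggerFileCyclic: Failed to delete an old log file Last error code: 32
Computer:
Id: 0, Name:Null

Event Type: Failure Audit
Event Source: Security
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
Description:
Logon account: Kevin
"""

def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events, cur, in_desc = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Event Type:"):  # a new record begins
            cur, in_desc = {"Description": []}, False
            events.append(cur)
        if cur is None:
            continue  # prose before the first record
        if line == "Description:":
            in_desc = True  # from here on, 'Computer:' etc. are message text
        elif in_desc:
            if line:
                cur["Description"].append(line)
        else:
            m = HEADER.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    for ev in events:
        ev["Description"] = " ".join(ev["Description"])
        try:
            ev["When"] = datetime.strptime(
                f"{ev.get('Date')} {ev.get('Time')}", "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            ev["When"] = None  # record pasted without a usable timestamp
    return events

def triage(events, now, window=timedelta(hours=48)):
    """Keep (source, ID) groups that repeat or fall inside the window."""
    groups = defaultdict(list)
    for ev in events:
        if ev["When"] and ev.get("Event Type") not in SKIP_TYPES:
            groups[(ev.get("Event Source"), ev.get("Event ID"))].append(ev)
    findings = []
    for (source, event_id), evs in groups.items():
        latest = max(e["When"] for e in evs)
        reasons = (["repeats"] if len(evs) > 1 else []) + \
                  (["recent"] if now - latest <= window else [])
        if reasons:
            findings.append({"source": source, "id": event_id,
                             "count": len(evs), "latest": latest,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["latest"], reverse=True)

if __name__ == "__main__":
    # Reference time is an assumption: noon on the day after the last record.
    for f in triage(parse_events(SAMPLE), now=datetime(2009, 4, 2, 12, 0)):
        print(f["latest"], f["source"], f["id"], f["count"], f["reasons"])
```

The parser stops reading header fields once it reaches `Description:`, so the stray `Computer:` line inside the Application on Demand message does not overwrite the record's real computer name.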
 
Gerry

Ken

http://www.eventid.net/display.asp?eventid=45062&eventno=9333&source=ati2mtag&phase=1

http://www.driverheaven.net/windows...yst-drivers-out-rate-discuss-here-please.html

I cannot find the original Article 737-29385. I get the feeling the problem
was never resolved.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~


 
nass

Hi Ken,
Do you have Small Business Server installed and running on this machine? Or
did you Install/Uninstall ASP/SBS or any software/hardware recently?
What version of service pack is this machine up to? Is it SP1, SP2 or SP3?

I would like to make sure the machine is clean of malware/viruses by running
a thorough scan.
Go through these Cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs | Advanced.

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
= Then try to Disable the Add-Ons somehow installed on your
browser. On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button; there Disable
the Non/Not Verified Plug-ins/Add-ons (you need to Re-enable them one-by-one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

If you need further help and your machine is infected, download HijackThis
and send the report to one of many forums for analysis and troubleshooting or
you can send it to me on my email provided at the bottom:
When all else fails, download HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed) ,
remove the obvious to email me.

Please read the info below and apply when appropriate.

Application
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
Windows cannot unload your classes registry file - it is still in use by
other applications or services. The file will be unloaded when it is no
longer in use.

Solution::
User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

The system may not unload your user profile correctly when you log off from
a Windows XP-based computer
http://support.microsoft.com/kb/842827
========================================================================
Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event Category: None
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 0 ) in Source ( Application on Demand -
IEXPLORE ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: ALoggerFileCyclic: Failed to delete an old log file Last
error code: 32

Type:ERROR
Location:::(0) : error 0:
Computer:
Id: 0, Name:Null

Solution::
Event ID 0 Source .NET Runtime
http://www.eventid.net/display.asp?eventid=0&eventno=2142&source=.NET Runtime&phase=1

Detailed Usage of the Event Viewer /AUXSOURCE Switch Option
http://support.microsoft.com/?kbid=312216

===============================================================
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/22/2009
Time: 7:17:22 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

==================================================================================
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 3/15/2009
Time: 5:14:04 PM
User: YOUR-58AA870609\Kenny
Computer: YOUR-58AA870609
Description:

Solution::
MSI Installer and Failed to connect to server Event
http://blogs.msdn.com/mpoulson/archive/2005/11/30/498586.aspx

Event ID 1015 is logged in the Application log when you use the OHotFix
program to install Office updates
http://support.microsoft.com/kb/907341

==============================================================================
Event Type: Error
Event Source: Microsoft Management Console
Event Category: None
Event ID: 1001
Date: 3/15/2009
Time: 1:24:14 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 1001 ) in Source ( Microsoft Management
Console ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: 598251248.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 35 39 38 32 35 31 32 34 59825124
0010: 38 0d 0a 8..

schedule

Solution::
Event ID 1000, 1001 is logged every five minutes in the Application event log
http://support.microsoft.com/kb/290647

Event ID 1001 — Performance Library Availability
http://technet.microsoft.com/en-us/library/cc775086.aspx

Event ID 1001 — Network Performance Counter Availability
http://technet.microsoft.com/en-us/library/cc774942.aspx

Step-by-Step Guide to the Microsoft Management Console
http://technet.microsoft.com/en-us/library/bb742442.aspx

Microsoft Management Console - Overview
http://technet.microsoft.com/en-us/library/bb742441.aspx


========================================================================================
Event Type: Warning
Event Source: System.ServiceModel.Install 3.0.0.0
Event Category: None
Event ID: 0
Date: 3/9/2009
Time: 8:33:05 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Configuration section system.serviceModel.activation already exists in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Solution::
Cannot Find Server (404) or Get Plain Text for WCF .svc Files From IIS?
http://blogs.msdn.com/wenlong/archive/2006/09/10/748294.aspx
Hosting WCF service on IIS/XP - browsing to the .SVC gives a plain text view
of the contents
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b109a13a-7258-49dd-a90d-66bf257ce63e/

Setup .NET 3.0 fails
http://social.msdn.microsoft.com/Fo.../thread/be94b523-e802-4f76-8494-450ea571da44/

===================================================================

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 3/9/2009
Time: 8:32:13 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Updates to the IIS metabase were aborted because IIS is either not installed
or is disabled on this machine. To configure ASP.NET to run in IIS, please
install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Solution::
KB928365 bootstrapper package
http://social.msdn.microsoft.com/Fo.../thread/ba572097-7639-48cf-8d45-227f83e8ea97/

Error 1335 When trying to install VCS
http://social.msdn.microsoft.com/Fo.../thread/255e6619-a2cc-488c-8f23-3a7b57a1cf7d/
===============================================================================
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/5/2009
Time: 6:20:51 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Fault bucket 752609324.

Solution::
RAM test, you may have a bad RAM stick!

================================================================
Security

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kevin
Source Workstation: YOUR-58AA870609
Error Code: 0xC000006A

Solution::
<Q::>Justin S. (Last update 5/3/2005):
- Error code: 0xC0000064 - I discovered one of our workstations had somehow
managed to add a stored password (under Control Panel -> Users -> Advanced ->
Manage Passwords) with the form (e-mail address removed). This created thousands
of failure events as the user browsed our intranet. Removing the offending
entries stopped the events.
</Q::>

<Q::>Adrian Florin Moisei (Last update 4/18/2003):
- Error code: 0xC000006A (Error code 0xC000006A) - According to Microsoft
Windows XP attempts a limited logon for each account that is displayed on the
Welcome screen to determine whether to prompt the user for a password. An
attempted logon is logged for each account displayed. To resolve this
problem, obtain the latest service pack for Windows XP. To prevent these
events from being logged, disable the Welcome screen and use the classic
logon screen or turn off auditing of logon events.
</Q::>

http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772.aspx

========================================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/1/2009
Time: 1:02:25 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Kevin
Domain: YOUR-58AA870609
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-58AA870609

Solution::
http://blogs.msdn.com/puneetgupta/a...name-or-bad-password-inetinfo-exe-advapi.aspx
<Q::>
Unknown username or bad password - InetInfo.exe – ADVAPI

A few days back I worked on a very interesting case and when I searched on
Internet I found that a lot of people are running in to the same problem
which prompted me to write this blog entry.

You will run in to this issue only if you have Exchange/SMTP running on the
machine.

You keep on getting these failure audits in your event viewer and you don't
know why they are coming. After some time the account listed in the failure
audit just gets locked out and you have to go and unlock the account very
frequently. In a lot of cases I saw this was happening in less than 30
seconds.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/16/2007
Time: 10:13:24 AM
User: NT AUTHORITY\SYSTEM
Computer: <server>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: <USER>
Domain: <Domain>
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: <ServerNAme>
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 2464
Transited Services: -
Source Network Address:
Source Port:

Proceed further only if you see the above text in bold in the event viewer
entry. The process id 2464 is determined to be InetInfo. If yes then read
further... If no you might be able to use some troubleshooting steps from this
blog entry.

The interesting thing to note here is that the Logon Process is ADVAPI.
ADVAPI is the DLL for advanced Windows api's and is used in a lot of OS
related code. The function on which you can concentrate on for now are
LogonUser, LogonUserA, LogonUserExW and LogonUserExA. The code which is
generating these events is calling one of these functions for sure.

To find out the code, we can use the Debugging Tools For Windows -
www.microsoft.com/whdc/devtools/debugging/default.mspx. Install them on your
machine and after install just attach to InetInfo.exe (you can attach to a
process by going to WinDBG and then selecting File -> Attach to Process.
After that select InetInfo.exe from the list).

NOTE: The moment you do this you have stopped InetInfo and every execution
is blocked. In other words what this means that InetInfo is waiting for you
to do something and once you are done only then it will be able to proceed.

After that run the following commands one by one.

1) .symfix c:\symcache

2) bp ADVAPI32!LogonUserA "k 100;.time;g"

3) g

(You should be able to connect to Internet from the machine where you are
Debugging as WinDBG goes to http://msdl.microsoft.com/downloads/symbols to
download the PDB files for the DLL's. You will still be able to debug the
process but the function names will not be correct)

After that wait for some time till the problem happens. Once you get the
failure Audit in Event Viewer, scroll up in the WinDBG window to see the time
when the problem happened and if you see a stack like the following it will
just confirm that the failure is coming from exchange.

advapi32!LogonUserA+0x23
exps!CExchAuthContext::HrCheckClearTextLogin+0x1af
exps!CExchAuthContext::HrServerNegotiateClearTextAuth+0xb6
exps!CExchAuthContext::HrServerNegotiateAuth+0x18
exps!CSessionContext::OnEXPSInNegotiate+0x14a
exps!CSessionContext::OnSmtpInCallback+0x2ae
smtpsvc!SMTP_CONNECTION::processPeBlob+0xc1
smtpsvc!SMTP_CONNECTION::processInputBuffer+0x12b
smtpsvc!SMTP_CONNECTION::processReadIO+0xb7
smtpsvc!SMTP_CONNECTION::processClient+0x146
smtpsvc!SmtpCompletion+0x16
isatq!AtqpProcessContext+0x1db
isatq!AtqPoolThread+0x1d1


(You might see the different functions if the symbols have not matched but
exps.dll in the stack would be enough to point to this issue)

So why is Exchange doing that? From the call stack we can see that we are
just trying to process a SMTP message that came to this server. Your next
step would be to check the SMTP message and get more details around it.

Use Ethereal to capture a trace and after the problem has happened, stop
the trace and analyze it using Ethereal
Use the following filter in Ethereal - smtp.rsp.parameter contains
"Authentication unsuccessful"

and in the list of the packets, right click on one of them and say follow
TCP Stream. Confirm that this failure for the same user (The user name and
password are base64 decoded)...

So yes, this is the guy...

220 maine.anr.msu.edu Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Tue, 14 Aug 2007 14:46:08 -0400
EHLO CYF-162-WILKINS
250-maine.anr.msu.edu Hello [10.10.144.11] <---This is the guy sending the SMTP message
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6ZmFydXFp
334 UGFzc3dvcmQ6
535 5.7.3 Authentication unsuccessful.


Use a Base64 Decoder to decode VXNlcm5hbWU6ZmFydXFp and it should turn out to be
a user name and UGFzc3dvcmQ6 would be the password. In our case
VXNlcm5hbWU6ZmFydXFp decodes (Base64 decoder) to "Username:faruqi" . Try to
find out what is the IP Address 10.10.144.11 which is listed there and
diagnose it further as to if it is an Internal IP or if someone is trying to
HACK YOUR MACHINE.
Published Monday, August 20, 2007 3:38 PM by puneetg
</Q::>
Event Message:
http://technet.microsoft.com/en-us/library/cc957091.aspx

Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082

====================================================================
System

Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 4/1/2009
Time: 11:55:45 AM
User: N/A
Computer: YOUR-58AA870609
Description:
CRT invalid display type

Solution::

Graphic Card needs to be updated!
Do you have ATI Radeon
Nvidia Geforce drivers downloads:
http://www.nvidia.com/content/drivers/drivers.asp

ATI Radeon drivers downloads:
http://ati.amd.com/support/driver.html
====================================================================================
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 4/1/2009
Time: 12:58:23 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
The server {5F36DC27-B076-4D0C-BD8C-7AEE14022193} did not register with DCOM
within the required timeout.

Event ID 10010 Source DCOM
http://www.eventid.net/display.asp?eventid=10010&eventno=508&source=DCOM&phase=1

An event ID 10010 error message may be logged many times in the event log of
your Windows Server 2003-based computer that is running Terminal Services
http://support.microsoft.com/kb/873375

=============================================================================
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 36
Date: 3/29/2009
Time: 6:34:26 AM
User: N/A
Computer: YOUR-58AA870609
Description:
The time service has not been able to synchronize the system time for 49152
seconds because none of the time providers has been able to provide a usable
time stamp. The system clock is unsynchronized.

In Windows Server 2003 and in Windows XP, W32Time frequently logs Event ID
50, and poor time synchronization occurs
http://support.microsoft.com/kb/830092
========================================================================
Event Type: Warning
Event Source: USER32
Event Category: None
Event ID: 1073
Date: 3/20/2009
Time: 12:41:32 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
The attempt to unknown YOUR-58AA870609 failed

Event ID 1073 Source USER32
http://www.eventid.net/display.asp?eventid=1073&eventno=1960&source=USER32&phase=1

Explanation

This event is written when a user or application attempts, but fails, to
restart or shut down the computer by using either the graphical user
interface (GUI) or the shutdown command.

User Action

If you still want to restart or shut down the computer, save any open files,
close any applications that are running, and then you can:

* Use either the graphical user interface (GUI) or the shutdown command
again.
* Press CTRL+ALT+DELETE, and then while pressing CTRL, click Shut Down
to force a shutdown.
* Press the reset or power button on the computer.
=================================================================
Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 3/15/2009
Time: 9:02:30 PM
User: N/A
Computer: YOUR-58AA870609
Description:
TCP/IP has reached the security limit imposed on the number of concurrent
TCP connect attempts.

Solution::
Deploying Windows XP Service Pack 2 using Software Update Services
http://technet.microsoft.com/en-gb/library/bb457097.aspx#EHAA

Windows 2k/XP Registry Tweaks
http://www.speedguide.net/read_articles.php?id=157

http://www.microsoft.com/technet/su...ProdVer=5.2&EvtID=4226&EvtSrc=Tcpip&LCID=1033

Explanation

The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits
the number of concurrent, incomplete outbound TCP connection attempts. When
the limit is reached, subsequent connection attempts are put in a queue and
resolved at a fixed rate so that there are only a limited number of
connections in the incomplete state. During normal operation, when programs
are connecting to available hosts at valid IP addresses, no limit is imposed
on the number of connections in the incomplete state. When the number of
incomplete connections exceeds the limit, for example, as a result of
programs connecting to IP addresses that are not valid, connection-rate
limitations are invoked, and this event is logged.

Establishing connection-rate limitations helps to limit the speed at which
malicious programs, such as viruses and worms, spread to uninfected
computers. Malicious programs often attempt to reach uninfected computers by
opening simultaneous connections to random IP addresses. Most of these random
addresses result in failed connections, so a burst of such activity on a
computer is a signal that it may have been infected by a malicious program.

Connection-rate limitations may cause certain security tools, such as port
scanners, to run more slowly.

User Action

This event is a warning that a malicious program or a virus might be running
on the system. To troubleshoot the issue, find the program that is
responsible for the failing connection attempts and, if the program might be
malicious, close the program as follows.

To close the program

1. At the command prompt, type
netstat -no
2. Find the process with a large number of open connections that are not
yet established.
These connections are indicated by the TCP state SYN_SENT in the State
column of the Active Connections information.
3. Note the process identification number (PID) of the process in the PID
column.
4. Press CTRL+ALT+DELETE and then click Task Manager.
5. On the Processes tab, select the processes with the matching PID, and
then click End Process.
If you need to select the option to view the PID for processes, on the
View menu, click Select Columns, select the PID (Process Identifier) check
box, and then click OK.

======================================================================
Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 7
Date: 3/15/2009
Time: 5:31:40 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer HP Officejet 5600 series fax was resumed.

Solution::
HP All-in-One Products - Performing a Partial Reset of the All-in-One
http://h10025.www1.hp.com/ewfrf/wc/document?lc=en&dlc=en&cc=us&docname=c00060793

==================================================
Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 6
Date: 3/15/2009
Time: 5:31:40 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer HP Officejet 5600 series fax was paused.

Solution::
================================================================
Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 3/15/2009
Time: 5:14:00 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The device, \Device\CdRom0, has a bad block.

Solution::
This can happen on a dirty/greasy CD/DVD or scratched ones.
- Click the Start button, click Run. Type Regedit in the Open box and
then click OK.

- Browse to the following key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

In the right pane/Window Delete the "upperfilter" and "lowerfilter" entries
if these strings are
present in your registry.

Restart your computer and check if the problem resolved and you no longer
have error for the bad block.

- or Reinstall the device driver
==================================================
Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 20
Date: 3/15/2009
Time: 5:07:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Printer Driver HP Officejet 5600 series for Windows NT x86 Version-3 was
added or updated. Files:- hpz2ku12.dll, hpzpm312.dll, hpop5612.dat,
hpfmom12.hlp, hpzimc12.dll, hpzstw12.exe, hpzslk12.dll, hpzr3212.dll,
hpzrm312.dll, hpzcon12.dll, hpzcfg12.exe, hpzeng12.exe, hpzflt12.dll,
hpzime12.dll, hpzjui12.dll, hpzpre12.exe, hpzres12.dll, hpzstc12.exe,
hpztbi12.dll, hpztbu12.exe, hpztbx12.exe, hpzlnt12.dll, hpzsnt12.dll,
hpzcoi12.dll, hpzvip12.dll, hpzims12.dll, hpzpcl12.dll, hpofax08.dll,
hpof5612.dat.


Solution::
This can happen if the printer has been updated or reinstalled/repaired.

HTH,
nass
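Added example, not part of nass's post or the blog it quotes: a Python version of the triage the quoted blog describes, pulling the client address, the decoded AUTH LOGIN user name and the result out of a followed TCP stream. `parse_auth_login` and the second sample stream are assumptions made for illustration; the first sample is abbreviated from the stream quoted above.

```python
import base64
import binascii
import ipaddress
import re

# Abbreviated from the stream quoted in the post, where the viewer has merged
# the server prompt and the client reply onto one "334" line.
POST_STREAM = """\
220 maine.anr.msu.edu Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959
250-maine.anr.msu.edu Hello [10.10.144.11]
250-AUTH GSSAPI NTLM LOGIN
250 OK AUTH LOGIN
334 VXNlcm5hbWU6ZmFydXFp
334 UGFzc3dvcmQ6
535 5.7.3 Authentication unsuccessful.
"""

# Constructed sample: the same exchange with prompts and replies on separate
# lines (host, address, account and password are made up).
SPLIT_STREAM = """\
250-mail.example.test Hello [192.168.1.20]
AUTH LOGIN
334 VXNlcm5hbWU6
YWxpY2U=
334 UGFzc3dvcmQ6
c2VjcmV0
535 5.7.3 Authentication unsuccessful.
"""

# Base64 form of the two AUTH LOGIN prompts, e.g. "VXNlcm5hbWU6" -> "Username:".
PROMPT_TOKENS = {
    base64.b64encode(p.encode()).decode(): p for p in ("Username:", "Password:")
}
HELLO_RE = re.compile(r"^250[- ]\S+ Hello \[([^\]]+)\]")


def _b64(token):
    """Decode one base64 token to text; return None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_auth_login(stream):
    """Summarise one SMTP AUTH LOGIN attempt from followed-stream text."""
    result = {"client_ip": None, "internal": None, "username": None,
              "password_seen": False, "outcome": None}

    def record(prompt, value):
        if value is None:
            return
        if prompt == "Username:":
            result["username"] = value
        else:
            result["password_seen"] = True  # note it, never keep the value

    pending = None  # prompt the server sent and the client has not answered
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        hello = HELLO_RE.match(line)
        if hello:
            try:
                ip = ipaddress.ip_address(hello.group(1))
            except ValueError:
                continue
            result["client_ip"] = str(ip)
            result["internal"] = ip.is_private  # RFC 1918 and similar ranges
        elif line.startswith("334 "):
            token = line[4:].strip()
            for prompt_token, prompt in PROMPT_TOKENS.items():
                if token.startswith(prompt_token):
                    rest = token[len(prompt_token):]
                    if rest:  # merged form: reply glued to the prompt
                        record(prompt, _b64(rest))
                        pending = None
                    else:
                        pending = prompt
        elif line.startswith("535"):
            result["outcome"] = "failure"
            pending = None
        elif line.startswith("235"):
            result["outcome"] = "success"
            pending = None
        elif pending:
            record(pending, _b64(line))  # client reply on its own line
            pending = None
    return result


if __name__ == "__main__":
    for name, text in (("post", POST_STREAM), ("split", SPLIT_STREAM)):
        print(name, parse_auth_login(text))
```
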
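Added example, not from the post or the Microsoft text it quotes: the `netstat -no` step for Event ID 4226 done in Python, counting SYN_SENT connections per PID so the process to look up in Task Manager stands out. The sample output is constructed, and the function names and the default threshold of 5 are assumptions.

```python
from collections import defaultdict

# Constructed sample in the column layout printed by "netstat -no" on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1030       192.168.1.1:80         ESTABLISHED     880
  TCP    192.168.1.5:1031       10.1.2.3:445           SYN_SENT        1432
  TCP    192.168.1.5:1032       10.1.2.4:445           SYN_SENT        1432
  TCP    192.168.1.5:1033       10.1.2.5:445           SYN_SENT        1432
  TCP    192.168.1.5:1034       10.1.2.6:445           SYN_SENT        1432
  TCP    192.168.1.5:1035       10.1.2.7:445           SYN_SENT        1432
  TCP    192.168.1.5:1036       10.1.2.8:445           SYN_SENT        1432
  TCP    192.168.1.5:1037       192.168.1.9:3389       SYN_SENT        880
"""


def syn_sent_by_pid(netstat_text):
    """Return {pid: {"count": n, "remotes": set_of_hosts}} for SYN_SENT rows."""
    stats = defaultdict(lambda: {"count": 0, "remotes": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, PID.
        # Headers, blank lines and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, _, foreign, state, pid = fields
        if state.upper() != "SYN_SENT" or not pid.isdigit():
            continue
        entry = stats[int(pid)]
        entry["count"] += 1
        entry["remotes"].add(foreign.rsplit(":", 1)[0])  # drop the port
    return dict(stats)


def suspects(netstat_text, threshold=5):
    """List (pid, syn_sent_count, distinct_remote_hosts), busiest first.

    threshold is an assumed cut-off for "a large number" of half-open
    connections; tune it to the machine being examined.
    """
    rows = [
        (pid, info["count"], len(info["remotes"]))
        for pid, info in syn_sent_by_pid(netstat_text).items()
        if info["count"] >= threshold
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for pid, count, hosts in suspects(SAMPLE_NETSTAT):
        print(f"PID {pid}: {count} SYN_SENT connections to {hosts} hosts")
```

Many half-open connections from one PID to many different hosts is the pattern the explanation above associates with a worm; a single stalled connection, like PID 880 in the sample, is not.
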
 
K

Ken

Nas, in process of upgrading driver, ATI Radeon x1050 and Catalyst Control
Center. Driver package version 8.476, Catalyst version 8.4.
This version is not equipped with ATI uninstall utility, can however be
removed from Add/Remove Programs. Is suggested by ATI
installation guide to manually remove. Instructions clear, can follow until
<Clear> C:/Windows/Temp/ Is this referring to the C:/ATI
Folder and its contents.

http://i598.photobucket.com/albums/tt65/Ken_039/ATISUPPORTFOLDER.jpg

Will removing by Add/Remove Programs or deleting every sub-folder produce
same result? Presuming of course I'm not totally
off the mark.

nass said:
Hi Ken,
Do you have Small Business Server installed and running on this machine? or
did you Install/Uninstall ASP/SBS or any software/hardware recently?
What version of service pack this machine up to? Is it SP1,SP2 or SP3?

I would like to make sure the machine clean from malware/viruses by running
a thorough scan.
Go through these Cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the Non/Not Verified Plug-ins/Add-ons (you need to re-enable them one-by-one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

If you need further help and your machine infected download the Hijackthis
and send the report to one of many forums for analysis and troubleshooting or
you can send it to me on my email provided at the bottom:
When all else fails, download HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed) ,
remove the obvious to email me.

Please read the info below and apply when appropriate.

Application
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
Windows cannot unload your classes registry file - it is still in use by
other applications or services. The file will be unloaded when it is no
longer in use.

Solution::
User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

The system may not unload your user profile correctly when you log off from
a Windows XP-based computer
http://support.microsoft.com/kb/842827
========================================================================
Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event Category: None
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 0 ) in Source ( Application on Demand -
IEXPLORE ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: ALoggerFileCyclic: Failed to delete an old log file Last
error code: 32

Type:ERROR
Location:::(0) : error 0:
Computer:
Id: 0, Name:Null

Solution::
Event ID 0 Source .NET Runtime
http://www.eventid.net/display.asp?eventid=0&eventno=2142&source=.NET Runtime&phase=1

Detailed Usage of the Event Viewer /AUXSOURCE Switch Option
http://support.microsoft.com/?kbid=312216

===============================================================
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/22/2009
Time: 7:17:22 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

==================================================================================
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 3/15/2009
Time: 5:14:04 PM
User: YOUR-58AA870609\Kenny
Computer: YOUR-58AA870609
Description:

Solution::
MSI Installer and Failed to connect to server Event
http://blogs.msdn.com/mpoulson/archive/2005/11/30/498586.aspx

Event ID 1015 is logged in the Application log when you use the OHotFix
program to install Office updates
http://support.microsoft.com/kb/907341

==============================================================================
Event Type: Error
Event Source: Microsoft Management Console
Event Category: None
Event ID: 1001
Date: 3/15/2009
Time: 1:24:14 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 1001 ) in Source ( Microsoft Management
Console ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: 598251248.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 35 39 38 32 35 31 32 34 59825124
0010: 38 0d 0a 8..

schedule

Solution::
Event ID 1000, 1001 is logged every five minutes in the Application event log
http://support.microsoft.com/kb/290647

Event ID 1001 — Performance Library Availability
http://technet.microsoft.com/en-us/library/cc775086.aspx

Event ID 1001 — Network Performance Counter Availability
http://technet.microsoft.com/en-us/library/cc774942.aspx

Step-by-Step Guide to the Microsoft Management Console
http://technet.microsoft.com/en-us/library/bb742442.aspx

Microsoft Management Console - Overview
http://technet.microsoft.com/en-us/library/bb742441.aspx


========================================================================================
Event Type: Warning
Event Source: System.ServiceModel.Install 3.0.0.0
Event Category: None
Event ID: 0
Date: 3/9/2009
Time: 8:33:05 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Configuration section system.serviceModel.activation already exists in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Solution::
Cannot Find Server (404) or Get Plain Text for WCF .svc Files From IIS?
http://blogs.msdn.com/wenlong/archive/2006/09/10/748294.aspx
Hosting WCF service on IIS/XP - browsing to the .SVC gives a plain text view
of the contents
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b109a13a-7258-49dd-a90d-66bf257ce63e/

Setup .NET 3.0 fails
http://social.msdn.microsoft.com/Fo.../thread/be94b523-e802-4f76-8494-450ea571da44/

===================================================================

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 3/9/2009
Time: 8:32:13 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Updates to the IIS metabase were aborted because IIS is either not installed
or is disabled on this machine. To configure ASP.NET to run in IIS, please
install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Solution::
KB928365 bootstrapper package
http://social.msdn.microsoft.com/Fo.../thread/ba572097-7639-48cf-8d45-227f83e8ea97/

Error 1335 When trying to install VCS
http://social.msdn.microsoft.com/Fo.../thread/255e6619-a2cc-488c-8f23-3a7b57a1cf7d/
===============================================================================
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/5/2009
Time: 6:20:51 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Fault bucket 752609324.

Solution::
RAM test, you may have a bad RAM stick!

================================================================
Security

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kevin
Source Workstation: YOUR-58AA870609
Error Code: 0xC000006A

Solution::
<Q::>Justin S. (Last update 5/3/2005):
- Error code: 0xC0000064 - I discovered one of our workstations had somehow
managed to add a stored password (under Control Panel -> Users -> Advanced ->
Manage Passwords) with the form (e-mail address removed). This created thousands
of failure events as the user browsed our intranet. Removing the offending
entries stopped the events.
</Q::>

<Q::>Adrian Florin Moisei (Last update 4/18/2003):
- Error code: 0xC000006A (Error code 0xC000006A) - According to Microsoft
Windows XP attempts a limited logon for each account that is displayed on the
Welcome screen to determine whether to prompt the user for a password. An
attempted logon is logged for each account displayed. To resolve this
problem, obtain the latest service pack for Windows XP. To prevent these
events from being logged, disable the Welcome screen and use the classic
logon screen or turn off auditing of logon events.
</Q::>

http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772.aspx

========================================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/1/2009
Time: 1:02:25 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Kevin
Domain: YOUR-58AA870609
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-58AA870609

Solution::
http://blogs.msdn.com/puneetgupta/a...name-or-bad-password-inetinfo-exe-advapi.aspx
<Q::>
Unknown username or bad password - InetInfo.exe – ADVAPI

A few days back I worked on a very interesting case and when I searched on
Internet I found that a lot of people are running in to the same problem
which prompted me to write this blog entry.

You will run in to this issue only if you have Exchange/SMTP running on the
machine.

You keep on getting these failure audits in your event viewer and you don't
know why they are coming. After some time the account listed in the failure
audit just gets locked out and you have to go and unlock the account very
frequently. In a lot of cases I saw this was happening in less than 30
 
K

Ken

http://i598.photobucket.com/albums/tt65/Ken_039/REDO.jpg

 
K

Ken

Hi nass, exactly right on the ati2mtag error. Updating Graphic driver to CCC
suite 9.2
stopped the error at start up and the certain programs which produced it.
Working
Hi Ken,
Do you have Small Business Server installed and running on this machine? or
did you Install/Uninstall ASP/SBS or any software/hardware recently?
What version of service pack this machine up to? Is it SP1,SP2 or SP3?

I would like to make sure the machine clean from malware/viruses by running
a thorough scan.
Go through these Cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then try to Disable the Add-Ons somehow installed on your
browser. On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button, there Disable
the Non/Not Verified Plug-ins/Add-ons (you need to re-enable them one-by-one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

If you need further help and your machine is infected, download HijackThis
and send the report to one of many forums for analysis and troubleshooting or
you can send it to me on my email provided at the bottom:
When all else fails, download HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed) ,
remove the obvious to email me.

Please read the info below and apply when appropriate.

Application
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 4/1/2009
Time: 12:58:08 AM
User: YOUR-58AA870609\Geraldine
Computer: YOUR-58AA870609
Description:
Windows cannot unload your classes registry file - it is still in use by
other applications or services. The file will be unloaded when it is no
longer in use.

Solution::
User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

The system may not unload your user profile correctly when you log off from
a Windows XP-based computer
http://support.microsoft.com/kb/842827
========================================================================
Event Type: Error
Event Source: Application on Demand - IEXPLORE
Event Category: None
Event ID: 0
Date: 3/31/2009
Time: 11:28:54 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 0 ) in Source ( Application on Demand -
IEXPLORE ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: ALoggerFileCyclic: Failed to delete an old log file Last
error code: 32

Type:ERROR
Location:::(0) : error 0:
Computer:
Id: 0, Name:Null

Solution::
Event ID 0 Source .NET Runtime
http://www.eventid.net/display.asp?eventid=0&eventno=2142&source=.NET Runtime&phase=1

Detailed Usage of the Event Viewer /AUXSOURCE Switch Option
http://support.microsoft.com/?kbid=312216

===============================================================
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/22/2009
Time: 7:17:22 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

==================================================================================
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 3/15/2009
Time: 5:14:04 PM
User: YOUR-58AA870609\Kenny
Computer: YOUR-58AA870609
Description:

Solution::
MSI Installer and Failed to connect to server Event
http://blogs.msdn.com/mpoulson/archive/2005/11/30/498586.aspx

Event ID 1015 is logged in the Application log when you use the OHotFix
program to install Office updates
http://support.microsoft.com/kb/907341

==============================================================================
Event Type: Error
Event Source: Microsoft Management Console
Event Category: None
Event ID: 1001
Date: 3/15/2009
Time: 1:24:14 PM
User: N/A
Computer: YOUR-58AA870609
Description:
The description for Event ID ( 1001 ) in Source ( Microsoft Management
Console ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: 598251248.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 35 39 38 32 35 31 32 34 59825124
0010: 38 0d 0a 8..

schedule

Solution::
Event ID 1000, 1001 is logged every five minutes in the Application event log
http://support.microsoft.com/kb/290647

Event ID 1001 — Performance Library Availability
http://technet.microsoft.com/en-us/library/cc775086.aspx

Event ID 1001 — Network Performance Counter Availability
http://technet.microsoft.com/en-us/library/cc774942.aspx

Step-by-Step Guide to the Microsoft Management Console
http://technet.microsoft.com/en-us/library/bb742442.aspx

Microsoft Management Console - Overview
http://technet.microsoft.com/en-us/library/bb742441.aspx


========================================================================================
Event Type: Warning
Event Source: System.ServiceModel.Install 3.0.0.0
Event Category: None
Event ID: 0
Date: 3/9/2009
Time: 8:33:05 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Configuration section system.serviceModel.activation already exists in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Solution::
Cannot Find Server (404) or Get Plain Text for WCF .svc Files From IIS?
http://blogs.msdn.com/wenlong/archive/2006/09/10/748294.aspx
Hosting WCF service on IIS/XP - browsing to the .SVC gives a plain text view
of the contents
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b109a13a-7258-49dd-a90d-66bf257ce63e/

Setup .NET 3.0 fails
http://social.msdn.microsoft.com/Fo.../thread/be94b523-e802-4f76-8494-450ea571da44/

===================================================================

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 3/9/2009
Time: 8:32:13 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Updates to the IIS metabase were aborted because IIS is either not installed
or is disabled on this machine. To configure ASP.NET to run in IIS, please
install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Solution::
KB928365 bootstrapper package
http://social.msdn.microsoft.com/Fo.../thread/ba572097-7639-48cf-8d45-227f83e8ea97/

Error 1335 When trying to install VCS
http://social.msdn.microsoft.com/Fo.../thread/255e6619-a2cc-488c-8f23-3a7b57a1cf7d/
===============================================================================
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/5/2009
Time: 6:20:51 PM
User: N/A
Computer: YOUR-58AA870609
Description:
Fault bucket 752609324.

Solution::
RAM test, you may have a bad RAM stick!

================================================================
Security

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2009
Time: 8:23:42 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kevin
Source Workstation: YOUR-58AA870609
Error Code: 0xC000006A

Solution::
<Q::>Justin S. (Last update 5/3/2005):
- Error code: 0xC0000064 - I discovered one of our workstations had somehow
managed to add a stored password (under Control Panel -> Users -> Advanced ->
Manage Passwords) with the form (e-mail address removed). This created thousands
of failure events as the user browsed our intranet. Removing the offending
entries stopped the events.
</Q::>

<Q::>Adrian Florin Moisei (Last update 4/18/2003):
- Error code: 0xC000006A (Error code 0xC000006A) - According to Microsoft
Windows XP attempts a limited logon for each account that is displayed on the
Welcome screen to determine whether to prompt the user for a password. An
attempted logon is logged for each account displayed. To resolve this
problem, obtain the latest service pack for Windows XP. To prevent these
events from being logged, disable the Welcome screen and use the classic
logon screen or turn off auditing of logon events.
</Q::>

http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772.aspx

========================================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/1/2009
Time: 1:02:25 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-58AA870609
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Kevin
Domain: YOUR-58AA870609
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-58AA870609

Solution::
http://blogs.msdn.com/puneetgupta/a...name-or-bad-password-inetinfo-exe-advapi.aspx
<Q::>
Unknown username or bad password - InetInfo.exe – ADVAPI

A few days back I worked on a very interesting case and when I searched on
Internet I found that a lot of people are running in to the same problem
which prompted me to write this blog entry.

You will run in to this issue only if you have Exchange/SMTP running on the
machine.

You keep on getting these failure audits in your event viewer and you don't
know why they are coming. After some time the account listed in the failure
audit just gets locked out and you have to go and unlock the account very
frequently. In a lot of cases I saw this was happening in less than 30
 
nass

Hi Ken,
First off, I'm sorry I didn't come back to you to assist you further, because
I didn't see your reply which was on 15/04/2009.
Secondly, thanks for letting us know your issue is resolved and the solution
for it. Much appreciated.
Good luck.
nass
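
The failure audits quoted in this thread (Event ID 680 with an NTSTATUS error code, Event ID 529 with a logon type) can be triaged from an Event Viewer text export. The following Python is an added example, not part of any post; the sample records, the host and account names and the `threshold` cut-off are constructed assumptions.

```python
import re
from collections import Counter

# NTSTATUS codes named in the thread's Event ID 680 notes.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER (account name does not exist)",
            0xC000006A: "STATUS_WRONG_PASSWORD (account exists, wrong password)"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample records (host and account names are made up).
SAMPLE = r"""Event Type: Failure Audit
Event Source: Security
Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: EXAMPLE-PC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: alice
Source Workstation: EXAMPLE-PC
Error Code: 0xC000006A
====================================================
Event Type: Failure Audit
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: alice
Logon Type: 2
====================================================
Event Type: Failure Audit
Event ID: 680
Logon account: bob
Error Code: 0xC0000064
====================================================
Event Type: Warning
Event Source: Userenv
Event ID: 1524
"""

def parse_events(text):
    """Split on '=====' rules and collect 'Key: value' lines per record."""
    events = []
    for chunk in re.split(r"(?m)^={8,}\s*$", text):
        fields = {}
        for line in chunk.splitlines():
            m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
            if m:
                fields.setdefault(m.group(1).lower(), m.group(2).strip())
        if "event id" in fields:
            events.append(fields)
    return events

def describe(ev):
    """(account, reason) for a 680/529 failure audit, otherwise None."""
    if ev.get("event type") != "Failure Audit":
        return None
    if ev["event id"] == "680":
        code = int(ev.get("error code", "0"), 16)
        return ev.get("logon account", "?"), NTSTATUS.get(code, hex(code))
    if ev["event id"] == "529":
        kind = LOGON_TYPES.get(int(ev.get("logon type", "0")), "other")
        return ev.get("user name", "?"), "%s (%s logon)" % (ev.get("reason", "?"), kind)
    return None

def triage(text, threshold=2):
    """Failure audits per account; threshold is an assumed alerting cut-off."""
    hits = [d for d in map(describe, parse_events(text)) if d]
    counts = Counter(account for account, _ in hits)
    return hits, counts, sorted(a for a, n in counts.items() if n >= threshold)
```

`triage(SAMPLE)` returns the decoded failures, the per-account counts and the accounts at or above the threshold, which separates a wrong-password pattern on one real account from lookups of names that do not exist.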


