w98 cannot logon to W2K AD

peysha

Environment:

Clients : all win98 (10-20)
Single Server : W2K with SP3 domain controller in AD
running Lotus Notes Server

Problem: The environment had been running fine since
installation, for the past 1 year, until last week. None
of the users (including administrator) could log on to the
domain. The error message given is "password supplied is not
correct or access to your logon server has been denied".

What we have tried so far:
1) Created a new user and tried to log on, but it still failed
2) Checked for the trailing space on the workstation and even
renamed the computer, but the result is still the same
3) Enabled NTLM2 using the registry and installed the DS
client on the W98 workstation, but no improvement
4) Tried to install WINS on the domain controller but had a
problem ("error could not locate the server")
5) Even tried to uninstall and reinstall (dcpromo) Active
Directory, but the w98 clients still couldn't log on
6) Brought in another new w98 workstation, but the problem is
still the same.


Next Steps:
1) will remove the existing network adapter and replace
with another network adapter
2) Format and reinstall OS and recreate DNS server :-( I
hope we don't have to do this.

We could not simply upgrade to w2K service pack 4 due to
incompatibility with Lotus Notes.

Has anybody faced this problem before, or does anyone have a
solution or any idea? I would appreciate your advice. Thanks.
 
Diana Smith [MSFT]

Is the sysvol shared out on the 2000 Domain Controller?

Diana

This posting is provided "AS IS" with no warranties, and confers no rights.
 
peysha

Yes, sysvol was shared. I also just discovered that the IPC$
and Admin$ shares have disappeared. I manually added the
shares using net share, but they drop/disappear again
after a few seconds. I also added
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
AutoShareWks=1 and AutoShareServer=1, but they still
disappear a few seconds after reboot. All the other
administrative shares are still there (C$, D$, Print$), except
Admin$ and IPC$.

I have now demoted the Active Directory and put it
back to a workgroup model; clients log on locally and access
the server shares manually. I will try to format and
reinstall the OS partition tomorrow.

Could it be one of the hot fixes causing the problem?
The system had no problem until last week. Initially I
only installed KB823980 & KB824146 to protect from
Blaster. I now have additional hot fixes: Pre-SP4 -
Q323172, Q324096, Q324380, Q326830, Q326886, Q329115,
Q329834, Q328310, Q329170, Q331953, Q810833; SP4 - Q329553,
Q811493, Q814033, Q815021.
 

Diana Smith [MSFT]

Hello,

The most likely cause of missing admin shares is malware that is running on
the computer, such as a virus, worm, trojan, backdoor, spyware application
or other type of hacker tool.

To check for malware, start by running a full anti-virus scan on the
computer using the latest definitions, or use one of the free scanning
services available on the Web. See below for links to definition updates
and free online scans from the most popular anti-virus software vendors.

After completing the anti-virus scan, check the system for other types of
malware, such as spyware or hacker tools. See below for links to popular
spyware and hacker detection tools.

Next, check the AutoShareServer and AutoShareWks registry values to make
sure they are not set to 0:

1. Start Registry Editor (Regedt32), and then locate the following registry
sub-key:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

2. If the AutoShareServer and AutoShareWks DWORD values exist with a value
data of 0, set them to 1 or delete them. If these values do not exist, you
do not need to create them because the default behavior is to create the
admin shares automatically.

3. Quit Registry Editor.

4. Restart the computer and make sure the shares are active.

PS. Check run keys in registry to see if there is a batch file that is set
to delete the admin shares.

Below is a list of suspect files that have been found on computers affected
by this problem. Many of these overwrite or spoof the names of legitimate
files and services. They often load from the registry subkey
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:


Below are some worms, trojans and backdoors that have been found on
computers affected by this problem:

Backdoor.IRCBot.gen
Backdoor irc.flood.c
Backdoor irc.flood.e
Backdoor irc.flood.f
Backdoor.Dvldr
Backdoor.IRC.Aladinz
Backdoor.irc.flood
Backdoor.IRC.Zcrew
Backdoor.subseven
BackGate Kit Trojan
boncer
Deloder
HIDLE
ILoveYou
MIRC
mirc/shaz.a.worm
Sdbot
servu
Troj/Litmus-108
W32.HLLW.Deloder
W32/Deloder.worm
W32/Deloder-A
W32/Nackbot-A
Worm.Win32.Deloder
WORM_DELODER.A
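
Added example, not part of the original thread or of Microsoft's guidance: the registry checks described in the reply above (AutoShareServer/AutoShareWks set to 0, and Run entries that launch a batch file or delete a share), applied to the text of a registry export. The sample export, the value names such as ExampleUpdater, and the finding labels are constructed for illustration.

```python
import re
# Constructed sample of a registry export (.reg text); not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\WINNT\\system32\\example_cleanup.bat"
"ExampleInline"="cmd /c net share admin$ /delete"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''

SHARE_KEY = r"\services\lanmanserver\parameters"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SCRIPT_RE = re.compile(r'\.(bat|cmd)\b', re.I)               # batch file launched at logon
DELETE_RE = re.compile(r'net\s+share\b.*?/delete', re.I)    # inline share removal

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"]

def audit(text):
    """Return (kind, value_name, detail) findings for the two checks."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(SHARE_KEY) and name.lower() in ("autoshareserver", "autosharewks"):
            # A value of 0 suppresses the automatic admin shares; 1 or absent is the default.
            if data.lower().startswith("dword:") and int(data[6:], 16) == 0:
                findings.append(("share-disabled", name, data))
        elif k.endswith(RUN_KEY):
            cmd = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
            if DELETE_RE.search(cmd):
                findings.append(("run-deletes-share", name, cmd))
            elif SCRIPT_RE.search(cmd):
                findings.append(("run-batch-file", name, cmd))
    return findings

if __name__ == "__main__":
    for kind, name, detail in audit(SAMPLE_REG):
        print(f"{kind:18} {name:16} {detail}")
```

A "run-batch-file" finding only means the batch file should be opened and read; the export alone does not show what the script does.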
 
