Windows 2003 Server Weird Crashing

machoman013

Member
Oct 20, 2003
74
0
0
Yesterday one of our 2k3 server computers which is also DNS, DHCP, DC and File server just imploded on itself yesterday and disconnected from the network. Server was restarted and everything appeared normal except that it kept popping up with IIS 6.0 crashing errors related to w3wp.exe. I've checked the event logs as well and found a bunch of 'fault bucket' errors 1001. When I opened up the cmd shell, and tried to do a typical command, it gave the following:

'dir' is not recognized as an internal or external command

Same thing happens with the most basic of DOS functions, however here's the catch, ipconfig, ver, etc. work. Even more bizarre is that the other server running DC, DNS, and Exchange is having the same cmd shell issue.

Scanning both servers now, found hidden32.exe and hideexec.A in the system vol information on the first server that originally crashed. Both servers also turned up Smitfraud.C from Spybot 1.4 and adaware is still unclear yet for both too.

Is there a path issue or something much more serious?
 

Fraggable

Platinum Member
Jul 20, 2005
2,799
0
0
Sounds like a simple spyware/malware/virus issue to me. I recently had a virus that disabled my ability to run cmd and the task manager. Ewido security suite took care of it and I got my system back easily.

Don't even tell me you didn't have a virus scanner running on your file server...
 

machoman013

Member
Oct 20, 2003
74
0
0
No way man, what the hell.. that's like an insult. AVG Network Edition 7.1.x I also had spybot and adaware on there. Though I wasn't exactly scanning once a week like a good boy.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
You got something on there, it doesn't really matter how it got there. Although one possibility is web browsing. Web browsing on a server is Really Bad.

On a DC/Exchange server, getting infected with malware is a devastating event, since you can no longer assume your entire domain hasn't been compromised. You're looking at a complete rebuild of that system. If this is not the only domain controller, you're also looking at a reset of every account password at a minimum.

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Let me just add, if you want to have any chance of saving anything, I would highly, highly recommend a call to Microsoft PSS Security (1866-PCSAFETY)
 

machoman013

Member
Oct 20, 2003
74
0
0
I don't have a gold or silver level membership with them, it'd be cheaper for me to use a professional consultant in our area that has such resources. Thanks for your insights.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: machoman013
I don't have a gold or silver level membership with them, it'd be cheaper for me to use a professional consultant in our area that has such resources. Thanks for your insights.

It's free.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
I don't understand. You're infected with malware and spyware and who knows what else - and you're blaming a MS update?
 

machoman013

Member
Oct 20, 2003
74
0
0
I didn't say I was blaming them for it, but it was at the same time this happened too on both servers right after reboot of the updated patches.
 

machoman013

Member
Oct 20, 2003
74
0
0
Originally posted by: stash
Let me just add, if you want to have any chance of saving anything, I would highly, highly recommend a call to Microsoft PSS Security (1866-PCSAFETY)

1866 pc safety no longer works for me.
 

Xtremist

Golden Member
Dec 2, 1999
1,342
0
0
Either you have a typo in your post or you aren't dialing the correct number stash referred.

This is a little OT but you seem pretty defensive towards people that are trying to help you out.

Good luck with your issue though, the fact that it's a DC is absolutely terrifying.
 

machoman013

Member
Oct 20, 2003
74
0
0
Thanks for the gl. I'm only defensive for people who don't seem to try to link other variables into the equation other than 'assumption'. If you would like to type out those #'s for the hotline, please do, because it ain't working from my logix T line phone or any phone I'm using.

P.S. Please think about how people type to each other. Read it out loud and see if you would want someone to tell you either you're stupid or the fact is wrong.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Direct from Microsoft's site: (I don't know if it works or not)
----------------------------------------
No-Charge Support
Call 1-866-PCSAFETY (866-627-2338) for virus related support at no charge (US and Canada only).
----------------------------------------
Contact your antivirus vendor for assistance with identifying or removing virus or worm infections. If you need more help with virus-related issues, contact Microsoft Product Support Services.

• For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338)
 