Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

XP & 2000 Server issues on Domain. Real bad!


  • Please log in to reply

#1
Gargoyle357

Gargoyle357

    Member

  • Member
  • PipPip
  • 36 posts
Thursday morning a number of Windows XP workstations failed to login. They hung during the "copying Computer Settings" screen and stayed there. One finally logged in after 45 minutes.

Removing the network cable while powered down, then turning it on and logging into the domain, then connecting the network cable, LOGGING OFF, then loggin back on gets the computer logged on. This provides basic functionality, but it is slow and you are not able to access network settings by any means I can think of.

It has effected 6 Windows XP systems, 1 Windows 2000, and 2 Windows 2000 Servers (which were also Domain controllers).

We run Symantec Corporate Antivirus. Effected systems had a combination of SAV 9 Client, SAV 10 Client, and SAV 10 Server.

I can not update antivirus definitions. I can run the update, but the program still displays 7/27. I can not un-install SAV.

I am unable to run Windows Update or install individual patches, getting a hang followed by an error message.

I have run virus scans, on-line virus scans, and some of your utilities, all to no avail. I am currently in the process of using the "SFC /ScanNow" that I found in another link to try and repair Windows Installer.

Grabbing at straws here. Any idea? :tazz:

Thank you.
  • 0

Advertisements


#2
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Windows 2000 Server Event Log
Source: Userenv
Category: None
Event ID: 1000
User: NT Authority System

Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated.

Detail Access is denied, Build number ((2195))

I have seen this entry on more than one of the computers.

Let me add that this is not system wide, many of the computers are not effected at all. I have been unable to identify the common thread.
  • 0

#3
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Windows XP Workstation

TrojanHunter

Port Scan
Port 30001/TCP is open (matches antipc)
Port 30001/TCP is open (matches error32)
Port 7200/TCP is open (matches massaker)

*Nothing else found

Windows 2000 Server

TrojanHunter

Trojandownloader.webdown.100

*Nothing else found
  • 0

#4
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Also unable to access the Connections tab in Internet Options.......
  • 0

#5
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
you've got some funky stuff going on there......not a chance that you had backups of any of those systems is there?
  • 0

#6
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Oh come on now, that would be too easy. :tazz:

Might have backup of the one server.

We don't backup workstations.

It has to be something in common.
It has to be something that changed.

We have identical units at remote locations which login to the same network through the same servers which have shown no effect. They connect to us through VPN. Keep toying with the thought that the firewall is somehow keeping whatever it is contained here.

It acts like a virus, but nothing can find it.
All scans come back clean.

Ran Trojan Hunter on 2 more of the "victims" and both came back clean.

The server that I ran sfc /scannow on still can't install software. Sicks at the Windows Installer/Preparing to Install window. Has been there for almost 10 minutes now.

P.S. "It" disabled both network cards on the first server. Can not get to either.

P.P.S. "It" activates on boot up. One of the XP boxes didn't get hit till yesterday, and that's because it doesn't get rebooted nightly. Unfortunately it was MY workstation and I am so handicapped right now it's not even funny.

Do you suggest giving up, restore the one backup and start over on the rest?
  • 0

#7
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
This is interesting.

Event log on one of the XP boxes. (The most FUBAR of them)

Source: LSASRV
Category: SPNEGO (Negotiator)
Event ID: 40961

The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Never heard of prisoner.iana.org, but it doesn't sound friendly and I don't why theis computer was looking for it?
  • 0

#8
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
i say start over on the server as it is probably criticall.....but for now how do you manage updates on the machines?
  • 0

#9
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Windows updates on these were handled by Automatic Update being set to download automatically and prompt to install.

Antivirus definition updates were pushed down to the clients from the Antivirus servers (2 of which are dead the dead ones...)

The more critical of the 2 servers is partially functional. It's not fast, and you can't install anything, and you can't run antivirus, but it is functioning as a DC.
  • 0

#10
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
well my concern is that if it is a virus of some kind...the servers might be the one's pushing it out...which might be why the problem occurs on reboot...every time the contact the sserver they get hosed.......and by the messages you're getting from the trojan thing..and the message about that prisoner .org it sounds like someone or something that you don't want inside got inside.....how's our firewall type system set up?
  • 0

Advertisements


#11
Gargoyle357

Gargoyle357

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I have activity on Port 8193.
Any clue what that might be?

I'm not sure how the server would pick it up with no e-mail or browsing on them.

We use a Watchguard Firebox.
Connect to Watchguard SOHO's at the remote locations with IPSEC VPN.
Have a T1 here for internet access.

Traffic is allowed out, but very little is allowed in.
We do have a mail server and it is in a DMZ.
  • 0

#12
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
man......you seem pretty well protected....and 8193 is in the upper range...so it's from an application running within...i'll see if i can find a referene.
  • 0

#13
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
"According to IANA.org, UDP Ports 8162-8198 are unassigned. If you look further, you will find that some SUN applications utilize this port number. See link for more information.

http://docs.sun.com/...m8a59m1l?a=view "

i found that but.....don't know....how did you find the traffic on that port? is there any more detail than the fact that there is activity?....
  • 0

#14
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
man...i'm not finding anything helpful on that port.....plus since it's not a standard port....it could be anything....try the malware tasks on this forum and see what happens...also close tht port for now
  • 0

#15
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
i'm gonna request some extra manpower on this one
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP