LowStealth
asked on
Event ID 9673 when MS Exchange Information Store service terminates unexpectedly
I am running Exchange 2003 Ent. Ed. on Windows 2003 Ent. Ed. The IS service stops randomly but can be restarted. The server works fine until the next random crash. The following is logged in the application log:
Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9673
Date: 10/5/2004
Time: 10:42:12 AM
User: N/A
Computer: BMI-EX01
Description:
An exception with code 0xc00000fd was thrown in module C:\WINNT\system32\ntdll.dl
Any suggestions?
Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9673
Date: 10/5/2004
Time: 10:42:12 AM
User: N/A
Computer: BMI-EX01
Description:
An exception with code 0xc00000fd was thrown in module C:\WINNT\system32\ntdll.dl
Any suggestions?
ASKER
Service Pack 1 for exchange is installed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have verified that adding an attachment in OWA regardless of size or file type will cause the problem. Got a solution?
Unfortunately not. I have found a load of newsgroup postings that point to the same problem, but there are no answers. Again, it might have to be a call to Microsoft. If enough people call then a KB article will be created.
Simon.
Simon.
ASKER
Turns out HackerDefender was on this machine. Similar to the issue here:
https://www.experts-exchange.com/questions/21063900/OWA-crashes-the-store-exe-when-attaching-a-file.html
Although I had a newer version. The IS stopping when a file is attached in OWA is a bug in the rootkit. I will go over the cleanup because information seems scarce.
Download the rootkit detector and run from a command prompt:
http://bagpuss.swan.ac.uk/comms/RKDetectorv0[1].62.zip
If it says you have HackerDefender100 do the following. I am mirroring this information from http://www.buriedtruth.com/spysoftware/spynews/spyware-newgroup-archive/spyware-newgroup-archive-p-3198.html
1) go to the command prompt and type in the following:
net stop HACKERDEFENDERDRV100
2) next open up regedit and do a search on "powerful"
3) You should see a key with a pharse that says "Powerful NT RootKit"
Export this key to your desktop and then delete this key.
4) Then reboot your computer
5) After the reboot go back to the command prompt and make sure the
HACKERDEFENDERDRV100 service is not running ( STEP 1)
6) Next go to start and search for files and folders
7) Type in the "a word or a phrase in the file" hxdefdrv.sys
8) This will then list several files that reference HackerDefender
9) I made a backup of all these files first and renamed the extensions
on them.
10) Find the *.ini file that is referenced in this search. This file
will contain *.dlls and *.exe that will need to be deleted from your
system.
11) Nuke the files that are referenced!
12) Then run regedit and look for "hackerdefenderdrv100". I would
strongly suggest that you make a full backup of your registry first,
then nuke all references to "hackerdefenderdrv100" then reboot.
13) After reboot you will need once more to make sure the
hackerdefenderdrv100 service is not running (Step 1)
14) If this service is still trying to run you will need to get your
Operating System disk and boot up to recovery console mode, then you
will need to login to the winnt system. Once your logged in, you will
need to type "listsvc".
You will see a ton of services, we are looking for
HACKERDEFENDERDRV100. If this one is listed you will then need to type
the following. Disable HACKERDEFENDERDRV100 Service_Disabled
Then type exit, and login into your clean system.
https://www.experts-exchange.com/questions/21063900/OWA-crashes-the-store-exe-when-attaching-a-file.html
Although I had a newer version. The IS stopping when a file is attached in OWA is a bug in the rootkit. I will go over the cleanup because information seems scarce.
Download the rootkit detector and run from a command prompt:
http://bagpuss.swan.ac.uk/comms/RKDetectorv0[1].62.zip
If it says you have HackerDefender100 do the following. I am mirroring this information from http://www.buriedtruth.com/spysoftware/spynews/spyware-newgroup-archive/spyware-newgroup-archive-p-3198.html
1) go to the command prompt and type in the following:
net stop HACKERDEFENDERDRV100
2) next open up regedit and do a search on "powerful"
3) You should see a key with a pharse that says "Powerful NT RootKit"
Export this key to your desktop and then delete this key.
4) Then reboot your computer
5) After the reboot go back to the command prompt and make sure the
HACKERDEFENDERDRV100 service is not running ( STEP 1)
6) Next go to start and search for files and folders
7) Type in the "a word or a phrase in the file" hxdefdrv.sys
8) This will then list several files that reference HackerDefender
9) I made a backup of all these files first and renamed the extensions
on them.
10) Find the *.ini file that is referenced in this search. This file
will contain *.dlls and *.exe that will need to be deleted from your
system.
11) Nuke the files that are referenced!
12) Then run regedit and look for "hackerdefenderdrv100". I would
strongly suggest that you make a full backup of your registry first,
then nuke all references to "hackerdefenderdrv100" then reboot.
13) After reboot you will need once more to make sure the
hackerdefenderdrv100 service is not running (Step 1)
14) If this service is still trying to run you will need to get your
Operating System disk and boot up to recovery console mode, then you
will need to login to the winnt system. Once your logged in, you will
need to type "listsvc".
You will see a ton of services, we are looking for
HACKERDEFENDERDRV100. If this one is listed you will then need to type
the following. Disable HACKERDEFENDERDRV100 Service_Disabled
Then type exit, and login into your clean system.
Do Anyone solve this problem? There is same problem my on Exchange Server.
The other reference I found was it being caused by users trying to attach things in OWA. Again I believe this is fixed by the service pack.
If you have already SP the Exchange install then you need to state that as it does make a difference.
Simon.