wvbeaner

asked on

recurring Event Log Errors after removing hacker from system

Hello, any help would be appreciated; I think the question may be quite difficult, but not urgent.

A few months ago my server was hacked, almost right after I took over the job of administering it. It is a remotely hosted system, so I only have Terminal Server access unless I want to bug one of our tech support guys to access the console; the server is locked up somewhere and I have no physical access to it.

I had to remove the hacks to the server rather forcefully, as there were some hidden processes keeping an instance of FTP Serv-U active on the system and hidden, serving a hidden server linked to each of the recycle bins on the system. It seems that RAS might have been used to keep control of the system as well. I do not know how the system was compromised, but our FTP server is still being pinged by these guys.

Anyway, after removing all references to the hacks in the registry and deleting the fake recycle bin links, the server has been experiencing consistent errors during startup. I will list them below. Any help in clearing up these errors would be a big help.

Server is running: Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.


w3svc    ID 105

The server was unable to register the administration tool discovery information.  The administration tool may not be able to see this server.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Words:  0000: 000004c6


msftpsvc    ID  105

The server was unable to register the administration tool discovery information.  The administration tool may not be able to see this server.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Words:  0000: 000004c6



Service Control Manager  ID  7000


The Distributed File System service failed to start due to the following error:
The system cannot find the path specified.  


Service Control Manager   ID   7000

The Distributed Transaction Coordinator service failed to start due to the following error:
The system cannot find the path specified.  



Security Log: there are a bunch of 560 events; they all seem to be the same.

Security:  Object Access  560


Object Open:
       Object Server:      Security
       Object Type:      Mutant
       Object Name:      \BaseNamedObjects\RasPbFile
       New Handle ID:      -
       Operation ID:      {0,15459507}
       Process ID:      2868
       Primary User Name:      USERNAME$
       Primary Domain:      usernamegroupgrp
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses            DELETE
                  READ_CONTROL
                  WRITE_DAC
                  WRITE_OWNER
                  SYNCHRONIZE
                  Query mutant state
                  
       Privileges            -


Application Log:      

rasctrs              2001

The description for Event ID ( 2001 ) in Source ( rasctrs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The event log file is corrupt..


MSSQLServer    19011

SuperSocket info: (SpnRegister) : Error 1355.
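One way to chase the two "cannot find the path specified" 7000 events, and to re-check for leftover persistence of the kind the hidden Serv-U instance used, is to dump HKLM\SYSTEM\CurrentControlSet\Services with `reg query ... /s` on the server and triage every ImagePath offline. The Python below is an added example, not code posted by anyone in this thread. It assumes the `reg query /s` output layout (a key-path line followed by indented name / type / data lines); the sample dump, the environment map and the file list stand in for the real server and are constructed, and the `ServUDaemon` key is a hypothetical stand-in for a hidden FTP service. It flags services whose binary no longer exists (the condition the Service Control Manager reports as event 7000), any ImagePath sitting under a RECYCLER/RECYCLED directory, and anything outside %SystemRoot% or Program Files for review; it also turns the `Words: 0000: 000004c6` data from the two 105 events into the decimal Win32 code 1222 (ERROR_NO_NETWORK).

```python
r"""Triage service ImagePath entries from a `reg query /s` dump.

Added example for this thread (not the asker's or answerers' code).  Assumes the
`reg query HKLM\SYSTEM\CurrentControlSet\Services /s` layout: a key-path line,
then indented `name  type  data` lines.  Sample data below is constructed.
"""
import os
import re
from typing import Callable, Dict, List

# Constructed sample dump (not output from the asker's server).  Dfssvc.exe is
# deliberately absent from SAMPLE_EXISTING_FILES, reproducing the 7000 event;
# ServUDaemon is a hypothetical key mimicking a service hidden in a recycle bin.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs
    ImagePath    REG_EXPAND_SZ   %SystemRoot%\system32\Dfssvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC
    ImagePath    REG_EXPAND_SZ   %SystemRoot%\system32\msdtc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
    ImagePath    REG_EXPAND_SZ   %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServUDaemon
    ImagePath    REG_SZ          "C:\RECYCLER\S-1-5-21-1\Dc1\servudaemon.exe" -service
"""
# Constructed stand-ins for a Windows 2000 box (system root C:\WINNT).
SAMPLE_ENV = {"SystemRoot": r"C:\WINNT", "ProgramFiles": r"C:\Program Files"}
SAMPLE_EXISTING_FILES = {
    r"c:\winnt\system32\msdtc.exe",
    r"c:\winnt\system32\svchost.exe",
    r"c:\recycler\s-1-5-21-1\dc1\servudaemon.exe",
}
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_image_paths(dump: str) -> Dict[str, str]:
    """Map service key name -> raw ImagePath value from a `reg query /s` dump."""
    paths: Dict[str, str] = {}
    service = None
    for line in dump.splitlines():
        if line.startswith("HKEY_"):
            service = line.rstrip("\\").rsplit("\\", 1)[-1]
            continue
        m = VALUE_LINE.match(line)
        if m and service and m.group(1).lower() == "imagepath":
            paths[service] = m.group(3)
    return paths


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %NAME% case-insensitively; unknown names are left untouched."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower_env.get(m.group(1).lower(), m.group(0)), value)


def executable_from_image_path(image_path: str) -> str:
    r"""Strip arguments: a quoted path ends at the closing quote; an unquoted one
    runs up to the first token ending in .exe (handles C:\Program Files\x\y.exe -k)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    tokens = s.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else s


def triage(dump: str, env: Dict[str, str],
           file_exists: Callable[[str], bool] = os.path.exists) -> List[dict]:
    """One finding per service, listing what is wrong with its ImagePath."""
    system_root = env.get("SystemRoot", "").lower()
    program_files = env.get("ProgramFiles", "").lower()
    findings = []
    for service, raw in parse_image_paths(dump).items():
        exe = executable_from_image_path(expand_env(raw, env))
        low = exe.lower()
        issues = []
        if "%" in exe:                  # variable that nothing defines any more
            issues.append("unresolved_env")
        elif not file_exists(exe):      # what the SCM reports as event 7000
            issues.append("missing")
        if any(p in RECYCLE_DIRS for p in re.split(r"[\\/]", low)[:-1]):
            issues.append("recycle_bin")   # hiding spot described in the question
        if not (low.startswith(system_root + "\\") or low.startswith(program_files + "\\")):
            issues.append("outside_standard_dirs")
        findings.append({"service": service, "image_path": raw, "exe": exe, "issues": issues})
    return findings


# Only the two codes that appear in the question's events (values from winerror.h).
WIN32_ERRORS = {
    1222: "ERROR_NO_NETWORK: the network is not present or not started",
    1355: "ERROR_NO_SUCH_DOMAIN: the specified domain does not exist or could not be contacted",
}


def event_data_to_code(data_line: str) -> int:
    """Turn an Event Viewer 'Words: 0000: 000004c6' line into a Win32 error code."""
    return int(data_line.split()[-1], 16)


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY, SAMPLE_ENV, lambda p: p.lower() in SAMPLE_EXISTING_FILES):
        print(f"{f['service']:<12} {f['exe']:<48} {f['issues'] or 'ok'}")
    code = event_data_to_code("Words:  0000: 000004c6")
    print(code, WIN32_ERRORS.get(code, "unknown"))
```

Run against a real dump by passing the file contents as `dump`, the server's own `%SystemRoot%` and `%ProgramFiles%` in `env`, and leaving `file_exists` at its default when the script runs on the server itself. A service in the `missing` bucket explains a 7000 "path not found" event; a `recycle_bin` hit is the kind of entry the cleanup was meant to remove.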
RevelationCS

Sounds like your installations of IIS components might be corrupted... you might want to try the following:

HiJackThis - http://www.spywareinfo.com/~merijn/downloads.html
Create the log with HJT and post the log to the HJT LogAnalyzer - http://www.hijackthis.de/en
Save the log and post the URL to it here...

Also, you might want to try reinstalling the IIS components, but that might need to be done by the guys with access to the console...
wvbeaner

ASKER

I will look into the reinstall of IIS; I am not sure what this would involve.

Here is the link to the log file:

http://www.hijackthis.de/logfiles/058b631d7a63d6200a809dfea3bad932.html

ASKER CERTIFIED SOLUTION
RevelationCS