Looking for some help here so we can get the server running long enough for our migration to the new one we ordered. We have an ongoing issue where the server blue screens every 60-90 minutes, all day long. I have pulled the server overnight and now for two weekends, and there has been not one reboot or BSOD (current uptime is 2 days and 18 hours). But based on history, when I return it to the site it will start again like clockwork. So far:
• I have moved it to another power outlet (but power doesn't seem likely, because once I disabled auto-restart it always stays on, just with a BSOD).
• Scanned the drives both at boot and with external tools
• Ran the Windows Memory Diagnostics Tool many times (no problems detected)
• Unplugged every attached device (even changed the USB keyboard and mouse)
I couldn't see it being hardware, a driver, or a service, since it runs clean at my site. I even ran it all day today, since our office is closed, just in case it was some "work hours" thing. No issues. I spent the last 48 hours going entry by entry through the Event Viewer and found some disturbing items. It looks like we were attacked, based on a share we did not create at
Path=D:\Virus Files\User Folders\Tom H\Tom H\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
I also found several TermDD Event 56 entries in the log that say "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: xxx.xxx.xxx.xxx"
These IPs all come back to ISPs in Russia and Ukraine.
Here are a few of the BSOD messages.
stop 0x000000D1 (0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xFFFFF88002FEE006)
termdd.sys - Address FFFFF88002FEE006 base at FFFFF88002FEB000, Date Stamp 4ce7ab0c
stop 0x0000000A (0x0000000000000000, 0x0000000000000002, 0x0000000000000001, 0xFFFFF8000405A48E)
No other info
stop 0x0000000A (0x0000000000000000, 0x0000000000000002, 0x0000000000000001, 0xFFFFF800040A748E)
No other info
So I will delete that share and turn off RDP since we don't need it (and block 3389 at the SonicWall), but what else can or should be done? I ran scans with the Pro versions of both Malwarebytes and AVG Server Business and they come up clean, and daily scans have been running the whole time. Thoughts?
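What I would run on the box as a first pass, as an added example written for this thread (it is not code from the original post): PowerShell that tallies the Client IPs in the TermDD Event 56 entries, correlates them with failed logons (Security 4625), lines them up against the crash records, compares the termdd.sys date stamp from the bug check (4ce7ab0c is seconds since 1970, i.e. 20 November 2010) with the driver actually on disk, removes the share at the path quoted above, and disables RDP plus blocks TCP 3389 on the host firewall as a backstop to the SonicWall rule. It assumes a 64-bit Windows Server with PowerShell 2.0 or later, run from an elevated prompt at the console rather than over RDP (it stops the RDP service). The firewall rule name is my own choice. Two caveats worth stating: the faulting address is inside termdd.sys, the RDP kernel driver, and the box only crashes while those clients can reach it, so make sure the RDP-related Windows updates are installed before RDP is ever turned back on; and a clean Malwarebytes/AVG result says nothing about a kernel driver being crashed from the network.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# (2.0 or later) at the server console. The SonicWall block is still needed
# for the rest of the network; this only hardens the host itself.

# 1. Tally the client IPs from every TermDD Event 56 in the System log.
#    The message ends with "Client IP: a.b.c.d", so a regex pulls the address.
$ipRegex = 'Client IP:\s*(\d{1,3}(?:\.\d{1,3}){3})'
$termEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TermDD'; Id = 56 } -ErrorAction SilentlyContinue
$termIps = foreach ($ev in $termEvents) {
    if ($ev.Message -match $ipRegex) { $Matches[1] }
}
"TermDD 56 hits per client IP:"
$termIps | Group-Object | Sort-Object Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize

# 2. Correlate with failed logons (Security 4625). The source address is the
#    'IpAddress' field in EventData; read it from the event XML, not the text.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue
$failIps = foreach ($ev in $failed) {
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
}
"Failed logons (4625) per source IP:"
$failIps | Where-Object { $_ -and $_ -ne '-' } | Group-Object | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 20 | Format-Table -AutoSize

# 3. Crash timeline to line up against the RDP noise: 6008 is the unexpected
#    shutdown record, 1001 from the BugCheck source carries the stop code.
"Crashes and unexpected shutdowns:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008, 1001 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize -Wrap

# 4. The faulting module is termdd.sys (RDP kernel driver). Decode the date stamp
#    from the bug check and compare it with the file on disk; an old stamp here
#    means the RDP security updates are not on this box.
$stampDate = ([DateTime]'1970-01-01').AddSeconds(0x4ce7ab0c)
"termdd.sys in the crash was linked on $stampDate (UTC)"
Get-Item "$env:SystemRoot\System32\drivers\termdd.sys" |
    Select-Object Name, LastWriteTime, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }

# 5. List the non-administrative disk shares (Type 0), then remove the share
#    that points at the path quoted in the post.
$roguePath = 'D:\Virus Files\User Folders\Tom H\Tom H\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5'
Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } |
    Select-Object Name, Path | Format-Table -AutoSize
$rogue = Get-WmiObject Win32_Share | Where-Object { $_.Path -eq $roguePath }
foreach ($s in $rogue) { "Removing share $($s.Name)"; [void]$s.Delete() }

# 6. Turn RDP off and block 3389 on the host firewall as well. netsh is used
#    because the NetSecurity cmdlets are not available on 2008 R2.
#    Stopping TermService drops any RDP session, hence "run from the console".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
Stop-Service TermService -Force
Set-Service TermService -StartupType Disabled
netsh advfirewall firewall add rule name="Block inbound RDP 3389" dir=in action=block protocol=TCP localport=3389
```

If the IPs from steps 1 and 2 overlap and the timestamps in step 3 sit inside those bursts, that is the answer to "is this hardware or the network". Keep the Event Viewer exports and the memory dumps from C:\Windows\Minidump before the migration; they are the only record of the attack once the old server is gone.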