Lyndon Eaton
I have started to install SP4 onto Windows 2000 Server and
half way through the installation it says ipsec.sys can
not be found and asks me to browse for the file. I then
copied the ipsec.sys file from another machine onto a
floppy disk so that I could browse to the floppy and then
the installation would continue. When I inserted the disk
into the server, ipsec.sys is invisible.
I thought this was very strange so I started to
investigate/play. I checked that my system files and
hidden files are visible in Explorer, and that I was not
hiding extensions of known file types. With these settings
being correct I created a new file called hello.txt, and
then renamed it to ipsec.sys, the file then disappeared! If
I try to do the same a second time, I get an error saying
a file with this name already exists. All files seem to
disappear when given a filename mask of ipsec.*
I then mapped a drive to the server, and could see the
ipsec.* files I had been renaming from the remote machine.
So the files are there, they are just invisible.
Having looked on the internet, I found two programs that
can hide and lock files on a system. Both of these
programs run at kernel level. These programs are:
File & Folder Protector http://www.softheap.com/ffp.html
File Protect http://www.mikkotech.com/fp2000.html
I have installed both of these programs onto a
workstation, however their lists of 'files to
hide/protect' are independent. I would hope that both
programs would save their lists in the same location so
that I could install one of these programs onto the
server, see a list that displayed ipsec.* is being hidden
and reverse.
I suspect that our server has been hacked, and a program
similar to the above two has been installed, and set the
kernel to hide all ipsec.* files.
This brings me to my two questions.
1) If my suspicion is correct, and something has been set
in the kernel to hide ipsec.* files (and possibly others),
how can I restore the kernel? Or remove
these 'protect/hide' permissions.
2) My server is currently half way through the SP4
install, waiting for ipsec.sys. If I cancel the install at
this stage, will my server stop functioning? How do I roll
back the half install so that things carried on working
how they were?
Many thanks.
Lyndon Eaton.
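
The local-versus-mapped-drive comparison described in the post can be automated as a cross-view check. The following is an added example, not part of the original post: the function names and sample listings are constructed for illustration, and it assumes (as the post observed) that the remote view of the share is not filtered.

```python
import os
from collections import defaultdict

def list_names(path):
    """Names the OS returns when enumerating `path`.
    Run once on the server itself and once against the mapped share."""
    with os.scandir(path) as it:
        return [entry.name for entry in it]

def hidden_entries(local_names, remote_names):
    """Names present in the remote view but absent from the local view."""
    # Windows file names are case-insensitive, so compare in lower case.
    local = {n.lower() for n in local_names}
    return sorted(n for n in remote_names if n.lower() not in local)

def hidden_masks(local_names, remote_names):
    """Masks of the form stem.* for which every matching file is hidden locally."""
    hidden = {n.lower() for n in hidden_entries(local_names, remote_names)}
    by_stem = defaultdict(set)
    for name in remote_names:
        lowered = name.lower()
        by_stem[lowered.split(".", 1)[0]].add(lowered)
    # A stem counts only if all of its files are missing from the local view.
    return sorted(f"{stem}.*" for stem, names in by_stem.items()
                  if names <= hidden)

# Constructed sample listings of the same directory (not taken from the post).
LOCAL_VIEW = ["hello.txt", "tcpip.sys", "readme.txt"]
REMOTE_VIEW = ["hello.txt", "IPSEC.SYS", "ipsec.txt", "tcpip.sys", "readme.txt"]

if __name__ == "__main__":
    print("Hidden from local view:", hidden_entries(LOCAL_VIEW, REMOTE_VIEW))
    print("Fully hidden masks:   ", hidden_masks(LOCAL_VIEW, REMOTE_VIEW))
```

On a live system, feed `list_names()` output from the server console and from a second machine's mapped drive into the two comparison functions; any non-empty result means the local enumeration is being filtered.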