Mixed Mode Problem


Rich

Approx 50 user network with three servers, two are NT4.0
(SP6a), the other is W2K. W2K is PDC of mixed mode
domain. Have had recent prob with browsing the network.
Win98 clients can't authenticate, W2K & WXP can. I can
see all the machines in NetHood from the 2 NT servers
except the W2K server! Currently the W2K server is the
only one running DNS, while the 2 NT servers are running
WINS. This was all working fine until about a week ago
when a bot was discovered and eliminated. Help!
 
Rich said:
Approx 50 user network with three servers, two are NT4.0
(SP6a), the other is W2K. W2K is PDC of mixed mode
domain. Have had recent prob with browsing the network.
Win98 clients can't authenticate, W2K & WXP can. I can
see all the machines in NetHood from the 2 NT servers
except the W2K server! Currently the W2K server is the
only one running DNS, while the 2 NT servers are running
WINS. This was all working fine until about a week ago
when a bot was discovered and eliminated. Help!

A "bot"? How did you find it and how was it eliminated? During eradication,
you may have inadvertently removed key files.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
The Eggdrop IRC bot was loaded nefariously. Because it
would not allow me to stop the service or delete its
files, I renamed the several .exe files, the .bat files
and the .tcl files in the subdirectory (...\os2\...etc)
where it lived. Then rebooted the machine. All browsing
came back, but within two days the problem returned. I
am also getting the following symptoms:

On reboot the DOS dialog - "net.exe" - "Users have open
files on IPC$. Continuing will force the files closed."

NtlogonWrk Service: WDSVC terminated. Incorrect function.
(This service won't start.)
______________
Schannel: No suitable default server credential exists.

Applog: NtlogonWrk started
: Service failed to shutdown correctly due to
subprocess unable to be killed. Error Code 5
: Monitoring failed; subprocess is probably dead.
Error 997
______________
The bracketed section repeats every minute or so in the
Applog.

The bot may be a red herring, but its appearance does
seem to correlate to the problem, and there is reason to
strongly suggest sabotage.

Thank you for your interest in this.

Rich
 
Additional Info:

In opening Network Neighborhood on the NT4 server sitting
next to the W2K server, I cannot open the W2K machine:
\\machinename is not accessible. The server is not
configured for transactions. The two NT boxes are now not
able to see any network clients or the W2k server. All
W98 clients are unable to see the network, all W2K and XP
clients are working fine. It seems that AD is working,
but that WINS is not.
 
Wow, what a mess. Have you tried contacting your antivirus/antitrojan vendor
to see if they have a "fixer" to properly eradicate it?

Pest Patrol (an anti-trojan) will cleanly remove this:
http://www.pestpatrol.com/PestInfo/t/the_eggdrop_irc_bot.asp

BUT, if you already tried it manually and made numerous changes, can't
guarantee the outcome.

--
Regards,
Ace

 