Full Version: winlogon.exe crash
CSupport
Hi,

I have an issue on a server: winlogon.exe crashes within every 24 hours. Nothing as per the Event logs, but when I check it from Task Manager the handles are in lakhs; currently it's 6000000+ in just 24 hrs. One after another everything gets jammed, and if I run any page with IIS or open any application it gives this error.

Insufficient resources exist on the machine to complete this operation.

And soon I have to reboot the server or it becomes unresponsive. Any help for this issue?


Thank you.
Kyle
You were likely compromised.
riziko
I had a similar problem on my server. I could not logon with remote desktop, it would just close the window after I entered my password.

I opened a ticket with support but they were not very helpful. After 3 techs had a look, one of them acknowledged that there was something wrong with the server. He did a virus scan, didn't find anything and then suggested that I reload the OS. Actually, the one good thing he did was to disable all of the non-Microsoft services.

I kept trying to login and got in after a while. After looking around I found a rootkit had been installed and someone was sharing files via IRC using my bandwidth. I'm going to try and remember what I did as it might be useful for someone.

I ran the Kaspersky free online virus scanner
http://www.kaspersky.com/virusscanner
It will scan but not remove anything. To remove, you need the installable version (which does not work on Windows 2003 just yet).

Trend Micro online scanner is pretty good and it will remove some problems also. Might be better to run this first.
http://housecall.trendmicro.com

I had a problem where I couldn't install anything that needed MSI, so otherwise I might install Counterspy first and run that.

Check service list
I went through all of the services and tried to spot the fake ones. There were at least 3. They look like legit services or are similar names. Search for the file names on the internet. e.g. isass.exe instead of lsass.exe. Any that are suspicious set them to DISABLED. Use the SC command to get rid of them later if you are sure they are malware.

Run Sophos Anti-rootkit
http://www.sophos.com/products/free-tools/...ti-rootkit.html
It identified the rootkit and lots of warez files stored in the recycle bin and windows update folders.
I went through the list and ticked the box to delete all of the suspicious ones. There were a couple that were legitimate files. It will reboot the server afterwards.

Sysinternals RootkitRevealer is supposed to be good also but it must be run from the recovery console.
http://www.microsoft.com/technet/sysintern...itRevealer.mspx

Counterspy
http://www.sunbelt-software.com
I ran this once I could install new programs. It found a few extra registry entries etc.

Spybot
http://www.safer-networking.org
Also ran this. Nothing left to find now.

The server is pretty clean now but I think I will upgrade the box and dump this one as I cannot be sure that it is totally clean.

Regarding support from The Planet, this rootkit was one of the most common ones. Just running the Sophos tool would have shown it up in 20 minutes. Even a decent AV scanner should have shown something (don't know which one was used).

Hope this helps
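
The service-list check described in the post above can be partly automated. The following is an added example, not part of the original post: it flags service binaries whose file name is a near miss of a well-known Windows system binary (such as isass.exe for lsass.exe) or that use a genuine name from an unexpected folder. The service names, paths, the short KNOWN list and the C:\WINDOWS\system32 location are constructed assumptions.

```python
import ntpath

# Assumption: a default install with system binaries in C:\WINDOWS\system32.
SYSTEM32 = r"c:\windows\system32"
KNOWN = ["lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
         "csrss.exe", "spoolsv.exe"]

# Constructed sample data: (service name, image path of the service).
SERVICES = [
    ("Netlogon", r"C:\WINDOWS\system32\lsass.exe"),
    ("WinUpdateSvc", r"C:\WINDOWS\system32\isass.exe"),
    ("Dhcp", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("NetHelper", r"C:\WINDOWS\Temp\svchost.exe -k netsvcs"),
    ("SysHost", r'"C:\WINDOWS\system32\scvhost.exe" /service'),
    ("IISADMIN", r"C:\WINDOWS\system32\inetsrv\inetinfo.exe"),
]

def exe_path(image_path):
    """Lower-case the image path and drop quotes and command-line arguments."""
    p = image_path.strip().strip('"').lower()
    end = p.find(".exe")
    return p[:end + 4] if end != -1 else p

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_service(name, image_path):
    """Return (service, exe, reason) for a suspicious entry, else None."""
    path = exe_path(image_path)
    exe, folder = ntpath.basename(path), ntpath.dirname(path)
    if exe in KNOWN:
        if folder != SYSTEM32:
            return (name, exe, "real name, unexpected folder " + folder)
        return None
    for real in KNOWN:
        if edit_distance(exe, real) <= 2:  # one or two characters off a real name
            return (name, exe, "look-alike of " + real)
    return None

def scan(services):
    return [f for f in (check_service(n, p) for n, p in services) if f]
```

On a real server the image path of each service can be read with `sc qc <service name>`; a hit is only a lead to look up, as the post says, before disabling anything.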
David_Sanjeev
QUOTE (CSupport @ Feb 8 2007, 11:50 AM) *
Hi,

I have an issue on a server: winlogon.exe crashes within every 24 hours. Nothing as per the Event logs, but when I check it from Task Manager the handles are in lakhs; currently it's 6000000+ in just 24 hrs. One after another everything gets jammed, and if I run any page with IIS or open any application it gives this error.

Insufficient resources exist on the machine to complete this operation.

And soon I have to reboot the server or it becomes unresponsive. Any help for this issue?


Thank you.



Hi, is there any error in Windows events?