Wow. I'd keep a *very* close eye on things. (I'd also consider nuking and re-paving, or whatever the doomsday scenario is called these days...)
On Mon, Jun 7, 2010 at 8:58 PM, Mike Gill <[email protected]> wrote:

> Aw man! So the problem was the cmd executable. I booted to my BartPE CD and immediately did Win+R to run a command line. Well apparently when you do that in Bart, it defaults to running it off the C drive. I saw some odd errors pop up and cmd.exe would not run. Running cmd.exe from the Bart CD worked fine however. So I replaced the cmd.exe on the server with the one from the CD. I had no strange problems renaming or deleting files while running Bart, and the psutils that didn’t work before ran fine. Here’s the “Aw Man!” part. This server uses a HostRAID. When in Bart, I see all the hard drives independently, non-RAID’d. I renamed the original cmd.exe on the C drive so I could upload it to an online virus scanning site after rebooting. I should have backed it up. When I rebooted the server the RAID must have corrected the discrepancy by deleting the cmd2.exe file that only existed on one of the two drives housing the OS. Doh…
>
> Otherwise all the trouble I had before is now gone. It could have simply been corrupted, but I will be keeping a close eye on this server and doing some follow up tomorrow.
>
> --
> Mike Gill
>
> *From:* Richard Stovall [mailto:[email protected]]
> *Sent:* Monday, June 07, 2010 5:23 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Strange CMD, and permissions troubles, Can-o-worms
>
> This sounds awfully suspicious. Do you have a good backup of the volume in question?
>
> Without knowing any more, and assuming I had a good backup, I'd try a simple reboot first. If that failed to correct the problem(s) I'd look to begin some serious malware / rootkit detection from multiple vendors.
>
> Just for giggles, what happens if you download the newest versions of the pstools to a brand new location? Can you run them from there?
>
> On Mon, Jun 7, 2010 at 7:56 PM, Mike Gill <[email protected]> wrote:
>
> > Wow, I opened a can of worms. In looking into an issue on my Win2K3 file server, I found that I can’t run a certain application from the command line that I can from Explorer. It exists in the Program Files folder and I’m logged in as Administrator. The error message on the command line simply says Access Denied. Procmon shows the event, and declares the following results on the exe: Name Invalid, Invalid Parameter, Fast IO Disallowed, Buffer Overflow. This runs from the GUI just fine, so I don’t think the problem is with the exe.
> >
> > The next part (no idea if it’s related) is I tried running some other commands in diagnosing the above dilemma that also don’t work. A few, but not all, of the Sysinternals PS utils don’t work. What’s more, is when I right click and choose properties of one of the psutils that doesn’t work, the security tab is non-existent. I can’t delete/move/rename the file either. I’ve tried takeown, icacls, nothing lets me do anything with it. One thing that’s different from the first issue is I can’t run them from the gui. Says I don’t have permission either way.
> >
> > Chkdsk shows no errors. AV scans show no problems. The security tab is visible on other items, just not the ones I’ve discovered so far with this problem. The PS utils that don’t work do work when run from another folder. CMD.exe appears identical to the same file on another server. In a few minutes I will be able to take the server down as people go home. Then I can try an offline delete. Any thoughts? Never seen this before.
> >
> > --
> > Mike Gill
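An added check for the situation in this thread (example script, not from any poster): it compares cmd.exe and the PsTools binaries on the suspect host against SHA-256 hashes exported from a known-good server, checks their Authenticode signatures, and flags files whose DACL cannot be read, which is the "no Security tab" symptom above. It assumes PowerShell 4 or later for Get-FileHash, and the paths `C:\Tools\PsTools` and `C:\Tools\ref.csv` are placeholders.

```powershell
# Added example, not from the thread. Verifies system/tool binaries on a suspect
# host against a reference exported from a known-good server, then reports only
# the files that look wrong. Requires PowerShell 4+ (Get-FileHash).

$toolDir = 'C:\Tools\PsTools'    # assumed location of the Sysinternals utilities
$refCsv  = 'C:\Tools\ref.csv'    # assumed path of the reference export

# On the known-good server, produce the reference with:
#   Get-FileHash -Algorithm SHA256 C:\Windows\System32\cmd.exe, C:\Tools\PsTools\*.exe |
#       Export-Csv C:\Tools\ref.csv -NoTypeInformation

function Test-Binaries {
    param([string[]]$Files, [string]$ReferenceCsv)

    # Reference hashes keyed by lower-case file name so paths need not match.
    $reference = @{}
    Import-Csv $ReferenceCsv | ForEach-Object {
        $reference[(Split-Path $_.Path -Leaf).ToLower()] = $_.Hash
    }

    foreach ($file in $Files) {
        # 1. Authenticode status: 'Valid' is expected for Microsoft and Sysinternals binaries.
        $sig = Get-AuthenticodeSignature -FilePath $file

        # 2. Hash comparison against the known-good export.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
        $key  = (Split-Path $file -Leaf).ToLower()
        $hashMatch = if ($reference.ContainsKey($key)) { $reference[$key] -eq $hash } else { 'no reference' }

        # 3. DACL readability: Get-Acl failing for Administrator on a local file is abnormal.
        $aclReadable = $true
        try { $null = Get-Acl -Path $file -ErrorAction Stop } catch { $aclReadable = $false }

        [pscustomobject]@{
            Path        = $file
            Signature   = $sig.Status
            HashMatch   = $hashMatch
            AclReadable = $aclReadable
        }
    }
}

$targets = @("$env:SystemRoot\System32\cmd.exe") +
           (Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object { $_.FullName })

# Show only anomalies: unsigned/tampered signature, hash mismatch, or unreadable DACL.
Test-Binaries -Files $targets -ReferenceCsv $refCsv |
    Where-Object { $_.Signature -ne 'Valid' -or $_.HashMatch -ne $true -or -not $_.AclReadable } |
    Format-Table -AutoSize
```

A file that fails the hash or signature check is the one to preserve (copy, not rename in place, given the RAID resync described above) before it is replaced or submitted for analysis.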
