Bugcheck 0x0000001E Error
A server running as a Domain Controller and also as a mail server kept restarting by itself at random. I suspected a RAM-related issue.
Replaced the RAM, but it didn't seem to help. Tried different slots, different combinations of the new 512MB with the existing 512MB, then with the existing 256MB, then again without either of the old memory modules; still no luck.
No difference whichever way I tried. Noticed errors saying it was unable to run the .NET Framework or something, so decided to install the .NET Framework again, but only realised that I had installed 2.0 instead after I had started the installation.
Midway through the installation there was a prompt saying that the previous .NET 1.1 installation was suspended; clicked OK to undo the suspended installation and continued with the installation of the 2.0 version.
At the same time I also noticed a lot of strange-looking services in the Services panel. Although they weren't running, their startup type was set to start automatically.
Did a search on them and realised almost all of them are some sort of rootkit or malware, e.g. GrayPigeonServer, which runs G_SERVER.EXE in the Windows folder; QQ1, which runs QQMY.EXE in the same location or in system32 (can't remember exactly); and Socks5 Slave, which runs from a subfolder of the Windows folder as COM\Services.exe, which I am quite sure is a SOCKS server installed for proxying a connection to another location.
All of them were removed from HKLM\SYSTEM\CurrentControlSet\Services, but there were also similar entries under ENUM\ROOT which I was unable to remove. Initially I thought that it was because they were referenced by a running service.
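As an added example (not part of the original post), the PowerShell audit below does the check described above in a repeatable way: it lists every service set to start automatically, resolves its binary (following svchost-hosted services to their ServiceDll), flags binaries that live outside the usual System32 / Program Files locations, as G_SERVER.EXE in the Windows folder or COM\Services.exe would, and reports whether a matching LEGACY_ key still exists under Enum\Root, which is where pre-Vista Windows keeps the second copy the post had to clean up. The trusted-directory list and the function names are my own choices, not anything from the post.

```powershell
# Added example, not from the original post. Read-only; run from an elevated PowerShell prompt.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$EnumRootKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

# Directories treated as normal homes for service binaries (an assumption made for this example;
# note that the Windows folder itself is deliberately NOT on the list).
$TrustedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_.Length -gt 1 }

function Get-ServiceExecutable {
    # Reduce an ImagePath / ServiceDll value to the file it names. The value may be quoted,
    # may carry arguments, may use %SystemRoot% or \??\ or \SystemRoot\, or be a bare relative path.
    # (An unquoted path containing spaces is cut at the first space; that is a limitation of this example.)
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $exe = if ($ImagePath.StartsWith('"')) { $ImagePath.Split('"')[1] } else { ($ImagePath -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '^\\\?\?\\')      { $exe = $exe.Substring(4) }                      # \??\C:\...
    if ($exe -match '^\\SystemRoot\\') { $exe = $env:SystemRoot + $exe.Substring(11) }   # \SystemRoot\system32\...
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }  # system32\svchost.exe
    return $exe
}

function Get-AutoStartServiceReport {
    foreach ($svc in Get-ChildItem -Path $ServicesKey) {
        $props = Get-ItemProperty -Path $svc.PSPath
        # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled. Only automatic ones interest us here.
        if ($props.Start -ne 2) { continue }
        $exe = Get-ServiceExecutable $props.ImagePath
        if (-not $exe) { continue }
        # For svchost-hosted services the real code is the ServiceDll, so judge that file instead.
        if ($exe -match 'svchost\.exe$') {
            $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $exe = Get-ServiceExecutable $dll }
        }
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        # Pre-Vista Windows also creates Enum\Root\LEGACY_<NAME> for each non-PnP driver or service.
        $legacyKey = Join-Path $EnumRootKey ('LEGACY_' + $svc.PSChildName.ToUpper())
        [pscustomobject]@{
            Service       = $svc.PSChildName
            DisplayName   = $props.DisplayName
            Executable    = $exe
            FileExists    = Test-Path -LiteralPath $exe
            InTrustedDir  = $inTrusted
            LegacyEnumKey = Test-Path -LiteralPath $legacyKey
        }
    }
}

# Anything outside a trusted directory, or whose binary has vanished, deserves a closer look.
Get-AutoStartServiceReport |
    Where-Object { -not $_.InTrustedDir -or -not $_.FileExists } |
    Format-Table -AutoSize
```

A legitimate third-party service installed under its own folder will show up here too, so the list is a starting point for inspection (check the vendor, signature and file dates), not a verdict; an entry whose binary no longer exists but whose LEGACY_ key remains is the typical leftover after a partial cleanup.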
I restarted the server into Safe Mode and tried to delete them from there, but was also unable to. Did some research and realised that I needed to add rights for myself on the registry keys before I could delete them. Remembered that to amend rights on the registry I need to run regedt32.exe instead of regedit.exe. Started it, added Administrators with full access to the key, applied, and then deleted all of the references.
Also stopped all vulnerable processes like IIS, IISAdmin, FTP and WebAdmin for MDaemon, then disabled all of them. I also ran some additional tools like DeepMonitor and Killbox, but I cannot remember the exact processes that I terminated.
How the server got infected I have no idea, as I am not the only administrator managing it.
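The regedt32 steps just described (take ownership, give Administrators Full Control, then delete the key) can be scripted, which matters when there are a dozen leftover keys. The following is an added example of mine, not from the post: the function name, the placeholder key name at the bottom and the small P/Invoke helper are my own, and the helper is needed because opening a key for WRITE_OWNER when its DACL grants you nothing only works while SeTakeOwnershipPrivilege is enabled in the token, something regedt32 does for you but a script has to do itself.

```powershell
# Added example, not from the original post. Requires an elevated (Administrators) prompt.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    // Enable one privilege (e.g. SeTakeOwnershipPrivilege) in the current process token.
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, ref htok)) return false;  // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 0x2;                // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return ok && Marshal.GetLastWin32Error() == 0;  // error 1300 = privilege not held (not elevated)
    }
}
'@

function Grant-AdminRegistryAccess {
    param(
        [Parameter(Mandatory = $true)][string]$SubKey,   # path below HKLM
        [switch]$Remove                                  # without it, only the permissions are changed
    )
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'Could not enable SeTakeOwnershipPrivilege; run this from an elevated prompt'
    }
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $rw     = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $rights = [System.Security.AccessControl.RegistryRights]

    # Step 1: become owner. Only WRITE_OWNER is requested, which the privilege grants regardless of the DACL.
    # A fresh RegistrySecurity is used so nothing has to be read from a key we may not be allowed to read.
    $key = $hklm.OpenSubKey($SubKey, $rw, $rights::TakeOwnership)
    if ($null -eq $key) { throw "HKLM\$SubKey does not exist" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 2: as owner we are implicitly granted READ_CONTROL and WRITE_DAC, so the DACL can now be edited.
    $key = $hklm.OpenSubKey($SubKey, $rw, ($rights::ChangePermissions -bor $rights::ReadPermissions))
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $sec.SetAccessRule($rule)
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 3: with Full Control in place the key and everything under it can be deleted.
    if ($Remove) { $hklm.DeleteSubKeyTree($SubKey) }
}

# Placeholder key name, not one from the post. Run without -Remove first and inspect the key;
# add -Remove once you are sure it belongs to the malware.
# Grant-AdminRegistryAccess -SubKey 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXAMPLE_SERVICE'
```

The order is the point: ownership first, because that is the one step the privilege alone can force; permissions second, because the owner can always rewrite the DACL; deletion last. Doing it from Safe Mode, as the post did, avoids the other failure mode, a service still holding the key open.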
Fortunately, it was at an early stage of infection and the server managed to boot up ok after that.