HELP! Server 2003 Event Question

Tona955

Technical User
Oct 19, 2007
8
GB
Hi All,

I have an event showing up on my application events that I can't find a fix on.

Source: UserInit
Event ID: 1000
Computer PUMPKIN-2003 ( Our Server)
Description:
Could not execute the following script C:\WINDOWS\$NtUninstallKB945553$\spuninst\1.bat. The system cannot find the file specified.

Some history.

This server was being hacked by someone in China at the end of last year. I formatted the server and rebuilt it, and I formatted all the workstations and reinstalled Windows XP Pro.
We are running Symantec AntiVirus and I usually check for malware and trojans (Malwarebytes).
A few weeks ago I lost some users out of Active Directory; I recreated these two users. Last weekend I lost all users except the administrator and my own login from Active Directory. At that time I could see a lot of events (Event 1202, source SceCli: security policies were propagated with warning 0x534, "no mapping between account names and security IDs was done").

I think we might still be under attack. A couple of users use RDP to connect remotely; my intention is to install a second network card and configure VPN for remote access.

I would really appreciate some help with this event.

Many thanks in advance.
 
It looks like someone dropped a command into the HKCU to run a batch file at startup, but the batch file is missing. The batch file had been hidden in the uninstall directories on your server, but it's probably been deleted since then, so the script isn't working. You won't be able to get rid of the error until you find the trigger that's trying to run that script. I'd just search the registry on your server for the "$NtUninstallKB945553$" string and see what you find.

If I were you, I'd configure your firewall to block all outbound traffic to the internet from your server except for DNS queries and connections to Microsoft's update sites and then watch your logs and see if your server is up to something that you aren't aware of.

Dave Shackelford
ThirdTier.net
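One way to carry out the registry search suggested in the reply above, as an added example that is not part of the original thread and not the responder's own procedure. It assumes PowerShell 3.0 or later on the machine being inspected (Server 2003 did not ship with PowerShell; see the note after the code for the built-in alternative). The autostart locations listed are standard Windows ones, including the `HKCU\Environment` key that userinit.exe reads a logon script path from; the string searched for is the `$NtUninstallKB945553$` path taken from the event text on this page. Besides finding the string, the script flags any autostart entry whose target file no longer exists, which is exactly the "trigger for a missing script" condition the reply describes.

```powershell
# Added example (not from the Tek-Tips thread): locate the registry entry that
# keeps trying to run a deleted script, and flag other autostart entries whose
# target file is missing. Run from an elevated PowerShell 3.0+ session.

$Needle = '$NtUninstallKB945553$'   # path fragment from the UserInit 1000 event

# Standard Windows autostart locations (assumed complete enough for this check;
# HKCU\Environment holds UserInitMprLogonScript, a logon-script persistence value).
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Environment'
)

function Get-ScriptPath {
    # Extract the executable/script path from a command line so we can test
    # whether the file exists. Handles a quoted path; otherwise takes the first
    # token (unquoted paths containing spaces are not resolved, by design).
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    # Winlogon values such as "userinit.exe," carry a trailing comma; split on it too.
    return ($cl -split '[\s,]+')[0]
}

function Get-SuspiciousAutostart {
    # Report autostart values that contain the needle or point at a missing file.
    param([string]$Pattern)
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if (-not $data) { continue }
            $hit  = $data -like "*$Pattern*"
            $path = Get-ScriptPath $data
            # Only test absolute paths; bare names like "explorer.exe" resolve via PATH.
            $missing = ($path -match '^[A-Za-z]:\\') -and -not (Test-Path -LiteralPath $path)
            if ($hit -or $missing) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $name
                    Data       = $data
                    HasNeedle  = $hit
                    FileMissing = $missing
                }
            }
        }
    }
}

function Find-RegistryString {
    # Brute-force walk of a hive looking for the needle in any value's data,
    # for triggers that live outside the well-known autostart keys.
    param([string]$Root, [string]$Pattern)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        foreach ($n in $k.GetValueNames()) {
            $d = [string]$k.GetValue($n)
            if ($d -like "*$Pattern*") {
                [pscustomobject]@{ Key = $k.Name; ValueName = $n; Data = $d }
            }
        }
    }
}

"== Autostart entries matching '$Needle' or pointing at a missing file =="
Get-SuspiciousAutostart -Pattern $Needle | Format-Table -AutoSize

"== Full-hive search of HKCU and HKLM for '$Needle' (slow) =="
Find-RegistryString -Root 'HKCU:\' -Pattern $Needle | Format-Table -AutoSize
Find-RegistryString -Root 'HKLM:\' -Pattern $Needle | Format-Table -AutoSize
```

Because HKCU is per user, run the script in the session of the account whose logon produces the event (or load that user's `NTUSER.DAT` hive and search it). On a Server 2003 box without PowerShell, the built-in equivalent of the full-hive search is `reg query HKCU /f "$NtUninstallKB945553$" /s`, repeated for HKLM; it finds the same value but does not do the missing-file check. Whatever entry turns up is the trigger the reply talks about: record it (key, value name, data, and the registry key's last-write time if you can get it) before removing it, so you keep evidence of how persistence was established.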
 