
W3SVC System warning messages - am I being hacked?


glnz


No.

Your "normal" Outlook Express will likely need the SMTP protocol which has nothing to do with IIS or SMTP virtual servers.

https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

Check the SMTP server in the Outlook Express account(s) you are using, likely it is a server provided by your e-mail account provider (i.e. your ISP or some other third party server).

You are running (without knowing actually "why", thus I presume by mistake) an Internet Server, and this is evidently mis-configured.

Those SMTP virtual servers are (clearly) not working since they cannot even be logged into, so *whatever* they are supposed to be doing, they are currently NOT doing it. Since you didn't provide reports of any other issues (like mail not being received or delivered), it is clear enough that they have no use on your system.

You have IMNSHO two alternatives:

1) stop running senselessly that IIS instance.

2) learn how to configure it properly, and then run it without any need or use for it.


 

jaclaz
 



12 hours ago, glnz said:

Well, gents, first I found World Wide Web Publishing in services.msc, stopped and restarted it.

Then, I found the IIS snap-in and the restart control and ran the restart. 

There's nothing new in the Event Viewer System messages from the two restarts other than that the services were stopped and restarted.  jaclaz - you wrote above that if the IIS was badly configured, the error messages would repeat on the restart.  But they didn't.

After the restart, other things seem to run as before, including my browser (on which I'm typing now) and my Outlook Express 6 for emails (which I assume depends on SMTP, which I saw depends on IIS).

Also, I don't have any scheduled tasks near the 5:30 pm ± Eastern time start point of the Event Viewer messages.

I guess we'll wait until tomorrow 5:30pm ± Eastern Time.

Meantime, while in the IIS snap-in, I saw that the two IPs that appear in the W3SVC logs have something to do with Default SMTP Virtual Server, whatever that is.  See the screenshot I've uploaded here (as a Word .doc).  I have no idea what this is. 

And another clue:  If I use my browser to try to go to 192.168.56.1 or 192.168.1.6 (the two IPs in the W3SVC logs), I am prompted for a username and password, which I don't have.  If I guess, I get

However, 192.168.1.6 is this computer - my XP Dell Optiplex 755.  I have no idea what is 192.168.56.1.

Any thoughts?

Screenshot IIS - Default SMTP Virtual Server.doc


Unless you host a site, you never need IIS.

If you host a site, then try using Saya's IIS 6 Config utility (I wonder whether you can find it).


jaclaz and dibya - before I turn off IIS, I am concerned that my Outlook Express 6 will stop working correctly, because various screens indicate that SMTP depends on IIS, and I assume that Outlook Express depends on that SMTP.

See the new Word doc attached here - 5 pages with screenshots of "Properties" tabs from IIS and SMTP in services.msc.  They indicate that SMTP depends on IIS (and that SMTP is a dependency of IIS).

But is the SMTP in my attached screenshots different from the SMTP used by my Outlook Express?   In my Outlook Express account settings, it says, "Server Information: Outgoing Mail (SMTP): smtp.verizon.net".  It also says, "Server Port Numbers: Outgoing Mail (SMTP): 465".

If there's only one SMTP, how can I turn off IIS?

Thanks for working with me on this.

About SMTP and IIS.doc


<OffTopic>BTW, glnz, what happened to your avatar? You really should set one again... it does help identify who's posting at a glance, you know. Just my 2 ¢, of course!</OffTopic>


Ok - more stuff and I don't know if it's related to this issue.

Yesterday 8:21pm - turned off and then on the IIS, as I described above.  No immediate Warning notices.

Yesterday 10:55pm - One of these warning notices by itself without a TCP-IP overflow message.  "The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password."

Yesterday 11:21pm - After some more fussing, I did a reboot.  Got a BSOD noting ipnat.sys as the culprit.  "The computer has rebooted from a bugcheck.  The bugcheck was: 0x100000d1 (0x04c08a29, 0x00000002, 0x00000000, 0xa0328787)."

Yesterday 11:25pm - Have now rebooted again, OK, but later notice this error message:


Event Type:    Error
Event Source:    System Error
Event Category:    (102)
Event ID:    1003
Date:        7/2/2016
Time:        11:25:08 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
Error code 100000d1, parameter1 04c08a29, parameter2 00000002, parameter3 00000000, parameter4 a0328787.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This morning 8:23am - Did a sfc /scanonce on a reboot.

Tonight, starting 6:13pm, get the following messages.  Only the first is a warning.  The others are a bit new - haven't seen them recently.  Could it be that whatever is acting is now succeeding instead of getting blocked for bad password?


Event Type:    Warning
Event Source:    Tcpip
Event Category:    None
Event ID:    4226
Date:        7/3/2016
Time:        6:13:53 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

___________________________

Event Type:    Information
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7035
Date:        7/3/2016
Time:        6:14:23 PM
User:        NT AUTHORITY\SYSTEM
Computer:    DELLOPTIPLEX755
Description:
The COM+ System Application service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_______________________

Event Type:    Information
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7036
Date:        7/3/2016
Time:        6:14:23 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The COM+ System Application service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

__________________________

Event Type:    Information
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7035
Date:        7/3/2016
Time:        6:14:23 PM
User:        NT AUTHORITY\SYSTEM
Computer:    DELLOPTIPLEX755
Description:
The Distributed Transaction Coordinator service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_________________________

Event Type:    Information
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7036
Date:        7/3/2016
Time:        6:14:23 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The Distributed Transaction Coordinator service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

___________________________

[This last message is in Applications.  All the others have been in System.]

Event Type:    Information
Event Source:    MSDTC
Event Category:    Disk
Event ID:    2444
Date:        7/3/2016
Time:        6:14:23 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
MS DTC started with the following settings:

  Security Configuration (OFF = 0 and ON = 1):
      Network Administration of Transactions = 0,
      Network Clients = 0,
      Inbound Distributed Transactions using Native MSDTC Protocol = 0,
      Outbound Distributed Transactions using Native MSDTC Protocol = 0,
      Transaction Internet Protocol (TIP) = 0,
      XA Transactions = 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thoughts?  Thanks.

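As an added example (not code from the thread), a triage pass over events pasted in that Event Viewer text layout: it parses the blocks and sorts them into IIS logon failures, the Tcpip 4226 outbound connect limit, and indexer noise, which is the split a responder would make before deciding whether the evening pattern needs a closer look. The sample events are constructed from the posts; the W3SVC event ID is a placeholder because the posts never show it.

```python
import re
from collections import defaultdict

# Constructed sample in the Event Viewer "copy" text layout the thread posts.
# Sources, IDs and descriptions follow the posts, except the W3SVC event ID,
# which the posts do not show: 0 is a placeholder.
SAMPLE_LOG = """\
Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    0
Date:        7/2/2016
Time:        10:55:12 PM
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
___________________________

Event Type:    Warning
Event Source:    Tcpip
Event Category:    None
Event ID:    4226
Date:        7/3/2016
Time:        6:13:53 PM
Computer:    DELLOPTIPLEX755
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

FIELD_RE = re.compile(r"^(Event Source|Event ID|Date|Time):[ \t]*(.*)$", re.M)
DESC_RE = re.compile(r"^Description:\n(.*?)(?:^For more information|\Z)", re.S | re.M)

def parse_events(text):
    """Split a pasted Event Viewer dump into one dict per 'Event Type:' block."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.startswith("Event Type:"):
            continue
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        m = DESC_RE.search(chunk)
        events.append({
            "source": fields.get("Event Source", ""),
            "id": int(fields.get("Event ID", "0")),
            "when": fields.get("Date", "") + " " + fields.get("Time", ""),
            "description": m.group(1).strip() if m else "",
        })
    return events

def classify(event):
    """Map one event to a triage bucket; comments give the defender's follow-up."""
    desc, src, eid = event["description"], event["source"], event["id"]
    if "unable to logon the Windows NT account" in desc:
        # Something presented credentials to the IIS listener and failed: read the
        # IIS site logs for the client address, and ask why IIS is running at all.
        return "iis_logon_failure"
    if src == "Tcpip" and eid == 4226:
        # XP SP2+ caps half-open *outbound* connects, so a local process is opening
        # many connections; identify it before assuming an inbound attack.
        return "outbound_connect_burst"
    if src == "Ci":
        return "indexing_noise"  # content indexer, not security relevant
    return "other"

def triage(text):
    """Return {bucket: [timestamps]} so times can be lined up with the 5:30 pm pattern."""
    buckets = defaultdict(list)
    for ev in parse_events(text):
        buckets[classify(ev)].append(ev["when"])
    return dict(buckets)
```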

A protocol is not a server/service.

Hint #1:

1) Disable/stop IIS

2) try sending and receiving an e-mail through Outlook Express.

3) Does it work?

Hint #2 (historical note):

Millions, maybe billions of devices have been running XP WITHOUT IIS for years, and still they managed and still manage to have SMTP mail (through Outlook Express or other mail program) working nicely.

Final hint:

You open the mail account(s) on Outlook Express and check what is in the SMTP server field.

If it is a local IP, then you have a configured local SMTP server (which might or might not be based on that IIS instance); if you have a non-local IP address (rare) or, more likely, a web server address such as (example) mail.authsmtp.com, you are NOT using IIS SMTP (virtual) servers and you don't §@ç#ing need them (in any case they are not working anyway).

You have smtp.verizon.net (on port 465).

Do you believe it to be local or belonging to Mr.Verizon :w00t:?

Do you believe that shutting down a (non working) local virtual server that your Outlook Express does NOT use will affect e-mail sending or receiving capabilities?

jaclaz
 


jaclaz - done.  Email is still working.  I can still link in from another computer using Teamviewer or LogMeIn. 

Wonder what program had me start IIS in the first place.

Many thanks.



Well ... there is ONE issue.

On reboots since I turned off IIS on July 4, I now get warning message:


Event Type:    Warning
Event Source:    Ci
Event Category:    CI Service
Event ID:    4147
Date:        7/17/2016
Time:        7:51:44 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The IISADMIN service is not available, so virtual roots cannot be indexed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

However, ever since I replaced my hard drive last November, Ci has been throwing other error messages and indicating it is not working.  So I'm not sure whether this new warning about "IISADMIN service is not available" actually makes a difference.  But I'd prefer to straighten this out.

Thoughts?  Thanks.

EDIT - HEY - I just noticed the reference to "virtual roots".  Is it possible IIS started originally because I once tried to play with virtual on this machine (but gave up because I don't understand it)?


Naaah, "virtual roots" should be part of the indexing service (again connected to IIS):
https://technet.microsoft.com/en-us/library/cc938023.aspx

You can remove it alright:
https://secure.corradoroberto.it/doc/winsvr/lwinsvr20032-CHP-13-SECT-1.html

Or delete the unneeded catalogs, the following is for Win2K, but I don't think that XP is different in any way:
http://www.evagoras.com/2011/02/01/the-windows-2000-indexing-service/

jaclaz
 


jaclaz - Actually, I'd like to get the Indexing Service working better on my XP machine. 

Indexing Service seemed to work well UNTIL I replaced my hard drive last November.  The old drive was a normal hard drive that was starting to go bad.  I had a very lightly used leftover Maxtor Momentus XT from my wife's dead XP laptop, and so I set up that Maxtor Momentus XT to become my replacement hard drive.  It's one of the early HD-SSD hybrids.  I used Aomei Backupper to Backup everything out to a separate external drive and then to Restore everything to the Maxtor Momentus XT.  I had boot problems, so I used my Macrium disk to fix the MBR and other boot files.

Since then, the Maxtor Momentus XT seems to be working quite well generally in my Dell Optiplex 755 desktop (Win XP SP3 with the POS hack for continued updates) with one exception:  Since the hard drive swap last November, the native Indexing Service in my XP has thrown error messages regarding Ci in every reboot and seems not to have been updating new or changed files after the hard drive swap last November.  This has been an issue even before I turned off IIS earlier this month.

These are the error messages:


Event Type:    Information
Event Source:    Ci
Event Category:    CI Service
Event ID:    4137
Date:        7/17/2016
Time:        7:51:44 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
CI has started for catalog c:\system volume information\catalog.wci.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
___________________

THIS IS THE NEW ONE SINCE I TURNED OFF IIS ON JULY 4, 2016:

Event Type:    Warning
Event Source:    Ci
Event Category:    CI Service
Event ID:    4147
Date:        7/17/2016
Time:        7:51:44 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The IISADMIN service is not available, so virtual roots cannot be indexed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

______________

Event Type:    Information
Event Source:    Ci
Event Category:    CI Service
Event ID:    4137
Date:        7/17/2016
Time:        7:51:45 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
CI has started for catalog c:\inetpub\catalog.wci.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_______________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\program files\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\palm\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\documents and settings\[Second User Name]\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_______________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\documents and settings\[My User Name]\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

___________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\documents and settings\administrator\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_______________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\documents and settings\default user\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_____________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\documents and settings\all users\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\sharedoc nov 30 09\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

_________________

Event Type:    Error
Event Source:    Ci
Event Category:    CI Service
Event ID:    4118
Date:        7/17/2016
Time:        7:51:46 AM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
A content scan could not be completed on c:\work may 2008 update sept 24 09\.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm afraid that, if I now "remove" anything related to the Indexing Service, then I'll forever lose what's already been indexed through last November and be unable to Query Search anything.

ALSO - In Add or Remove Windows Components, the Indexing Service is NOT checked.  (So why can I still do queries?)  (And, as you know from above, IIS is now also NOT checked.)

What do you think about getting the Indexing Service working again?  Thanks.


42 minutes ago, glnz said:

I'm afraid that, if I now "remove" anything related to the Indexing Service, then I'll forever lose what's already been indexed through last November and be unable to Query Search anything.

I'm not that familiar with the inner workings of the Indexing Service, so I could be completely wrong, but I don't see this as an issue, especially since you're having problems with the Indexing Service anyway.  If you really feel that using the MS Indexing Service is necessary for you, I'd be tempted to completely remove the Indexing Service, then be sure you have cleaned out any remnants of IIS, then reinstall the Indexing Service and let it re-Index everything.  But I'd probably look at 3rd party alternatives to the MS Indexing Service instead of reinstalling the MS service.  What aspects of the Indexing Service do you actually use?  Many people look at the MS Indexing Service as something that takes up both space and CPU cycles that could be better used elsewhere and do not use it at all.  Something to consider, but I would definitely get advice from someone who knows more about this than I do, such as jaclaz.

Cheers and Regards


It is likely that something in the backup/restore procedure (possibly on a badly configured system) has led to some corruption of the stupid indexing service catalog(s).

Remove the "\inetpub\" catalog, that one is the IIS one, you don't need it.

The one in use for local files and directories is the "\System Volume Information\" one.

The EVENT ID 4118's are (probably) caused by some permission (or by some other mismatch/whatever) caused by the backup/restore (or because of some other misconfiguration), try with a manual full rescan of those folders:
https://support.microsoft.com/en-us/kb/273768

You can also check/increase USN Journal size:
http://www.tomshardware.co.uk/forum/115481-45-error-event-4118-resolve

but it is IMHO less likely to be the cause of the issue.

jaclaz


 


bphlpt and jaclaz - what do you make of the fact that, right now, in "Add or Remove Windows Components," the Indexing Service is NOT checked?   (I don't know how long that's been the case.)

Should I just check it and see?

I'd prefer to keep the existing, deep database and not have the OS try to re-do it from scratch.  I have emails going back to 2005.  Prefer that Indexing turn back on, respect the existing database and start catching up from last November.

By the way, I do have an alternate system -- Google Desktop -- which I've kept all these years after Google discontinued it.  It's actually where I go first.  But it isn't foolproof, and I like to have the MS Indexing Service as well.

All of this helps me a lot when I'm looking for a document or spreadsheet that's a needle in a haystack, especially when I'm doing tax returns (like next month).

Thanks.


Well, this should mean that you also have installed appropriate iFilters for the Indexing Service, if I recall correctly "standard" ones won't do spreadsheets and mails :unsure:.

Just in case:
http://www.ifilter.org/default.htm

http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/System-Enhancements/Windows-Portable-Applications-Portable-IFilter-Explorer.shtml

IF the database has issues you will want to fix it, otherwise, keep it "as is" and accept those errors in the event log.

Layman example: you are very fond of your car and particularly love its pistons and rods :w00t: BUT the engine is dead :( and you either decide to repair it (replacing the beloved pistons) or you keep it in your garden as a decorative item and start walking.

jaclaz
 


jaclaz - I tried to do first an incremental rescan and then a full rescan of one of the indexed folders but got the same 4118 error messages in Event Viewer - "A content scan could not be completed on [that folder]".

So I'm looking at your second suggestion re the size of the USN Journal.

First, this is what I see in cmd:


C:\>fsutil usn queryjournal C:
Usn Journal ID   : 0x01c90592944bbb48
First Usn        : 0x0000000a09800000
Next Usn         : 0x0000000a0b89e290
Lowest Valid Usn : 0x0000000000000000
Max Usn          : 0x00000fffffff0000
Maximum Size     : 0x0000000002000000
Allocation Delta : 0x0000000000400000

What would you recommend I change, and how much?

Thanks.

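As an added example (not from the thread), a parser for the fsutil output above that works out how full the change journal is. It treats each USN as a byte offset into the journal, and assumes NTFS purges the oldest records once the journal has overshot Maximum Size by about one Allocation Delta.

```python
import re

# Constructed copy of the `fsutil usn queryjournal C:` output quoted above.
FSUTIL_OUTPUT = """\
Usn Journal ID   : 0x01c90592944bbb48
First Usn        : 0x0000000a09800000
Next Usn         : 0x0000000a0b89e290
Lowest Valid Usn : 0x0000000000000000
Max Usn          : 0x00000fffffff0000
Maximum Size     : 0x0000000002000000
Allocation Delta : 0x0000000000400000
"""

LINE_RE = re.compile(r"^(.+?)\s*:\s*0x([0-9a-fA-F]+)\s*$", re.M)

def parse_queryjournal(text):
    """Return each fsutil field as an int, keyed by its printed label."""
    return {label: int(hexval, 16) for label, hexval in LINE_RE.findall(text)}

def journal_status(fields):
    """Size up the change journal. A USN is a byte offset into the journal, so
    Next Usn - First Usn is the bytes of records still retained. Assumption:
    NTFS lets the journal overshoot Maximum Size by about one Allocation Delta
    before purging the oldest records, so 'at_capacity' means old records are
    already being discarded on every trim (a reader such as the indexer may
    then have to fall back to a full rescan)."""
    used = fields["Next Usn"] - fields["First Usn"]
    max_size = fields["Maximum Size"]
    delta = fields["Allocation Delta"]
    return {
        "used_bytes": used,
        "used_mib": round(used / 2**20, 1),
        "max_mib": round(max_size / 2**20, 1),
        "percent_of_max": round(100.0 * used / max_size, 1),
        "at_capacity": used >= max_size,
        "over_hard_ceiling": used > max_size + delta,
    }

def report(text):
    """Human-readable summary for the output as pasted."""
    s = journal_status(parse_queryjournal(text))
    state = "at its cap (oldest entries being purged)" if s["at_capacity"] else "below its cap"
    return f"journal holds {s['used_mib']} MiB of {s['max_mib']} MiB ({s['percent_of_max']}%), {state}"
```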
