The IIS Admin Service service terminated unexpectedly

goo...@itpcny.com

Dec 4, 2006, 9:34:56 PM
Sorry if this is considered a double-post. Anyway, I have an Exchange
2003 SP2 server running on Windows 2003 SP1 and IIS keeps crashing
unexpectedly. I installed all the latest Windows updates, rebooted,
same thing. Seems to keep occurring every 15-20 mins. I found a KB
Article pointing to Message Tracking, disabled it, same issue. I found
several posts telling people to run IISState. I downloaded & ran
IISState, but I am unclear how to interpret the logs. I will post the
log here with hopes that someone can help or point me in the right
direction. Thanks in advance.

Opened log file 'C:\iisstate\output\IISState-5500.log'

***********************
Starting new log output
IISState version 3.3.1

Mon Dec 04 21:27:16 2006

OS = Windows 2003 Server
Executable: inetinfo.exe
PID = 5500

Note: Thread times are formatted as HH:MM:SS.ms

***********************


IIS has crashed...
Beginning Analysis
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files\Symantec\SMSMSE\5.0\Server\bin\libspamhunter.dll -

DLL (!FunctionName) that failed: libspamhunter!bltModGetVersion


Thread ID: 16
System Thread ID: ba4
Kernel Time: 0:0:2.750
User Time: 0:0:25.500
Thread Type: Other
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may
be wrong.
00 1d6cd2b9 20202020 libspamhunter!bltModGetVersion+0x16136
01 20202020 00000000 0x20202020
Closing open log file C:\iisstate\output\IISState-5500.log
Opened log file 'C:\iisstate\output\IISState-5500.log'

***********************
Starting new log output
IISState version 3.3.1

Mon Dec 04 21:27:16 2006

OS = Windows 2003 Server
Executable: inetinfo.exe
PID = 5500

Note: Thread times are formatted as HH:MM:SS.ms

***********************


Thread ID: 0
System Thread ID: d2c
Kernel Time: 0:0:0.0
User Time: 0:0:0.15
Thread Type: Other
# ChildEBP RetAddr
00 0006f99c 7c821b84 ntdll!KiFastSystemCallRet
01 0006f9a0 77e4189f ntdll!NtReadFile+0xc
02 0006fa08 77f795ab kernel32!ReadFile+0x16c
03 0006fa34 77f7943c ADVAPI32!ScGetPipeInput+0x2a
04 0006faa8 77fb2ec9 ADVAPI32!ScDispatcherLoop+0x51
05 0006fcec 010027be ADVAPI32!StartServiceCtrlDispatcherA+0x93
06 0006fe1c 01002969 inetinfo!StartDispatchTable+0x277
07 0006ff44 0100339d inetinfo!main+0x117
08 0006ffc0 77e523e5 inetinfo!mainCRTStartup+0x12f
09 0006fff0 00000000 kernel32!BaseProcessStart+0x23


Thread ID: 1
System Thread ID: 3e8
Kernel Time: 0:0:0.15
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0082fe14 7c822124 ntdll!KiFastSystemCallRet
01 0082fe18 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0082fe88 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0082fe9c 01002ebf kernel32!WaitForSingleObject+0x12
04 0082ffb8 77e6608b inetinfo!W3SVCThreadEntry+0x3d
05 0082ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 2
System Thread ID: 4e4
Kernel Time: 0:0:0.15
User Time: 0:0:0.125
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0086fcb8 7c822124 ntdll!KiFastSystemCallRet
01 0086fcbc 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0086fd2c 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0086fd40 649f26a4 kernel32!WaitForSingleObject+0x12
04 0086fd68 010024b3 iisadmin!ServiceEntry+0x28a
05 0086ffa4 77f79348 inetinfo!InetinfoStartService+0x2cc
06 0086ffb8 77e6608b ADVAPI32!ScSvcctrlThreadA+0x21
07 0086ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 3
System Thread ID: 11e0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 00c3ff9c 7c821364 ntdll!KiFastSystemCallRet
01 00c3ffa0 7c81fe26 ntdll!NtDelayExecution+0xc
02 00c3ffb8 77e6608b ntdll!RtlpTimerThread+0x47
03 00c3ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 4
System Thread ID: af4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 00d4feac 7c822114 ntdll!KiFastSystemCallRet
01 00d4feb0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 00d4ff58 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 00d4ff74 56f951ef kernel32!WaitForMultipleObjects+0x18
04 00d4ffa0 56f96a06 COADMIN!NOTIFY_CONTEXT::GetNextContext+0x67
05 00d4ffb8 77e6608b COADMIN!NOTIFY_CONTEXT::NotifyThreadProc+0x5f
06 00d4ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 5
System Thread ID: 1434
Kernel Time: 0:0:0.15
User Time: 0:0:0.62
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 016dfe18 7c821c54 ntdll!KiFastSystemCallRet
01 016dfe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 016dff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 016dff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 016dffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 016dffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 016dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 6
System Thread ID: 1508
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0171ff10 7c821364 ntdll!KiFastSystemCallRet
01 0171ff14 77e41ea7 ntdll!NtDelayExecution+0xc
02 0171ff7c 77e424c1 kernel32!SleepEx+0x68
03 0171ff8c 776b22a0 kernel32!Sleep+0xf
04 0171ff98 776b2307 ole32!CROIDTable::WorkerThreadLoop+0x14
05 0171ffa8 77670000 ole32!CRpcThread::WorkerLoop+0x1e
06 0171ffb8 77e6608b ole32!_imp__InstallApplication <PERF> (ole32+0x0)
07 0171ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 7
System Thread ID: 9d4
Kernel Time: 0:0:0.62
User Time: 0:0:0.234
Thread Status: Thread is in a WAIT state.
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 0179fbb8 7c822114 ntdll!KiFastSystemCallRet
01 0179fbbc 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0179fc64 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 0179fcc0 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 0179fcdc 6c7d63d5 USER32!MsgWaitForMultipleObjects+0x1f
05 0179fd28 4f075436 INFOCOMM!IIS_SERVICE::StartServiceOperation+0x231
06 0179fd68 010024b3 SMTPSVC!ServiceEntry+0x12b
07 0179ffa4 77f79348 inetinfo!InetinfoStartService+0x2cc
08 0179ffb8 77e6608b ADVAPI32!ScSvcctrlThreadA+0x21
09 0179ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 8
System Thread ID: 10e4
Kernel Time: 0:0:0.78
User Time: 0:0:0.62
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 017dfbac 7c822114 ntdll!KiFastSystemCallRet
01 017dfbb0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 017dfc58 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 017dfcb4 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 017dfcd0 685a366e USER32!MsgWaitForMultipleObjects+0x1f
05 017dfd1c 019a4d10 LNFOCOMM!IIS_SERVICE::StartServiceOperation+0x1d9
06 017dfd68 010024b3 resvc+0x14d10
07 017dffa4 77f79348 inetinfo!InetinfoStartService+0x2cc
08 017dffb8 77e6608b ADVAPI32!ScSvcctrlThreadA+0x21
09 017dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 9
System Thread ID: 16f8
Kernel Time: 0:0:0.0
User Time: 0:0:0.31
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 06fcfbb0 7c822114 ntdll!KiFastSystemCallRet
01 06fcfbb4 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 06fcfc5c 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 06fcfcb8 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 06fcfcd4 685a366e USER32!MsgWaitForMultipleObjects+0x1f
05 06fcfd20 619269ad LNFOCOMM!IIS_SERVICE::StartServiceOperation+0x1d9
06 06fcfd68 010024b3 pop3svc+0x69ad
07 06fcffa4 77f79348 inetinfo!InetinfoStartService+0x2cc
08 06fcffb8 77e6608b ADVAPI32!ScSvcctrlThreadA+0x21
09 06fcffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 10
System Thread ID: 1408
Kernel Time: 0:0:0.31
User Time: 0:0:0.15
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0708fbb0 7c822114 ntdll!KiFastSystemCallRet
01 0708fbb4 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0708fc5c 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 0708fcb8 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 0708fcd4 685a366e USER32!MsgWaitForMultipleObjects+0x1f
05 0708fd20 61954198 LNFOCOMM!IIS_SERVICE::StartServiceOperation+0x1d9
06 0708fd68 010024b3 imap4svc+0x4198
07 0708ffa4 77f79348 inetinfo!InetinfoStartService+0x2cc
08 0708ffb8 77e6608b ADVAPI32!ScSvcctrlThreadA+0x21
09 0708ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 11
System Thread ID: 208
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 070cfec4 7c822114 ntdll!KiFastSystemCallRet
01 070cfec8 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 070cff70 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 070cff8c 63042b69 kernel32!WaitForMultipleObjects+0x18
04 070cffb8 77e6608b pttrace+0x2b69
05 070cffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 12
System Thread ID: 174c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0710fec8 7c822114 ntdll!KiFastSystemCallRet
01 0710fecc 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0710ff74 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 0710ff90 6304208b kernel32!WaitForMultipleObjects+0x18
04 0710ffb8 77e6608b pttrace+0x208b
05 0710ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 13
System Thread ID: 15b8
Kernel Time: 0:0:0.656
User Time: 0:0:0.234
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0714fe08 7c822114 ntdll!KiFastSystemCallRet
01 0714fe0c 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0714feb4 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 0714ff10 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 0714ff2c 679cbbc6 USER32!MsgWaitForMultipleObjects+0x1f
05 0714ff80 77bbcefb LisRTL!SchedulerWorkerThread+0xa7
06 0714ffb8 77e6608b msvcrt!free+0xc8
07 0714ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 14
System Thread ID: 1680
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0718fe08 7c822114 ntdll!KiFastSystemCallRet
01 0718fe0c 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0718feb4 7739cd08 kernel32!WaitForMultipleObjectsEx+0x11a
03 0718ff10 7738e381 USER32!RealMsgWaitForMultipleObjectsEx+0x141
04 0718ff2c 679cbbc6 USER32!MsgWaitForMultipleObjects+0x1f
05 0718ff80 77bbcefb LisRTL!SchedulerWorkerThread+0xa7
06 0718ffb8 77e6608b msvcrt!free+0xc8
07 0718ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 15
System Thread ID: 124c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0720fcec 7c822114 ntdll!KiFastSystemCallRet
01 0720fcf0 7c83acfd ntdll!NtWaitForMultipleObjects+0xc
02 0720ffb8 77e6608b ntdll!RtlpWaitThread+0x161
03 0720ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 16
System Thread ID: ba4
Kernel Time: 0:0:2.750
User Time: 0:0:25.500
Thread Type: Other
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may
be wrong.
00 1d6cd2b9 20202020 libspamhunter!bltModGetVersion+0x16136
01 20202020 00000000 0x20202020


Thread ID: 17
System Thread ID: e60
Kernel Time: 0:0:0.234
User Time: 0:0:0.46
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 072cff50 7c821bf4 ntdll!KiFastSystemCallRet
01 072cff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 072cff80 63ec7235 kernel32!GetQueuedCompletionStatus+0x29
03 072cffb8 77e6608b ISATQ!AtqPoolThread+0x40
04 072cffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 18
System Thread ID: ba0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0738ff50 7c821bf4 ntdll!KiFastSystemCallRet
01 0738ff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 0738ff80 68628d05 kernel32!GetQueuedCompletionStatus+0x29
03 0738ffb8 77e6608b LSATQ!AtqPoolThread+0x40
04 0738ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 19
System Thread ID: 1324
Kernel Time: 0:0:0.15
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 073cff50 7c821bf4 ntdll!KiFastSystemCallRet
01 073cff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 073cff80 68628d05 kernel32!GetQueuedCompletionStatus+0x29
03 073cffb8 77e6608b LSATQ!AtqPoolThread+0x40
04 073cffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 20
System Thread ID: b74
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 075cff70 7c821bf4 ntdll!KiFastSystemCallRet
01 075cff74 7c83ad75 ntdll!NtRemoveIoCompletion+0xc
02 075cffb8 77e6608b ntdll!RtlpWorkerThread+0x3d
03 075cffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 21
System Thread ID: 544
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0765fe18 7c821c54 ntdll!KiFastSystemCallRet
01 0765fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 0765ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 0765ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 0765ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 0765ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 0765ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 22
System Thread ID: 1694
Kernel Time: 0:0:0.15
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0769ff70 7c821364 ntdll!KiFastSystemCallRet
01 0769ff74 77c5fa28 ntdll!NtDelayExecution+0xc
02 0769ff8c 77c5f824 RPCRT4!TIMER::Wait+0x2b
03 0769ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0xe8
04 0769ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
05 0769ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 23
System Thread ID: 1258
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0730fec4 7c822114 ntdll!KiFastSystemCallRet
01 0730fec8 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0730ff70 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 0730ff8c 695324f7 kernel32!WaitForMultipleObjects+0x18
04 0730ffb8 77e6608b exstrace!RegNotifyThread+0x6a
05 0730ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 24
System Thread ID: 358
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 076dfec8 7c822114 ntdll!KiFastSystemCallRet
01 076dfecc 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 076dff74 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 076dff90 69531a1d kernel32!WaitForMultipleObjects+0x18
04 076dffb8 77e6608b exstrace!WriteTraceThread+0x31
05 076dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 25
System Thread ID: 464
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0785ff18 7c822124 ntdll!KiFastSystemCallRet
01 0785ff1c 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0785ff8c 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0785ffa0 4ba58f8c kernel32!WaitForSingleObject+0x12
04 0785ffb8 77e6608b FCACHDLL!CScheduleThread::ScheduleThread+0x61
05 0785ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 26
System Thread ID: f00
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 0799febc 7c822114 ntdll!KiFastSystemCallRet
01 0799fec0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0799ff68 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 0799ff84 4f08f0a4 kernel32!WaitForMultipleObjects+0x18
04 0799ffb8 77e6608b SMTPSVC!TcpRegNotifyThread+0xde
05 0799ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 27
System Thread ID: cf4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 079dff1c 7c822124 ntdll!KiFastSystemCallRet
01 079dff20 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 079dff90 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 079dffa4 4f08ef41 kernel32!WaitForSingleObject+0x12
04 079dffb8 77e6608b SMTPSVC!FreeLibThread+0x2e
05 079dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 28
System Thread ID: e3c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 07a9fe18 7c821c54 ntdll!KiFastSystemCallRet
01 07a9fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 07a9ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 07a9ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 07a9ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 07a9ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 07a9ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 29
System Thread ID: 13ec
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 07b6fecc 7c822114 ntdll!KiFastSystemCallRet
01 07b6fed0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 07b6ff78 01a01f3b kernel32!WaitForMultipleObjectsEx+0x11a
03 07b6ffb0 01a02060 tranmsg+0x1f3b
04 07b6ffb8 77e6608b tranmsg+0x2060
05 07b6ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 30
System Thread ID: 87c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 07beff0c 7c822124 ntdll!KiFastSystemCallRet
01 07beff10 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 07beff80 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 07beff94 62ec49e5 kernel32!WaitForSingleObject+0x12
04 07beffb8 77e6608b dsaccess+0x349e5
05 07beffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 31
System Thread ID: 3c4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 07c3fe18 7c821c54 ntdll!KiFastSystemCallRet
01 07c3fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 07c3ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 07c3ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 07c3ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 07c3ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 07c3ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 32
System Thread ID: 1220
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 07cefecc 7c822114 ntdll!KiFastSystemCallRet
01 07cefed0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 07ceff78 62efa634 kernel32!WaitForMultipleObjectsEx+0x11a
03 07ceffb0 62efa759 dsaccess+0x6a634
04 07ceffb8 77e6608b dsaccess+0x6a759
05 07ceffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 33
System Thread ID: 1070
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 07d2f680 7c822114 ntdll!KiFastSystemCallRet
01 07d2f684 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 07d2f72c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 07d2f748 62ec5815 kernel32!WaitForMultipleObjects+0x18
04 07d2ffb0 62eebd00 dsaccess+0x35815
05 07d2ffb8 77e6608b dsaccess+0x5bd00
06 07d2ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 34
System Thread ID: 9b0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 07d6fe98 7c822114 ntdll!KiFastSystemCallRet
01 07d6fe9c 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 07d6ff44 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 07d6ff60 62f35006 kernel32!WaitForMultipleObjects+0x18
04 07d6ffb0 62f354ed Epoxy+0x5006
05 07d6ffb8 77e6608b Epoxy+0x54ed
06 07d6ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 35
System Thread ID: adc
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 081efe0c 7c822124 ntdll!KiFastSystemCallRet
01 081efe10 71b23a09 ntdll!NtWaitForSingleObject+0xc
02 081efe4c 71b23a52 mswsock!SockWaitForSingleObject+0x19d
03 081eff3c 71c0470c mswsock!WSPSelect+0x380
04 081eff8c 686264b5 WS2_32!select+0xb9
05 081effb4 68626806 LSATQ!ATQ_BMON_SET::BmonThreadFunc+0x22
06 081effb8 77e6608b LSATQ!BmonThreadFunc+0x9
07 081effec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 36
System Thread ID: 738
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0832ff00 7c822124 ntdll!KiFastSystemCallRet
01 0832ff04 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0832ff74 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0832ff88 62ec578b kernel32!WaitForSingleObject+0x12
04 0832ffb8 77e6608b dsaccess+0x3578b
05 0832ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 37
System Thread ID: 1730
Kernel Time: 0:0:0.15
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 083aff7c 7c821bf4 ntdll!KiFastSystemCallRet
01 083aff80 71b23eb4 ntdll!NtRemoveIoCompletion+0xc
02 083affb8 77e6608b mswsock!SockAsyncThread+0x69
03 083affec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 38
System Thread ID: 145c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files\Exchsrvr\bin\ifsproxy.dll -
Thread Type: Other
# ChildEBP RetAddr
00 084eff34 7c821bf4 ntdll!KiFastSystemCallRet
01 084eff38 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 084eff64 62292084 kernel32!GetQueuedCompletionStatus+0x29
WARNING: Stack unwind information not available. Following frames may
be wrong.
03 084effb8 77e6608b ifsproxy!CIfsGlobals::operator=+0x7e
04 084effec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 39
System Thread ID: 1058
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0856ff10 7c822124 ntdll!KiFastSystemCallRet
01 0856ff14 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0856ff84 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0856ff98 618d3c78 kernel32!WaitForSingleObject+0x12
04 0856ffb8 77e6608b iisif+0x3c78
05 0856ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 40
System Thread ID: 12c0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 085afe90 7c822114 ntdll!KiFastSystemCallRet
01 085afe94 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 085aff3c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 085aff58 62f33a01 kernel32!WaitForMultipleObjects+0x18
04 085affb0 62f33cbb Epoxy+0x3a01
05 085affb8 77e6608b Epoxy+0x3cbb
06 085affec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 41
System Thread ID: 116c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 085efe90 7c822114 ntdll!KiFastSystemCallRet
01 085efe94 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 085eff3c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 085eff58 62f33a01 kernel32!WaitForMultipleObjects+0x18
04 085effb0 62f33cbb Epoxy+0x3a01
05 085effb8 77e6608b Epoxy+0x3cbb
06 085effec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 42
System Thread ID: 116c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 085efe90 7c822114 ntdll!KiFastSystemCallRet
01 085efe94 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 085eff3c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 085eff58 62f33a01 kernel32!WaitForMultipleObjects+0x18
04 085effb0 62f33cbb Epoxy+0x3a01
05 085effb8 77e6608b Epoxy+0x3cbb
06 085effec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 43
System Thread ID: e90
Kernel Time: 0:0:0.15
User Time: 0:0:0.31
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0864fe18 7c821c54 ntdll!KiFastSystemCallRet
01 0864fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 0864ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 0864ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 0864ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 0864ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 0864ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 44
System Thread ID: 718
Kernel Time: 0:0:0.0
User Time: 0:0:0.15
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0868feac 7c821bf4 ntdll!KiFastSystemCallRet
01 0868feb0 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 0868fedc 77c604c3 kernel32!GetQueuedCompletionStatus+0x29
03 0868ff18 77c60655 RPCRT4!COMMON_ProcessCalls+0xa1
04 0868ff84 77c5f9f1 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x117
05 0868ff8c 77c5f7dd RPCRT4!ProcessIOEventsWrapper+0xd
06 0868ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
07 0868ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
08 0868ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 45
System Thread ID: 14c4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 086cff0c 7c822124 ntdll!KiFastSystemCallRet
01 086cff10 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 086cff80 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 086cff94 61fa5ea8 kernel32!WaitForSingleObject+0x12
04 086cffb8 77e6608b phatq+0x15ea8
05 086cffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 46
System Thread ID: 16bc
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0875fe70 7c822114 ntdll!KiFastSystemCallRet
01 0875fe74 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0875ff1c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 0875ff38 6215ff0b kernel32!WaitForMultipleObjects+0x18
04 0875ffb0 62196fd7 reapi+0xff0b
05 0875ffb8 77e6608b reapi+0x46fd7
06 0875ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 47
System Thread ID: 14a0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 087dfe7c 7c822114 ntdll!KiFastSystemCallRet
01 087dfe80 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 087dff28 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 087dff44 61fa5d38 kernel32!WaitForMultipleObjects+0x18
04 087dffa4 4f081cd6 phatq+0x15d38
05 087dffb8 77e6608b SMTPSVC!PERSIST_QUEUE::QueueThreadRoutine+0x23
06 087dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 48
System Thread ID: 1684
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0882ff54 7c821bf4 ntdll!KiFastSystemCallRet
01 0882ff58 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 0882ff84 08765b87 kernel32!GetQueuedCompletionStatus+0x29
03 0882ffb8 77e6608b drviis+0x5b87
04 0882ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 49
System Thread ID: bd0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0886ff54 7c821bf4 ntdll!KiFastSystemCallRet
01 0886ff58 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 0886ff84 08765b87 kernel32!GetQueuedCompletionStatus+0x29
03 0886ffb8 77e6608b drviis+0x5b87
04 0886ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 50
System Thread ID: 1478
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 088aff54 7c821bf4 ntdll!KiFastSystemCallRet
01 088aff58 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 088aff84 08765b87 kernel32!GetQueuedCompletionStatus+0x29
03 088affb8 77e6608b drviis+0x5b87
04 088affec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 51
System Thread ID: 11c0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 088eff54 7c821bf4 ntdll!KiFastSystemCallRet
01 088eff58 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 088eff84 08765b87 kernel32!GetQueuedCompletionStatus+0x29
03 088effb8 77e6608b drviis+0x5b87
04 088effec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 52
System Thread ID: f24
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0894fe90 7c822114 ntdll!KiFastSystemCallRet
01 0894fe94 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 0894ff3c 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 0894ff58 62f33a01 kernel32!WaitForMultipleObjects+0x18
04 0894ffb0 62f33cbb Epoxy+0x3a01
05 0894ffb8 77e6608b Epoxy+0x3cbb
06 0894ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 53
System Thread ID: 81c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0898ab2c 7c822124 ntdll!KiFastSystemCallRet
01 0898ab30 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0898aba0 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 0898abb4 62ec548a kernel32!WaitForSingleObject+0x12
04 0899ff84 77bcb530 dsaccess+0x3548a
05 0899ffb8 77e6608b msvcrt!_endthreadex+0xa3
06 0899ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 54
System Thread ID: 1768
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 089dff04 7c822124 ntdll!KiFastSystemCallRet
01 089dff08 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 089dff78 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 089dff8c 621ad58a kernel32!WaitForSingleObject+0x12
04 089dffb0 621ad714 reapi+0x5d58a
05 089dffb8 77e6608b reapi+0x5d714
06 089dffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 55
System Thread ID: 114c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 08a3feb4 7c822114 ntdll!KiFastSystemCallRet
01 08a3feb8 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 08a3ff60 62156563 kernel32!WaitForMultipleObjectsEx+0x11a
03 08a3ff98 62156300 reapi+0x6563
04 08a3ffb0 6218bfc6 reapi+0x6300
05 08a3ffb8 77e6608b reapi+0x3bfc6
06 08a3ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 56
System Thread ID: 140
Kernel Time: 0:0:0.78
User Time: 0:0:0.140
Thread Type: Other
# ChildEBP RetAddr
00 0871ff50 7c821bf4 ntdll!KiFastSystemCallRet
01 0871ff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 0871ff80 68628d05 kernel32!GetQueuedCompletionStatus+0x29
03 0871ffb8 77e6608b LSATQ!AtqPoolThread+0x40
04 0871ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 57
System Thread ID: 11fc
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 08a7fe98 7c822114 ntdll!KiFastSystemCallRet
01 08a7fe9c 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 08a7ff44 77e6109d kernel32!WaitForMultipleObjectsEx+0x11a
03 08a7ff60 019b817d kernel32!WaitForMultipleObjects+0x18
04 08a7ffb0 019b0053 resvc+0x2817d
05 08a7ffb8 77e6608b resvc+0x20053
06 08a7ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 58
System Thread ID: a5c
Kernel Time: 0:0:0.15
User Time: 0:0:0.15
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 08abfc90 7c822124 ntdll!KiFastSystemCallRet
01 08abfc94 71b23a09 ntdll!NtWaitForSingleObject+0xc
02 08abfcd0 71b23a52 mswsock!SockWaitForSingleObject+0x19d
03 08abfdc0 71c0470c mswsock!WSPSelect+0x380
04 08abfe10 76f14a0f WS2_32!select+0xb9
05 08abfe64 76f1e6da WLDAP32!DrainWinsock+0x2fc
06 08abfeb0 76f165ed WLDAP32!LdapWaitForResponseFromServer+0x325
07 08abfeec 76f2a264 WLDAP32!ldap_result_with_error+0x109
08 08abff1c 62e92f9f WLDAP32!ldap_result+0x4b
09 08abff5c 62e92d34 dsaccess+0x2f9f
0a 08abff8c 62ec4a50 dsaccess+0x2d34
0b 08abffb8 77e6608b dsaccess+0x34a50
0c 08abffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 59
System Thread ID: 1658
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 08b9fe0c 7c822124 ntdll!KiFastSystemCallRet
01 08b9fe10 71b23a09 ntdll!NtWaitForSingleObject+0xc
02 08b9fe4c 71b23a52 mswsock!SockWaitForSingleObject+0x19d
03 08b9ff3c 71c0470c mswsock!WSPSelect+0x380
04 08b9ff8c 63ec4696 WS2_32!select+0xb9
05 08b9ffb4 63ec4700 ISATQ!ATQ_BMON_SET::BmonThreadFunc+0x22
06 08b9ffb8 77e6608b ISATQ!BmonThreadFunc+0x9
07 63ec4700 8b575600 kernel32!BaseThreadStart+0x34
WARNING: Frame IP not in any known module. Following frames may be
wrong.
08 04c2c033 00000000 0x8b575600


Thread ID: 60
System Thread ID: c64
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09a6fecc 7c822114 ntdll!KiFastSystemCallRet
01 09a6fed0 77e67143 ntdll!NtWaitForMultipleObjects+0xc
02 09a6ff78 01a01f3b kernel32!WaitForMultipleObjectsEx+0x11a
03 09a6ffb0 01a02060 tranmsg+0x1f3b
04 09a6ffb8 77e6608b tranmsg+0x2060
05 09a6ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 61
System Thread ID: 990
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 09aaff50 7c821bf4 ntdll!KiFastSystemCallRet
01 09aaff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 09aaff80 63ec7235 kernel32!GetQueuedCompletionStatus+0x29
03 09aaffb8 77e6608b ISATQ!AtqPoolThread+0x40
04 09aaffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 62
System Thread ID: 169c
Kernel Time: 0:0:0.0
User Time: 0:0:0.15
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09afff18 7c822124 ntdll!KiFastSystemCallRet
01 09afff1c 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09afff8c 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09afffa0 09a1d460 kernel32!WaitForSingleObject+0x12
04 09afffb8 77e6608b miscat+0xd460
05 09afffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 63
System Thread ID: 10c0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09b3fde8 7c822124 ntdll!KiFastSystemCallRet
01 09b3fdec 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09b3fe5c 76f29e92 kernel32!WaitForSingleObjectEx+0xac
03 09b3feb0 76f165ed WLDAP32!LdapWaitForResponseFromServer+0x409
04 09b3feec 76f2a264 WLDAP32!ldap_result_with_error+0x109
05 09b3ff1c 62e92f9f WLDAP32!ldap_result+0x4b
06 09b3ff5c 62e92d34 dsaccess+0x2f9f
07 09b3ff8c 62ec4a50 dsaccess+0x2d34
08 09b3ffb8 77e6608b dsaccess+0x34a50
09 09b3ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 64
System Thread ID: 224
Kernel Time: 0:0:0.0
User Time: 0:0:0.31
Thread Type: Other
# ChildEBP RetAddr
00 09b7ff70 7c821bf4 ntdll!KiFastSystemCallRet
01 09b7ff74 7c83ad75 ntdll!NtRemoveIoCompletion+0xc
02 09b7ffb8 77e6608b ntdll!RtlpWorkerThread+0x3d
03 09b7ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 65
System Thread ID: 11e8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 09befeac 7c821bf4 ntdll!KiFastSystemCallRet
01 09befeb0 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 09befedc 77c604c3 kernel32!GetQueuedCompletionStatus+0x29
03 09beff18 77c60655 RPCRT4!COMMON_ProcessCalls+0xa1
04 09beff84 77c5f9f1 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x117
05 09beff8c 77c5f7dd RPCRT4!ProcessIOEventsWrapper+0xd
06 09beffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
07 09beffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
08 09beffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 66
System Thread ID: 11e8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 09befeac 7c821bf4 ntdll!KiFastSystemCallRet
01 09befeb0 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 09befedc 77c604c3 kernel32!GetQueuedCompletionStatus+0x29
03 09beff18 77c60655 RPCRT4!COMMON_ProcessCalls+0xa1
04 09beff84 77c5f9f1 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x117
05 09beff8c 77c5f7dd RPCRT4!ProcessIOEventsWrapper+0xd
06 09beffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
07 09beffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
08 09beffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 67
System Thread ID: 1524
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09cdab2c 7c822124 ntdll!KiFastSystemCallRet
01 09cdab30 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09cdaba0 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09cdabb4 62ec548a kernel32!WaitForSingleObject+0x12
04 09ceff84 77bcb530 dsaccess+0x3548a
05 09ceffb8 77e6608b msvcrt!_endthreadex+0xa3
06 09ceffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 68
System Thread ID: 1148
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09d2ff04 7c822124 ntdll!KiFastSystemCallRet
01 09d2ff08 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09d2ff78 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09d2ff8c 09c75b0e kernel32!WaitForSingleObject+0x12
04 09d2ffb0 09c75c98 phatcat+0x45b0e
05 09d2ffb8 77e6608b phatcat+0x45c98
06 09d2ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 69
System Thread ID: 1648
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09d5ab2c 7c822124 ntdll!KiFastSystemCallRet
01 09d5ab30 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09d5aba0 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09d5abb4 62ec548a kernel32!WaitForSingleObject+0x12
04 09d6ff84 77bcb530 dsaccess+0x3548a
05 09d6ffb8 77e6608b msvcrt!_endthreadex+0xa3
06 09d6ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 70
System Thread ID: 13b4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09daff04 7c822124 ntdll!KiFastSystemCallRet
01 09daff08 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09daff78 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09daff8c 09c75b0e kernel32!WaitForSingleObject+0x12
04 09daffb0 09c75c98 phatcat+0x45b0e
05 09daffb8 77e6608b phatcat+0x45c98
06 09daffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 71
System Thread ID: 834
Kernel Time: 0:0:0.78
User Time: 0:0:0.125
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 09deff0c 7c822124 ntdll!KiFastSystemCallRet
01 09deff10 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 09deff80 77e6ba42 kernel32!WaitForSingleObjectEx+0xac
03 09deff94 61fa5db5 kernel32!WaitForSingleObject+0x12
04 09deffb8 77e6608b phatq+0x15db5
05 09deffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 72
System Thread ID: e6c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 09e8ff14 7739c78d ntdll!KiFastSystemCallRet
01 09e8ff34 77694ff1 USER32!NtUserGetMessage+0xc
02 09e8ff74 776cf35b ole32!CDllHost::STAWorkerLoop+0x72
03 09e8ff90 776cf2a3 ole32!CDllHost::WorkerThread+0xc8
04 09e8ff98 776b2307 ole32!DLLHostThreadEntry+0xd
05 09e8ffac 776b2374 ole32!CRpcThread::WorkerLoop+0x1e
06 09e8ffb8 77e6608b ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x20
07 09e8ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 73
System Thread ID: 14d8
Kernel Time: 0:0:0.15
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0a3bfde8 7c822124 ntdll!KiFastSystemCallRet
01 0a3bfdec 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0a3bfe5c 76f29e92 kernel32!WaitForSingleObjectEx+0xac
03 0a3bfeb0 76f165ed WLDAP32!LdapWaitForResponseFromServer+0x409
04 0a3bfeec 76f2a264 WLDAP32!ldap_result_with_error+0x109
05 0a3bff1c 62e92f9f WLDAP32!ldap_result+0x4b
06 0a3bff5c 62e92d34 dsaccess+0x2f9f
07 0a3bff8c 62ec4a50 dsaccess+0x2d34
08 0a3bffb8 77e6608b dsaccess+0x34a50
09 0a3bffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 74
System Thread ID: 1398
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0aaffde8 7c822124 ntdll!KiFastSystemCallRet
01 0aaffdec 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0aaffe5c 76f29e92 kernel32!WaitForSingleObjectEx+0xac
03 0aaffeb0 76f165ed WLDAP32!LdapWaitForResponseFromServer+0x409
04 0aaffeec 76f2a264 WLDAP32!ldap_result_with_error+0x109
05 0aafff1c 62e92f9f WLDAP32!ldap_result+0x4b
06 0aafff5c 62e92d34 dsaccess+0x2f9f
07 0aafff8c 62ec4a50 dsaccess+0x2d34
08 0aafffb8 77e6608b dsaccess+0x34a50
09 0aafffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 75
System Thread ID: 1798
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0ab3fde8 7c822124 ntdll!KiFastSystemCallRet
01 0ab3fdec 77e6bad8 ntdll!NtWaitForSingleObject+0xc
02 0ab3fe5c 76f29e92 kernel32!WaitForSingleObjectEx+0xac
03 0ab3feb0 76f165ed WLDAP32!LdapWaitForResponseFromServer+0x409
04 0ab3feec 76f2a264 WLDAP32!ldap_result_with_error+0x109
05 0ab3ff1c 62e92f9f WLDAP32!ldap_result+0x4b
06 0ab3ff5c 62e92d34 dsaccess+0x2f9f
07 0ab3ff8c 62ec4a50 dsaccess+0x2d34
08 0ab3ffb8 77e6608b dsaccess+0x34a50
09 0ab3ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 76
System Thread ID: 810
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 2048fe18 7c821c54 ntdll!KiFastSystemCallRet
01 2048fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 2048ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 2048ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 2048ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 2048ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 2048ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 77
System Thread ID: 810
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 2048fe18 7c821c54 ntdll!KiFastSystemCallRet
01 2048fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 2048ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 2048ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 2048ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 2048ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 2048ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 78
System Thread ID: 10e0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 2050fe18 7c821c54 ntdll!KiFastSystemCallRet
01 2050fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 2050ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 2050ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 2050ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 2050ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 2050ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 79
System Thread ID: 1330
Kernel Time: 0:0:0.0
User Time: 0:0:0.15
Thread Type: Other
# ChildEBP RetAddr
00 2054ff50 7c821bf4 ntdll!KiFastSystemCallRet
01 2054ff54 77e66142 ntdll!NtRemoveIoCompletion+0xc
02 2054ff80 68628d05 kernel32!GetQueuedCompletionStatus+0x29
03 2054ffb8 77e6608b LSATQ!AtqPoolThread+0x40
04 2054ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 80
System Thread ID: d9c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 2062fe18 7c821c54 ntdll!KiFastSystemCallRet
01 2062fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 2062ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 2062ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 2062ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 2062ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 2062ffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 81
System Thread ID: 16e0
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 00bffe18 7c821c54 ntdll!KiFastSystemCallRet
01 00bffe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 00bfff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 00bfff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 00bfffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 00bfffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 00bfffec 00000000 kernel32!BaseThreadStart+0x34


Thread ID: 82
System Thread ID: 1560
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 205afe18 7c821c54 ntdll!KiFastSystemCallRet
01 205afe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
02 205aff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
03 205aff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
04 205affac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
05 205affb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
06 205affec 00000000 kernel32!BaseThreadStart+0x34

Closing open log file C:\iisstate\output\IISState-5500.log
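
Added example (not part of the original post, and not IISState's own code): a small parser for the log format shown above that pulls out the reported failing symbol, the first non-Windows module on each thread's stack, the threads whose unwind the debugger flagged, and return addresses whose bytes are all printable ASCII, which is consistent with a stack overwritten by string data. The `OS_MODULES` list and the function names are assumptions made for this sketch; the sample is a shortened excerpt of the posted log.

```python
import re
from collections import Counter

# Windows components seen on the stacks in this log. Treating them as
# "not the owner" of a thread is a triage assumption, not IISState output.
OS_MODULES = {"ntdll", "kernel32", "mswsock", "ws2_32", "wldap32",
              "rpcrt4", "ole32", "user32", "msvcrt"}
FRAME = re.compile(r"^[0-9a-f]{2} [0-9a-f]{8} ([0-9a-f]{8}) (\S+)$")
FAILED = re.compile(r"^DLL \(!FunctionName\) that failed: (\S+)")


def module_of(symbol):
    """'reapi+0x6563' -> 'reapi'; '0x20202020' (no module) -> None."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()


def looks_like_text(addr):
    """True when all four bytes of a 32-bit address are printable ASCII."""
    return all(0x20 <= b <= 0x7E for b in bytes.fromhex(addr))


def parse_iisstate(text):
    """Return (failing symbol or None, list of per-thread dicts)."""
    failed, threads, cur = None, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        hit = FAILED.match(line)
        if hit:
            failed = hit.group(1)
        elif line.startswith("Thread ID:"):
            cur = {"id": int(line.split(":")[1]), "frames": [],
                   "unreliable": False}
            threads.append(cur)
        elif cur is None:
            continue
        elif line.startswith("WARNING:"):
            cur["unreliable"] = True   # debugger could not trust the unwind
        elif FRAME.match(line):
            cur["frames"].append(FRAME.match(line).groups())  # (RetAddr, symbol)
    return failed, threads


def triage(text):
    failed, threads = parse_iisstate(text)
    owners, texty = Counter(), []
    for t in threads:
        mods = (module_of(sym) for _, sym in t["frames"])
        # "Owner" = first frame from the top that is not a Windows component.
        owner = next((m for m in mods if m and m not in OS_MODULES), None)
        if owner:
            owners[owner] += 1
        hits = [ret for ret, _ in t["frames"] if looks_like_text(ret)]
        if hits:
            texty.append((t["id"], hits))
    return {"failed": failed, "owners": dict(owners),
            "unreliable": [t["id"] for t in threads if t["unreliable"]],
            "text_like_return_addresses": texty}


# Shortened excerpt of the log posted above (frames omitted for brevity).
SAMPLE = """\
IIS has crashed...
DLL (!FunctionName) that failed: libspamhunter!bltModGetVersion

Thread ID: 16
System Thread ID: ba4
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may
be wrong.
00 1d6cd2b9 20202020 libspamhunter!bltModGetVersion+0x16136
01 20202020 00000000 0x20202020

Thread ID: 55
System Thread ID: 114c
# ChildEBP RetAddr
02 08a3ff60 62156563 kernel32!WaitForMultipleObjectsEx+0x11a
03 08a3ff98 62156300 reapi+0x6563
06 08a3ffec 00000000 kernel32!BaseThreadStart+0x34

Thread ID: 59
System Thread ID: 1658
# ChildEBP RetAddr
05 08b9ffb4 63ec4700 ISATQ!ATQ_BMON_SET::BmonThreadFunc+0x22
07 63ec4700 8b575600 kernel32!BaseThreadStart+0x34
WARNING: Frame IP not in any known module. Following frames may be
wrong.
08 04c2c033 00000000 0x8b575600
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the excerpt, the only thread with a text-like return address is thread 16, the one IISState reports as failing in libspamhunter.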

Kirill Palagin

Dec 5, 2006, 6:38:50 AM

Oliver Moazzezi

Dec 5, 2006, 10:15:16 AM
'libspamhunter!bltModGetVersion' is Symantec.

Raise a call with them regarding the product you have installed and are
using on the server. In the interim, to keep the Exchange Server up and
running, consider disabling it.

Oliver


Michael Edward Kohlman

Dec 5, 2006, 11:05:26 AM
We are seeing the exact same issue with nearly the exact same setup
(Exchange 2003 SP2 on Windows 2003 SP1 with SMSMSE 5.0.4.363) every 15
minutes on the average the thing blows with events 7031 and 7034.

Just started in the last few days.

- MEK

"Oliver Moazzezi" <o.moaz...@SPAMfreenet.co.uk> wrote in message
news:evYPtAIG...@TK2MSFTNGP06.phx.gbl...

Chris

Dec 5, 2006, 1:37:00 PM
Same thing - this is getting to be quite the epidemic. We are seeing this on
3 separate customers now. The first one started last Wednesday, the other
two yesterday. All 3 servers are running Exchange 2003 and Symantec AV/Mail
Security with premium antispam. The only difference is that the 1st server
affected is running version 4.5 of Mail Sec, while the other two are running
the latest version. Disabling the Symantec premium antispam stops the
problem.

It's clear that there's either a coding error in the latest spam update, or
someone has figured out an exploit in the antispam software. Either way
Symantec has nothing posted on their site concerning this - typical, huh?
I'm going to call them, but I feel completely confident that they will never
admit their software is screwed up, so we're probably on our own. I'll post
again if I come up with anything, please do the same if any of you do.

-Chris

Chris

Dec 5, 2006, 2:31:00 PM
Ok, guys. Just got off the phone with Symantec. As I suspected, there was a
bad ruleset included with a recent update. And surprising me was the fact
that they actually admitted this and told me how to work around it. They are
working on a new rule set that will be posted as an update hopefully today or
tomorrow, but in the meantime here is the workaround from the email they sent
me. Be sure to make a backup of the .xml file before proceeding. Apparently
there is no further action required - the update will fix the ruleset in the
.xml automatically:

Greetings, Chris

To modify bmiconfig.xml to work around the issue:

· Open the services menu by going to Start -> Run and typing services.msc

· Stop the Symantec Mail security for Microsoft exchange service, and the
Symantec Mail security spam statistics service, if they are started

· Open <system drive>:\Program Files\Symantec\SMSMSE\5.0\Server\SpamPrevention\bmiconfig.xml
in a text editor such as notepad

· Go to the File menu, choose save as, and save the file as bmiconfig.old

· Delete the following strings:

<ruleType>header_regex</ruleType>
<ruleType>body_regex</ruleType>
<ruleType>lang_header_regex</ruleType>
<ruleType>lang_body_regex</ruleType>
<ruleType>bodysig</ruleType>

· Once those entries are deleted, go to the File menu, and choose
save as, save the file as bmiconfig.xml

· Restart the Symantec mail security for Microsoft exchange service;
it is not necessary to restart the Spam statistics service.


Sincerely, Rudy

--------------------------------------------------------------------------------


Symantec Technical Support

I don't usually cross-post, but I'm going to throw this out on the few other
threads for this topic, so don't kill me. Good luck!

-Chris

Michael Edward Kohlman

Dec 5, 2006, 2:40:22 PM
I've handed off what you have posted here to my Exchange Team and will let
you know how the workaround goes.

Thanks much for the heads-up.

- MEK

"Chris" <Ch...@discussions.microsoft.com> wrote in message
news:DB090753-9CCD-4527...@microsoft.com...

DavidH

Dec 6, 2006, 12:21:47 PM
Just an FYI - same setup, exact same thing happening to me - last couple
days can't seem to keep things running - getting through to symantec is near
impossible.... anybody else have any luck?


"Michael Edward Kohlman" <NoS...@NoSpam.com> wrote in message
news:15000438-C4E9-4568...@microsoft.com...

goo...@itpcny.com

Dec 6, 2006, 12:35:11 PM
Thanks Chris & everybody else, I didn't get to follow up on this
yesterday but it seems the issue resolved itself sometime yesterday
morning. The server was rebooted about 9:30a, then the services
terminated a couple of minutes thereafter. After it reset itself,
everything has been stable. Not sure if Symantec released an update
that resolved the issue. I do have one of the users complaining that
all spam seems to be going to their Inbox instead of the Spam folder.

DavidH

Dec 6, 2006, 1:10:03 PM
I just got off the phone with symantec - the issue hasn't been fixed yet -
I'm going to test which line out of the 5 might be causing the issue - after
our server was rebooted this morning the log shows the services restarting
quickly after it was closed so it did stay up after reboot but the issue
remained until I fixed the xml file.


<goo...@itpcny.com> wrote in message
news:1165426511.6...@73g2000cwn.googlegroups.com...

Michael Edward Kohlman

Dec 6, 2006, 2:42:25 PM
The workaround changes recommended by Symantec did resolve the crashing
issue but the amount of SPAM getting through to our end-users is up as a
result.

This is getting fairly annoying....

- MEK

"DavidH" <david_...@NOSPAMpleasekyzen.com> wrote in message
news:OgvBCHWG...@TK2MSFTNGP06.phx.gbl...

dcgal...@gmail.com

Dec 6, 2006, 2:52:24 PM
All,

I just finished an hour long wait on tech support with Symantec for
Symantec Mail Security for Exchange v 5.0.4.363. They have a
workaround that disables the "suspected" spam filtering until they have
a final fix. I am posting their fix here.


IIS buffer overrun issues with libspamhunter.dll:

Situation: IIS crashes every 5-25 minutes, with errors in the event log
similar to:

The description for Event ID ( 1 ) in Source ( IISCTLS ) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is part of the event: NT AUTHORITY\SYSTEM.

Solution:

At this time, the recommended workaround is to modify brightmail to no
longer use the rulesets that are causing the issue.

To modify bmiconfig.xml to work around the issue:
Open the services menu by going to Start -> Run and typing services.msc

Stop the Symantec Mail security for Microsoft exchange service, and the
Symantec Mail security spam statistics service, if they are started
Open <system drive>:\Program Files\Symantec\SMSMSE\5.0\Server\SpamPrevention\bmiconfig.xml
in a text editor such as notepad
Go to the File menu, choose save as, and save the file as bmiconfig.old

Delete the following strings:

<ruleType>header_regex</ruleType>
<ruleType>body_regex</ruleType>
<ruleType>lang_header_regex</ruleType>
<ruleType>lang_body_regex</ruleType>
<ruleType>bodysig</ruleType>

Once those entries are deleted, go to the File menu, and choose save
as, save the file as bmiconfig.xml
Restart the Symantec mail security for Microsoft exchange service; it
is not necessary to restart the Spam statistics service.

This workaround should temporarily resolve the issue until the root
cause can be addressed.


I have performed these steps as it should at least keep us from having
to revive OWA every half an hour. I didn't see any gotchas or errors
with this procedure. Albeit we run in a clustered environment, the
bmiconfig.xml is stored on a local node HDD, so you have to perform the
same procedure on each node, in case you have a failover event before
they get it really fixed.

D
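
Added example (not part of either post, and not Symantec's tooling): the file-editing part of the workaround quoted by Chris and again in the post above, as a repeatable script for running on each node. The layout of the sample file and the `hypothetical_other` entry are constructed stand-ins, since the thread shows only the five `<ruleType>` lines; stopping the services before the edit and restarting Symantec Mail Security afterwards is left to the operator, as the posts describe.

```python
import os
import re
import shutil
import tempfile

# The five entries the quoted workaround says to delete.
RULE_TYPES = ("header_regex", "body_regex", "lang_header_regex",
              "lang_body_regex", "bodysig")


def disable_rule_types(xml_path, rule_types=RULE_TYPES):
    """Save a copy as bmiconfig.old, then drop the given <ruleType> entries.

    Returns (removed, not_found). Safe to re-run: an existing backup is
    never overwritten, so bmiconfig.old always holds the pre-edit file.
    """
    with open(xml_path, "rb") as fh:        # bytes: keep encoding and CRLF as-is
        data = fh.read()

    backup = os.path.join(os.path.dirname(xml_path), "bmiconfig.old")
    if not os.path.exists(backup):
        shutil.copy2(xml_path, backup)

    removed, not_found = [], []
    for name in rule_types:
        # Exact element match, so 'body_regex' cannot eat 'lang_body_regex'.
        entry = re.compile(rb"[ \t]*<ruleType>" + re.escape(name.encode("ascii"))
                           + rb"</ruleType>[ \t]*(\r?\n)?")
        data, count = entry.subn(b"", data)
        (removed if count else not_found).append(name)

    if removed:
        tmp = xml_path + ".tmp"             # write aside, then swap in place
        with open(tmp, "wb") as fh:
            fh.write(data)
        os.replace(tmp, xml_path)
    return removed, not_found


# Constructed stand-in for bmiconfig.xml; the real file's layout is not
# shown in the thread.
SAMPLE = (b"<config>\r\n"
          + b"".join(b"  <ruleType>%s</ruleType>\r\n" % n.encode("ascii")
                     for n in ("hypothetical_other",) + RULE_TYPES)
          + b"</config>\r\n")


def demo():
    """Apply the edit twice to the stand-in file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bmiconfig.xml")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        first = disable_rule_types(path)
        second = disable_rule_types(path)   # nothing left to remove
        with open(path, "rb") as fh:
            edited = fh.read()
        with open(os.path.join(tmp, "bmiconfig.old"), "rb") as fh:
            backup = fh.read()
    return first, second, edited, backup


if __name__ == "__main__":
    print(demo())
```

Passing a shorter `rule_types` tuple removes only those entries, which is what a one-line variant of the workaround needs.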

DavidH

Dec 6, 2006, 4:45:38 PM
Thought I'd let the group know what I sent symantec to help troubleshoot in
the hopes they get a fix soon:

since you can't see the colors: timestamps without anything after are when
the services crashed, I'm not sure how safe it is to just take out that one
line in the bmiconfig.xml file -(i'm going to cross post to the other
posting on the subject)

Red = time services failed and restarted
Blue = time xml file modified


09:52 (am today)
10:22
11:03
11:05
11:08
11:08
11:09
11:09
11:12
11:29
12:19
12:20
12:21
12:21
12:22
12:23
12:50 - removed 5 lines from xml file and restarted symantec mail security
service
01:46 - added "<ruleType>header_regex</ruleType>" line back to xml file and
restarted symantec mail security service
02:21 - added "<ruleType>body_regex</ruleType>" line back to xml file and
restarted symantec mail security service
02:49
03:00 - removed "<ruleType>body_regex</ruleType>" and added
"<ruleType>lang_header_regex</ruleType>" and restarted symantec mail
security service
03:37 - added "<ruleType>lang_body_regex</ruleType>" line back to xml file
and restarted symantec mail security service
04:08 - added "<ruleType>bodysig</ruleType>" line back to xml file and
restarted symantec mail security service
04:38 - no services stopping
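
Added example (not part of the original post): the timeline above replayed as data, splitting it into windows of constant configuration and keeping only the rule types that were enabled in every window with a crash and in no crash-free window. The 24-hour times are an assumption (entries after 12:50 read as afternoon), and the function names and the `min_quiet` threshold are choices made for this sketch.

```python
CRASH = "crash"
RULES = ("header_regex", "body_regex", "lang_header_regex",
         "lang_body_regex", "bodysig")

# DavidH's timeline from the post above. Assumption: rewritten on a
# 24-hour clock, reading the entries after 12:50 as afternoon times.
TIMELINE = [(t, CRASH) for t in (
    "09:52 10:22 11:03 11:05 11:08 11:08 11:09 11:09 "
    "11:12 11:29 12:19 12:20 12:21 12:21 12:22 12:23").split()] + [
    ("12:50", " ".join("-" + r for r in RULES)),   # all five lines removed
    ("13:46", "+header_regex"),
    ("14:21", "+body_regex"),
    ("14:49", CRASH),
    ("15:00", "-body_regex +lang_header_regex"),
    ("15:37", "+lang_body_regex"),
    ("16:08", "+bodysig"),
    ("16:38", "end"),                              # "no services stopping"
]


def minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def windows(timeline, initially_enabled):
    """Split the timeline at each config change.

    Returns [(enabled rule types, duration in minutes, crash count)].
    """
    enabled = set(initially_enabled)
    start, crashes, out = minutes(timeline[0][0]), 0, []
    for when, what in timeline:
        if what == CRASH:
            crashes += 1
            continue
        out.append((frozenset(enabled), minutes(when) - start, crashes))
        start, crashes = minutes(when), 0
        for token in what.split():
            if token.startswith("+"):
                enabled.add(token[1:])
            elif token.startswith("-"):
                enabled.discard(token[1:])
    return out


def suspects(wins, min_quiet=0):
    """Rule types present in every crashing window and in no quiet one.

    A quiet window only clears its rule types if it lasted at least
    min_quiet minutes; shorter windows are treated as inconclusive.
    """
    crashing = [set(w[0]) for w in wins if w[2] > 0]
    if not crashing:
        return set()
    cleared = set()
    for enabled, duration, crash_count in wins:
        if crash_count == 0 and duration >= min_quiet:
            cleared |= enabled
    return set.intersection(*crashing) - cleared


if __name__ == "__main__":
    wins = windows(TIMELINE, RULES)
    for enabled, duration, crash_count in wins:
        print(f"{duration:4d} min  {crash_count:2d} crashes  {sorted(enabled)}")
    print("suspects:", suspects(wins), suspects(wins, min_quiet=40))
```

The one crash with `body_regex` re-enabled came 28 minutes after the restart, while the quiet windows for the other rule types lasted 30 to 37 minutes, so raising `min_quiet` to 40 leaves `header_regex` uncleared as well.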


catsarecool

Dec 7, 2006, 12:23:55 AM
Seems that Symantec finally updated the definitions to fix this. My
server loaded up the new definitions around 8:00 pm tonight. So far my
event viewer has been clean as a whistle. No service crashes in over 3
hours. Thank God--I've been pulling my hair out for days trying to
solve this.

lordre...@gmail.com

Dec 7, 2006, 3:54:34 PM
I've got my Symantec updated to the 12/7 Rev. 20 definitions and after
an uneventful morning this issue popped up again. Is anyone else
experiencing this problem even after the update?

I've only been running Symantec for about 2 weeks now and I'm about
ready to dump it after this fiasco.

zco...@gmail.com

Dec 7, 2006, 11:50:01 PM
I've been chasing this same problem for days now. I applied the quick
fix listed above. I only removed the one line
<ruleType>body_regex</ruleType>, and my server is a lot happier.

Darrell Berry

Dec 8, 2006, 7:00:42 AM
i've been wrestling with what seems like this since 2 dec. also seeing
the messages which seem to trigger it reappearing in the smtp queues,
which led me down the blind alley of looking at a temptable# corruption
in the store. anyone else seen duplicate delivery of the messages which
crash the service? have just patched the xml file, and so far clean.
will report back.

catsarecool

Dec 8, 2006, 10:30:36 AM
My problem came back too!!! This is annoying. I'm about ready to dump
Symantec for good.

ala...@gmail.com

Dec 8, 2006, 2:09:46 PM
Same problems with our Exchange SP2/SMS with Premium. I haven't tried
any of the workarounds posted but Symantec obviously hasn't sent any
updates to fix this. I'll be keeping an eye on this thread.

zco...@gmail.com

Dec 8, 2006, 7:58:27 PM
It's been almost 24 hours since I made the change in the xml file and
the problem has not come back.

smarta...@gmail.com

Dec 13, 2006, 8:13:30 AM

zco...@gmail.com wrote:
> It's been almost 24 hours since I made the change in the xml file and
> the problem has not come back.

New definitions or changing the xml file is only a work around. The
Brightmail Service is actually partially disabled. Symantec still does
not have a fix as of Dec 13. Symantec finally posted the work around in
a KB article. I was instructed to check on the article for a permanent
fix once it was discovered.
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2006120116344254

tot...@gmail.com

Dec 14, 2006, 1:38:37 AM

The same Problem > The same solution!!!

Symantec where are you?

lordre...@gmail.com

Jan 26, 2007, 5:08:58 PM
Symantec has recently resolved this issue (after nearly two months)
according to the page posted before:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2006120116344254

However, that page says that a software update fixes the problem,
rather than just the updated ruleset. A software update is all well
and good, but you have to call technical support to get it? They
screwed up their software and brought my exchange server to its knees
and they won't even provide the download without more hassles?

mike....@gmail.com

Feb 26, 2007, 10:33:58 PM
> > Symantec where are you?

I upgraded our FE Exchange Server to their new version 5.0.5.366 and
the server is still having IIS buffer overrun issues with
libspamhunter.dll. Unfortunately Symantec Gold Tech Support closes at
5PM PST and I will have to call them in the morning.

clif.g...@mindspring.com

Feb 27, 2007, 6:27:19 PM
> 5PM PST and I will have to call them in the morning.

I will have to concur. I applied the new build as well and still have
an issue. Although the issue has changed somewhat.. the message no
longer gets stuck on the upstream server anymore. You re-start the
SMTP gateway and the message delivers (or at least goes somewhere) on
the 2nd attempt.

DavidH

Feb 28, 2007, 8:50:23 AM
Does anyone know of a comparable/better alternative to symantec for the
exchange server?

<clif.g...@mindspring.com> wrote in message
news:1172618839.5...@q2g2000cwa.googlegroups.com...

Ron Boetger

Mar 17, 2007, 12:14:12 PM
I am having the same problem BUT we are using TREND MICRO product.
Anyone know if Trend has the same effect?

Thanks
Ron

jacqueli...@gmail.com

Apr 9, 2007, 1:21:59 PM
We just installed a 30 day trial of Symantec Premium Anti-Spam less
than a week ago and started seeing these same issues, IIS going up and
down.

Was there any resolution, or are you all just living with it?

Our users love the spam catching of the product but we are concerned
about the behind-the-scenes issues and are reluctant to pull something
our users have been asking for.

Thanks, Jackie

jacqueli...@gmail.com

Apr 20, 2007, 5:50:08 PM
There is a known issue with Symantec Mail Security for Exchange
version 5.0.366 running premium antispam.

Not only were our IIS and SMTP services stopping frequently, our
server rebooted itself the other day, culprit being premium anti-spam.

Symantec just released version 5.0.6.368 (available on their FTP site)
but we have been having issues trying to install it. I think they
still have a lot of work to do to correct the problems.
