Web Hosting Talk







2000 server hacked


Bit
03-18-2004, 04:42 PM
Like that is news. :) I hope someone will take some pity on me and reply as I'm really a server administrator, but I've been asked to look after a small 2000 web server. When I checked it this week, someone got in and scheduled an event. It was created by netsched. What it did at reboot is try and delete C and D shares, and then the event was deleted. The server isn't running on C: drive, its letter assignment is much higher, so I don't think anything was affected, all still seems to 'serve' ok. But, when I try and run task manager, it loads, but I can't access it. When I move my mouse to the system tray, it disappears. Can anyone comment, or point me to a FAQ for better securing this box? TIA. Bit.

rghf
03-18-2004, 04:47 PM
(Not a Windows Admin) However, after any break-in you want to clean install and restore from known good clean backups.

Rus

Bit
03-18-2004, 04:49 PM
With Microsoft servers wouldn't that be a daily chore unless I figure out how to stop the same thing from happening first?

Steven
03-18-2004, 08:25 PM
windows updates ur friend

eBoundary
03-19-2004, 01:32 AM
Bit,

Head on over to sysinternals.com and pick up Process Explorer, TCPView, Regmon, CPUmon, Handle, fport, listdlls and DiskMon. These tools will help you find out exactly what's going on with your box. I'm not sure exactly what's going on, but there have been a number of worms and bots released lately; it may well be one of those.

svdorr
03-19-2004, 10:50 AM
More than likely you are infected with the Blaster virus. It shuts down your task manager, regedit, and your antivirus software. Does the machine reboot when you attempt to connect to the internet?

Some good reading:

http://www.microsoft.com/security/incident/blast.asp

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html