admin$ ipc$ and c$ shares gone

  • Thread starter Thread starter faadil
  • Start date Start date
F

faadil

Hi all. I have a real problem that's bugging me. First, the server
contracted Vundo virus. After a lot of fighting, I was able to remove
it. It was creating randomly created .dll files of 26kb and it opened
iexplorer windows pointing to ad sites. It also removed all shares
above. After I was able to remove Vundo, I proceeded to change the
registry entry located at HKLM\System\CurrentControlSet\Services
\lanmanserver\parameters\AutoShareServer to 1 and AutoShareWks to 1
also. After a restart, the shares had again disappeared. Even if I
manually enable them through a command box using "NET SHARE ADMIN$"
etc... for all shares, they remain present for a while. After about 5
mins, they are no longer there. Any ideas anyone???

Thanks a lot.
 
Hi all. I have a real problem that's bugging me. First, the server
contracted Vundo virus. After a lot of fighting, I was able to remove
it. It was creating randomly created .dll files of 26kb and it opened
iexplorer windows pointing to ad sites. It also removed all shares
above. After I was able to remove Vundo, I proceeded to change the
registry entry located at HKLM\System\CurrentControlSet\Services
\lanmanserver\parameters\AutoShareServer to 1 and AutoShareWks to 1
also. After a restart, the shares had again disappeared. Even if I
manually enable them through a command box using "NET SHARE ADMIN$"
etc... for all shares, they remain present for a while. After about 5
mins, they are no longer there. Any ideas anyone???

Thanks a lot.
Click to expand...

In my book an infected server is a compromised server
that must be rebuilt. You're seeing some of this already -
who knows what else might be lurking there?
 
In my book an infected server is a compromised server
that must be rebuilt. You're seeing some of this already -
who knows what else might be lurking there?
Click to expand...

Ok, I'll have to use this as a last resort. But nothing else can be
done which involves a quicker fix?
 
Ok, I'll have to use this as a last resort. But nothing else can be
done which involves a quicker fix?
Click to expand...

I have done an upgrade but the problem is still present. I know the
only thing left to do is a clean install but doh...
 
In
Pegasus (MVP) said:
In my book an infected server is a compromised server
that must be rebuilt. You're seeing some of this already -
who knows what else might be lurking there?
Click to expand...

Agreed, even if it was 100% fixed there's still that creeping paranoia that
somehow, somewhere, someone may be able to get access :)
 
Agreed, even if it was 100% fixed there's still that creeping paranoia that
somehow, somewhere, someone may be able to get access :)
Click to expand...

Any idea how this happened though? Both firewall and antivirus are up
to date. It blows me away...

Well, will be doing a clean install tomorrow. In the mean time, I have
scheduled a small batch file to run every 5 mins which restores the
"permanent" shares. Thanks again.
 
quoting:
Any idea how this happened though? Both firewall and antivirus are up
to date. It blows me away...

Well, will be doing a clean install tomorrow. In the mean time, I have
scheduled a small batch file to run every 5 mins which restores the
"permanent" shares. Thanks again.
Click to expand...


It may be a rootkit... I usually AV scan my computers with a boot disk so
that it gets under the OS.
 
Back
Top