Windows Networking

msmaby

IPC$ Share disappearing
As of 2 days ago I have lost the IPC$ share off a Win2k Server that is the main print server. Services shows that 'Remote Procedure Call (RPC)' is running. But net share does not show IPC$ as shared. Running a net share IPC$ gives no error message, but IPC$ still does not show as shared and dependent services, like the print spooler, will not start. I have scanned this computer with Symantec, Trendmicro, Stinger and the MS Threat detection patch and the system comes up clean. I don't see any unusual processes running. The system is patched to current - including the zotob patch (MS09-039).

This has me completely baffled. I have found other references to this issue on this site and none of the recommended fixes applied. I did discover that the 'parameters, autostartserver and autostartwks had been reset to 0, so I reset them back to 1, but no change. To me this really looks like I got hacked, but I can find no trojans (I use TDS to scan) and no viruses.

Anyone have any idea where to go from here?

Thanks

Marcus


jholland79

Hi msmaby,
What about the AutoShareServer key?
See
HOW TO: Restore Administrative Shares That Have Been Deleted
http://support.microsoft.com/?kbid=318755
John.

msmaby (ASKER)

No; that is set to a 1.


Have you rebooted since you made the registry changes?



gsgi

If you run powerchute, upgrade it to v7.02 or v7.04...  (on the off chance that it is the 7/27/05 APC problem)

ckratsch

I've seen this happen with some trojan/virus activity, though I forget now which one.  Check to see if your admin shares on the root of your drives are still there, too.  (C$, D$, etc.)  The virus I cleaned up after had removed those as well.
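The checks suggested so far in this thread (is IPC$ listed, are C$, D$ and the other drive shares still there, what are the auto-share registry values set to) can be collected in one pass. The following is an added example, not code posted by anyone in the thread; it assumes a Windows version with PowerShell 3.0 or later and an elevated session, and the function name `Test-AdminShares` is hypothetical.

```powershell
# Added example: report missing administrative shares and the settings behind them.
function Test-AdminShares {
    # Expected shares: IPC$, ADMIN$, and <letter>$ for every fixed disk.
    $expected = @('IPC$', 'ADMIN$')
    $expected += @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID.TrimEnd(':') + '$' })

    # Shares the Server service currently reports (same view as "net share").
    $present = @(Get-CimInstance -ClassName Win32_Share |
        Select-Object -ExpandProperty Name)
    $missing = @($expected | Where-Object { $present -notcontains $_ })

    # AutoShareServer is the value asked about in the thread; AutoShareWks is
    # its workstation counterpart. A value that is absent reads as $null here.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key
    $auto   = foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        [pscustomobject]@{ Name = $name; Value = $params.$name }
    }

    [pscustomobject]@{
        ServerService         = (Get-Service -Name LanmanServer).Status
        MissingShares         = $missing
        AutoShare             = $auto
        # Shares are gone although no auto-share value is 0: the registry
        # setting does not explain the loss, so look further.
        UnexplainedByRegistry = ($missing.Count -gt 0) -and
                                -not ($auto.Value -contains 0)
    }
}

Test-AdminShares | Format-List
```

`UnexplainedByRegistry` being true corresponds to the asker's situation: the values are back at 1 and the shares are still missing. The result is only what the running system reports, so on a host where hidden software is suspected it is a starting point rather than a clean bill of health.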

msmaby (ASKER)

I finally had a trojan defence system identify that I am infected with Hacker Defender Rootkit.  Apparently this hides itself and the registry entries. Anyone know of the correct removal process for this? The searches I have made disagree on procedure.

Thanks



gsgi

Which trojan defence system did you use?  The safest way is to reinstall. You could do an in place upgrade, this will retain your settings, and you can also possibly copy the default hive files over, in which case you'll probably have to reinstall software.  Is this thing only a print server?  - gsgi

ckratsch

I would agree - you know this machine has been compromised by something possibly less passive than a virus passing through.  Consider that there may be other characteristics of this compromise that you are not yet aware of.  Best to rebuild, especially if it's just a print server.

msmaby (ASKER)

Unfortunately, this is the exchange server for the organization. I had a nightmare once rebuilding an exchange server that I would like to avoid. Granted it was v5.5 and this is exch 2000, but still I am hesitant. Besides, the exchange services are unaffected.



ckratsch

Fair enough, though I can advise that rebuilding Exchange 2000 is way easier.  Add Exchange to another machine, move the mailboxes.  Rebuild your server.  Move the mailboxes back.

I'll see what I can find on that rootkit for you.

ASKER CERTIFIED SOLUTION
ckratsch


Nirmal Sharma

If you restart Server service the IPC$ shares and all administrative shares should re-appear.

Do you see any service called "SMSS" running in services.msc snap-in?

ckratsch

So what did you end up doing to resolve this one?



msmaby (ASKER)

Found that Hacker Defender was running and used the UnHackMe tool from www.greatis.com - This is a keeper as it has a monitor mode that has detected repeated attempts to install rootkit level trojans.
