Hacker has accessed server, unable to find resolution

Posted on 2005-04-19
Last Modified: 2013-12-04
Recently we have discovered a hacker has gained access to one of our Windows 2000 servers (SP4). The server is our Exchange server and our web hosting server (limited funds, do what we can).

By running SysInternals RootkitRevealer we are able to see that several hidden registry entries have been made.  A couple of hidden files were also discovered.

The hidden entries:


We are receiving numerous Event ID 7011 for all Exchange related services and IIS service, eventually effectively stalling the services.

We have since closed off the server from the outside world (still allowing SMTP traffic in/out), but the internal damage is done.

Is there any tool/utility that will allow us to access the hidden registry keys and hidden files so that we can delete them?
Question by: jhinson

    Expert Comment

    Hidden files? Turn off 'hide protected operating system files' and turn on 'show hidden files' in folder option. There's not much more to that one...
    As for the registry, run regedt32, and use the security menu to give yourself at least read (or Full control) to the whole registry.

    Ps. I would NOT try to salvage this machine. Take yourself offline, backup all mail, and reinstall a brand new box. Your chances of completely cleaning this system are slim-to-none.

    Author Comment

    Have already done all you suggested, no luck.

    Will be installing new machine this weekend but am trying to survive until then.

    Accepted Solution

    You might like to try this tool with which you can delete (rename or move) files that are used by the operating system
    and cannot be easily deleted:
    You can also manually remove hidden Windows registry entries with pointers to executable files (msdfm.exe, msdsa.exe and msgate.exe).
    W32/Sdbot-OK is a worm which attempts to spread to remote network shares.
    "Troj/Multidr-Y drops and executes W32/Sdbot-BK as runme.exe and Troj/HacDef-I
    as msdsa.exe in the Windows system folder.
    The Trojan also drops the following file in the Windows system folder:
    admdll.dll - a non-malicious DLL plugin for a remote administration tool
    go.bat - an innocuous BAT file
    hexec.exe - a legitimate utility called HideWindow
    msdfm.exe - a non-malicious remote administration tool
    raddrv.dll - a non-malicious DLL plugin for a remote administration tool
    msdsa.ini - a configuration file for msdsa.exe  "
    (general-purpose hard-disk cleaner)
    good luck
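    Added triage example, not part of the thread or of any tool named in it: it checks the system folder and the common autostart keys for the file names listed in the accepted solution above and dumps the key ACLs the first comment refers to. It assumes a modern Windows host with PowerShell 5 or later (Windows 2000 has no PowerShell); the file list and key paths are the only page-derived values.

```powershell
# Added example (not from the thread). Assumes PowerShell 5+ on a modern Windows host.
# Suspect names are the ones quoted in the accepted solution above.
$Suspect = @('msdfm.exe', 'msdsa.exe', 'msgate.exe', 'runme.exe', 'hexec.exe',
             'admdll.dll', 'raddrv.dll', 'msdsa.ini', 'go.bat')
$SysDir  = [Environment]::SystemDirectory

# 1. Files on disk: -Force lists Hidden/System files that Explorer hides by default.
Get-ChildItem -Path $SysDir -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $Suspect -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime, Attributes

# 2. Autostart keys: report any value whose data mentions one of the names.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }          # skip PowerShell metadata props
        $Data = [string]$P.Value
        foreach ($Name in $Suspect) {
            if ($Data -match [regex]::Escape($Name)) {
                [pscustomobject]@{ Key = $Key; Value = $P.Name; Data = $Data }
            }
        }
    }
}

# 3. Key permissions: a key the intruder locked down shows up here as missing or
#    unexpected Administrators/SYSTEM access entries.
foreach ($Key in $RunKeys) {
    $Acl = Get-Acl -Path $Key -ErrorAction SilentlyContinue
    if ($Acl) {
        $Acl.Access | Select-Object @{n='Key';e={$Key}}, IdentityReference,
                                    RegistryRights, AccessControlType
    }
}

# 4. Service timeouts (Event ID 7011 from the question) in the last 7 days.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7011;
                                  StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

    Run it from a clean environment (the disk mounted offline or a recovery boot) rather than on the live host: a user-mode rootkit of the kind named in the thread hides itself by hooking the same file and registry APIs this script relies on, so a live run can come back clean while the entries are still there.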

    Expert Comment

    Try running "Supershell" (free):


    Expert Comment

    If this trojan has launched itself as a process which cannot be killed normally through Task Manager, preventing you from deleting the associated .exe and .dll files, you may want to try downloading taskman+ from

    to see if it can kill the trojan process. Once killed, you should be able to delete the .exe and .dll files, then delete the associated registry keys.
