Missing Network Shares - Compromised Network?

Posted on 2006-05-01
Last Modified: 2012-05-05
Saturday I installed a NetGear router.  It's attached between my main computer and my cable modem.

The setup program told me to turn off all programs, including firewalls and AV, before installing.  I did.  And then I got sidetracked by a neighbor.  I was open to the Internet for several hours without AV or firewall.

Sunday, all four of my computers on the network started behaving strangely.  I first noticed them being sluggish, taking a long time to load things.  Then my main computer started just hourglassing forever at bootup.  I'd start a Windows Explorer window, and it would just churn without ever opening it.

I lost connectivity to my router's web interface.

The administrative shares on the two XP machines are gone.  If I re-enable them in the registry, they are gone again next time I reboot.

I pulled the plug on the Internet last night after reading a Microsoft help page that indicated that these symptoms--especially the missing admin shares--were likely a sign of a compromised system.

My plan is to wipe the machines and start from scratch.  But I sooooo don't want to do that if I'm missing another cause/solution.
Question by:StuartGriffen
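A defender-side check for the symptom described above, added here as an example and not part of the original thread: it lists which administrative shares are currently present and reads the LanmanServer setting that controls whether they are recreated at startup. It assumes it is run with administrator rights on the affected Windows machine (PowerShell 2.0 or later; `Get-WmiObject` is used because `Get-SmbShare` does not exist on XP-era systems).

```powershell
# Added example (not from the thread): report the state of the admin shares and of
# the registry value that auto-creates them, so a share that keeps vanishing after
# a reboot can be tied to a configuration change rather than guessed at.

$expected = 'ADMIN$', 'C$', 'IPC$'
$present  = Get-WmiObject -Class Win32_Share | Select-Object -ExpandProperty Name

foreach ($share in $expected) {
    if ($present -contains $share) { "present: $share" } else { "MISSING: $share" }
}

# AutoShareWks (workstations) / AutoShareServer (servers) under LanmanServer\Parameters:
# a DWORD value of 0 stops Windows from creating the admin shares when the Server
# service starts, which matches "gone again next time I reboot".
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$params = Get-ItemProperty -Path $key

foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $value = $params.$name
    if ($null -eq $value) {
        "$name not set (default: admin shares are created at startup)"
    } elseif ($value -eq 0) {
        "$name = 0: admin shares will NOT be recreated on reboot"
    } else {
        "$name = $value"
    }
}
```

If a share is reported missing while both values are unset or non-zero, something other than this setting is removing the share after startup, which is the case worth investigating offline before deciding whether to rebuild.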
    LVL 9

    Accepted Solution

    I would disconnect all computers from the network and one by one boot using an AV bootable CD. Make sure it has up-to-date DAT files and scan each device. You will find that you will have a worm virus somewhere and this is overriding your shares etc. This should clean each one up. However, if not, then you may need to reinstall the lot. Of course, you have the night before's backup, right?

    As you clean each computer, rebuild the network slowly. Only add in computers that you know to be clean.
    Then, you can add in your firewall once you are sure you have turned on the security.
    Finally, connect the modem and get internet access.

    Hope this helps

    Author Comment

    Thanks Barny

    It's a home network, and I have everything backed up.  Been down that road too many times.

    I'm a little fuzzy on the virus situation.  I've run multiple virus and malware scans on the machines already; none of them from a boot CD, though.  If this is just some hacker's home-grown trojan with the aim of turning me into a zero-day site or spam server, will an AV program catch it?

    I like your suggestion.  My favorite part about it is not reinstalling all four machines. :)
    LVL 77

    Assisted Solution

    by:Rob Williams
    I really don't have anything positive to add as for troubleshooting, but assuming the Netgear was installed between the computers and the Internet the risks would have been very minimal. The Netgear should have provided sufficient firewall protection against attacks, and if the systems were not in use the chances of obtaining a virus on all 4 systems, or on 1 and it spreading to the others, are not impossible, but very slim. I would continue to look for a solution. Other than the lost admin shares I would question connectivity of the router.
    LVL 77

    Expert Comment

    by:Rob Williams
    Forgot in your previous post you mentioned you had a server. If this is a domain and the workstations cannot find the DNS server, possibly due to a bad router, they would hang for up to 10 minutes on boot up. Can you test with another router or switch, even without an Internet connection?

    Author Comment

    Thanks guys.
    LVL 77

    Expert Comment

    by:Rob Williams
    Thanks Stuart,
