Solved

Bootwin.exe causing the 2k3 server to stop users accessing network drives. Any ideas???

Posted on 2008-11-06
Medium Priority
1,171 Views
Last Modified: 2012-05-05
bootwin.exe is causing the server to stop access to a network drive; I am unable to access the network drive from the server as well. Any ideas on how to stop this from occurring?
Question by: techsupport111
3 Comments
 

Expert Comment

by:punar
ID: 22909746
I have the same problem. It appears the file is a virus, or part of one, although none of the scanners at virustotal can detect it. On the server I found it on, it turned off several of the services at once, leaving clients without network access like you described.
It looks as if it has some code to hide from detection as well.
The bootwin.exe file can be deleted in safe mode, but I don't know if that's enough to get rid of the entire virus. It might be part of a rootkit.
 
LVL 11

Accepted Solution

by: knoxzoo (earned 1000 total points)
ID: 22924636
Look for a WinUtils folder on the hard drive, most likely C:\WinUtils. If it's there, go into the registry, find all references to that folder and delete the key(s).

Download and install GiPo File Utilities.  (http://www.gibinsoft.net/gipoutils/fileutil/index.htm)  Use GiPo (right click on malware folder) to "Delete on next startup".

Check the registry again, just in case the program loaded code back in there before it was deleted.

Make sure the folder is gone and has not been recreated.

Use a registry cleanup utility to remove any lingering pieces. Norton's works pretty well.
 

Assisted Solution

by: punar (earned 1000 total points)
ID: 22926476
techsupport111, you should check the size of bootwin.exe.

If it's about 9KB and in the system32 folder, it's a virus. As far as I can find, there are no other files in connection with the virus, so
* Delete it in safe mode
* Disable the service (The service name is Windows Boot Loader)
* Install all Microsoft updates
and you should be OK. I have run for more than two days without any sign of the virus still being active.
Do a full scan of your system with your antivirus application as well just to be sure there are no known threats on the server.

If it's about 94KB, it's the bootwin.exe from the shareware collection of utilities from Aylott Computing called WinUtils that knoxzoo talks about. According to Aylott's website, it "reboots the PC with an optional delay". But I think that utility would only reboot your system, and not do any harm to your network services.
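The checks from both answers above (knoxzoo's WinUtils folder and registry hunt, punar's file-size and "Windows Boot Loader" service check) can be run from one script. The following is an added example written for this page; it was not posted by either expert and is not part of GiPo or WinUtils. It takes the folder C:\WinUtils, the service name "Windows Boot Loader" and the ~9 KB size observation from the answers as heuristics only, since a malware author can rename any of them, and it replaces the GiPo "Delete on next startup" step with a direct call to the Win32 MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT, which is the mechanism such tools use (it queues the delete in PendingFileRenameOperations, processed by the session manager before any service starts). It needs PowerShell 2.0 or later and an administrative session; by default it only reports, and it changes nothing unless run with -Remediate.

```powershell
param([switch]$Remediate)   # report only unless -Remediate is given

# Names below come from the answers in this thread (assumptions, not indicators of
# compromise in their own right); a malware author can change a service name or folder.
$target      = Join-Path $env:SystemRoot 'system32\bootwin.exe'
$suspectDir  = 'C:\WinUtils'
$serviceName = 'Windows Boot Loader'
$pattern     = 'bootwin\.exe|' + [regex]::Escape($suspectDir)

# 1. The file itself: size (punar's ~9 KB vs ~94 KB split) and a SHA-256 you can
#    compare with a known-good WinUtils copy or submit to a scanner.
if (Test-Path $target) {
    $f      = Get-Item $target
    $stream = [System.IO.File]::OpenRead($f.FullName)
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $stream.Close() }
    "file: {0}`n  size={1} bytes created={2}`n  sha256={3}" -f $f.FullName, $f.Length, $f.CreationTime, $hash
    if ($f.Length -lt 20KB) { "  NOTE: size is in the ~9 KB range reported for the malicious copy" }
} else {
    "file: $target not found (if a rootkit is suspected, verify from an offline boot as well)"
}

# 2. Services: the one named in the thread, plus any service whose binary path points
#    at the file or folder under a different name.
$services = @(Get-WmiObject Win32_Service | Where-Object {
    $_.Name -eq $serviceName -or $_.DisplayName -eq $serviceName -or $_.PathName -match $pattern
})
foreach ($s in $services) {
    "service: {0} ({1}) state={2} start={3}`n  path={4}" -f $s.Name, $s.DisplayName, $s.State, $s.StartMode, $s.PathName
    if ($Remediate) {
        [void]$s.StopService()                 # Win32_Service methods; ReturnValue 0 = success
        [void]$s.ChangeStartMode('Disabled')
        "  stopped and set to Disabled"
    }
}

# 3. Registry: values under the common autostart locations that mention the file or folder.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
         'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
         'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($root in $roots) {
    $keys = @(Get-Item $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($v in $k.GetValueNames()) {
            $data = [string]$k.GetValue($v)
            if ($data -match $pattern) { "registry: {0}\{1} = {2}" -f $k.Name, $v, $data }
        }
    }
}

# 4. Delete on next startup. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) and a null
#    destination queues the delete in PendingFileRenameOperations, which the session manager
#    processes early in boot, before services start; "delete on next startup" tools do the same.
if ($Remediate) {
    $k32 = Add-Type -Namespace Triage -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    $files = @()
    if (Test-Path $target) { $files += $target }
    $files += @(Get-ChildItem $suspectDir -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
    foreach ($path in $files) {
        $ok = $k32::MoveFileEx($path, $null, 4)
        "queued for delete at reboot: {0} -> {1}" -f $path, $ok
    }
}
```

Run it once without switches and read the output first: if the file is the ~94 KB WinUtils copy punar describes and no service or registry entry points at it, there is nothing to remediate. Run again with -Remediate, reboot, then rerun without switches to confirm the file, folder and registry references have not come back, which is the re-check knoxzoo recommends.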
