ctrl alt delete virus on windows server 2003

I am running a Windows 2003 server which is the domain controller for our network. If you press Ctrl+Alt+Delete to get on to the server the machine restarts. We are unable to gain access to the machine via Remote Desktop. We have done a complete file recovery from the Microsoft system CD with no success. When the machine starts, users are able to connect and everything seems to work fine, but we can't get on the server machine directly. We have been able to make changes to the registry as well as Active Directory remotely, but still we have had no success in getting on the machine to remove whatever virus or worm has infected the machine. I need some way or 3rd-party boot CD to get on the server so we can isolate the virus and get control of the machine back. I need ideas.
frankfuternick Asked:
Wonko_the_Sane Commented:
- Restore from backup
 
or

- If you have a second domain controller just rebuild the domain controller.

or

- If you are able to setup a temporary domain controller do that - this allows you to rebuild this machine. If it really has a virus that's what you want to do anyways.
0
frankfuternick Author Commented:
Sorry, redoing the machine is my last resort. I am asking experts on the exchange for solutions that can solve the problem without starting over.
0
frankfuternick Author Commented:
shreedhar - we have tried this by changing the registry, but when you reboot the machine, then when the server gets to the point of starting where it would normally show a logon screen, it restarts.
0
seaweed27 Commented:
Can you boot to safe mode?

Make sure you have backed up or recovered vital data. Bring up a second temp domain controller, transfer FSMO roles to the new server. Wipe and reload the infected server, join the domain, promote, transfer roles, demote the temp server or keep it for AD redundancy.
0
Fayaz Commented:
http://support.microsoft.com/kb/325375
The above link gives you some options to troubleshoot; please try as applicable. Event logs may indicate the errors, if any.
Press F8 during boot and disable restart on error, log on to safe mode once and do a CHKDSK with the fix/repair option.
Download the scanner below, create a CD and boot from it. http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080911125713EN
0
hmtwins Commented:
Did you check your WINLOGON in the registry?
HKEY_Local_Machine\Software\microsoft\windows NT\Currentversion\Winlogon
Check the setting against a working domain controller.

Check your places for a virus (Run, RunOnce, Services), all in your registry.
If the server is infected, you will have a registry key somewhere that is starting your virus.
0
exx1976 Commented:
Connect to the registry remotely.

Look in

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

You are looking for a value called GINADLL.  If this value has been set, then someone has hijacked your GINA.  Microsoft DOES support this; it's called GINA chaining.  It's used for adding a Netware client, or the Citrix SSO GINA, etc etc.  There are many legitimate uses for it.  Unfortunately, it sounds like someone did something not so nice to yours.

In a factory clean install, this value is NOT present, and the machine boots with the default GINA.


HTH,
exx
0
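The two checks suggested above (the Winlogon GinaDLL value, and the Run/RunOnce/Services autostart locations) can be scripted so the result is easy to compare against a known-good domain controller. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the Remote Registry service is reachable on the target (the same requirement as "connect to the registry remotely") and that the caller has administrative rights; the expected Shell and Userinit strings are the stock Windows Server 2003 defaults, and the ComputerName parameter is an assumed name chosen here.

```powershell
# Added audit script (not from the thread). Assumptions: Remote Registry is
# reachable on the target, the caller is an admin, and the defaults below are
# the stock Windows Server 2003 values for Shell and Userinit.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # run from an admin workstation, point it at the DC
)

# Stock Winlogon values on a clean Server 2003 install.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\WINDOWS\system32\userinit.exe,'   # trailing comma is normal
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)

# 1. Winlogon: GinaDLL is absent on a clean install (msgina.dll is then used).
#    Shell and Userinit should match the defaults; a hijacked logon usually
#    rewrites one of these three values.
$winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
$gina = $winlogon.GetValue('GinaDLL')
if ($null -eq $gina) {
    Write-Output "GinaDLL : not present (default GINA in use)"
} else {
    Write-Output "GinaDLL : '$gina'  <-- non-default, confirm this DLL belongs to a known product"
}
foreach ($name in $expected.Keys) {
    $actual = $winlogon.GetValue($name)
    $flag = if ($actual -ne $expected[$name]) { '  <-- differs from default' } else { '' }
    Write-Output ("{0,-8}: '{1}'{2}" -f $name, $actual, $flag)
}

# 2. Autostart locations named in the thread: Run and RunOnce. Every entry is
#    listed so it can be compared line by line with a working DC.
$autostart = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($path in $autostart) {
    $key = $hklm.OpenSubKey($path)
    if ($null -eq $key) { continue }
    Write-Output "`n[$path]"
    foreach ($v in $key.GetValueNames()) {
        Write-Output ("  {0} = {1}" -f $v, $key.GetValue($v))
    }
}

# 3. Services: list those whose ImagePath is outside the Windows directory.
#    Third-party services legitimately live there too, so this is a shortlist
#    to review against the known-good DC, not a verdict.
$services = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
Write-Output "`nServices with ImagePath outside the Windows directory:"
foreach ($svc in $services.GetSubKeyNames()) {
    $image = $services.OpenSubKey($svc).GetValue('ImagePath')
    if (-not $image) { continue }
    # %SystemRoot% is expanded with the local machine's value; paths such as
    # system32\drivers\x.sys, \SystemRoot\..., and \??\C:\WINDOWS\... all
    # contain one of the markers matched below.
    $p = [Environment]::ExpandEnvironmentVariables($image)
    if ($p -notmatch '(?i)(^|[\\"?])(windows\\|system32\\|systemroot\\)') {
        Write-Output ("  {0} = {1}" -f $svc, $image)
    }
}
```

Run it once against the suspect server and once against a healthy domain controller and diff the two outputs; the Winlogon section answers the GinaDLL question directly, and the autostart sections narrow down where a persistence entry would have to be if the machine really is infected.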
frankfuternick Author Commented:
exx1976 - Unfortunately I have checked the registry and that key is not present.
0
exx1976 Commented:
Then it's not a virus, but something corrupted as part of the OS. The ONLY way to hijack that process is by using that registry key. That very process exists because that key sequence is trapped at SUCH A low level by the OS that it can interrupt anything else that is running, and always produces the same result: the Task Manager/lock workstation screen. This is done so that a virus writer can't write a "fake" login; when you press Control-Alt-Delete it would go to the lock workstation/Task Manager screen.


HTH,
exx
0
frankfuternick Author Commented:
We were able to boot the machine from the AVG rescue CD. The rescue CD was able to do a virus scan and successfully removed the virus. Once back on the machine we were able to repair all the things that were damaged.
0