frankfuternick

asked on

ctrl alt delete virus on windows server 2003

I am running a Windows 2003 server which is the domain controller for our network.  If you press Ctrl-Alt-Delete to get on to the server the machine restarts.  We are unable to gain access to the machine via Remote Desktop.  We have done a complete file recovery from the Microsoft system CD with no success.  When the machine starts users are able to connect and everything seems to work fine, but we can't get on the server machine directly.  We have been able to make changes to the registry as well as Active Directory remotely, but still we have had no success in getting on the machine to remove whatever virus or worm has infected the machine.  I need some way or 3rd-party boot CD to get on the server so we can isolate the virus and get control of the machine back.  I need ideas.
Avatar of Wonko_the_Sane
Wonko_the_Sane

-Restore from backup
 
or

- If you have a second domain controller just rebuild the domain controller.

or

- If you are able to setup a temporary domain controller do that - this allows you to rebuild this machine. If it really has a virus that's what you want to do anyways.
frankfuternick

ASKER

Sorry, redoing the machine is my last resort.  I am asking experts on the Exchange for solutions that can solve the problem without starting over.
shreedhar - we have tried this by changing the registry, but when you reboot the machine, then the server gets to the point of starting where it would normally show a logon screen, it then restarts.
Can you boot to safe mode?

Make sure you have backed up or recovered vital data. Bring up a second temp domain controller, transfer FSMO roles to the new server. Wipe and reload the infected server, join domain, promote, transfer roles, demote the temp server or keep it for AD redundancy.
http://support.microsoft.com/kb/325375
Above link gives you some options to troubleshoot, please try as applicable.  Event logs may indicate the errors, if any.
Press F8 during boot and disable restart on error, log on to safe mode once and do a CHKDSK with the fix/repair option.
Download the scanner below, create a CD and boot from it. http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080911125713EN
Did you check your WINLOGON in the registry?
HKEY_Local_Machine\Software\microsoft\windows NT\Currentversion\Winlogon.
Check the setting against a working domain controller.

Check your places for a virus (Run, RunOnce, services), all in your registry.
If the server is infected, you will have a registry key somewhere that is starting your virus.
Connect to the registry remotely.

Look in

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

You are looking for a value called GINADLL.  If this value has been set, then someone has hijacked your GINA.  Microsoft DOES support this; it's called GINA chaining.  It's used for adding a Netware client, or the Citrix SSO GINA, etc etc.  There are many legitimate uses for it.  Unfortunately, it sounds like someone did something not so nice to yours.

In a factory clean install, this value is NOT present, and the machine boots with the default GINA.


HTH,
exx
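A defender-side check for the two things the replies above describe (the GinaDLL value under Winlogon, and the Run/RunOnce autostart keys), as an added example that is not code from this thread: it reads the suspect DC's registry over the Remote Registry service and diffs it against a known-good DC. It assumes Remote Registry is reachable on both machines, that it is run from an admin workstation with PowerShell, and that the host names DC-SUSPECT and DC-GOOD are placeholders for your own servers.

```powershell
# Added example (not from the thread): compare Winlogon and autostart registry
# values on a suspect DC against a known-good DC via the Remote Registry service.
# DC-SUSPECT and DC-GOOD are placeholder host names; adjust to your environment.
param(
    [string]$Suspect   = 'DC-SUSPECT',
    [string]$Reference = 'DC-GOOD'
)

$winlogon  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autostart = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon values a chained GINA or a logon-time loader would alter. On a clean
# install GinaDLL is absent; Shell and Userinit have well-known defaults.
$watch = 'GinaDLL', 'Shell', 'Userinit'

function Get-RemoteValues {
    param([string]$Computer, [string]$SubKey)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if (-not $key) { return @{} }          # key missing on that host
        $result = @{}
        foreach ($name in $key.GetValueNames()) { $result[$name] = $key.GetValue($name) }
        return $result
    } finally { $hive.Close() }
}

# 1. Winlogon: report GinaDLL if present, and any watched value that differs.
$s = Get-RemoteValues $Suspect   $winlogon
$r = Get-RemoteValues $Reference $winlogon
foreach ($name in $watch) {
    if ($s[$name] -ne $r[$name]) {
        "[DIFF] Winlogon\$name  suspect='$($s[$name])'  reference='$($r[$name])'"
    }
}

# 2. Run/RunOnce: list entries present (or changed) on the suspect only.
foreach ($sub in $autostart) {
    $s = Get-RemoteValues $Suspect   $sub
    $r = Get-RemoteValues $Reference $sub
    foreach ($name in $s.Keys) {
        if (-not $r.ContainsKey($name) -or $s[$name] -ne $r[$name]) {
            "[DIFF] $sub\$name = $($s[$name])"
        }
    }
}
```

No output means the watched Winlogon values and autostart entries match the reference DC; any [DIFF] line is a value to inspect, not proof of infection, since legitimate GINA chaining (Netware, Citrix SSO) also sets GinaDLL.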
exx1976 - Unfortunately I have checked the registry and that key is not present.
Then it's not a virus, but something corrupted as part of the OS.  The ONLY way to hijack that process is by using that registry key.  That very process exists because that key sequence is trapped at SUCH A low level by the OS that it can interrupt anything else that is running, and always produces the same result:  The task manager/lock workstation screen.  This is done so that a virus writer can't write a "fake" login, then when you press control-alt-delete it would go to the lock workstation/task manager screen.


HTH,
exx
ASKER CERTIFIED SOLUTION
frankfuternick
