ctrl alt delete virus on windows server 2003

I am running a Windows 2003 server which is the domain controller for our network. If you press Ctrl+Alt+Delete to get on to the server, the machine restarts. We are unable to gain access to the machine via Remote Desktop. We have done a complete file recovery from the Microsoft system CD with no success. When the machine starts, users are able to connect and everything seems to work fine, but we can't get on the server machine directly. We have been able to make changes to the registry as well as Active Directory remotely, but still we have had no success in getting on the machine to remove whatever virus or worm has infected it. I need some way, or a 3rd-party boot CD, to get on the server so we can isolate the virus and get control of the machine back. I need ideas.
Asked by frankfuternick
frankfuternick (Author) commented:
We were able to boot the machine from the AVG Rescue CD. The rescue CD was able to do a virus scan and successfully removed the virus. Once back on the machine, we were able to repair all the things that were damaged.
Wonko_the_Sane commented:
- Restore from backup

or

- If you have a second domain controller, just rebuild the domain controller.

or

- If you are able to set up a temporary domain controller, do that. This allows you to rebuild this machine. If it really has a virus, that's what you want to do anyway.
frankfuternick (Author) commented:
Sorry, redoing the machine is my last resort. I am asking the experts on the Exchange for solutions that can solve the problem without starting over.
frankfuternick (Author) commented:
shreedhar - we have tried this by changing the registry, but when you reboot the machine, at the point in startup where it would normally show a logon screen, it restarts again.
seaweed27 commented:
Can you boot to Safe Mode?

Make sure you have backed up or recovered vital data. Bring up a second, temporary domain controller and transfer the FSMO roles to the new server. Wipe and reload the infected server, join it to the domain, promote it, transfer the roles back, then demote the temporary server or keep it for AD redundancy.
Fayaz commented:
http://support.microsoft.com/kb/325375
The above link gives you some options to troubleshoot; please try them as applicable. The event logs may indicate the errors, if any.
Press F8 during boot, disable restart on error, log on to Safe Mode once and run CHKDSK with the fix/repair option.
Download the scanner below, create a CD and boot from it: http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080911125713EN
hmtwins commented:
Did you check your WINLOGON key in the registry?
HKEY_Local_Machine\Software\microsoft\windows NT\Currentversion\Winlogon
Check the settings against a working domain controller.

Check the usual places for a virus (Run, RunOnce, Services), all in your registry.
If the server is infected, you will have a registry key somewhere that is starting your virus.
exx1976 commented:
Connect to the registry remotely.

Look in

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

You are looking for a value called GINADLL. If this value has been set, then someone has hijacked your GINA. Microsoft DOES support this; it's called GINA chaining. It's used for adding a NetWare client, the Citrix SSO GINA, etc. There are many legitimate uses for it. Unfortunately, it sounds like someone did something not so nice to yours.

In a factory-clean install, this value is NOT present, and the machine boots with the default GINA.


HTH,
exx
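The checks hmtwins and exx1976 describe, comparing the Winlogon, Run, RunOnce and Services keys of the suspect domain controller against a known-good one over the Remote Registry service (the same channel the author was already using to edit the registry remotely), as an added PowerShell example. This is not code from the thread or from any participant. It assumes PowerShell on an admin workstation, domain-admin rights on both servers, the Remote Registry service running on each, and the placeholder hostnames SUSPECT-DC and GOOD-DC.

```powershell
# Added example, not from the thread: diff the logon-time registry locations
# of a suspect DC against a known-good DC via the Remote Registry service.
# SUSPECT-DC and GOOD-DC are hypothetical hostnames; substitute your own.
param(
    [string]$Suspect = 'SUSPECT-DC',
    [string]$Known   = 'GOOD-DC'
)

$hive = [Microsoft.Win32.RegistryHive]::LocalMachine

# Open a subkey under HKLM on a remote machine; $null if it does not exist.
function Open-RemoteKey {
    param([string]$Computer, [string]$SubKey)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    return $base.OpenSubKey($SubKey)
}

# Read every value under a subkey into a hashtable of name -> string.
function Get-RemoteValues {
    param([string]$Computer, [string]$SubKey)
    $values = @{}
    $key = Open-RemoteKey $Computer $SubKey
    if ($key -ne $null) {
        foreach ($name in $key.GetValueNames()) {
            # Keep %SystemRoot% etc. unexpanded so both sides compare as stored.
            $raw = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $values[$name] = [string]$raw
        }
        $key.Close()
    }
    return $values
}

# Print values that differ between the two DCs or exist on only one side.
function Compare-RemoteValues {
    param([string]$SubKey)
    $s = Get-RemoteValues $Suspect $SubKey
    $g = Get-RemoteValues $Known   $SubKey
    $names = @($s.Keys) + @($g.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if ($s[$n] -ne $g[$n]) {
            "HKLM\$SubKey\$n"
            "    suspect: $($s[$n])"
            "    known:   $($g[$n])"
        }
    }
}

# Subkey names only (used for the Services key, which is large).
function Get-RemoteSubKeyNames {
    param([string]$Computer, [string]$SubKey)
    $key = Open-RemoteKey $Computer $SubKey
    if ($key -eq $null) { return @() }
    $names = $key.GetSubKeyNames()
    $key.Close()
    return $names
}

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autostart = @(
    $winlogon,
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # AppInit_DLLs
)
foreach ($k in $autostart) { Compare-RemoteValues $k }

# A GinaDLL value present at all means a chained or replaced GINA, legitimate
# or not; Shell is the other Winlogon value a logon-stage hijack tends to touch.
$wl = Get-RemoteValues $Suspect $winlogon
if ($wl.ContainsKey('GinaDLL')) {
    "GinaDLL is set on ${Suspect}: $($wl['GinaDLL']) -- verify this DLL on disk"
} else {
    "No GinaDLL value on $Suspect (default GINA in use)"
}
if ($wl['Shell'] -ne 'Explorer.exe') { "Shell is not the default: $($wl['Shell'])" }

# Services that exist only on the suspect DC, with the binary they launch.
$svcPath = 'SYSTEM\CurrentControlSet\Services'
$onlySuspect = Compare-Object (Get-RemoteSubKeyNames $Known $svcPath) `
                              (Get-RemoteSubKeyNames $Suspect $svcPath) |
               Where-Object { $_.SideIndicator -eq '=>' }
foreach ($svc in $onlySuspect) {
    $img = (Get-RemoteValues $Suspect "$svcPath\$($svc.InputObject)")['ImagePath']
    "Service only on ${Suspect}: $($svc.InputObject)  ImagePath=$img"
}
```

Values that appear on only one side, or a Shell, Userinit or service ImagePath pointing outside %SystemRoot%\system32, are the entries to record before booting the rescue CD, so that the offline scan and any manual cleanup can be checked against them afterwards. Treat differences in Run and RunOnce with some care: a known-good DC with different software installed will legitimately differ there.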
frankfuternick (Author) commented:
exx1976 - Unfortunately I have checked the registry and that key is not present.
exx1976 commented:
Then it's not a virus, but something corrupted as part of the OS. The ONLY way to hijack that process is by using that registry key. That very process exists because that key sequence is trapped at such a low level by the OS that it can interrupt anything else that is running, and always produces the same result: the Task Manager/lock workstation screen. This is done so that a virus writer can't write a "fake" login; when you press Ctrl+Alt+Delete, it would go to the lock workstation/Task Manager screen.


HTH,
exx