BleepingComputer.com: Local Machine Account Passwords Reset on Windows Server 2003


Local Machine Account Passwords Reset on Windows Server 2003
I suspect a rootkit causing the problem

#1 kbartley

  • Group: Members
  • Posts: 1
  • Joined: 26-March 11

Posted 26 March 2011 - 12:12 PM

I have a new customer with a Windows 2003 server that I inherited from their previous IT provider. The server is *not* set up as a domain controller and just handles basic file and application sharing via a workgroup security model.

They called me when they started losing their connectivity to shares on the server. They also could not log in to their server because it would not accept the password for the Administrator. I initially suspected someone had accidentally reset the password, but after arriving onsite I noticed that all of the local machine passwords had been changed (which is why the shares weren't working) and I couldn't log in at all. I suspected a virus and, after using a third party software to reset the administrator password so I could log in, I ran Malwarebytes Anti-Malware and, sure enough, there were several infections, one of which was detected as a Rootkit component. I cleaned up the infection, rebooted, reran Malwarebytes, cleaned up a couple more components, rebooted and reran and came up clean. I reset the passwords on all accounts and everything was good.

Yesterday, they called with the same problem. Apparently the virus wasn't gone. I redid the whole process and this time ran several other malware and rootkit detection tools including Malwarebytes again, Norton Power Eraser, Sophos Anti-Rootkit, the Windows Malicious Software Removal Tool and Root Repealer. Everything came up clean. Additionally, I found that nearly all the computers in the office were infected with spyware, so I ran Malwarebytes on all of them and cleaned up any infections, just in case there was any spread of the virus. I've ordered Symantec Antivirus for the machines. Their previous IT provider had Free AVG on them which, I realize, is both insufficient and in violation of the AVG Free EULA. Last night at midnight, I was able to log into the server remotely, no problem.

However, this morning I once again got the message that the username/password combination was invalid, so it seems the problem is back. So I'm posting this in the hopes that someone has suggestions for what else I might run to detect this insidious virus and/or may have run up against something like this. Otherwise, I'm looking at a complete backup and reinstall, which is going to add to the already major disruption to my customer's business. Thanks in advance for the help.

This post has been edited by hamluis: 26 March 2011 - 07:28 PM
Reason for edit: Moved from Win NT to Am I Infected.
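The symptom in the post (every local account password silently reset, repeatedly) leaves a trail in the Security event log once "Audit account management" is enabled in Local Security Policy: on Windows Server 2003 a password reset is logged as Security event 628 (User Account password set), and the event's User field names the subject that performed it. The added script below is not from the post or its author; it is an editor's example of a check a responder could run on an export of that log to see which subject is mass-resetting accounts and when, which narrows the hunt to the process or scheduled task active at that moment. The CSV column layout, the hostname FILESRV and the log lines themselves are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a Windows Server 2003 Event Viewer "Save As..." CSV export of the
# Security log. The column names are an assumption; rows are read by header, so a
# real export with extra columns (e.g. Description) still parses.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,3/26/2011,2:03:11 AM,Security,Account Management,628,NT AUTHORITY\\SYSTEM,FILESRV
Success Audit,3/26/2011,2:03:11 AM,Security,Account Management,628,NT AUTHORITY\\SYSTEM,FILESRV
Success Audit,3/26/2011,2:03:12 AM,Security,Account Management,628,NT AUTHORITY\\SYSTEM,FILESRV
Success Audit,3/26/2011,2:03:12 AM,Security,Account Management,642,NT AUTHORITY\\SYSTEM,FILESRV
Success Audit,3/26/2011,9:15:40 AM,Security,Logon/Logoff,528,FILESRV\\Administrator,FILESRV
Success Audit,3/26/2011,9:20:02 AM,Security,Account Management,628,FILESRV\\Administrator,FILESRV
"""

# Windows Server 2003 account-management event IDs relevant to the symptom.
PASSWORD_EVENTS = {
    627: "change password attempt",
    628: "user account password set (reset by another principal)",
    642: "user account changed",
}


def parse_export(text):
    """Turn the CSV export into a list of dicts with a real timestamp per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        rows.append({
            "when": when,
            "event": int(row["Event"]),
            "user": row["User"],      # the subject that performed the action
            "type": row["Type"],
        })
    return rows


def find_reset_bursts(rows, window=timedelta(minutes=5), min_events=3):
    """Group successful 628 (password set) events by subject and report any subject
    that reset at least min_events accounts inside one time window.  A burst of
    resets by a service principal at an hour when no admin is logged on is the
    pattern described in the post; a single reset by an administrator is not."""
    by_subject = defaultdict(list)
    for r in rows:
        if r["event"] == 628 and r["type"] == "Success Audit":
            by_subject[r["user"]].append(r["when"])

    findings = []
    for subject, times in by_subject.items():
        times.sort()
        for i, start in enumerate(times):
            end = i
            while end + 1 < len(times) and times[end + 1] - start <= window:
                end += 1
            count = end - i + 1
            if count >= min_events:
                findings.append({"subject": subject, "first": start, "count": count})
                break  # one finding per subject is enough to direct the investigation
    return findings


if __name__ == "__main__":
    for f in find_reset_bursts(parse_export(SAMPLE_EXPORT)):
        print(f"{f['subject']} set {f['count']} account passwords starting {f['first']} "
              f"-> check what ran on the server at that time")
```

On the sample data the only burst is attributed to NT AUTHORITY\SYSTEM at 02:03, with the Administrator's own single reset at 09:20 left out. If the real log shows no 628 events at all even though passwords keep changing, auditing is not enabled (or the log was cleared, which Windows Server 2003 records as event 517), and that is itself a finding.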
