
Possible Rootkit on Win2k3 server

No replies to this topic

#1 z28power



Posted 14 March 2010 - 02:56 AM

I have a Win2k3 server on which it appears a user managed to put some files that were then executed. The system starts up fine at first, then starts becoming unresponsive to console and remote desktop sessions. Cannot open command prompt, and remote desktop connections hang when logging in. All that can be done is restarting the server.

Additionally, the file server functionality stops working.

I have run MBAM on the system and removed av.exe as a process that was attempting to run. I have since run MBAM and NAV10.2 corporate on the system in both regular and safe modes with no infections found.

I ran GMER on the system earlier today and it found suspicious file activity on the files atapi.sys and ntfs.sys (it actually froze the entire system when scanning atapi.sys). I restarted the system into recovery console and replaced both of these files. Restarted the system and rebooted. I ran GMER afterwards again and it found a bunch of entries under SSDT, and some .text code files. (I can post this if you would like.) I cannot run some of the other more common scanners on Win2k3, so I am a little bit stuck. Any help that you guys can offer I would greatly appreciate. The system seemed to be running ok after the reboot but has become unresponsive again. Initially GMER did not find atapi.sys after replacing the file from the disc; however, at the very end of the scan it listed atapi.sys with a suspicious modification again.

Thanks for any help you can provide!
