They called me when they started losing their connectivity to shares on the server. They also could not log in to their server because it would not accept the password for the Administrator. I initially suspected someone had accidentally reset the password, but after arriving onsite I noticed that all of the local machine passwords had been changed (which is why the shares weren't working) and I couldn't log in at all. I suspected a virus and, after using third-party software to reset the administrator password so I could log in, I ran Malwarebytes Anti-Malware and, sure enough, there were several infections, one of which was detected as a rootkit component. I cleaned up the infection, rebooted, reran Malwarebytes, cleaned up a couple more components, rebooted, reran it again and came up clean. I reset the passwords on all accounts and everything was good.
Yesterday, they called with the same problem. Apparently the virus wasn't gone. I redid the whole process and this time ran several other malware and rootkit detection tools, including Malwarebytes again, Norton Power Eraser, Sophos Anti-Rootkit, the Windows Malicious Software Removal Tool and RootRepeal. Everything came up clean. Additionally, I found that nearly all the computers in the office were infected with spyware, so I ran Malwarebytes on all of them and cleaned up any infections, just in case there was any spread of the virus. I've ordered Symantec Antivirus for the machines. Their previous IT provider had AVG Free on them which, I realize, is both insufficient and in violation of the AVG Free EULA. Last night at midnight, I was able to log into the server remotely, no problem.
However, this morning I once again got the message that the username/password combination was invalid, so it seems the problem is back. So I'm posting this in the hopes that someone has any suggestions for what else I might run to detect this insidious virus and/or may have run up against something like this. Otherwise, I'm looking at a complete backup and reinstall, which is going to add to the already major disruption to my customer's business. Thanks in advance for the help.
Edited by hamluis, 26 March 2011 - 07:28 PM.
Moved from Win NT to Am I Infected.