R & R TCP/IP in Win2K Server?

  • Roger Wright wrote (#1):

    Our server took a dump today. A virus or trojan got installed around 12/30/2005 - no, I don't have a firewall, as I didn't have any say in it - and has been merrily emailing who knows how many people. I found mIRC along with a hidden SMTP server/relay installed. When it finally crashed the system some time last night, it took out the TCP/IP stack, as well, so that now there is no way to connect to it at all. Ordinarily I'd just remove TCP/IP, then reboot and reinstall it, but that's not possible. In fact, that's exactly what TechNet recommends, and provides a step by step procedure for doing it. Unfortunately, the instructions are someone's hallucination, as they don't work. You can't 'Uninstall' TCP/IP, as the button is greyed out. I spent the entire day following article after article in TechNet, none of which removed TCP/IP. I tried doing a repair installation, but the Win2K CD doesn't offer that option - it's Upgrade or Clean only. I'd just restore from a backup, but the tape drive relies on - you guessed it - TCP/IP to connect. Grrrr.... Does anyone know of a sure fire way to accomplish this? "...a photo album is like Life, but flat and stuck to pages." - Shog9

      • Sebastian Schneider wrote (#2):

      Sorry. Seems like reinstalling Windows without formatting the HDD would be your best guess. Given the source of your problem, I would do a complete reinstall. Otherwise, rootkits might still be active and return the control of your server to the attacker. You just would be repairing it for them to abuse again.

        • AndyM103 wrote (#3):

        It's not currently connected to the network. Right. Have you removed the trojan? If not: get a free anti-virus from free-av.com and then remove the trojan. If you still cannot regain network access - delete the connection and start from scratch with it (does Win2k3 have a "Create Network" wizard???). This should enable access. ps: If this doesn't work try just unplugging the network lead!!!

          • Roger Wright wrote (#4):

          The Trojan was easy - it even showed its ugly face in the Add/Remove Programs menu!:laugh: There was something else that kept reinstalling it, though, and that took some time to track down. All gone. The mIRC component was harder to get rid of, but I finally nailed it. I believe what happened to the server to cause the damage was that the Trojan replaced a critical file in the set of services that enable networking, so I located a procedure at TechNet for removing and replacing them all. After spending all day painstakingly following instructions, which were wrong as usual, after the final reboot the same symptoms reappeared - no network connectivity. Arrrrggggg!:mad: At this point I'm really stuck - in the Registry section HKLM\System\Current Control Set\Services there should be a long list of installed services, but this one's blank - nothing there at all. Dell support was great, btw - the chat desk has different staff from the phone support department. But they're trained for hardware diagnosis and don't really know much about Windows. My next step, I guess, is to reinstall Win2K Server, but I really wish it had a Repair option like other versions have. "...a photo album is like Life, but flat and stuck to pages." - Shog9

            • Lost User wrote (#5):

            How about using this command: sfc /scannow
