W2K Hidden Shares gone!

[Rob Compton]

Don't know whether it was a trojan, spyware, or whatever
that caused it, but my W2K box has lost it's hidden shares,
admin$, ipc$, c$ etc...

To that end, it appears on the network but can't be
accessed in the normal way. On a couple of my machines I
have some of the drives on the W2K box listed, and I can go
straight to them, but I cannot access the root of the
machine, and what's more, I can't access the printers that
are hooked up to it (and it's the main printer server too!).

Now here's what I've found... If I re-boot it, but don't
log-in, ie: just leave it sitting there with the login box,
it all works, printer serving, file serving, internet
serving, the whole shabang! Log in, and it packs up. I've
looked at the registry, and there is the line in
lanmanserver/.../parameters (can't remember it exactly),
but DWORD is set to 0. If I delete that parameter, it
"should", re-create the shares, according to other articles
I've seen. It doesn't.

Any ideas.

Except format c: install something that works (I'm so
hacked off with this, that it's getting close to being a
L*n*x box!)

Rob.

 

[Mark Renoden [MSFT]]

Hi Rob

Vanishing hidden shares is a typical symptom of being hacked. I'd suggest
you log a support call to have this investigated further.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[lkinkade]

I discovered lsrv.exe running on computers displaying this problem. A call
to microsoft confirmed that although it was listed as from Microsoft in
the registry, Microsoft had not heard of it. I ended the lsrv.exe
processes and removed references from the registry (4 places in all) and
rebooted and it was better. The admin$ etc. was back.

 

[lkinkade]

I found that on the servers that were missing their administrative shares,
lsrv.exe was running. This claims to be from Microsoft, but Microsoft
service rep said it is not. This appears to be malware. It was listed in
various run and runservice keys in the registry. Any lsrv.exe processes
need to be stopped, and the keys referring to lsrv.exe need to be deleted
from the registry. Also it may set the values AutoShareServer and
AutoShareWks values in the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
key to 0 (zero). If those are set to zero, those keys need to be
deleted. (Microsoft kb article 245117 has more infor on that) Deleting the
AutoShareServer and AutoShareWks values, if they are set to 0, is
necessary for the admin shares to come back on reboot.

Fix Summary
-Stop any lsrv.exe processes.
-Remove all registry keys referring to lsrv.exe
-Remove the AutoShareServer and AutoShareWks values from the registry, if
they are present and set to zero.

 

[Stuart]

Fix Summary

-Stop any lsrv.exe processes.
-Remove all registry keys referring to lsrv.exe
-Remove the AutoShareServer and AutoShareWks values from the registry, if
they are present and set to zero.

I spent most of my day removing this unusual malware from a mix of Win
2K and XP clients. Netstat -a was showing various listening
connections from port 3000 upwards. One of the clients was nearly
fresh out of the box with the latest updates applied to it, too.

All clients had flooded their office DSL router, SYN packets were
being sent to various seemingly random targets on regular intervals.

The exe (which I no longer have but may be able to get a sample this
week) had no basic version or description in it's properties.

There was another process that was attempting a similar thing on one
of the Win2K machines, though I did not have time to investigate, I
could only stop it using a personal FW, I think file was called
msrll.exe, though may be a diff trojan.

Would be interested to hear anyone else's experience with this strange
intrusion.

 

[Potone]

I began to have the same problem last friday and resolved it only iesterday.
I found the same lsrv.exe in my registry, after removing it the shidden
shares came back.
My Norton AV updated with definitions of 7th june found the W32.Spybot.Worm
virus on that file, with the definitions of 2nd june it didn't find the
virus.

 

[Guest]

I had the same problem but in my case the cause of it was a worm called MUMU.
http://vil.nai.com/vil/content/v_100530.htm