Full Version: Gaobot.gen
andydis
hello,


problem:

A 2003 server infected with Gaobot.gen has been disinfected; now nobody on the network can see that PC in Network Neighbourhood UNLESS logged in as administrator.

I am thinking it's either changed the LanMan settings in the registry or maybe deleted the IPC$, something along those lines?

Anyone else seen this?


Cheers in advance.
FuzZyBeeR
I think it deleted the IPC$. There's a function on some bots that secures the system and deletes the IPC$ so it cannot easily get rehacked. Seems to be a Phatbot or Agobot, hehe, and all the mods on top of them.

Just check if your IPC$ is deleted. I think that's the prob.
B3T4
A deleted IPC$ is recreated after reboot...
bjoernfun
Nope! It is possible to disable the automatic recreation of IPC$ (ADMIN$, C$, whatever) with a registry tweak.
B3T4
Aargh, I always hate it when people correct me, but you were right indeed..

FOR SERVERS:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000000


FOR WORKSTATIONS:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

This is untested, but I have the same dir on my XP machine.
FuzZyBeeR
And then again, the bot runs as a service, so if it's started it could disable it again.
Terminal
QUOTE(B3T4 @ Jan 12 2005, 03:43 AM)
Aargh, I always hate it when people correct me, but you were right indeed..

FOR SERVERS:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000000


FOR WORKSTATIONS:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

This is untested, but I have the same dir on my XP machine.

It works and stops creation of ADMIN$, C$, D$ on WinNT, 2k, XP, and 2003 also (not tried).
I don't think this is for IPC$.
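To check a machine against what this thread describes, the following PowerShell diagnostic reads both AutoShare values under the LanmanServer Parameters key quoted above and reports which of the administrative shares (IPC$, ADMIN$, C$) are actually present. It is an added example, not code posted in the thread; it assumes PowerShell 3 or later with the CIM cmdlets available, and a 2003-era box would need the same queries done with reg.exe and net share instead.

```powershell
# Added diagnostic (not from the thread): report the AutoShare settings and
# the administrative shares currently offered by the Server service.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$props = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue

foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $value = $props.$name
    if ($null -eq $value) {
        "$name : not set (default: administrative shares are auto-created)"
    } elseif ($value -eq 0) {
        "$name : 0 (auto-creation of ADMIN$ / drive$ shares is DISABLED)"
    } else {
        "$name : $value"
    }
}

# Shares offered right now; IPC$ is created by the Server service itself and is
# not governed by the AutoShare values, so it is reported separately below.
$shares = Get-CimInstance -ClassName Win32_Share
foreach ($expected in 'IPC$', 'ADMIN$', 'C$') {
    if ($shares.Name -contains $expected) {
        "$expected : present"
    } else {
        "$expected : MISSING"
    }
}
```

If the script shows AutoShareServer set to 0 on a server where you never configured it, that is the kind of change the earlier posts attribute to the bot. Deleting the value and restarting the Server service (or rebooting, as B3T4 noted) is what brings the disk admin shares back; a missing IPC$ with the values untouched points elsewhere, as Terminal says.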
oxydrine
Just use Sophos and after that delete the IPC$.
B3T4
QUOTE(FuzZyBeeR @ Jan 12 2005, 07:40 AM)
And then again, the bot runs as a service, so if it's started it could disable it again.

To find the bot's service, look in the registry here (there are other places to start a bot, but this is the service location):

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services]

Don't use tools like DMware, because they make use of a service list which can be patched quite easily; go straight to the registry. Hooking the registry is also possible, but much tougher, and it would slow down the PC way too much.
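One way to do what B3T4 recommends, reading the services key directly instead of trusting a service-manager listing, is the PowerShell triage script below. It is an added example, not from the thread: it walks HKLM\SYSTEM\CurrentControlSet\Services (the active control set, of which ControlSet001 is usually the backing copy), keeps only user-mode services, and flags any whose executable sits outside the Windows or Program Files folders. The folder list and the "suspicious" heuristic are assumptions for illustration; expect some benign third-party services to show up, so the output is a review list, not a verdict.

```powershell
# Added example (not from the thread): enumerate services from the registry
# and list those whose binary lives outside the usual system folders.
$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # drop empty entries on 32-bit systems

function Get-ServiceExe([string]$imagePath) {
    # Expand %SystemRoot% etc., then strip surrounding quotes and arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    return ($expanded -split ' ')[0]
}

Get-ChildItem -Path $servicesKey | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 0x10 / 0x20 = Win32 own / shared process (user-mode service);
    # kernel and filesystem drivers (Type 1 / 2) are skipped.
    if ($svc.ImagePath -and ($svc.Type -band 0x30)) {
        $exe = Get-ServiceExe $svc.ImagePath
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }
        [pscustomobject]@{
            Name        = $_.PSChildName
            Start       = $svc.Start      # 2 = automatic, 3 = manual, 4 = disabled
            Image       = $exe
            Description = $svc.Description
            Suspicious  = -not $inTrusted
        }
    }
} | Where-Object { $_.Suspicious } | Sort-Object Name | Format-Table -AutoSize
```

A self-installed bot service typically has an automatic start, an ImagePath under a user-writable folder, and no Description; cross-checking the flagged entries against the binaries on disk is the next step before disabling anything.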