
Missing admin$ and ipc$


wuger

Technical User
Mar 1, 2003
US
I have a workstation running NT 4.0 Service Pack 6a. When I try to access the workstation through the network I get the error message "The server is not configured for transactions". From the command prompt on the workstation I type net share and notice that the admin$ and ipc$ shares are missing. I type net share admin$ and then net share ipc$ and the shares are created, but after an hour or so they disappear. Any suggestions?
Thanks in advance.
 
Strange - virus checked?

There is a registry tweak (can't find it at the minute) which enables the user to permanently remove these shares (because by default they are recreated when you restart if you delete them) - but your problem is the other way round! Any other odd behaviour on the machine? Do other 'normal' shares stay? What about c$?
 
I have not noticed any other anomalies on this machine and yes the normal shares stay including C$.
 
I have the same problem with a Windows 2000 domain controller. I found a winlogon.bat script sitting in the startup folder of the Administrator and All Users profiles.

The script was doing this:

@echo off
net share /delete C$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
net stop messenger
net stop netbios

I think this was part of a trojan called Trojan.VirtualRoot.

Hope this helps
 
The batch file you described is a common problem on NT machines.

@echo off
net share /delete C$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
net stop messenger
net stop netbios

These commands disable the shares of the drives so other people cannot access your machine. The trouble is, a hacker already has, and is probably using your machine as a drone, or if you have a fast connection maybe an FTP server or an "xdcc bot" to serve illegal software at will. The hacker would have scanned your IP range, i.e. 127.0.*.*-127.0.255.255, for vulnerable machines, yours being one of them if you find a similar batch file. The batch file is run to stop another hacker doing what the current hacker already has done, and stopping the other hacker from "re-hacking" his hacked server (your machine).

Some common programs used are: iroffer, servuftp, so do a search on your drives for files such as servu* and/or servudaemon.ini, which is the serv-u configuration file. Other files could be iroffer.exe, xscan.exe, firedaemon.exe, cygwin*.dll. These files may not necessarily be suspicious, but it is worth finding the folder if one of these files is found, as you will usually find the whole hacking kit, AKA "root kit". The illegal software is usually stored as RAR files, so a search of *.rar could show some interesting results.

I also recommend you check the C:\RECYCLER and C:\RECYCLED folders. These are hidden, but if you type the path into Explorer it shall navigate there. Hackers often store files here as it is unlikely for anyone to check here. I also recommend checking your system services for anything suspicious; you can do this from Control Panel > Administration Tools > Services.

To stop the shares disappearing, as posted before, you should find the batch file which is erasing them. Do a search IN files for the "net share" string; it should show some interesting results.

Hope this helps you understand a little more.

Thanks

Steve
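
Added example, not part of any post in this thread: one way to run the "search IN files for net share" check over a profile tree or a mounted copy of the disk, flagging only scripts that delete a hidden share. The function names, the `SAMPLE_FILES` contents and the folder layout are constructed for illustration.

```python
import os
import re
import sys

# Matches "net share /delete NAME$" and "net share NAME$ /delete".
# A plain "net share NAME$" (which re-creates the share) is not matched.
SHARE_DELETE = re.compile(
    r"^\s*@?\s*net(?:\.exe)?\s+share\s+(?=.*/delete\b)(?:/\S+\s+)*([\w.-]+\$)",
    re.IGNORECASE)
SCRIPT_EXTS = {".bat", ".cmd"}

# Constructed sample tree: the script quoted in the thread, plus a harmless
# logon script that only re-creates IPC$.
STARTUP = os.path.join("Start Menu", "Programs", "Startup")
SAMPLE_FILES = {
    os.path.join("Administrator", STARTUP, "winlogon.bat"):
        "@echo off\nnet share /delete C$ /y\nnet share /delete ADMIN$ /y\n"
        "net share /delete IPC$ /y\nnet share /delete lwc$ /y\n"
        "net share /delete print$ /y\nnet stop messenger\nnet stop netbios\n",
    os.path.join("All Users", STARTUP, "fixshare.bat"):
        "@echo off\nnet share ipc$\n",
}

def write_sample_tree(root):
    """Create the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)

def find_share_deleters(root):
    """Return {path relative to root: [shares deleted]} for .bat/.cmd files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    shares = [m.group(1).upper() for line in fh
                              if (m := SHARE_DELETE.match(line))]
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if shares:
                hits[os.path.relpath(path, root)] = shares
    return hits

if __name__ == "__main__" and len(sys.argv) > 1:
    for script, shares in find_share_deleters(sys.argv[1]).items():
        print(script, "deletes", ", ".join(shares))
```

Pass the folder to scan as the only argument; a hit on a script in a Startup folder is the pattern described in the posts above.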
 
Hi. I recently installed a wireless LAN between my laptop and PC. Both are running W2K. I have this exact same problem, which is driving me crazy. The laptop is fine. The PC, however, is missing the IPC$ share. I can "net share ipc$" but it only stays for a short time before it disappears.

I've gone thru all the suggestions above, but can find no trace of any trojan, or the filenames mentioned. Also can't find any .bat file that removes the share.

AARRGGHH!! What do I do?

 
I'm having the same problem as ozmatey, though not with laptops. There is no virus and no .bat file, but I cannot keep IPC$ past a reboot. Any suggestions?
 
We have found that there is a backdoor trojan causing this issue. Ours was called Backdoor.SDBOT.** We found it using AVG found here. Our corporate Panda did not find it. Hope this helps. It was masking an invalid realplayer.exe.

Cliff, CCNA/MCSE/MCSA 2000
Network Administrator
 
Thanks for the tip. We just created our own .bat file that would share the IPC$ at logon. Worked good. Then, thank God, our department broke down and upgraded.
 