Missing admin$ and ipc$

Strange - virus checked?

There is a registry tweak (can't find it at the minute) which enables user to permanently remove these shares (because by default they are recreated when you restart if you delete them) - but your problem is other way round! Any other odd behaviour on machine? Do other 'normal' shares stay? What about c$?

I have not noticed any other anomalies on this machine and yes the normal shares stay including C$.

I have the same problem with Windows 2000 domain controller. I found a winlogon.bat script sitting in the start up folder of the administrator and all users profiles.

The script was doing this

@echo off
net share /delete C$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
net stop messenger
net stop netbios

I think this was part of a trojan call Trojan.VirtualRoot

Hope this helps

The batch file you described is a common problem on NT machines.

@echo off
net share /delete C$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$ /y
net stop messenger
net stop netbios

These commands disable the shares of the drives so other peoople cannot access your machine. The trouble is, a hacker already has, and is probably using your machine as a drone, or if you have a fast connection maybe an FTP server or an "xdcc bot" to serve illegal software at will. The hacker would have scanned your IP range, i.e. 127.0.*.*-127.0.255.255 for vunerable machines, yours being one of them if you find a similar batch file. the batch file is run to stop another hacker doing what the current hacker already has done, and stopping the other hacker from "re-hacking" his hacked server (your machine.) Some common programs used are: iroffer, servuftp, so do a seach on your drives for files such as servu* and/or servudaemon.ini which is the serv-u configuration file. Other files could be iroffer.exe, xscan.exe, firedaemon.exe, cygwin*.dll. these files may not neccessarily be suspicious but it is worth finding the folder if one of these files is found, as you will usually find the whole hacking kit, AKA "root kit". The illegal software is usually stored as RAR files, ( so a search of *.rar could show some interesting results. I also recommend you check C:\RECYCLER and C:\RECYCLED folders, these are hidden but if you type into explorer it shall navigate there, Hackers often store files here as it is unlikley for anyone to check here. I also recommend checking your system services for anything suspicious, you can do this from Control Panel > Administration Tools > Services.


To stop the shares disappearing, as posted before you should find the batch file which is erasing them, do a search IN files for "net share" string, should show some interesting results.

Hope this helps you understand a little more.

Thanks

Steve

Hi. I recently installed a wireless lan between my laptop and PC. Both are running W2K. I have this exact same problem, which is driving me craszy. The laptop is fine. The PC, however, is missing the IPC$ share. I can "net share ipc$" but it only stays for a short time before it disappears.

I've gone thru all the suggestions above, but can find no trace of any trojan, or the filenames mentioned. Also cant find any .bat file that removes the share.

AARRGGHH!! What do I do?

I'm having the same problem as ozmatey, though not with laptops. There is no virus and not .bat file, but I cannot keep IPC$ past a reboot. Any suggestions?

We have found that there is a backdoor trojan causing this issue. Ours was called Backdoor.SDBOT.** We found it using AVG found here Our corporate Panda did not find it. Hope this helps. It was masking an invalid realplayer.exe.

Cliff, CCNA/MCSE/MCSA 2000
Network Administrator

Thanks for the tip. We just created our own .bat file that would share the IPC$ at logon. Worked good. Then, thank God, our department broke down and upgraded.