Rootkits are a nightmare
After a week of chasing, removing, restoring, deleting, restoring again, and just generally cursing, I think that my server is now free of the rootkit that wouldn't die.
I'm not sure how it was getting in: the server is Windows 2003, patched with everything available, running Windows Defender and Windows firewall, and something was still getting in under the skin. There must be further unpatched holes out there, so be careful.
I've now got an external firewall running, so I'm not at the mercy of Windows itself. So far, so good!
The things that came in had a network service called H2K3, which didn't seem to be covered on the web anywhere. You can find it by starting a command prompt and typing NET STOP H2K3. If it's there, you will get a message saying that it's stopped. But that's not going to get rid of it.
Good places to look for dodgy stuff:
c:\windows\system32\dhcp
c:\windows\system32\dllcache
From a command prompt, change into each of these directories and run DIR /AH to list hidden files, then examine what comes back.
Also, I recommend grabbing a copy of FileMon from SysInternals, as you will see which files are being accessed, which is how I found the rootkit in the first place.
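The checks above (is the H2K3 service present, and what hidden files sit in those two directories) can be run in one pass from PowerShell rather than by hand. The following is an added example, not code from the original post; the service name H2K3 and the two directory paths are the ones the post names, everything else (signature checking, the listing format) is a generic triage step I have assumed would be useful. It sticks to cmdlets available in PowerShell 1.0/2.0, which is what Windows Server 2003 can run.

```powershell
# Added example (not from the original post): defender-side triage of the
# indicators the post describes. The service name H2K3 and the two directory
# paths come from the post; the rest is generic checking logic.

$serviceName = 'H2K3'
$suspectDirs = @('C:\Windows\System32\dhcp', 'C:\Windows\System32\dllcache')

# 1. Is the service registered, and which binary does it launch?
#    Get-WmiObject exists in PowerShell 1.0/2.0, the versions available
#    for Windows Server 2003, so no newer cmdlets are needed here.
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
    Write-Host "Service $serviceName present: state=$($svc.State) start=$($svc.StartMode)"
    Write-Host "  PathName: $($svc.PathName)"   # the file to collect and examine
} else {
    Write-Host "Service $serviceName not found"
}

# 2. Hidden files in the directories the post names.
#    -Force makes Get-ChildItem include hidden and system entries; the
#    Where-Object filter then keeps only files carrying the Hidden attribute.
foreach ($dir in $suspectDirs) {
    Write-Host "`n== Hidden files in $dir =="
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            # Authenticode status helps separate Microsoft-signed OS files from
            # dropped ones; an unsigned or invalid result is a lead, not proof.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            '{0,-40} {1,10} {2,-17} {3}' -f $_.Name, $_.Length,
                $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm'), $sig.Status
        }
}
```

Two caveats when reading the output. dllcache legitimately holds hundreds of hidden copies of system files, so sort on LastWriteTime and signature status rather than trying to eyeball names. And a kernel-mode rootkit can filter directory listings from PowerShell just as easily as from DIR, so an empty listing is not a clean bill of health; cross-check with a tool that watches file access (as the post does with FileMon) or with an offline scan of the disk.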
