Re: win2000 has spyware, can I logon with console repair and delete files to

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/17/05


Date: Sun, 16 Jan 2005 22:58:30 -0600

Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts, not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular use Process Explorer, TCPView, and Autoruns. PE
can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very suspicious
of any process [ that has a path to a file] that does not show a publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what executable is
using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

"Bradley1234" <someone@yahoo.com> wrote in message
news:jRAGd.957$J6.834@trnddc02...
> Hey thanks for that Steven. I'm checking those websites now.
>
> The laptop was super duper infected. (is that the right way to say it?) I
> would start with dir a*.exe
>
> then let it show the exe names, and since I've used DOS a lot over the years
> rather than spend time in a useful way, like at the beach, the odd named
> ones I typed in and would delete spyware ones.
>
> But then I couldn't get into the registry manually, the regsvr32 /u
> "filename" wouldn't work, in fact regsvr32 shows in the directory but won't
> execute at all
>
> I had downloaded the trendmicro virus scan thing you mentioned the night it
> happened. the download took almost an hour and it was so bad that one mouse
> click took at least 30 seconds to have any effect.
>
> doing ctrl/alt/del gets the control screen thing (windows2000 pro) after 5
> seconds, but click on task manager would cause that box to disappear and
> nothing would happen, well except the disk would be going full speed at
> something.
>
> I was going to start it up and see what happened, but the most bad .exe and
> .dll files I found, and the fact I cannot unregister them, or even find
> where the registry is at? (under a limited dos prompt) I put the original
> win2000 CD in there and am fixing it manually.
>
> It would report: hey dude, this isn't the original NTOSKRNL32 that I put in
> here originally, what's up with that? should I like, replace it or what? and
> I said do it
>
> then it said this file and that file and.... so I clicked all and it just
> finished updating and is rebooting win2000. let's see what it does now...
>
> it's booting very slowly, now there is an arrow against the blue screen, now
> it's starting up, now an hourglass, applying security policy... I can check
> the football score and get some coffee while I'm waiting... okay it's asking
> for my old password to logon? okay, let's see, just an arrow against blue,
> super slow
>
> now it drew a box to load personal settings, took 1 second to draw the box,
> lines filled now the music, some disk activity, now it's drawing the desktop,
> but why is it going so slow? it's a p3 at 450... now arrow and hourglass,
> disk chugging
>
> clicks take a very long time, ctrl/alt/del and task manager? hmm nothing is
> happening, now it's running trend micro virus scan...
>
> it only found 1 virus, 00004146.exe
>
> now let's look at add/remove programs
>
> BullsEye Network
> Silicon Motion display driver
> WebRebates (by TopRebates.com)
> Winad Client
> Windows SR 2.0
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uLBr35$%23EHA.4072@TK2MSFTNGP10.phx.gbl...
>> The best way is to use tools such as AdAware or the beta version of
>> Microsoft's spyware remover AND to scan your computer with your antivirus
>> program being sure to update its definition files first. The new MS product
>> has a "protect" mode to help prevent spyware installation. I have had pretty
>> good luck with it and it is available at the link below. Normally you do not
>> need to reinstall the operating system unless your antivirus program finds
>> significant problems with malware such as trojans, worms, and viruses
>> indicating a highly compromised system that may also have undetectable back
>> doors such as root kits installed on it. --- Steve
>>
>> http://www.microsoft.com/athome/security/spyware/software/default.mspx
>> http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce parasites
>> [spyware, adware, hijacks]
>>
>> "Bradley1234" <someone@yahoo.com> wrote in message
>> news:58yGd.5570$c%6.4380@trnddc03...
>> > delete files to wipe out the spybot stuff?
>> >
>> > it's my laptop, the first time I used it at a hotel on business, the room
>> > thing said to visit this website, click OK and YES to every question, then
>> > enjoy the internet.
>> >
>> > Guess what? It was saying yes to upload spyware and trojans into my
>> > computer.
>> >
>> > I contacted the hotel and they played innocent saying we don't know, it's a
>> > secure and safe service, you must have visited "bad" sites or something.
>> > It was my first experience with spyware/spybot stuff, going to add/remove
>> > programs, it showed 3 or 4 which I tried to remove, it said please answer
>> > these questions and forward them to us: why do you want to uninstall? 1.
>> > system too slow 2. don't like popups
>> > etc...
>> >
>> > So my question is, now I'm going to fix my laptop, used the win2000 CD to
>> > boot up and have a console prompt. Is there a common way you know about to
>> > delete the spyware bugs and fix the install? Do I have to delete all and
>> > start over? Use the disk utility to write all zeros?
>> >
>> > thanks in advance
>> >
>> >
>>
>>
>
>
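A present-day equivalent of the three checks Steve describes above (the publisher check in Process Explorer, startup entries in Autoruns, and port-to-process mapping in TCPView), written as an added PowerShell example for this thread rather than anything posted in it. It assumes a Windows 8 / Server 2012 or later host (Get-NetTCPConnection does not exist on Windows 2000) and only reads the Run/RunOnce keys, a small subset of what Autoruns inspects.

```powershell
# Added triage script, not from the thread. Approximates the three manual
# checks above with built-in cmdlets: processes whose image has no valid
# publisher signature (Process Explorer), common Run keys (a subset of what
# Autoruns covers), and listening ports mapped to their executable (TCPView).
# Assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection.

# 1. Running processes whose executable lacks a valid Authenticode signature.
$unsigned = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Pid    = $_.Id
            Name   = $_.ProcessName
            Path   = $_.Path
            Status = $sig.Status   # NotSigned, HashMismatch, UnknownError, ...
        }
    }
}
$unsigned | Format-Table -AutoSize

# 2. Startup entries from the per-machine and per-user Run/RunOnce keys.
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run"
    "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
$autoruns | Format-Table -AutoSize

# 3. Listening TCP ports and the process/executable that owns each.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        Pid       = $_.OwningProcess
        Process   = $proc.ProcessName
        Path      = $proc.Path
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Run it from an elevated prompt so that protected processes and the HKLM keys are readable; a Status of NotSigned or HashMismatch is a lead to investigate, not proof of infection, since many legitimate older programs ship unsigned.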


