StarDestroyer.Net BBS

Hey guys, I'm over at my friend's house, trying to trouble shoot his comp. He's got an array of shit that I'm pretty sure is haXored. For instance, trying to use CTRL ALT DEL to bring up the task manager gets you no where, it closes in a bout two secs. Same thing with regedit, it stays up, and then is gone. It will disappear even if you're fast enough to click on it and move it about the screen. I think he's got some sever scripting here. I've already used hijackthis to clear out alot of hte spyware and other problems it fixs.

Ideas on where to go from here?

Disconnect it from any internet stuff?

One thing to do is to deliberately put subseven trojan on and access it to see if it picks up any other hax0r stuff is running on it. Be sure to remove it when you're done though.

See if there's stuff like winvnc or netop or that kind of utility running...

Tried disconnecting and then trying to acess the task manager or regedit, it's still fucked. I'm patching his windows, and I'm gonna see where to go from there, if it's still all scripted.

Reformat.

Boot into Safe Mode and start examining his computer, preferably while disconnected.

Reformatting is a bit drastic right now. However, if a rootkit's been installed it may be your only solution. Get all the patches you'll need, burn them on CD and then chain-install them (Microsoft has a tool to properly do that) before hooking it up on the Internet. Then firewall him.

phongn, what were the commands to boot to safe mode? I can't recall of the top of my head.

Lord_Xerxes wrote:phongn, what were the commands to boot to safe mode? I can't recall of the top of my head.

If you restart while it's booting up (around the windows loading screen) you should get a "windows did not load up properly" then the options of:
"safe mode
safe mode with networking,
safe mode with command,
startup normally,
last known good configuration"

Just choose the appropriate safe mode.

EDIT: assuming this is xp

I downloaded and ran AVG to scan for viruses on his computer. This HAS to be a record.

43.

I shit you not.

It fixed all but one, I'm gonna check the symmantec site for info on it, and if there's a way to get rid of it.

(BTW, CTRL ALT DEL, or right clicking the right corner of hte taskbar to get the Task Manager up still doesn't work. Regedit still doesn't either. It must be this last one that was immune to AVG's healing and isolation.)

43 is bad but not the worst I have seen buy a longshot...

The things you see as a "addidas helprunner" called so because we had a pair of addidas and allways in a hurry. Man that work sucked.

Goddamn that computer's fucked. At this point, I would almost recommend nuking it.

Holy shit! How does one get their computer that fucked up without trying? And I thought mine was in trouble last night when a crash fucked up the registry....

Lord_Xerxes wrote:I downloaded and ran AVG to scan for viruses on his computer. This HAS to be a record.

43.

I shit you not.

Some people are too stupid to have computers