Page 1 of 2

Argh- darn worm on a friend's computer.

Posted: 2006-02-15 02:31am
by Praxis
Okay, I've got a friend with a laptop running Windows 2000. I spent a few hours on the computer tonight. Internet Explorer won't view websites and acts as if it's offline, so I network-transferred the Firefox installer and used that. Worked fine.

Popups keep coming in Internet Explorer however.

I installed AVG and wiped out over 20 viruses. However, there's this one worm that keeps coming back. I was getting in a habit of deleting it so I kept hitting delete every time it popped up and ended up deleting some useful exe's including Easy CD Creator 5.0 Basic, a DVD player app, Windows Media Player, and QuickTime. I don't know if AVG is going haywire and randomly deleting stuff or if the virus is infecting all their programs.

I tried to kill internet explorer and delete the exe but it reappears immediately.

I tracked down a Windows 2000 Internet Explorer installer, but it doesn't seem to work, it can't get the files off Microsoft's server during installation.


Any help would be vastly appreciated.

Posted: 2006-02-15 03:03am
by Uraniun235
Technically, the machine is really compromised; if you can't root out that worm, it's entirely possible there's something buried even deeper within the system that could potentially give an attacker access to the system at some later date, or perhaps just screw everything over at a given date. Really, at this point, the most secure approach would be to reinstall Windows.

Failing that... have you tried running this stuff in Safe Mode?

Posted: 2006-02-15 03:09am
by Praxis
Nope, I'll try that. She'll drop the computer off again tomorrow and I'll give it another shot.

Here's the problem. She doesn't have the original restore disks, she lost them when she moved. I wouldn't feel guilty about getting and putting a cracked copy on her PC since she just lost the disks, except that I'm too afraid that she'll download a service pack and that'll kill the PC. So reinstalling Windows is out for now unless we can find restore disks for that system somewhere.

So if AVG keeps finding viruses in executables, it's wise to delete them, even if they are major programs? :(

Posted: 2006-02-15 03:19am
by Uraniun235
Hey, man, at some point you have to destroy the village in order to save it, know what I mean?

I'm not sure about a service pack killing a cracked version of Windows. I know it'll kill some activation cracks, but I've heard that volume license versions, even with keys marked as "leaked", will still update and work fine (although you have to use the auto updater, as the Windows Update website cries about the copy of Windows not being legit). Alternatively, other versions of Windows do not have that problem at all.

Posted: 2006-02-15 06:54am
by Xon
Once any computer has been infected with a worm or virus with administrator/root powers it is format & rebuild time.

Posted: 2006-02-15 07:40am
by Faram
ggs wrote:Once any computer has been infected with a worm or virus with administrator/root powers it is format & rebuild time.
Quite true, a rooted system cannot be trusted. Format and reinstall, but try to get all the patches on a cd and apply them before connecting to the network.

Posted: 2006-02-15 08:48am
by Naquitis
I can make only one suggestion short of just dumping the entire computer and forgetting about it. Try using more than one virus scanner, and especially try one that can still scan in MS-DOS. Windows 2000 had a serious error, where a user couldn't access MS-DOS easily, but a hacker still could. It caused problems. Try using Avast! (www.avast.com). From my experience, although it's a free one, it's a good virus scanner nonetheless. Try running them both at the same time. Doing so will allow for cross-examination (at the expense of some serious CPU power) and might root out that worm.

Posted: 2006-02-15 08:51am
by Netko
If it's a laptop it's possible there is a little sticker somewhere on the case with the serial, in which case you wouldn't need to use either the volume key or the crack. If you don't have non-cracked media or have the wrong kind (Pro while the key is for Home) it's pretty easy to find a CD image on any P2P network.

Oooops, just noticed this is concerning win2000, the point still stands tho.

Posted: 2006-02-15 09:43am
by phongn
Naquitis wrote:I can make only one suggestion short of just dumping the entire computer and forgetting about it. Try using more than one virus scanner, and especially try one that can still scan in MS-DOS. Windows 2000 had a serious error, where a user couldn't access MS-DOS easily, but a hacker still could. It caused problems.
No NT-based operating system contained MS-DOS, by design. There is the rescue console but it isn't designed to do very much.
Try using Avast! (www.avast.com). From my experience, although it's a free one, it's a good virus scanner nonetheless. Try running them both at the same time. Doing so will allow for cross-examination (at the expense of some serious CPU power) and might root out that worm.
Multiple virus scanners running simultaneously is not a good idea.

Posted: 2006-02-15 10:47am
by Tokaji Kyoden
Once any computer has been infected with a worm or virus with administrator/root powers it is format & rebuild time.
They can still be salvaged. Just when you run all the cleaning programs make sure you turn off system restore first; this is a critical step. A lot of malware can restart itself from sys restore. And if you have a self-replicating virus, then the best way to attack it is in safe mode obviously, and again make sure sys restore is off. Depending on how much you know about computers, you can identify the viral process and cut it from the registry first, then get rid of it from the rest of the computer.
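The "identify the viral process and cut it from the registry" step above, as an added example that is not part of the thread: a small Python triage script for the Run / RunOnce / RunServices autostart keys. It assumes you exported the keys from the suspect machine with regedit (for example `regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"`), that you review the output offline, and that the allowlist of known-good executables is your own. The sample export, the entry names in it, and the allowlist are constructed here for illustration and are not signatures for any real malware; REG_EXPAND_SZ values (shown as `hex(2):` in an export) are skipped.

```python
"""Triage autostart entries from a regedit export (added example, not from the thread).

Parses the text of a .reg export, lists every value under the autostart keys,
splits them into known-good and suspect by executable path, and writes a .reg
fragment that deletes the suspect values once you have reviewed them.
"""
import re

# Autostart subkeys as they appear in an export, under HKLM or HKCU.
AUTOSTART_RE = re.compile(
    r"^\[(?P<key>HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?)\]$",
    re.IGNORECASE,
)
# "Name"="C:\\Path\\prog.exe /flag"  (REG_SZ only; backslashes and quotes are escaped)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (one regex pass, so order cannot bite)."""
    return re.sub(r"\\(.)", r"\1", s)


def escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def exe_path(command):
    """Return the executable part of a command line, lower-cased (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    return command.split(" ", 1)[0].lower()


def parse_autostart(reg_text):
    """Return (key, value_name, command) for every REG_SZ value under an autostart key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = AUTOSTART_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if line.startswith("["):        # some other key: stop collecting
            current = None
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)         # hex(2):... lines do not match and are skipped
        if v:
            entries.append((current, unescape(v.group("name")), unescape(v.group("data"))))
    return entries


def triage(reg_text, known_good):
    """Split entries into (keep, suspect) by comparing the executable path to an allowlist."""
    good = {p.lower() for p in known_good}
    keep, suspect = [], []
    for entry in parse_autostart(reg_text):
        (keep if exe_path(entry[2]) in good else suspect).append(entry)
    return keep, suspect


def removal_reg(entries):
    """Build a .reg fragment that deletes the given values ("Name"=- is regedit's delete syntax).

    Save it as UTF-16 LE (regedit 5 format) before merging it on the box.
    """
    out = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for key, name, _cmd in entries:
        by_key.setdefault(key, []).append(name)
    for key in sorted(by_key):
        out.append(f"[{key}]")
        out.extend(f'"{escape(name)}"=-' for name in by_key[key])
        out.append("")
    return "\n".join(out)


# Constructed sample export; the two "suspect" names below are invented, not real malware.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Synchronization Manager"="mobsync.exe /logon"
"sysupdate"="\"C:\\WINNT\\system32\\example_unknown.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"tempdrop"="C:\\WINNT\\Temp\\tempdrop.exe"
'''

# Allowlist is yours to maintain; these two are assumed good for the sample only.
KNOWN_GOOD = {r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe", "mobsync.exe"}

if __name__ == "__main__":
    keep, suspect = triage(SAMPLE_EXPORT, KNOWN_GOOD)
    for key, name, cmd in suspect:
        print(f"SUSPECT  {key}\\{name} = {cmd}")
    print(removal_reg(suspect))
```

Run it against a real export only after reading the suspect list by hand: a legitimate program with an unusual path lands in `suspect` just as readily as a worm, which is the point of producing a deletion fragment for review rather than deleting anything directly.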

Posted: 2006-02-15 10:59am
by Argosh
You could get some help/advice from HijackThis! thread.

Posted: 2006-02-15 11:10am
by Faram
Tokaji Kyoden wrote:They can still be salvaged. Just when you run all the cleaning programs make sure you turn off system restore first; this is a critical step. A lot of malware can restart itself from sys restore. And if you have a self-replicating virus, then the best way to attack it is in safe mode obviously, and again make sure sys restore is off. Depending on how much you know about computers, you can identify the viral process and cut it from the registry first, then get rid of it from the rest of the computer.
nope sorry.

When a rootkit is installed on a computer it is beyond redemption. You cannot trust any information provided from any tool, perhaps with a slight exception for Rootkit Revealer.

But as a rule any computer found compromised by a virus, trojan or rootkit, pick your poison, is an untrusted system and it should be reinstalled.

Posted: 2006-02-15 11:31am
by Praxis
I'll take a look when she brings the laptop back over, but I clearly recall a "Made for Windows XP" sticker and a serial key underneath. I have Windows XP Pro and a friend with XP Home- IF there is indeed a Windows XP CD key underneath the laptop, I should have no problem installing any copy of Windows XP and using that key, correct?

Do I just burn the WINNT folder and reinstall Windows, or will it be necessary to completely format (which will kill the software that shipped with her PC for CD creation and other stuff)? Or, after I toast every single file the virus is in through Safe Mode in Windows 2000 and run every remover utility I can find, is it safe to Upgrade so she doesn't lose her registry settings (possibly messing up some programs like TurboTax or Easy CD Creator)?

Posted: 2006-02-15 11:39am
by SCRawl
Praxis wrote:I'll take a look when she brings the laptop back over, but I clearly recall a "Made for Windows XP" sticker and a serial key underneath. I have Windows XP Pro and a friend with XP Home- IF there is indeed a Windows XP CD key underneath the laptop, I should have no problem installing any copy of Windows XP and using that key, correct?

Do I just burn the WINNT folder and reinstall Windows, or will it be necessary to completely format (which will kill the software that shipped with her PC for CD creation and other stuff)?
You want to be sure? Nuke it from orbit. Do a low-level format on the drive before re-installing Windows. CD burning software is easy to find.

Also: my experience with XP is minimal, but won't there be a problem getting it initialized if you're using an already-used key? I mean, it'll be fine for 30 days and all, but if you want to use it beyond that....

Posted: 2006-02-15 11:41am
by Praxis
SCRawl wrote:
Praxis wrote:I'll take a look when she brings the laptop back over, but I clearly recall a "Made for Windows XP" sticker and a serial key underneath. I have Windows XP Pro and a friend with XP Home- IF there is indeed a Windows XP CD key underneath the laptop, I should have no problem installing any copy of Windows XP and using that key, correct?

Do I just burn the WINNT folder and reinstall Windows, or will it be necessary to completely format (which will kill the software that shipped with her PC for CD creation and other stuff)?
You want to be sure? Nuke it from orbit. Do a low-level format on the drive before re-installing Windows. CD burning software is easy to find.

Also: my experience with XP is minimal, but won't there be a problem getting it initialized if you're using an already-used key? I mean, it'll be fine for 30 days and all, but if you want to use it beyond that....
It would be the key for the copy of XP that shipped with the computer, I doubt anyone else would be using it.

Posted: 2006-02-15 12:55pm
by Glocksman
If your copy of XP is an OEM CD, it should install fine.
If it's a retail copy, they use different serials and it'll bail during install.
I have an XP Home OEM CD for my Dell and an XP Pro OEM for my HP/Compaq machine.
Since she lost the recovery disk, if it's one of those brands it should be legal for me to send you a copy if that'd help.

Posted: 2006-02-15 02:46pm
by Naquitis
phongn wrote:
Naquitis wrote:I can make only one suggestion short of just dumping the entire computer and forgetting about it. Try using more than one virus scanner, and especially try one that can still scan in MS-DOS. Windows 2000 had a serious error, where a user couldn't access MS-DOS easily, but a hacker still could. It caused problems.
No NT-based operating system contained MS-DOS, by design. There is the rescue console but it isn't designed to do very much.
Hmmm well seeing as how I'm running 2k right now and I have a DOS window up, I beg to differ. :?
phongn wrote:
Try using Avast! (www.avast.com). From my experience, although it's a free one, it's a good virus scanner nonetheless. Try running them both at the same time. Doing so will allow for cross-examination (at the expense of some serious CPU power) and might root out that worm.
Multiple virus scanners running simultaneously is not a good idea.
It's risky, but it has helped me before; you just have to be careful to make sure that they both function correctly together. Some do, some don't. I know that Norton and McAfee don't.

Posted: 2006-02-15 02:57pm
by Naquitis
Naquitis wrote:
phongn wrote:
Naquitis wrote:I can make only one suggestion short of just dumping the entire computer and forgetting about it. Try using more than one virus scanner, and especially try one that can still scan in MS-DOS. Windows 2000 had a serious error, where a user couldn't access MS-DOS easily, but a hacker still could. It caused problems.
No NT-based operating system contained MS-DOS, by design. There is the rescue console but it isn't designed to do very much.
Hmmm well seeing as how I'm running 2k right now and I have a DOS window up, I beg to differ. :?
Hmm, well after rereading my statement, I think I need to rephrase what I said earlier. Every Windows operating system has DOS in it; although it might not use it, they all have it. Now with some serious skill, there are hackers out there who can push DOS to the top of the BIOS boot, and cause the system to run off of DOS for long enough for a worm to be placed into the system. Basically saying that, a normal everyday user may not be able to get to DOS, but a well-weathered hacker can. There are virus scanners that can scan the lower levels of DOS for those exact viruses (or should I say Virui?). That was what I was referring to.

Posted: 2006-02-15 03:02pm
by Ace Pace
Faram wrote:
ggs wrote:Once any computer has been infected with a worm or virus with administrator/root powers it is format & rebuild time.
Quite true, a rooted system cannot be trusted. Format and reinstall, but try to get all the patches on a cd and apply them before connecting to the network.
I know how to create an SP2 integrated disc, but how do I add the fixes?

Posted: 2006-02-15 03:10pm
by SCRawl
Destructionator XIII wrote:
SCRawl wrote: Do a low-level format on the drive before re-installing Windows.
This is a nitpick, but it is not a low-level format, it is simply a regular format you want to do. You should never low-level format a modern hard drive at all.
Yeah, mea culpa. I figured that that was the best way to make sure that nothing would survive, but when I researched it a bit and found that even the manufacturers say "don't do it", well, that's enough for me. A high-level format it is, then.

Posted: 2006-02-15 06:31pm
by Praxis
Running AVG in Safe mode, 194 viruses so far. Almost every single one is Worm/Bobax.AD in various places, except a couple Downloader.Generic.QVR trojans.

It's in dozens of programs, including Office, Encarta, etc.

Posted: 2006-02-15 06:59pm
by Xon
Tokaji Kyoden wrote:They can still be salvaged. Just when you run all the cleaning programs make sure you turn off system restore first, this is a critical step. A lot of malware can restart itself from sys restore. And if you have a self replicating virus, then the best way to attack it is in safe mode obviously, and again make sure sys restore is off. Depending on how much you know about computers, you can identify the viral process and cut it from the registry first, then get rid of it from the rest of the computer.
Once a system has been rooted, the only way to ensure a complete recovery is a format & reinstall.

There is no other choice at all. Once a box is rooted, the only way to clean the box is from outside it. You cannot clean a box from inside and be guaranteed to actually clean it.
Naquitis wrote:Hmmm well seeing as how I'm running 2k right now and I have a DOS window up, I beg to differ. :?
This "DOS window" is either a 16-bit application which shares a lot of code with DOS's command.com but is not the same.

It is an application, not a part of the OS. It cannot do anything the user cannot do.

Or it is a 32-bit application called cmd.exe, but the same concepts still apply.

It is vastly easier to back up any required files (no exes) and just format the damn thing.
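The "back up any required files (no exes) and just format the damn thing" step above, as an added example that is not part of the thread: a Python script that copies a user's data tree while leaving executables behind, and writes a SHA-256 manifest so the copy can be verified after the rebuild. It generalizes "no exes" slightly to the other extensions a file-infecting worm can live in or be launched from (.dll, .scr, .pif, .com, .bat, .cmd, .vbs, .js, .ocx, .sys, .cpl); that extension list, the sample tree built by `demo()`, and its file names and contents are constructed for illustration.

```python
"""Back up a user's data while leaving executables behind (added example, not from the thread).

backup_data() walks a source tree, copies every file whose extension is not on
EXECUTABLE_EXTS into a destination tree, and records a SHA-256 manifest.
verify_backup() re-hashes the copy so you can check it before wiping the disk.
"""
import hashlib
import os
import shutil
import tempfile

# Assumed list of extensions to leave behind: reinstall these from trusted media
# rather than restoring them from a compromised box.
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".ocx", ".sys", ".cpl"}


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_data(src, dst):
    """Copy non-executable files from src to dst; return (manifest, skipped).

    manifest maps relative path -> sha256 of the copy; skipped lists what was left behind.
    """
    manifest, skipped = {}, []
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                skipped.append(rel)
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)          # keeps timestamps, useful for the user later
            manifest[rel] = sha256_file(target)  # hash the copy, not the source
    with open(os.path.join(dst, "MANIFEST.sha256"), "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")
    return manifest, skipped


def verify_backup(dst, manifest):
    """Re-hash every copied file; return the relative paths that no longer match."""
    return [rel for rel, digest in manifest.items()
            if sha256_file(os.path.join(dst, rel)) != digest]


def demo():
    """Build a constructed sample tree in temp dirs, back it up, verify, and clean up."""
    src = tempfile.mkdtemp(prefix="src_")
    dst = tempfile.mkdtemp(prefix="dst_")
    sample = {                                   # constructed contents, not real files
        "My Documents/taxes2005.tax": b"tax return data",
        "My Documents/letter.doc": b"\xd0\xcf\x11\xe0 word doc",
        "Program Files/Roxio/creator.exe": b"MZ infected program",
        "WINNT/system32/Setup.dll": b"MZ library",
        "Desktop/photo.jpg": b"\xff\xd8\xff jpeg",
    }
    for rel, data in sample.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest, skipped = backup_data(src, dst)
    mismatched = verify_backup(dst, manifest)
    shutil.rmtree(src)
    shutil.rmtree(dst)
    return manifest, sorted(skipped), mismatched


if __name__ == "__main__":
    manifest, skipped, mismatched = demo()
    print("copied:", sorted(manifest))
    print("left behind:", skipped)
    print("mismatched after verify:", mismatched)
```

On the real machine, point `backup_data()` at the profile directory (Documents, Desktop, Favorites, mail stores) with the destination on removable media, keep `MANIFEST.sha256` with the copy, and run `verify_backup()` from the freshly rebuilt system before trusting the restore. Documents are not executables, but they are still untrusted input from a compromised box; the manifest proves the copy is intact, not that the contents are clean.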

Posted: 2006-02-15 08:15pm
by Naquitis
Destructionator XIII wrote:
Naquitis wrote:Hmmm well seeing as how I'm running 2k right now and I have a DOS window up, I beg to differ. :?
That isn't a DOS window, that is the NT command shell. A similar user interface, but entirely different under the hood.
No, I'm talking DOS. It's on every system, but I know that on XP you can't access it unless from the outside, but the issue doesn't matter anymore.

Posted: 2006-02-15 08:44pm
by phongn
Naquitis wrote:No, I'm talking DOS. It's on every system, but I know that on XP you can't access it unless from the outside, but the issue doesn't matter anymore.
No, DOS does not and has not existed on NT-based operating systems at any time. You are either confusing it with something else or are running a FAT32 boot partition with DOS installed alongside (perhaps from Windows 98)

Posted: 2006-02-15 08:54pm
by Naquitis
phongn wrote:
Naquitis wrote:No, I'm talking DOS. It's on every system, but I know that on XP you can't access it unless from the outside, but the issue doesn't matter anymore.
No, DOS does not and has not existed on NT-based operating systems at any time. You are either confusing it with something else or are running a FAT32 boot partition with DOS installed alongside (perhaps from Windows 98)
Yes it does, but as I said, drop it. I've accessed DOS from a remote computer many times before. It's buried in the crosshairs of Windows, because Microsoft never makes a new OS, they just stack onto the previous one. 2000 is a stack from 98 and NT4. It's disabled access for the simple user, but with some hacking skills you can find it.