Malware on new win2000 installation



#1 billingsgate (Member, 13 posts)
Hi. I have an odd situation here. Yesterday I installed a friend's obsolete copy of Windows 2000 (in order to run a program that doesn't support my old (preferred) Win98SE). I also installed the SP4 update (downloaded from Microsoft's web page prior to installation of Win2000). Remarkably I had no dramas installing Win2000, all drivers in place for a change! But when I logged on to the internet (dial-up, 56k, external modem) I was inundated with pop-ups before I'd even had the chance to enter my first URL (even the Microsoft page hadn't fully loaded yet). These pop-ups are all of the "Your registry is corrupted!!! Download www.RegistryScanGold.com" variety. I doubt they were there before the installation as I formatted the unpartitioned C:. I've undertaken the steps recommended prior to posting a HijackThis logfile (to the best of my ability anyway, I think I've done it correctly) to no avail. Sorry I haven't put the program with which I'm having difficulty in the title but I'm not sure which it is. Anyway, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:22 PM, on 26/11/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe



Any help given will be greatly appreciated.

Ben.

EDIT: After playing around I've been able to narrow the source of infection down to one of the following two items: my Windows 2000 Professional installation disc or the SP4 upgrade (downloaded from Microsoft directly). Neither of these options really makes any sense to me, but I've installed these on another system and the problem persists, and they are the only things the two systems have in common.

Edited by billingsgate, 26 November 2005 - 11:26 PM.
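The log in the first post has none of the usual browser-hijack indicators: no O1 hosts-file entries, no O2 Browser Helper Objects, two ordinary O4 autoruns, and the same pair of O17 NameServer addresses in both control sets, which is what a dial-up ISP's resolvers look like. Establishing that is the first step before looking elsewhere, as the thread goes on to do. The following Python is an added example, not code from the thread or from HijackThis itself, that performs that first pass mechanically. THREAD_LOG is the log posted above; ISP_RESOLVERS assumes its two NameServer addresses are the poster's ISP resolvers (a real triage would confirm that with the ISP); CONSTRUCTED_LOG, its GUID and its paths are made up to show what a hijacked machine's entries would trigger.

```python
"""First-pass triage of a HijackThis 1.99 log (added example, not HijackThis code).

THREAD_LOG is the log from the post above. ISP_RESOLVERS is an assumption:
that the two NameServer addresses in it belong to the poster's ISP.
CONSTRUCTED_LOG is invented (TEST-NET addresses, made-up paths and GUID).
"""
import re
from collections import defaultdict

# HijackThis line prefixes checked here and what they report.
MEANING = {
    "O1": "hosts-file redirect",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O17": "TCP/IP NameServer override",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

ISP_RESOLVERS = {"203.194.56.150", "203.194.27.57"}  # assumed to be the ISP's

THREAD_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

# Constructed: the entries a hosts/DNS hijack plus a rogue autorun would leave.
CONSTRUCTED_LOG = r"""
O1 - Hosts: 192.0.2.10 www.example.com
O4 - HKLM\..\Run: [regscan] C:\Documents and Settings\Ben\regscan.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""


def parse_hjt(text):
    """Split a log into ({prefix: [entry, ...]}, [running process paths])."""
    entries, processes = defaultdict(list), []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
        elif PROC_RE.match(line):
            processes.append(line)
    return entries, processes


def triage(text, expected_resolvers, trusted_dirs=(r"c:\winnt", r"c:\program files")):
    """Return [(prefix, reason, entry)] for the indicators checked here.

    An empty list means none of these indicators are present, not that the
    machine is clean; it is the cue to look beyond the browser.
    """
    entries, processes = parse_hjt(text)
    findings = []
    for e in entries["O1"]:
        findings.append(("O1", MEANING["O1"], e))
    for e in entries["O2"]:
        findings.append(("O2", MEANING["O2"], e))
    for e in entries["O17"]:
        bad = [ip for ip in IP_RE.findall(e) if ip not in expected_resolvers]
        if bad:
            findings.append(("O17", MEANING["O17"] + " to " + " ".join(bad), e))
    for e in entries["O4"]:
        target = e.split("] ", 1)[-1].lower()  # command after the "[Name] " label
        if "\\" in target and not target.startswith(trusted_dirs):
            findings.append(("O4", MEANING["O4"] + " outside trusted dirs", e))
    for p in processes:
        if not p.lower().startswith(trusted_dirs):
            findings.append(("PROC", "process outside trusted dirs", p))
    return findings
```

Run against the posted log, triage() returns nothing; against the constructed log it flags the hosts redirect, the autorun outside the Windows and Program Files directories, and the NameServer pointing at an address outside the allow-list. The allow-list is the part that needs local knowledge: an O17 entry is only suspicious relative to the resolvers the connection is supposed to use.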



#2 Danny (Visiting Staff, 684 posts)
Hi,

These popups are probably from Windows Messenger.

To disable it:

Click "Start --> Run" and type services.msc.

Look for a service with the name Messenger and double-click it.

Then click "Stop" and set the startup type to "Disabled".

See if that helps.

Danny

#3 billingsgate (Topic Starter, Member, 13 posts)
Hi, Danny.

Thanks for your help. Followed your directions a few hours ago - not a single pop-up. Thanks a lot!

Now, can you do anything about how stupid I feel for having done several re-installations on two machines (not to mention 4 downloads of the entire SP4 upgrade)? lol

Just out of interest, how does something like this occur when a system has not even been online yet?

Thanks again.

Ben

#4 Danny (Visiting Staff, 684 posts)
Hi billingsgate,

These are just regular spambots, scanning random IPs to see if the Messenger service is enabled. Microsoft says it's a "feature"!

Danny
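As an added example, not part of the thread: the scanning Danny describes shows up in a perimeter or host firewall log as many unrelated source addresses sending inbound packets to the ports the Messenger service is reachable on (RPC over UDP 135, 137 and 138, and TCP 135, 139 and 445; the advertising tools overwhelmingly used UDP 135). The Python below groups such probes by source and applies that "many unrelated sources" heuristic. The log format and the addresses in SAMPLE_LOG are constructed (TEST-NET ranges); LINE_RE would be adapted to a real firewall's output.

```python
"""Spot Messenger-service ("net send") popup spam in a firewall log.

Added example, not from the thread. SAMPLE_LOG and its key=value format are
constructed; adapt LINE_RE to the firewall actually in use.
"""
import re
from collections import defaultdict

# Ports on which the Messenger service accepts RPC messages.
MESSENGER_PORTS = {("udp", 135), ("udp", 137), ("udp", 138),
                   ("tcp", 135), ("tcp", 139), ("tcp", 445)}

LINE_RE = re.compile(
    r"dir=(?P<dir>in|out) proto=(?P<proto>udp|tcp) src=(?P<src>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample: four unrelated sources probing UDP 135/137, plus noise.
SAMPLE_LOG = """\
dir=in proto=udp src=198.51.100.7 dport=135 action=allow
dir=in proto=udp src=198.51.100.8 dport=135 action=allow
dir=in proto=udp src=198.51.100.7 dport=135 action=allow
dir=in proto=tcp src=203.0.113.4 dport=80 action=deny
dir=in proto=udp src=203.0.113.21 dport=137 action=allow
dir=out proto=tcp src=10.0.0.2 dport=80 action=allow
dir=in proto=udp src=192.0.2.33 dport=135 action=deny
"""


def messenger_probes(log_text):
    """Return {src_ip: count} of inbound packets aimed at Messenger ports."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dir"] != "in":
            continue
        if (m["proto"], int(m["dport"])) in MESSENGER_PORTS:
            hits[m["src"]] += 1
    return dict(hits)


def passed_through(log_text):
    """Sources whose Messenger-port packets were allowed, i.e. reached the host."""
    allowed = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if (m and m["dir"] == "in" and m["action"] == "allow"
                and (m["proto"], int(m["dport"])) in MESSENGER_PORTS):
            allowed.add(m["src"])
    return allowed


def looks_like_popup_spam(log_text, min_sources=3):
    """Many unrelated sources probing these ports is the scan/spam pattern;
    a single peer hitting 445 repeatedly is more likely ordinary file sharing."""
    return len(messenger_probes(log_text)) >= min_sources
```

On the host itself, the command-line equivalent of the services.msc steps in post #2 is `net stop Messenger` followed by `sc config Messenger start= disabled`; blocking the ports above inbound at a firewall stops the probes before they reach the service at all, and that is why a machine that is patched but unfirewalled still shows the popups.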

#5 Wizard (Retired Staff, 5,661 posts)
Hey billingsgate,

You have just experienced what happens when a user accesses the Internet with a Windows operating system that is unpatched and has no AV or firewall installed!


My suggestion is to never install an OS unless you bought it.

Never access the Internet with an unprotected system; a simple security suite would have prevented what you experienced.