Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware on new win2000 installation

Started by billingsgate , Nov 25 2005 10:57 PM

  • Please log in to reply

#1
billingsgate
Posted 25 November 2005 - 10:57 PM

billingsgate

    Member

  • Member
  • PipPip
  • 13 posts
Hi. I have an odd situation here. Yesterday I installed a friend's obsolete copy of Windows 2000 (in order to run a program that doesn't support my old (preferred) win98se). I also installed the SP4 update (downloaded from microsoft's webpage prior to installation of win2000). Remarkably I had no dramas installing win2000, all drivers in place for a change! But when I logged on to the internet (dial-up, 56k, external modem) I was innundated with pop-ups before I'd even had the chance to enter my first URL (even the microsoft page hadn't fully loaded yet). These pop-ups are all of the "Your registry is corrupted!!! Download www.RegistryScanGold.com" variety. I doubt they were there before the installation as I formatted the unpartioned c:. I've undertaken the steps recommended prior to posting a Hijack This logfile (to the best of my ability anyway, I think I've done it correctly) to no avail. Sorry I haven't put the program with which I'm having difficulty in the title but I'm not sure which it is. Anyway, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:22 PM, on 26/11/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{00C0E5CF-F080-4749-83B1-D73E92A278C3}: NameServer = 203.194.56.150 203.194.27.57
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe



Any help given will be greatly appreciated.

Ben.

EDIT: After playing around I've been able to narrow down the source of infection down to the following two items: my Windows 2000 Professional installation disc or the SP4 upgrade (downloaded from microsoft directly). Neither of these options really make any sense to me but I've installed these on another system and the problem persists and they are the only things the two systems have in common.

Edited by billingsgate, 26 November 2005 - 11:26 PM.

  • 0

Advertisements

#2
Danny
Posted 27 November 2005 - 05:10 PM

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

These popups are probably from Windows Messenger.

To disable it:

Click "Start --> Run" and type services.msc.

Look for a service with the name Messenger and double-click it.

Then click "Stop" and make the startup type as "Disabled"

See if that helps.

Danny :tazz:
  • 0

#3
billingsgate
Posted 28 November 2005 - 05:17 AM

billingsgate

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi, Danny.

Thanks for your help. Followed your directions a few hours ago - not a single pop-up. Thanks a lot!

Now, can you do anything about how stupid I feel for having done several re-installations on two machines (not to mention 4 downloads of the entire SP4 upgrade)? lol

Just out of interest, how does something like this occur when a system has not even been online yet?

Thanks again.

Ben
  • 0

#4
Danny
Posted 28 November 2005 - 05:36 AM

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi billingsgate,

There are just regular spambots, just scanning random IPs to see if Messenger service is enabled. Microsoft says its a "feature"!

Danny :tazz:
  • 0

#5
Wizard
Posted 28 November 2005 - 07:41 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hey billingsgate,

You have just experienced what happens when a user accesses the Internet with a Windows Operating System that is Unpatched and has No AV or Firewall installed! :tazz:


My suggestion is to never install a OS unless you bought it.

Never access the Internet with an Unprotected System,a simple Security Suite would have prevented what you experienced.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP