win2000 has spyware, can I logon with console repair and delete files to

[Bradley1234]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the room
thing said to visit this website, click OK and YES to every question, then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know, its a
secure and safe service, you must have visited "bad" sites or something.
It was my first experience with spyware/spybot stuff, going to add/remove
programs, it showed 3 or 4 which I tried to remove, it said please answer
these questions and forward them to us: why do you want to uninstall? 1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000 CD to
boot up and have a console prompt. Is there a common way you know about to
delete the spyware bugs and fix the install? Do I have to delete all and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Bradley1234]

What Im trying now is to delete bad .exe files in the system32 directory.
ONes I didnt recognize, just type into a google search and it will say if
its a virus or not, cool.

But one file is named:


?hkntfs.exe

and the dos prompt refuses to let me change attributes or delete it. Anyone
know of how to zap a file that starts with the question mark symbol? from
dos?

 

[Steven L Umbach]

The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS product
has a "protect" mode to help prevent spyware installation. I have had pretty
good luck with it and it is available at the link below. Normally you do not
need to reinstall the operating system unless your antivirus program finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce parasites
[spyware, adware, hijacks]

 

[Steven L Umbach]

If you antivirus program identified a malware but can not remove it, search
your vendor's website or Google for possible special instructions or removal
tools. The free Sysclean tool and matching pattern file from Trend Micro is
able to identify and remove many common malwares. Also it often helps to
boot into safe mode to remove files that are being used by a current running
process. The link below explains how to remove difficult to delete files
using the command line such as trying del \\?\c:\winnt\system32\?hkntfs.exe
.. --- Steve

http://support.microsoft.com/?kbid=320081
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp

 

[Bradley1234]

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say it?) I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over the years
rather than spend time in a useful way, like at the beach, the odd named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the night it
happened. the download took almost an hour and it was so bad that one mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro) after 5
seconds, but click on task manager would cause that box to disappear and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad .exe and
..dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I put in
here originally, whats up with that? should I like, replace it or what? and
I said do it

then it said this file and that file and.... so I clicked all and it just
finished updating and is rebooting win2000. lets see what it does now...

its booting very slowly, now there is an arrow against the blue screen, now
its starting up, now an hourglass, applying security policy... I can check
the football score and get some coffee while Im waiting... okay its asking
for my old password to logon? okay, lets see, just an arrow against blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the box,
lines filled now the music, some disk activity, now its drawing the desktop,
but why is it going so slow? its a p3 at 450... now arrow and hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm nothing is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0

The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS product
has a "protect" mode to help prevent spyware installation. I have had pretty
good luck with it and it is available at the link below. Normally you do not
need to reinstall the operating system unless your antivirus program finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the room
thing said to visit this website, click OK and YES to every question, then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know, its a
secure and safe service, you must have visited "bad" sites or something.
It was my first experience with spyware/spybot stuff, going to add/remove
programs, it showed 3 or 4 which I tried to remove, it said please answer
these questions and forward them to us: why do you want to uninstall? 1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000 CD to
boot up and have a console prompt. Is there a common way you know about
to
delete the spyware bugs and fix the install? Do I have to delete all and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Steven L Umbach]

Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts, not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular user Process Explorer, TCPView, and Autoruns. PE
can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very suspicious
of any process [ that has a path to a file] that does not show a publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what executable is
using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say it?)
I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over the
years
rather than spend time in a useful way, like at the beach, the odd named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the night
it
happened. the download took almost an hour and it was so bad that one
mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro) after
5
seconds, but click on task manager would cause that box to disappear and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad .exe
and
.dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I put in
here originally, whats up with that? should I like, replace it or what?
and
I said do it

then it said this file and that file and.... so I clicked all and it just
finished updating and is rebooting win2000. lets see what it does now...

its booting very slowly, now there is an arrow against the blue screen,
now
its starting up, now an hourglass, applying security policy... I can check
the football score and get some coffee while Im waiting... okay its asking
for my old password to logon? okay, lets see, just an arrow against blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the
box,
lines filled now the music, some disk activity, now its drawing the
desktop,
but why is it going so slow? its a p3 at 450... now arrow and hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm nothing
is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0

The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS product
has a "protect" mode to help prevent spyware installation. I have had pretty
good luck with it and it is available at the link below. Normally you do not
need to reinstall the operating system unless your antivirus program
finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the
room
thing said to visit this website, click OK and YES to every question, then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know, its a
secure and safe service, you must have visited "bad" sites or
something.
It was my first experience with spyware/spybot stuff, going to add/remove
programs, it showed 3 or 4 which I tried to remove, it said please answer
these questions and forward them to us: why do you want to uninstall? 1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000 CD
to
boot up and have a console prompt. Is there a common way you know
about
to
delete the spyware bugs and fix the install? Do I have to delete all and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Bradley1234]

Aha, thanks Steven that helps. I ended up reformatting the drive yesterday,
its a laptop with a super small 2.1G disk. It insists on making 2 drives,
so I changed the fdisk setup, first by deleting all partitions, then loading
msdos, tried to load win2000 but it wouldnt boot from the cd, (some cpu
glitch) deleted the partitions again well anyway I changed them by 1, hoping
that would throw off the file indexing mechanism

loaded SP4 which I thought enough to buy from Microsoft; then loaded Norton
AV, did the live updates, 24Mb of stuff, and yanked the network cable as
soon as that loaded

I had changed all security settings so that nobody can logon from the
network, created guest account with long username and long pwd, must use
ctrl/alt/del to logon, and whatever seemed right

never got the sasser worm this time.

But fell asleep doing the norton update as it took an hour, then it was
beeping, found backdoor ? worm and ? beagle or ? worm blah blah

today did full scan, found 4 viruses and it says it cleaned them. it had a
popup saying Windows updatez.exe was infected and kept generating it
faster than I could click okay

so its sitting here behaving for a while, but its not on the network.
Firewall? yes no doubt. I dont have one but they are very important. Im
so out of the loop on how to manage win2000, I dont know if there is a free
one, my dsl CD claimed to have one by MSN8 or ? but there is no setup
window.

Well one thing for sure, viruses didnt just go away like a fad, they seem to
be more prevalent than ever

Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts, not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular user Process Explorer, TCPView, and Autoruns. PE
can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very suspicious
of any process [ that has a path to a file] that does not show a publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what executable is
using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say it?)
I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over the
years
rather than spend time in a useful way, like at the beach, the odd named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the night
it
happened. the download took almost an hour and it was so bad that one
mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro) after
5
seconds, but click on task manager would cause that box to disappear and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad .exe
and
.dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I put in
here originally, whats up with that? should I like, replace it or what?
and
I said do it

then it said this file and that file and.... so I clicked all and it just
finished updating and is rebooting win2000. lets see what it does now...

its booting very slowly, now there is an arrow against the blue screen,
now
its starting up, now an hourglass, applying security policy... I can check
the football score and get some coffee while Im waiting... okay its asking
for my old password to logon? okay, lets see, just an arrow against blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the
box,
lines filled now the music, some disk activity, now its drawing the
desktop,
but why is it going so slow? its a p3 at 450... now arrow and hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm nothing
is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0

The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS product
has a "protect" mode to help prevent spyware installation. I have had pretty
good luck with it and it is available at the link below. Normally you

do
not

need to reinstall the operating system unless your antivirus program
finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the
room
thing said to visit this website, click OK and YES to every question, then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know,

its
a

secure and safe service, you must have visited "bad" sites or
something.
It was my first experience with spyware/spybot stuff, going to add/remove
programs, it showed 3 or 4 which I tried to remove, it said please answer
these questions and forward them to us: why do you want to uninstall? 1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000 CD
to
boot up and have a console prompt. Is there a common way you know
about
to
delete the spyware bugs and fix the install? Do I have to delete all and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Steven L Umbach]

I forgot how bad a dialup connection sucks! Anyhow Zone Alarm makes a decent
free for personal use firewall and it is fairly easy to configure. I would
also check to see if you have file and print sharing enabled on your laptop.
If you do and you do not need to share files with anyone be sure to disable
it. It also sometimes helps to boot into safe mode to do malware/parasite
detection and removal. In a pinch you can enable tcp/ip filtering for tcp
ONLY as a rudimentary firewall. To do that open network connection
properties, go to tcp/ip properties/advanced/options and then properties for
tcp/ip filtering. Select enable tcp/ip filtering and in the first section
for tcp ports select permit only and leave the list blank. That will act as
a crude stateful firewall for TCP [without any download!] . Do not do the
same for UDP as you will lose your dns name resolution for the internet.
Just keep in mind that you have it enabled and disable it after you install
a firewall. --- Steve

http://www.snapfiles.com/Freeware/security/fwfirewall.html -- Zone Alarm
available here.
http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
your PC tips from MS.

Aha, thanks Steven that helps. I ended up reformatting the drive
yesterday,
its a laptop with a super small 2.1G disk. It insists on making 2 drives,
so I changed the fdisk setup, first by deleting all partitions, then
loading
msdos, tried to load win2000 but it wouldnt boot from the cd, (some cpu
glitch) deleted the partitions again well anyway I changed them by 1,
hoping
that would throw off the file indexing mechanism

loaded SP4 which I thought enough to buy from Microsoft; then loaded
Norton
AV, did the live updates, 24Mb of stuff, and yanked the network cable as
soon as that loaded

I had changed all security settings so that nobody can logon from the
network, created guest account with long username and long pwd, must use
ctrl/alt/del to logon, and whatever seemed right

never got the sasser worm this time.

But fell asleep doing the norton update as it took an hour, then it was
beeping, found backdoor ? worm and ? beagle or ? worm blah blah

today did full scan, found 4 viruses and it says it cleaned them. it had
a
popup saying Windows updatez.exe was infected and kept generating it
faster than I could click okay

so its sitting here behaving for a while, but its not on the network.
Firewall? yes no doubt. I dont have one but they are very important. Im
so out of the loop on how to manage win2000, I dont know if there is a
free
one, my dsl CD claimed to have one by MSN8 or ? but there is no setup
window.

Well one thing for sure, viruses didnt just go away like a fad, they seem
to
be more prevalent than ever

Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If
your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts, not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and
figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular user Process Explorer, TCPView, and Autoruns. PE
can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very
suspicious
of any process [ that has a path to a file] that does not show a
publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what executable is
using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say
it?)
I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over the
years
rather than spend time in a useful way, like at the beach, the odd
named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the
night
it
happened. the download took almost an hour and it was so bad that one
mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro) after
5
seconds, but click on task manager would cause that box to disappear
and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad .exe
and
.dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I put in
here originally, whats up with that? should I like, replace it or
what?
and
I said do it

then it said this file and that file and.... so I clicked all and it just
finished updating and is rebooting win2000. lets see what it does now...

its booting very slowly, now there is an arrow against the blue screen,
now
its starting up, now an hourglass, applying security policy... I can check
the football score and get some coffee while Im waiting... okay its asking
for my old password to logon? okay, lets see, just an arrow against blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the
box,
lines filled now the music, some disk activity, now its drawing the
desktop,
but why is it going so slow? its a p3 at 450... now arrow and hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm
nothing
is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0


The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS
product
has a "protect" mode to help prevent spyware installation. I have had
pretty
good luck with it and it is available at the link below. Normally you do
not
need to reinstall the operating system unless your antivirus program
finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable
back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce
parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the
room
thing said to visit this website, click OK and YES to every
question,
then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know, its
a
secure and safe service, you must have visited "bad" sites or
something.
It was my first experience with spyware/spybot stuff, going to
add/remove
programs, it showed 3 or 4 which I tried to remove, it said please
answer
these questions and forward them to us: why do you want to
uninstall?
1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000
CD
to
boot up and have a console prompt. Is there a common way you know
about
to
delete the spyware bugs and fix the install? Do I have to delete
all
and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Bradley1234]

Right I turned off print/file sharing and disabled most all accounts.

I still got viruses but Norton said it q'd them. One day it said hey, there
are some files claiming to be Norton AV .exe or .dll files but they are in
the wrong place, looks like mal-ware thats renamed itself to Norton file
names.

Then I downloaded the Microsoft beta spyware blocker, it works awesome!
dont know the url right now

the system is still super slow, but there is only 64Mb of ram and a 2.1G
disk. The default graphics was just grindingly slow, I ran some HP.com
online test and it found what drivers I need, ran a bit faster, but clicking
on Start and it stays indented for about 3 seconds, click back arrow on the
ie browser? the back button slowly moves, then it goes out for a few
seconds, then returns, anyway I think of it as a large PDA

Is there some way to save the windows updates for my win2000 to a CD and use
them next time? Ill probably get a new hard drive and install.... again.

Ive got all these critical updates, can they be saved?

I forgot how bad a dialup connection sucks! Anyhow Zone Alarm makes a decent
free for personal use firewall and it is fairly easy to configure. I would
also check to see if you have file and print sharing enabled on your laptop.
If you do and you do not need to share files with anyone be sure to disable
it. It also sometimes helps to boot into safe mode to do malware/parasite
detection and removal. In a pinch you can enable tcp/ip filtering for tcp
ONLY as a rudimentary firewall. To do that open network connection
properties, go to tcp/ip properties/advanced/options and then properties for
tcp/ip filtering. Select enable tcp/ip filtering and in the first section
for tcp ports select permit only and leave the list blank. That will act as
a crude stateful firewall for TCP [without any download!] . Do not do the
same for UDP as you will lose your dns name resolution for the internet.
Just keep in mind that you have it enabled and disable it after you install
a firewall. --- Steve

http://www.snapfiles.com/Freeware/security/fwfirewall.html -- Zone Alarm
available here.
http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
your PC tips from MS.

Aha, thanks Steven that helps. I ended up reformatting the drive
yesterday,
its a laptop with a super small 2.1G disk. It insists on making 2 drives,
so I changed the fdisk setup, first by deleting all partitions, then
loading
msdos, tried to load win2000 but it wouldnt boot from the cd, (some cpu
glitch) deleted the partitions again well anyway I changed them by 1,
hoping
that would throw off the file indexing mechanism

loaded SP4 which I thought enough to buy from Microsoft; then loaded
Norton
AV, did the live updates, 24Mb of stuff, and yanked the network cable as
soon as that loaded

I had changed all security settings so that nobody can logon from the
network, created guest account with long username and long pwd, must use
ctrl/alt/del to logon, and whatever seemed right

never got the sasser worm this time.

But fell asleep doing the norton update as it took an hour, then it was
beeping, found backdoor ? worm and ? beagle or ? worm blah blah

today did full scan, found 4 viruses and it says it cleaned them. it had
a
popup saying Windows updatez.exe was infected and kept generating it
faster than I could click okay

so its sitting here behaving for a while, but its not on the network.
Firewall? yes no doubt. I dont have one but they are very important. Im
so out of the loop on how to manage win2000, I dont know if there is a
free
one, my dsl CD claimed to have one by MSN8 or ? but there is no setup
window.

Well one thing for sure, viruses didnt just go away like a fad, they seem
to
be more prevalent than ever

Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If
your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts, not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and
figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular user Process Explorer, TCPView, and

Autoruns.
PE

can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very
suspicious
of any process [ that has a path to a file] that does not show a
publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what

executable
is

using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say
it?)
I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over the
years
rather than spend time in a useful way, like at the beach, the odd
named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the
night
it
happened. the download took almost an hour and it was so bad that one
mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro) after
5
seconds, but click on task manager would cause that box to disappear
and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad ..exe
and
.dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I

put
in

here originally, whats up with that? should I like, replace it or
what?
and
I said do it

then it said this file and that file and.... so I clicked all and it just
finished updating and is rebooting win2000. lets see what it does now...

its booting very slowly, now there is an arrow against the blue screen,
now
its starting up, now an hourglass, applying security policy... I can check
the football score and get some coffee while Im waiting... okay its asking
for my old password to logon? okay, lets see, just an arrow against blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the
box,
lines filled now the music, some disk activity, now its drawing the
desktop,
but why is it going so slow? its a p3 at 450... now arrow and hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm
nothing
is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0


The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your antivirus
program being sure to update it's definition files first. The new MS
product
has a "protect" mode to help prevent spyware installation. I have had
pretty
good luck with it and it is available at the link below. Normally

you
do

not
need to reinstall the operating system unless your antivirus program
finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable
back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce
parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the
room
thing said to visit this website, click OK and YES to every
question,
then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont

know,
its

a
secure and safe service, you must have visited "bad" sites or
something.
It was my first experience with spyware/spybot stuff, going to
add/remove
programs, it showed 3 or 4 which I tried to remove, it said please
answer
these questions and forward them to us: why do you want to
uninstall?
1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the win2000
CD
to
boot up and have a console prompt. Is there a common way you know
about
to
delete the spyware bugs and fix the install? Do I have to delete
all
and
start over? Use the disk utility to write all zeros?

thanks in advance

 

[Steven L Umbach]

64 MB is really going to give slow performance with a lot of disk activity
to the page file on a W2K computer. If you can also increase your ram even
to just 96MB would improve performance quite a bit. Of course even more
would be better. You may be able to find cheap ram on Ebay for your laptop.
I agree that the new MS Spyware program looks very promising. You can not
save critical updates from the current installation unless you downloaded
and have the actual .exe files, but you can download them to disk using the
catalog option. The links below explain more. If you do a new install, first
install the service back before you do critical updates and do not connect
to the internet until you have some sort of firewall protection. --- Steve

http://support.microsoft.com/default.aspx?kbid=323166

Right I turned off print/file sharing and disabled most all accounts.

I still got viruses but Norton said it q'd them. One day it said hey,
there
are some files claiming to be Norton AV .exe or .dll files but they are in
the wrong place, looks like mal-ware thats renamed itself to Norton file
names.

Then I downloaded the Microsoft beta spyware blocker, it works awesome!
dont know the url right now

the system is still super slow, but there is only 64Mb of ram and a 2.1G
disk. The default graphics was just grindingly slow, I ran some HP.com
online test and it found what drivers I need, ran a bit faster, but
clicking
on Start and it stays indented for about 3 seconds, click back arrow on
the
ie browser? the back button slowly moves, then it goes out for a few
seconds, then returns, anyway I think of it as a large PDA

Is there some way to save the windows updates for my win2000 to a CD and
use
them next time? Ill probably get a new hard drive and install.... again.

Ive got all these critical updates, can they be saved?

I forgot how bad a dialup connection sucks! Anyhow Zone Alarm makes a decent
free for personal use firewall and it is fairly easy to configure. I
would
also check to see if you have file and print sharing enabled on your laptop.
If you do and you do not need to share files with anyone be sure to disable
it. It also sometimes helps to boot into safe mode to do malware/parasite
detection and removal. In a pinch you can enable tcp/ip filtering for tcp
ONLY as a rudimentary firewall. To do that open network connection
properties, go to tcp/ip properties/advanced/options and then properties for
tcp/ip filtering. Select enable tcp/ip filtering and in the first section
for tcp ports select permit only and leave the list blank. That will act as
a crude stateful firewall for TCP [without any download!] . Do not do the
same for UDP as you will lose your dns name resolution for the internet.
Just keep in mind that you have it enabled and disable it after you install
a firewall. --- Steve

http://www.snapfiles.com/Freeware/security/fwfirewall.html -- Zone Alarm
available here.
http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
your PC tips from MS.

Aha, thanks Steven that helps. I ended up reformatting the drive
yesterday,
its a laptop with a super small 2.1G disk. It insists on making 2 drives,
so I changed the fdisk setup, first by deleting all partitions, then
loading
msdos, tried to load win2000 but it wouldnt boot from the cd, (some cpu
glitch) deleted the partitions again well anyway I changed them by 1,
hoping
that would throw off the file indexing mechanism

loaded SP4 which I thought enough to buy from Microsoft; then loaded
Norton
AV, did the live updates, 24Mb of stuff, and yanked the network cable
as
soon as that loaded

I had changed all security settings so that nobody can logon from the
network, created guest account with long username and long pwd, must
use
ctrl/alt/del to logon, and whatever seemed right

never got the sasser worm this time.

But fell asleep doing the norton update as it took an hour, then it was
beeping, found backdoor ? worm and ? beagle or ? worm blah blah

today did full scan, found 4 viruses and it says it cleaned them. it had
a
popup saying Windows updatez.exe was infected and kept generating it
faster than I could click okay

so its sitting here behaving for a while, but its not on the network.
Firewall? yes no doubt. I dont have one but they are very important. Im
so out of the loop on how to manage win2000, I dont know if there is a
free
one, my dsl CD claimed to have one by MSN8 or ? but there is no setup
window.

Well one thing for sure, viruses didnt just go away like a fad, they seem
to
be more prevalent than ever
Well if it had that much malware on it and it was my computer, I would
backup my needed data and do a fresh install to a formatted drive. If
your
computer has some backdoor root kits it could be very difficult to detect
and remove them. If you do a reinstall be sure to take steps to
prevent
future infections. The main vulnerabilities are not using a properly
configured firewall, not using a strong password for user accounts,
not
keeping current with virus definitions and not scanning ALL email
attachments, using too loose security settings for IE, and not keeping
current with critical updates at Windows Updates.

Sounds like you are like me and like to check things out to try and
figure
out what is going on. If so, try downloading some free tools from
SysInternals. In particular user Process Explorer, TCPView, and Autoruns.
PE
can show the processes and map them to the owner executables and in
properties of a process show what service it is if any. Be very
suspicious
of any process [ that has a path to a file] that does not show a
publisher
name for the executable. Autoruns will show startup application/services
from various places on your system and TCPView will show what executable
is
using a port. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hey thanks for that Steven. Im checking those websites now.

The laptop was super duper infected. (is that the right way to say
it?)
I
would start with dir a*.exe

then let it show the exe names, and since Ive used DOS a lot over
the
years
rather than spend time in a useful way, like at the beach, the odd
named
ones I typed in and would delete spyware ones.

But then I couldnt get into the registry manually, the regsvr32 /u
"filename" wouldnt work, in fact regsvr32 shows in the directory but
wont
execute at all

I had downloaded the trendmicro virus scan thing you mentioned the
night
it
happened. the download took almost an hour and it was so bad that one
mouse
click took at least 30 seconds to have any effect.

doing cntrl/alt/del gets the control screen thing (windows2000 pro)
after
5
seconds, but click on task manager would cause that box to disappear
and
nothing would happen, well except the disk would be going full speed at
something.

I was going to start it up and see what happened, but the most bad .exe
and
.dll files I found, and the fact I cannot unregister them, or even find
where the registry is at? (under a limited dos prompt) I put the
original
win2000 CD in there and am fixing it manually.

It would report: hey dude, this isnt the original NTOSKRNL32 that I put
in
here originally, whats up with that? should I like, replace it or
what?
and
I said do it

then it said this file and that file and.... so I clicked all and it
just
finished updating and is rebooting win2000. lets see what it does
now...

its booting very slowly, now there is an arrow against the blue screen,
now
its starting up, now an hourglass, applying security policy... I can
check
the football score and get some coffee while Im waiting... okay its
asking
for my old password to logon? okay, lets see, just an arrow against
blue,
super slow

now it drew a box to load personal settings, took 1 second to draw the
box,
lines filled now the music, some disk activity, now its drawing the
desktop,
but why is it going so slow? its a p3 at 450... now arrow and
hourglass,
disk chugging

clicks take a very long time, ctrl/alt/del and task manager? hmm
nothing
is
happening, now its running trend micro virus scan...

it only found 1 virus, 00004146.exe

now lets look at add/remove programs

BullsEye Network
Silicon Motion display driver
WebRebates (by TopRebates.com)
Winad Client
Windows SR 2.0


The best way is to use tools such as AdAware or the beta version of
Microsoft's spyware remover AND to scan your computer with your
antivirus
program being sure to update it's definition files first. The new
MS
product
has a "protect" mode to help prevent spyware installation. I have had
pretty
good luck with it and it is available at the link below. Normally you
do
not
need to reinstall the operating system unless your antivirus
program
finds
significant problems with malware such as trojans, worms, and viruses
indicating a highly compromised system that may also have undetectable
back
doors such as root kits installed on it. --- Steve

http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://mvps.org/winhelp2002/unwanted.htm --- tips to help reduce
parasites
[spyware, adware, hijacks]

delete files to wipe out the spybot stuff?

its my laptop, the first time I used it at a hotel on business, the
room
thing said to visit this website, click OK and YES to every
question,
then
enjoy the internet.

Guess what? It was saying yes to upload spyware and trojans into my
computer.

I contacted the hotel and they played innocent saying we dont know,
its
a
secure and safe service, you must have visited "bad" sites or
something.
It was my first experience with spyware/spybot stuff, going to
add/remove
programs, it showed 3 or 4 which I tried to remove, it said
please
answer
these questions and forward them to us: why do you want to
uninstall?
1.
system too slow 2. dont like popups
etc...

So my question is, now Im going to fix my laptop, used the
win2000
CD
to
boot up and have a console prompt. Is there a common way you
know
about
to
delete the spyware bugs and fix the install? Do I have to delete
all
and
start over? Use the disk utility to write all zeros?

thanks in advance