Win2K compromised machine

By ShopTech
I have a user with a Win2K machine, no Admin password, no antivirus. Our sysadmins shut off her port due to extremely high volumes of network traffic emanating from her machine. She has W32.Magister, Backdoor.trojan, and hacktool as determined by Symantec Antivirus. There is nothing loading in the run key of HKey/LocalMachine/Software/Microsoft/Windows/CurrentVersion. There is nothing loading in the startup folder. There is nothing suspicious in the .ini files. There are no shares except for the Win2K ones. But after cleaning the viruses, the system's CPU usage is pegged at 100%, with ~60% used by Winsock.exe, and ~40% used by services.exe. This is without a network connection. There is a process running called FireDaemon which I can't turn off. I have researched FireDaemon, but it is inconclusive as to whether a hacker may have placed it on the machine to run their process. Any ideas? The user would really hate to have to wipe it and start over again.
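The poster checked the Run key and the startup folder, but on Win2K the Services key (HKLM\SYSTEM\CurrentControlSet\Services) is a third autostart location, and FireDaemon is a wrapper that runs an arbitrary program as a service, so the program it launches is what matters. As an added example, not code from this thread, the script below triages a `regedit /e` export of that key: it decodes the hex(2) values regedit writes for REG_EXPAND_SZ and flags services that start through a wrapper (firedaemon.exe, or the Resource Kit's srvany.exe) or from outside the Windows directory. The service names and paths in the sample are constructed.

```python
import re

# Constructed sample of a `regedit /e` export of the Services key (made-up names and paths).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdHelper]
"ImagePath"="C:\\WINNT\\system32\\firedaemon.exe -r C:\\RECYCLER\\x\\bot.exe"
"""

def _decode_value(raw):
    # REG_SZ is quoted with \\ and \" escaped; hex(2) is REG_EXPAND_SZ as UTF-16LE bytes.
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                   # dword:... and friends, left as text

def parse_reg_export(text):
    # Returns {key_path: {value_name: value}} for every key in the export.
    text = re.sub(r",\\\r?\n\s*", ",", text)    # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys

# Wrappers run any program as a service; the wrapped program, not the wrapper, is what to examine.
WRAPPERS = ("firedaemon", "srvany")

def suspicious_services(keys, windir=r"C:\WINNT"):
    findings = []
    for path, values in keys.items():
        image = values.get("ImagePath", "").replace("%SystemRoot%", windir).lstrip('"')
        reasons = [w for w in WRAPPERS if w in image.lower()]
        if image and not image.lower().startswith(windir.lower()):
            reasons.append("outside " + windir)
        if reasons:
            findings.append((path.rsplit("\\", 1)[-1], image, reasons))
    return findings
```

A service flagged "outside C:\WINNT" is not a verdict (third-party products legitimately install under Program Files); it is a short list to compare against the clean reference machine TheChas describes.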


Win2K compromised machine

by TheChas In reply to Win2K compromised machine

You can start by replacing the files that are running with known clean ones from either the CD, or another W2K machine with the same level service pack installed.

Many hacker tools hide in the guise of 'normal' files and services.

You might want to check the properties for ALL system files, and replace any with suspicious information (size, date, etc.)

Chas


Win2K compromised machine

by ShopTech In reply to Win2K compromised machine

Poster rated this answer


Win2K compromised machine

by d.walker5 In reply to Win2K compromised machine

TheChas is right about reloading clean files. Once a hacker gets in, the best thing to do is start over from a clean backup. However, you might try http://www.misec.net/trojanhunter.jsp. This trojan hunter is free for the first 30 days. I've used it with some success. Good luck!

Win2K compromised machine

by ShopTech In reply to Win2K compromised machine

Poster rated this answer


Win2K compromised machine

by shmaltz In reply to Win2K compromised machine

You can run SFC to find out if any of your files have been replaced with modified ones.


Win2K compromised machine

by ShopTech In reply to Win2K compromised machine

Poster rated this answer


Win2K compromised machine

by EnserNG In reply to Win2K compromised machine

Due to the level of compromise, it may be better to wipe and re-install the machine (time- and frustration-wise). If you have run one, or a combination, of the latest A/V and are still having those problems, connect remotely (if possible) to copy what files you can, and then reload and include antivirus and passwords, et cetera.

You would be wise to check all interconnected machines as well, even if that means shutting down some evening SOON and scanning each and every machine with a NON-WRITABLE, bootable full version of anti-virus with the latest A/V definitions.

Imagine if that spread to more than one machine, especially if any of the virii are date-sensitive time bomb types....

Hope this helps, and good luck!

Nikk


Win2K compromised machine

by ShopTech In reply to Win2K compromised machine

Poster rated this answer


Win2K compromised machine

by ShopTech In reply to Win2K compromised machine

This question was closed by the author
