SERVER SPYWARE / Can't log into only DC, any/all help is greatly appreciated!

rickiez (thread starter)

I have a client whose server was infected with both "Cool Web Search"
and "TV Media" spyware. The server was barely functional. The local
admin tried running Adaware on it, and every time you click Delete,
Adaware freezes (this seems to happen all the time with Adaware; any
thoughts on that too would be nice). After rebooting in safe mode,
removing any noticeable links in the startup using an XP version of
"MSConfig" and running CWShredder on it to remove "Cool Web Search", the
server rebooted fine once... now every time I try to log in, it
goes to about where you'd expect it to load the desktop and puts you
right back at the login screen. It even does this in safe mode. The
admin overwrites her tapes every 2 days! So I can't even rebuild and
restore a recent non-infected system state. I have access to ERD
Commander so I can boot and edit that way (have to try using the Dell
PERC 4 RAID driver and hope it works), but is there a way to manually
roll back the registry or something? If I were to reinstall 2K Server
from CD and overwrite the existing install, would that work to repair
any missing files or registry issues, and would it hurt AD? Any/all help
is greatly appreciated... thanks so much!
 

Reboot in safe mode, bring up Task Manager, kill the Explorer process -
this will appear to have locked you out, since it kills the desktop. It
will stop the infection from using the services to re-launch itself.
Now do a Ctrl-Alt-Del and open Task Manager, click File, New Task, and
then REGEDIT - this will get you into the registry so that you can
remove the offending items. I've only had to go to this extreme once,
but it saved the system. You should also try to open a command shell
and see about deleting any folders that the infection is hiding in.

I do NOT suggest that you do any of this UNLESS YOU CLEARLY UNDERSTAND
THE REGISTRY. Editing the registry can kill your installation and is not
recoverable if you really screw it up.
 

rickiez,

This may be the link you need; about halfway down the page there's a
process on how to fix this. Seems as though one of those spyware packages
may have changed a registry setting, and you need to restore a file from
the CD, if this is it.

Funny thing: I work for a small company, 3 people; the owner/main
engineer is in another state and conversing is done by e-mail and phone.
Works out pretty good actually :). Anyway, he called me at home one
Sunday night because he was at wit's end about his main PC: it wouldn't
boot, and he did this and that, paid M$ for phone support; all in all, he
lost like 40 hours of work time fixing this. You've got to understand,
he's one of 'those' guys. Not a real computer guy, he just knows enough
to be VERY dangerous. After 20 mins. of him telling me all the crap he
went through, he told me that the whole thing started when, after one of
his kids was using this PC, it had a bunch of spyware on it, and after
cleaning it, it wouldn't boot. You would start the login and then it
would dump you right back to the login screen. So I sent him this link
while we were on the phone:

http://www2.geek.com/discus/messages/196/10227.html?1095917659

His reply was... 'if I had only known!'

Sorry... I had to share that. I find it humorous if no one else does.

Let us know...


DanS
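DanS's pointer (one of the spyware packages changed a registry setting that the logon path depends on) and the earlier reply's regedit walkthrough both come down to inspecting the same few keys before deleting anything. As an added example, not code from this thread, from ERD Commander or from any of the tools named above, the following Python script triages a .reg export taken from the offline install: it checks the Winlogon Shell and Userinit values against assumed Windows 2000 defaults (SystemRoot C:\WINNT; XP uses C:\WINDOWS), flags any program appended to the Userinit list, and lists every Run/RunOnce entry for review. The sample export, the domain name EXAMPLE and the file names hypothetical.exe and hyp.exe are constructed for the demonstration and do not come from the thread.

```python
"""Offline triage of a Windows 2000 registry export for login-loop causes.

Export the Winlogon and Run keys with regedit (from ERD Commander or a
parallel install), then point this script at the .reg file. It reports a
Winlogon Shell/Userinit value that no longer matches the known-good default,
any extra program appended to the Userinit list, and every autorun entry so
each can be reviewed before deletion. Usage: python triage_reg.py export.reg
(with no argument it runs against the constructed sample below).
"""
import re
import sys
from typing import Dict, List, Optional

# Assumed known-good defaults for Windows 2000 (SystemRoot = C:\WINNT; on
# XP/2003 it is C:\WINDOWS). All comparisons are case-insensitive.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\winnt\system32\userinit.exe"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample export, not a real capture: a hypothetical executable
# has been appended to Userinit and a hypothetical autorun is still present.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\hypothetical.exe"
"DefaultDomainName"="EXAMPLE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"HypotheticalSpyware"="C:\\Program Files\\Hypothetical\\hyp.exe"
"""

# Matches "name"="value" or @="value"; backslash escapes stay in the groups.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key: {name: value}}.

    Keys and value names are lower-cased (the registry is case-insensitive);
    dword:/hex: values are skipped because this check only needs REG_SZ.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) is None else _unescape(m.group(1)).lower()
            keys[current][name] = _unescape(m.group(2))
    return keys


def triage(reg: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {'winlogon': [...], 'autoruns': [...]} findings for a parsed export."""
    report: Dict[str, List[str]] = {"winlogon": [], "autoruns": []}
    winlogon = reg.get(WINLOGON_KEY.lower(), {})

    shell = winlogon.get("shell")
    if shell is None or shell.strip().lower() != EXPECTED_SHELL:
        report["winlogon"].append(f"Shell = {shell!r}, expected {EXPECTED_SHELL!r}")

    # Userinit is a comma-separated list and Winlogon runs every entry, so a
    # hijacker can leave the real userinit.exe in place and append itself.
    userinit = winlogon.get("userinit", "")
    entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
    if not entries or entries[0] != EXPECTED_USERINIT:
        report["winlogon"].append(f"Userinit = {userinit!r}, expected {EXPECTED_USERINIT + ','!r}")
    for extra in entries[1:]:
        report["winlogon"].append(f"Userinit runs extra program: {extra}")

    for key in RUN_KEYS:
        for name, cmd in sorted(reg.get(key.lower(), {}).items()):
            report["autoruns"].append(f"{key}\\{name} = {cmd}")
    return report


def load_reg(path: str) -> str:
    """Read a .reg file: regedit 5.00 exports are UTF-16 with a BOM, REGEDIT4 is ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def main(argv: List[str]) -> int:
    text = load_reg(argv[1]) if len(argv) > 1 else SAMPLE_REG
    report = triage(parse_reg(text))
    for section, lines in report.items():
        print(f"== {section} ({len(lines)}) ==")
        for line in lines:
            print("  " + line)
    return 1 if report["winlogon"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against an export made while booted from ERD Commander, whose registry editor works on the dead install's hives rather than the boot environment's, and fix only what the report names: restore the Userinit value to its default (with the trailing comma) and put the original userinit.exe back from the CD if it was replaced, then remove the autoruns you recognise as the spyware. A Shell or Userinit value that still points at a file which no longer exists after cleanup is exactly the "logs in, then straight back to the login screen" symptom, so check that the file each value names is actually present before rebooting.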
 
Hmm, sounds like a shot... I'll try it.
 
rickiez said:
Hmm, sounds like a shot... I'll try it.

Whatever you end up with, gotta wonder how spyware got on the server. Who
logs into it? Who *can* log into it? Is it in a physically secure location?
Good passwords on admin accounts? No users allowed to log on?

Spyware doesn't get on a computer just because it's on a network. It happens
because someone logs in and either installs something or is surfing websites
they shouldn't be....
 
Sure, but I'm just the 3rd-party break/fix guy... ya know? The
server is in the admin's office, and as far as I know she is the only one
who can log in, and she uses the Administrator account... also
there is no Terminal Server or VNC, so I'm guessing she probably did it
somehow.
 
rickiez said:
Sure, but I'm just the 3rd-party break/fix guy... ya know? The
server is in the admin's office, and as far as I know she is the only
one who can log in, and she uses the Administrator
account... also there is no Terminal Server or VNC, so I'm
guessing she probably did it somehow.

Yeah, I think you're right. If you can't get this server restored, perhaps
this "admin" has learned a Very Valuable Lesson. Perhaps it's time to put
the server in a locked closet and make sure nobody *ever* uses it as a
workstation. And get at least a full week's worth of backup tapes - ideally
two weeks, with some tapes stored offsite.

Have you checked out
http://www.microsoft.com/technet/prodtechnol/windows2000serv/proddocs/srvgs/sgsappa.mspx
?
 
Whenever I'm responsible for scheduling backups I have them rotate out 5
Friday tapes with Daily backups (if possible).
 