Archived from groups: microsoft.public.win2000,microsoft.public.win2000.group_policy,microsoft.public.win2000.security (
More info?)
The only real way is to reinstall the operating system from scratch and
harden it and your network to prevent the same from happening again. but
there are some things you can try. First of course is to run an antivirus
program with the latest definitions and also run a parasite detection
removal program such as AdAware SE. Trend Micro has a great stand alone
utility that also scans for and removes many common malwares. Just download
Sysclean and the pattern file into the a folder to run from. Note that it is
not unusual for an antivirus program to report nothing found when a second
opinion will find a problem. Pest Patrol is also very good at finding a LOT
of stuff on a computer such as trojans and keyboard loggers.
http://www.trendmicro.com/download/dcs.asp -- Sysclean malware detection
and removal.
http://www.trendmicro.com/download/pattern.asp -- this is updated often
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx -- good
tips from Microsoft on how to harden your computer.
http://www.pestpatrol.com/ -- Pest Patrol [now owned by Computer
Associates]
SysInternals provides some great free tools to help analyze your computer to
see if rouge processes are running. In particular download TCPView, Process
Explorer, Autoruns, and PsList. TCPView will show what ports you computer is
using and the associated process/executable, Process Explorer will give much
more detailed info about processes and if you view a processes properties it
will show the associated services and tcp/ip usage, Autoruns will show
startup programs in various places on the computer and let you disable them,
and PsList is a command line process viewer which you should use to view
running processes locally and when shown from a remote computer to compare
the results. A hidden service or root kit infection may not show when
processes are enumerated locally but they will when shown from another
computer on the network, which you can do with PsList. If you do find a
hidden process that can not be remove by normal means you might try scanning
the computer from another computer on the network or even one of the free
online services. --- Steve
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml -- PsList
http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView and
SysInternals website.
"Kent P. Iler" <kent@iler.NOSPAM.com> wrote in message
news:ljBed.415094$mD.112414@attbi_s02...
> Hi,
>
> We had a directory under c:\winnt\system32\ named OS2. It had a buch of
> files like:
> ndde.exe, nbthlp.exe, lssvc.exe, list.exe.
>
> There looks like there was also a batch file with these commands in it:
>
> regedit /s radmin.reg
> nvsvc.exe /install /silence
> nvsvc.exe /pass:Hack3d /port:5100 /save /silence
> nvsvc.exe /start /silence
> net start r_server
>
> How can I check for installed services that are supposed to be running
> silently? I'm concerned there are still backdoors on this server.
>
> Thanks.
>
> -- Kent Iler
> ----------------------------------------------------------------------
> kent@iler.NOSPAM.com
> Please CC: all replies via e-mail
> Remove .NOSPAM from e-mail address
>
>
Facebook
Twitter
Instagram