Board hacked again

If you don't read these, it's your own fault. They will be enforced by the staff. You will also find Management Announcements & S2K Gatherings here

Moderator: S2k Moderators

bsidella
Tropical Wave
Posts: 6
Joined: Tue Aug 31, 2004 3:30 pm

Scumbag who did this needs the tar kicked out of them

#21 Postby bsidella » Wed Mar 02, 2005 11:59 am

I downloaded this POS as well. Can't print or turn off/restart from the keyboard. If anyone has a fix please post. I don't have 8 hours to spare to reinstall my OS and all the files and programs.

Windspeed
Tropical Storm
Posts: 129
Joined: Thu Jun 10, 2004 11:38 am

#22 Postby Windspeed » Wed Mar 02, 2005 12:01 pm

msbee: you need at least one csrss checked in your msconfig "start up." it is a run-time program that handles interface commands in your screens/windows. if you have multiple csrss files, just deactivate any after the first one down the start up list.

also, you can't run netstat from "run" in your start menu. you must run a dos command prompt. click on applications, then select "command prompt" if you are using 2000 or xp.

if the only thing you're using right now is your browser and yet you have an "Established" foreign connection through port 6667, that is a botnet and you are still being hacked. whoever did this knew what they were doing. i believe that is why they used this specific worm and also its connection to the system registry and csrss start up files. that's a route for a port hack if someone is doing it through a bot net.

anyone else experiencing the same problems? i'm trying to back up files right now. i could not find a working solution because i could not restore. my system is messed up but i'm still able to backup what i had not mirrored in the last six months. then i'm going to do those magical words "format" and "reinstall."

msbee
S2K Supporter
Posts: 3010
Joined: Wed Jun 11, 2003 10:11 am
Location: St. Maarten

#23 Postby msbee » Wed Mar 02, 2005 1:36 pm

Hi Windspeed
I am running XP.
I clicked on accessories and saw command prompt there.
I clicked on that and the black box came up, all that it shows is:
c:\documents and settings\my name
I didn't see anything that said netstat
so does that mean I am ok?
by the way, this topic is running over in hurricane hollow forum too and someone there said she can't print. I just tried to print and I couldn't either.. I thought I was ok..maybe I'm not..
what a mess!!!!!!!!
Too many hurricanes to remember

NWIASpotter
Category 5
Posts: 1961
Joined: Sun Jul 18, 2004 12:58 pm
Location: Terril, Iowa & Ames, Iowa

#24 Postby NWIASpotter » Wed Mar 02, 2005 4:07 pm

Storm2k wasn't the only weather site hacked... It just happened again on the main weather board I'm a part of!!! :grr: :eek:

therock1811
Category 5
Posts: 5163
Age: 38
Joined: Thu May 15, 2003 2:15 pm
Location: Kentucky

#25 Postby therock1811 » Wed Mar 02, 2005 5:35 pm

Son of a gun! I'll be darned!

Skywatch_NC
Category 5
Posts: 10949
Joined: Wed Feb 05, 2003 9:31 pm
Location: Raleigh, NC

#26 Postby Skywatch_NC » Wed Mar 02, 2005 9:44 pm

NWIASpotter wrote: Storm2k wasn't the only weather site hacked... It just happened again on the main weather board I'm a part of!!! :grr: :eek:

The a-hole doing these hackings is truly a WHACKO!!! :grr: :grr:

mf_dolphin
Category 5
Posts: 17761
Age: 67
Joined: Tue Oct 08, 2002 2:05 pm
Location: St Petersburg, FL

#27 Postby mf_dolphin » Wed Mar 02, 2005 10:46 pm

We found these instructions but I can't guarantee they will work. This is fairly involved but hopefully it will help some of you.

We have a serious problem. We were hacked. If you have downloaded the file PLUGIN_INSTALL.EXE that was a fake patch to your computer you must delete it asap. DO NOT INSTALL. If you have please follow the instructions below to remove it. I make no claims that this will help you or that you won't screw your computer up. This is what I did and it worked for me. Print or copy this immediately!!!!! Read all instructions BEFORE attempting. Make sure you understand them.

1. Remove your computer from the web. You should just unplug the network cable.

2. If you have system restore on...you must shut it off immediately.

3. Shut down your computer. You can ctrl-alt-del and go to USERS. From there you can choose to logoff..then shutdown.

4. Reboot your computer and hold the F8 key. This will bring up a boot menu option from windows.

5. Choose SAFE MODE.

6. Search your computer for a file named sp2patch.exe

7. Go into c:/windows/system32/ and delete the folder (remember the folder name please) that sp2patch.exe was inside.

8. Go to the start button and click RUN.

9. Run REGEDIT

NOTE: Please be very careful here.
10. Do a search in regedit for the key, value, and data for CSRSS.EXE (note: this is a clone of a real windows component). Delete anything found with that key where the directory is from the folder in step 7.

11. Do a search for sp2patch.exe in regedit as well. DELETE any entries found.

12. Reboot into normal windows mode.

13. If you reboot and do not get any errors then you may have been successful. If you ctrl-alt-del you can see the system processes. If you see only 1 csrss.exe then you have it.

14. Shut down, attach your network cable again and reboot.
0 likes   
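
The registry search in steps 10 and 11 can be pre-checked read-only before anything is deleted. The sketch below is an added example, not part of the original post: it scans text in the layout that `reg query` prints for a Run key and lists autorun values that launch `csrss.exe` or `sp2patch.exe` from anywhere other than the genuine System32 location. The sample output, the folder name `xpsp` and the `C:\WINDOWS` install path are assumptions made for the example.

```python
import ntpath
import re

# Names taken from the thread: the fake patch and the cloned system process.
SUSPECT_NAMES = {"csrss.exe", "sp2patch.exe"}
# Assumption: Windows is installed in C:\WINDOWS (the XP default).
GENUINE_CSRSS = r"c:\windows\system32\csrss.exe"

# Constructed sample in the layout `reg query` prints for a Run key.
# The folder name "xpsp" and the value names are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Client Server Runtime    REG_SZ    C:\WINDOWS\system32\xpsp\csrss.exe
    SP2 Update    REG_SZ    "C:\WINDOWS\system32\xpsp\sp2patch.exe" /s
"""

# An indented "name  TYPE  data" row; value names may contain spaces.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")
# The executable part of the data: a quoted path, or everything up to ".exe".
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.IGNORECASE)


def suspicious_run_entries(reg_output):
    """Return (value_name, exe_path) for autoruns that start a suspect
    file name from a path other than the genuine System32 csrss.exe."""
    hits = []
    for line in reg_output.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # key header or blank line
        exe = EXE.match(entry.group("data").strip())
        if not exe:
            continue
        path = (exe.group(1) or exe.group(2)).strip()
        name = ntpath.basename(path).lower()
        if name in SUSPECT_NAMES and path.lower() != GENUINE_CSRSS:
            hits.append((entry.group("name"), path))
    return hits


if __name__ == "__main__":
    for value_name, path in suspicious_run_entries(SAMPLE):
        print(f"review autorun {value_name!r}: {path}")
```

The folder part of each reported path is the one to compare against the folder noted in step 7.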

NWIASpotter
Category 5
Posts: 1961
Joined: Sun Jul 18, 2004 12:58 pm
Location: Terril, Iowa & Ames, Iowa

#28 Postby NWIASpotter » Thu Mar 03, 2005 10:05 am

Skywatch_NC wrote:
NWIASpotter wrote: Storm2k wasn't the only weather site hacked... It just happened again on the main weather board I'm a part of!!! :grr: :eek:

The a-hole doing these hackings is truly a WHACKO!!! :grr: :grr:

Yes, Eric he is... or maybe it is them... Whatever, I'm disappointed!!!

bsidella
Tropical Wave
Posts: 6
Joined: Tue Aug 31, 2004 3:30 pm

tried the fix

#29 Postby bsidella » Thu Mar 03, 2005 1:16 pm

I tried the fix. It appeared to work however I still cannot print. Any suggestions???

chadtm80
Category 5
Posts: 20381
Age: 43
Joined: Tue Oct 08, 2002 8:35 am
Location: East Central Florida

Re: tried the fix

#30 Postby chadtm80 » Thu Mar 03, 2005 2:12 pm

bsidella wrote: I tried the fix. It appeared to work however I still cannot print. Any suggestions???

what happens when you try and print?

Lindaloo
Category 5
Posts: 22659
Joined: Sat Mar 29, 2003 10:06 am
Location: Pascagoula, MS

#31 Postby Lindaloo » Thu Mar 03, 2005 2:51 pm

Have you tried reinstalling your printer software?

bsidella
Tropical Wave
Posts: 6
Joined: Tue Aug 31, 2004 3:30 pm

Cannot print

#32 Postby bsidella » Thu Mar 03, 2005 3:08 pm

I've tried 3 times to reinstall the drivers but nothing. When I go to print it just hangs up and then says unable to print. I'm printing remotely to my main pc in my house off of a laptop. Does anyone have any ideas?

Windspeed
Tropical Storm
Posts: 129
Joined: Thu Jun 10, 2004 11:38 am

Unfortunately, I had to do a format and reinstall...

#33 Postby Windspeed » Fri Mar 04, 2005 3:57 am

I just had too much stuff messed up, too much file corruption I couldn't entirely locate and clean up, so it just kept breaking stuff on reboot. I also couldn't successfully restore. So I had to choose the last and final option. Start from scratch. But it is nice to have peace of mind. I finally have everything back to pre-chaos. Lessons learned. It doesn't matter how great your firewall or your anti-virus protection is if you almost obliviously download an .exe file of which you are unfamiliar. Sometimes paranoia is a good thing. :roll:

msbee:

I clicked on accessories and saw command prompt there.
I clicked on that and the black box came up, all that it shows is:
c:\documents and settings\my name
I didn't see anything that said netstat
so does that mean I am ok?


Actually, you access the command prompt just as you did there. However, you actually have to _type_ in the command. Command prompt is a prompt line for text functions, like dos, linux, etc. Netstat is a program you can only run in command prompt. So you must type netstat at the command prompt line. That will allow you to see what foreign connections are in your computer. Now keep in mind, you're obviously going to see "good" foreign connections (or you wouldn't be on this webpage, or online, etc.); however, if you see anything attached to port: 6667, that may still be this hack that occurred in association with the .exe file that folks unfortunately downloaded from this page. Folks like me. :roll:

Anyway, I am all clean. I was able to backup all my personal stuff. Actually, now that I have everything back to normal, I don't mind having done this reinstall. There's just something nice about a fresh windows install. (Stuff hasn't had enough time to start screwing up on its own yet! :lol: ) But my firewall and anti-abuse software is up to date and working. So I should be good to go for a while, unless I pull another brainfart and download an erroneous .exe file from an unauthorized source. :grr:
0 likes   
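
The netstat check described in this post can be done without reading the listing by eye. The sketch below is an added example, not part of the original post: it parses text in the layout of Windows `netstat -ano` output and returns the established TCP connections whose foreign port is 6667 (the conventional IRC port), with the owning PID when that column is present. The sample listing is constructed and uses documentation address ranges; the function names are illustrative.

```python
# Constructed sample in the layout of Windows `netstat -ano` output.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED     1480
  TCP    192.168.1.10:1051      198.51.100.20:80       ESTABLISHED     2204
  TCP    192.168.1.10:1060      203.0.113.7:6667       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Yield one dict per TCP row. Headers, blank lines and UDP rows
    (which carry no connection state) are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        # rpartition keeps working for bracketed IPv6 such as [::1]:6667
        host, _, port = fields[2].rpartition(":")
        if not port.isdigit():
            continue  # non-numeric port: rerun netstat with -n
        has_pid = len(fields) > 4 and fields[4].isdigit()
        yield {
            "local": fields[1],
            "remote_host": host,
            "remote_port": int(port),
            "state": fields[3],
            "pid": int(fields[4]) if has_pid else None,  # None without -o
        }


def irc_connections(text, ports=(6667,)):
    """Return established connections whose foreign port is in `ports`."""
    return [
        conn for conn in parse_netstat(text)
        if conn["state"] == "ESTABLISHED" and conn["remote_port"] in ports
    ]


if __name__ == "__main__":
    for conn in irc_connections(SAMPLE):
        print(f"{conn['local']} -> {conn['remote_host']}:{conn['remote_port']}"
              f" (PID {conn['pid']})")
```

The PID can be matched against the PID column in Task Manager's process list to see which program owns the connection.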

george_r_1961
S2K Supporter
Posts: 3171
Age: 62
Joined: Sat Oct 12, 2002 9:14 pm
Location: Hampton, Virginia

#34 Postby george_r_1961 » Fri Mar 04, 2005 6:42 am

Marshall I had to go thru a similar process with my laptop when it got infected by a trojan and started sending out obscene IMs on MSN messenger. Make one mistake in the registry and your computer gets transformed instantly into an oversized paperweight. Yes I found that out the hard way lol

