Need help getting rid of a Win2K service/virus

[Saintaw]

UMRG32.exe is infected by a trojan (so my AV software says: BKDR_BO2K.10). I can't delete the file, not stop the service (tried deleting the file & stopping the services, both were denied to me, eventhough I am logged as admin).

How can I get rid of it ?

[Wlfgng]

try booting to safe mode and deleting the file.

[qts]

Boot to a command line and copy a clean version from your install directory.

[Siaf__csf]

How did you manage to get back orifice to your computer?

Tsk tsk..

http://www.hackfix.org/bofix/fix2k.shtml

[Saintaw]

It is not actually mine (I'm running XP) but my neighbours...I have no clue on how he managed to get that one, as he is as computer savy as my inlaw (j/k Michel!) I'll try the above fixes when I get back home this evening, thanks

[straffo]

In this case you can mount his HD on your computer

[Chairboy]

What antivirus program do you have?  NAV can remove it.  If you can't get rid of something from inside windows w/ NAV, you just boot from the NAV (or NIS  or NSW(which comes w/ NAV)) CD and run the virus removal tool.  Since your OS isn't running, there are no files in  use.

[SKurj]

Tried deleting it from a dos box?


SKurj

[AKIron]

If his drive is FAT32 you can boot from a floppy and replace the file. If not, you can boot from his Win2K CD and run install in repair mode.

[Siaf__csf]

Yeah or he can do it the easy way as described on the instructions on the net LOL.

[Saintaw]

It's been done, thanks

[Siaf__csf]

It's always a good idea to keep an eye on the process list also. I found out once that a server of a friend of mine was compromised.. Someone was using it to share warez on the net

How did I find it out? I browsed the task list and saw processes running that shouldn't be there. I then opened google and saw those processes were related to irc and hacking..