Server 2000 acting up

I have a small office server running W2K Server. Lately it seems to have a few issues, like not being able to go online except for the very first couple of seconds on boot up, and then it decides to restart itself for no apparent reason. I have been looking around a lot of boards and reading as much as possible, but everything I try seems to have no effect, so I am hoping this route will help me out. I have gone through most of the steps in the sticky thread except for the online scans (can't get online). Other PCs on the same network have no issues. I have some sort of connection because I can ping from that site to google, but no connection via IE. Here is my HijackThis log. And many thanks for any help.

Logfile of HijackThis v1.99.1
Scan saved at 3:55:04 PM, on 11/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\udzou.exe
C:\WINNT\system32\cjnr4r46718675.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINNT\system32\nlkfev78831927.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\WINNT\system32\nlkfev78831927.exe
C:\Program Files\Novosoft\Handy Backup\hbagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\HPZipm12.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: 80.112008 www.symantec.com
O1 - Hosts: 80.112008 securityresponse.symantec.com
O1 - Hosts: 80.112008 symantec.com
O1 - Hosts: 80.112008 pandasoftware.com
O1 - Hosts: 80.112008 www.pandasoftware.com
O1 - Hosts: 80.112008 www.sophos.com
O1 - Hosts: 80.112008 sophos.com
O1 - Hosts: 80.112008 www.mcafee.com
O1 - Hosts: 80.112008 mcafee.com
O1 - Hosts: 80.112008 downloads-us1.kaspersky-labs.com
O1 - Hosts: 80.112008 downloads1.kaspersky-labs.com
O1 - Hosts: 80.112008 downloads2.kaspersky-labs.com
O1 - Hosts: 80.112008 downloads3.kaspersky-labs.com
O1 - Hosts: 80.112008 dnl-eu5.kaspersky-labs.com
O1 - Hosts: 80.112008 liveupdate.symantecliveupdate.com
O1 - Hosts: 80.112008 www.viruslist.com
O1 - Hosts: 80.112008 viruslist.com
O1 - Hosts: 80.112008 f-secure.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [cjnr4r48171650] C:\WINNT\system32\cjnr4r48171650.exe
O4 - HKLM\..\Run: [sklrr7y1107803] C:\WINNT\system32\sklrr7y1107803.exe
O4 - HKLM\..\Run: [cjnr4r41939240] C:\WINNT\system32\cjnr4r41939240.exe
O4 - HKLM\..\Run: [udzok] udzou.exe
O4 - HKLM\..\Run: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [mlsdf8h9043799] C:\WINNT\system32\mlsdf8h9043799.exe
O4 - HKLM\..\Run: [nlkfev78831927] C:\WINNT\system32\nlkfev78831927.exe
O4 - HKLM\..\RunServices: [udzok] udzou.exe
O4 - HKLM\..\RunServices: [cjnr4r41939240] C:\WINNT\system32\cjnr4r41939240.exe
O4 - HKLM\..\RunServices: [cjnr4r48171650] C:\WINNT\system32\cjnr4r48171650.exe
O4 - HKLM\..\RunServices: [sklrr7y1107803] C:\WINNT\system32\sklrr7y1107803.exe
O4 - HKLM\..\RunServices: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
O4 - HKLM\..\RunServices: [mlsdf8h9043799] C:\WINNT\system32\mlsdf8h9043799.exe
O4 - HKLM\..\RunServices: [nlkfev78831927] C:\WINNT\system32\nlkfev78831927.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - HKCU\..\Run: [udzok] udzou.exe
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: OfficeCalendar Server.lnk = C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Comments

  • SpywareShooter
    edited November 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O1 - Hosts: 80.112008 www.symantec.com
    O1 - Hosts: 80.112008 securityresponse.symantec.com
    O1 - Hosts: 80.112008 symantec.com
    O1 - Hosts: 80.112008 pandasoftware.com
    O1 - Hosts: 80.112008 www.pandasoftware.com
    O1 - Hosts: 80.112008 www.sophos.com
    O1 - Hosts: 80.112008 sophos.com
    O1 - Hosts: 80.112008 www.mcafee.com
    O1 - Hosts: 80.112008 mcafee.com
    O1 - Hosts: 80.112008 downloads-us1.kaspersky-labs.com
    O1 - Hosts: 80.112008 downloads1.kaspersky-labs.com
    O1 - Hosts: 80.112008 downloads2.kaspersky-labs.com
    O1 - Hosts: 80.112008 downloads3.kaspersky-labs.com
    O1 - Hosts: 80.112008 dnl-eu5.kaspersky-labs.com
    O1 - Hosts: 80.112008 liveupdate.symantecliveupdate.com
    O1 - Hosts: 80.112008 www.viruslist.com
    O1 - Hosts: 80.112008 viruslist.com
    O1 - Hosts: 80.112008 f-secure.com
    O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
    O4 - HKLM\..\Run: [cjnr4r48171650] C:\WINNT\system32\cjnr4r48171650.exe
    O4 - HKLM\..\Run: [sklrr7y1107803] C:\WINNT\system32\sklrr7y1107803.exe
    O4 - HKLM\..\Run: [cjnr4r41939240] C:\WINNT\system32\cjnr4r41939240.exe
    O4 - HKLM\..\Run: [udzok] udzou.exe
    O4 - HKLM\..\Run: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
    O4 - HKLM\..\Run: [mlsdf8h9043799] C:\WINNT\system32\mlsdf8h9043799.exe
    O4 - HKLM\..\Run: [nlkfev78831927] C:\WINNT\system32\nlkfev78831927.exe
    O4 - HKLM\..\RunServices: [udzok] udzou.exe
    O4 - HKLM\..\RunServices: [cjnr4r41939240] C:\WINNT\system32\cjnr4r41939240.exe
    O4 - HKLM\..\RunServices: [cjnr4r48171650] C:\WINNT\system32\cjnr4r48171650.exe
    O4 - HKLM\..\RunServices: [sklrr7y1107803] C:\WINNT\system32\sklrr7y1107803.exe
    O4 - HKLM\..\RunServices: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
    O4 - HKLM\..\RunServices: [mlsdf8h9043799] C:\WINNT\system32\mlsdf8h9043799.exe
    O4 - HKLM\..\RunServices: [nlkfev78831927] C:\WINNT\system32\nlkfev78831927.exe
    O4 - HKCU\..\Run: [udzok] udzou.exe
    O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
    O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINNT\system32\cjnr4r48171650.exe
    C:\WINNT\system32\sklrr7y1107803.exe
    C:\WINNT\system32\cjnr4r41939240.exe
    udzou.exe
    C:\WINNT\system32\cjnr4r46718675.exe
    C:\WINNT\system32\mlsdf8h9043799.exe
    C:\WINNT\system32\nlkfev78831927.exe

    [STEP 3] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\Error Nuker\

    [STEP 4] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
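The checks the helper applied by hand above (hosts-file entries that send antivirus update sites somewhere other than loopback, the same autostart name under both Run and RunServices, services with an unknown owner or a missing binary, and a system binary name living outside System32) can be scripted over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the severity labels and the rule set are my own, and the sample lines are copied from the first log in this thread plus one constructed localhost entry.

```python
"""Triage checks for HijackThis v1.99 log lines (added example, not HijackThis code)."""
import re

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Well-known Windows binaries that belong under %SystemRoot%\System32; the
# same file name anywhere else is a classic masquerade (e.g. C:\WINNT\lsass.exe).
SYSTEM32_ONLY = {"lsass.exe", "spoolsv.exe", "svchost.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def exe_token(cmd):
    """Return the executable portion of an autostart command line (crude: quoted
    path, else first whitespace-delimited token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return a list of (severity, line, reason) findings for a HijackThis log."""
    findings = []
    autostarts = {}  # (hive, entry name) -> set of Run* keys it appears under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts hijack that blocks vendor update sites points them off-loopback.
            if ip not in LOOPBACK:
                findings.append(("high", line,
                                 f"hosts entry sends {host} to {ip}, not loopback"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            autostarts.setdefault((hive, name), set()).add(key)
            exe = exe_token(cmd)
            # Bare file names (udzou.exe) hide where the binary lives; note that
            # some legitimate entries (nwiz.exe) trigger this too, hence "low".
            if "\\" not in exe and exe.lower().endswith(".exe"):
                findings.append(("low", line,
                                 f"autostart '{name}' references bare file name {exe}"))
            continue
        m = O23_RE.match(line)
        if m:
            display, owner, path = m.groups()
            if owner == "Unknown owner" or "(file missing)" in path:
                findings.append(("high", line,
                                 f"service '{display}' has unknown owner or missing binary"))
            binary = path.replace(" (file missing)", "").rsplit("\\", 1)[-1].lower()
            if binary in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
                findings.append(("high", line,
                                 f"{binary} outside System32 masquerades as a system binary"))
    # RunServices is a Windows 9x key; on NT/2000 the same name under both keys
    # is a persistence habit of the bot family seen in this thread.
    for (hive, name), keys in autostarts.items():
        if "Run" in keys and "RunServices" in keys:
            findings.append(("high", f"O4 - {hive} [{name}]",
                             f"'{name}' registered in both Run and RunServices"))
    return findings


# Sample lines copied from the first log in this thread, plus a constructed
# localhost entry to show a benign O1 line.
SAMPLE_LOG = r"""
O1 - Hosts: 80.112008 www.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [udzok] udzou.exe
O4 - HKLM\..\RunServices: [udzok] udzou.exe
O4 - HKLM\..\Run: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
O4 - HKLM\..\RunServices: [cjnr4r46718675] C:\WINNT\system32\cjnr4r46718675.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
"""

if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```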
  • edited November 2006
    Ok, the first step has been accomplished and it is already acting better; I can get online as of this minute. The only issue was with a couple of those crj.....456.exe files, which said they could not be deleted, but I removed them on reboot. Also there was no Error Nuker folder to delete.

    Here is the new log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:29:35 PM, on 11/21/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Mail Enable\Bin\MELSC.EXE
    C:\Program Files\Mail Enable\Bin\MEMTA.EXE
    C:\Program Files\Mail Enable\Bin\MEPOC.EXE
    C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
    C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\SpywareDetector\SDSystemTray.exe
    C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    C:\Program Files\Novosoft\Handy Backup\hbagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    C:\WINNT\system32\mrtMngr.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\HPZipm12.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
    O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
    O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: OfficeCalendar Server.lnk = C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe (file missing)
    O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
    O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
    O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
    O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
    O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

    Again thanks for the help
  • SpywareShooter
    edited November 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe (file missing)
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)

    [STEP 2] Run Additional Tools:
    Your HijackThis log shows no more signs of executable malware. However, this does not mean that your system is completely clean. In order to make sure that all remaining pieces of this malware have been removed, it is recommended that you download and scan with Ewido Anti-Malware. Please do an Ewido scan and post the log here:

    Download Ewido

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited November 2006
    Ok, that is done. I am attaching the AVG scan log here and the new hijack log after that. Also the readouts for ActiveScan, BitDefender and a few popups from Norton. Seems things are loosening up and running a little bit now. Being able to go online helps too.

    AVG Scan
    AVG Anti-Spyware - Scan Report

    + Created at: 2:03:58 PM 11/22/2006

    + Scan result:

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip/NukeBox.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\NukeBox.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.

    ::Report end

    hijack scan

    Logfile of HijackThis v1.99.1
    Scan saved at 2:13:38 PM, on 11/22/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Mail Enable\Bin\MELSC.EXE
    C:\Program Files\Mail Enable\Bin\MEMTA.EXE
    C:\Program Files\Mail Enable\Bin\MEPOC.EXE
    C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
    C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\SpywareDetector\SDSystemTray.exe
    C:\Program Files\SpywareDetector\LiveUpdateSD.exe
    C:\WINNT\system32\exn.exe
    C:\WINNT\system32\0x32.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    C:\Program Files\Novosoft\Handy Backup\hbagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    C:\WINNT\system32\mrtMngr.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\HPZipm12.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
    O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
    O4 - HKLM\..\Run: [exn] C:\WINNT\system32\exn.exe
    O4 - HKLM\..\Run: [Numerical Xterm Agent] 0x32.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\RunServices: [Numerical Xterm Agent] 0x32.exe
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
    O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: OfficeCalendar Server.lnk = C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe (file missing)
    O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
    O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
    O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
    O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
    O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

    Also a BitDefender scan

    BitDefender Online Scanner
    Scan report generated at: Wed, Nov 22, 2006 - 07:47:05
    Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

    Statistics
    Time: 13:16:04
    Files: 4295750
    Folders: 27420
    Boot Sectors: 5
    Archives: 25749
    Packed Files: 522072

    Results
    Identified Viruses: 7
    Infected Files: 21
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 23

    Engines Info
    Virus Definitions: 317343
    Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
    Scan plugins: 13
    Archive plugins: 38
    Unpack plugins: 6
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File -> Status
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01280000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03900000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04340000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\069C0000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06DC0000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07040000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB40000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AC80000.VBN -> Infected with: Exploit.ADODB.Stream.AT; Disinfection failed; Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CF40000.VBN -> Infected with: Backdoor.Rbot.FUO; Disinfection failed; Deleted
    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc1.exe -> Infected with: Trojan.Spambot.I; Disinfection failed
    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc1.exe


    Deleted

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc3.exe


    Infected with: Trojan.Spambot.I

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc3.exe


    Disinfection failed

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc3.exe


    Deleted

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc5.exe


    Infected with: Trojan.Spambot.I

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc5.exe


    Disinfection failed

    C:\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dc5.exe


    Deleted

    C:\WINNT\system32\CloseAll.exe


    Infected with: Generic.Malware.SYd!g.AA67EC65

    C:\WINNT\system32\CloseAll.exe


    Disinfection failed

    C:\WINNT\system32\CloseAll.exe


    Deleted

    C:\WINNT\system32\z.exe


    Infected with: Trojan.Spambot.Y

    C:\WINNT\system32\z.exe


    Disinfection failed

    C:\WINNT\system32\z.exe


    Deleted

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe


    Infected with: Trojan.Downloader.INService.Gen

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe


    Disinfection failed

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe


    Deleted

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip=>fwp.exe


    Infected with: Trojan.Downloader.INService.Gen

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip=>fwp.exe


    Disinfection failed

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip=>fwp.exe


    Deleted

    D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip


    Updated

    F:\D\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe.zip=>fwp.exe


    Infected with: Trojan.Downloader.INService.Gen

    F:\D\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe.zip=>fwp.exe


    Disinfection failed

    F:\D\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe.zip=>fwp.exe


    Deleted

    F:\D\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe.zip


    Updated

    F:\D\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dd25\backup.pst.zip=>backup.pst=>[Subject: [Norton AntiSpam] Welcome to my hometown][From: onlinetaxes]=>(body)=>(Compressed Rtf)


    Suspected of: Exploit.Iframe.Vulnerability

    F:\D\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dd25\backup.pst.zip=>backup.pst=>[Subject: [Norton AntiSpam] Welcome to my hometown][From: onlinetaxes]=>(body)=>(Compressed Rtf)


    Disinfection failed

    F:\D\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dd25\backup.pst.zip=>backup.pst=>[Subject: [Norton AntiSpam] Welcome to my hometown][From: onlinetaxes]=>(body)=>(Compressed Rtf)


    Deleted

    F:\D\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dd25\backup.pst.zip=>backup.pst


    Updated

    F:\D\RECYCLER\S-1-5-21-602162358-1383384898-1343024091-500\Dd25\backup.pst.zip


    Updated


    This is a pop-up from my Norton:



    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\1.vbs
    Location: Quarantine
    Computer: OFFICESRV1
    User: SYSTEM
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Mon Nov 20 14:37:57 2006

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\1.vbs
    Location: Quarantine
    Computer: OFFICESRV1
    User: SYSTEM
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Mon Nov 20 15:31:02 2006

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: W32.Spybot.Worm
    File: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DO03J797\1[1].exe
    Location: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DO03J797
    Computer: OFFICESRV1
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Tue Nov 21 03:11:28 2006

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan Horse
    File: C:\sirh0t_changes_ur_hostfile.bat
    Location: Quarantine
    Computer: OFFICESRV1
    User: Administrator
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Tue Nov 21 15:29:07 2006

    This is the ActiveScan log:

    Incident Status Location

    Virus:W32/SdBot.ITH.worm Disinfected C:\Documents and Settings\Administrator\cusun.wmf
    Virus:W32/SdBot.ITH.worm Disinfected C:\WINNT\system32\cusun.wmf
    Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\i
    Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\n
    Virus:W32/SdBot.ITH.worm Disinfected C:\WINNT\udzou.exe
    Adware:Adware/IST.ISTBar Not disinfected D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe
    Adware:Adware/IST.ISTBar Not disinfected D:\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\Media_Jukebox_Plus_v8[1].0.400 (www.crack.cd).zip[fwp.exe]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected D:\craig_work_file\Codes-programs-scripts\Utility\susetup.exe
    Adware:Adware/IST.ISTBar Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\Media Jukebox 8.0.400 nad crack\fwp.exe.zip[fwp.exe]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\susetup.exe.zip[susetup.exe]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\susetup.exe.zip[susetup.exe][SERVUDAEMON.EXE]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\susetup.exe.zip[susetup.exe][SERVUTRAY.EXE]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\susetup.exe.zip[susetup.exe][SERVUPERFCOUNT.DLL]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\D\craig_work_file\Codes-programs-scripts\Utility\susetup.exe.zip[susetup.exe][SERVUADMIN.EXE]
  • SpywareShooter
    edited November 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O4 - HKLM\..\Run: [exn] C:\WINNT\system32\exn.exe
    O4 - HKLM\..\Run: [Numerical Xterm Agent] 0x32.exe
    O4 - HKLM\..\RunServices: [Numerical Xterm Agent] 0x32.exe
    O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe (file missing)
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINNT\system32\exn.exe
    0x32.exe

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
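    The entries above were picked by hand. As an added illustration (this script is not from the thread, from HijackThis, or from SpywareShooter), here is a small triage pass over HijackThis O4/O23 lines that applies three defender-side checks: an autorun whose command is a bare filename rather than a full path (resolved through a PATH search at logon), a service whose binary is missing or has no identifiable vendor, and a service binary carrying the name of a core Windows process (lsass.exe, csrss.exe, etc.) from a directory other than system32. The five lines copied from the post are the sample input; the sixth, benign HP entry is constructed as a control. The regexes, reason strings, and the `SYSTEM32_ONLY` list are assumptions of this example.

```python
import ntpath
import re

# Sample input: the five HijackThis lines from the post above, plus one
# constructed benign entry (the HP line) as a control that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [exn] C:\WINNT\system32\exn.exe
O4 - HKLM\..\Run: [Numerical Xterm Agent] 0x32.exe
O4 - HKLM\..\RunServices: [Numerical Xterm Agent] 0x32.exe
O23 - Service: Print Spooler Service (euaoyslaei4iuau) - Unknown owner - C:\WINNT\system32\nlkfev78831927.exe (file missing)
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"""

# Assumed regexes for the two HijackThis line types handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Core NT processes that legitimately live only under the system32 directory;
# a service pointing at one of these names elsewhere is a classic impersonation.
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "spoolsv.exe"}


def first_token(cmd):
    """Return the executable part of an autorun command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Map each suspicious HijackThis line to the list of reasons it tripped."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            if "\\" not in exe:
                reasons.append("autorun uses a bare filename (resolved via PATH search)")
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("service binary is missing on disk")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("service has no identifiable vendor")
            path = m.group("path")
            base = ntpath.basename(path).lower()
            parent = ntpath.basename(ntpath.dirname(path)).lower()
            if base in SYSTEM32_ONLY and parent != "system32":
                reasons.append(f"{base} outside system32 (name impersonation)")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    -", r)
```

    Run against the sample, the script flags both 0x32.exe autoruns and both O23 services, and leaves the HP control alone. It does not flag C:\WINNT\system32\exn.exe: a full-path executable with an unremarkable name in system32 passes every path heuristic, which is why the helper's call on that entry rests on recognising the name, and why a real triage adds file reputation (hash lookup, publisher signature) on top of checks like these.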
  • edited November 2006
    Major problem: I did the above, and now I cannot access this server from any other PCs, and I get a "one or more services were not able to start" message. What do I do now? I have the HijackThis log backups.
  • SpywareShooter
    edited November 2006
    Since you kept the backups, restore them, and try it again. But this time instead of doing it at once, just do it one entry at a time until you find which one caused the problem.