Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Having problems with noytcyr, roytctm, wsldoekd, tdydowkc and related


  • Please log in to reply

#1
Dorian_NYC

Dorian_NYC

    New Member

  • Member
  • Pip
  • 2 posts
Hi,

I have two Windows 2000 Servers that have these infections ... as fast as can remove some of these files they keep on coming back.

I have installed the Malwarebytes' Anti-Malware which helped remove Spy Guard 2008 ... can you tell I've been frustrated ...

Here is my Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:19 AM, on 12/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\GFI\SELM 5\selmalrt.exe
C:\Program Files\GFI\SELM 5\selmarch.exe
C:\Program Files\GFI\SELM 5\selmcoll.exe
C:\PROGRA~1\GFI\SELM5~1\selmcomm.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\GFI\SELM 5\selm_mon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\logon.scr
C:\Stuff\OTMoveIt3.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Stuff\HiJackThis.exe
C:\WINNT\system32\udxfytw.sys

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: LANguard S.E.L.M. Status Monitor.lnk = C:\Program Files\GFI\SELM 5\selm_mon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1230082519640
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pd0sbh.net/TSWeb/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4C85BDD-B9AC-4F51-BA68-25FEA6159078}: NameServer = 209.87.79.232,209.87.64.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: dyqtws.dll
O23 - Service: afisicx - Unknown owner - C:\WINNT\system32\afisicx.exe
O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent (cpqvcagent) - Compaq Computer Corporation - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Alerter agent service (GFI SELM 5 Alerter) - GFI Software Ltd. - C:\Program Files\GFI\SELM 5\selmalrt.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Archiver agent service (GFI SELM 5 Archiver) - Unknown owner - C:\Program Files\GFI\SELM 5\selmarch.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Collector agent service (GFI SELM 5 Collector) - GFI Software Ltd. - C:\Program Files\GFI\SELM 5\selmcoll.exe
O23 - Service: eTrust InoculateIT Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Ms DataBase Manager Service (mscncosd) - Unknown owner - C:\WINNT\system32\mscnco.exe
O23 - Service: noytcyr - Unknown owner - C:\WINNT\system32\noytcyr.exe
O23 - Service: roytctm - Unknown owner - C:\WINNT\system32\roytctm.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: hp ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINNT\system32\tdydowkc.exe
O23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINNT\system32\wbem\wmiservice.exe (file missing)
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
O23 - Service: wsldoekd - Unknown owner - C:\WINNT\system32\wsldoekd.exe

--
End of file - 9748 bytes

Ideally I would like to be able to work on these servers remotely as getting to the location is not easy.


Any help you can give will be gratly appreciated...
Dorian_NYC
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Dorian_NYC

Welcome to G2Go. :)
=====================
Hi are you a business or a repair shop that needs help?
Do you have an IT department that can clean this for you?
  • 0

#3
Dorian_NYC

Dorian_NYC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I do custom printing work and I have the servers for creating and ripping files. I am usually really good at keeping my servers clean but I don't know what happened ... any help would be appreciated and I would be more than happy to recompense for the help ... it's a bad time to be down ...
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I will be happy to clean both servers for you but right now we will do one at a time :)
======
Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
=============
ALso please Click Here to download catchme.exe save it to your desktop and double click it to run it.
It will create a txt file on your desktop.
Please post the contents of that log in your next reply as well.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP