I have two Windows 2000 Servers that have these infections ... as fast as I can remove some of these files they keep on coming back.
I have installed the Malwarebytes' Anti-Malware which helped remove Spy Guard 2008 ... can you tell I've been frustrated ...
Here is my Hijack Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:19 AM, on 12/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\GFI\SELM 5\selmalrt.exe
C:\Program Files\GFI\SELM 5\selmarch.exe
C:\Program Files\GFI\SELM 5\selmcoll.exe
C:\PROGRA~1\GFI\SELM5~1\selmcomm.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\GFI\SELM 5\selm_mon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\logon.scr
C:\Stuff\OTMoveIt3.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Stuff\HiJackThis.exe
C:\WINNT\system32\udxfytw.sys
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: LANguard S.E.L.M. Status Monitor.lnk = C:\Program Files\GFI\SELM 5\selm_mon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1230082519640
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pd0sbh.net/TSWeb/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4C85BDD-B9AC-4F51-BA68-25FEA6159078}: NameServer = 209.87.79.232,209.87.64.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: dyqtws.dll
O23 - Service: afisicx - Unknown owner - C:\WINNT\system32\afisicx.exe
O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent (cpqvcagent) - Compaq Computer Corporation - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Alerter agent service (GFI SELM 5 Alerter) - GFI Software Ltd. - C:\Program Files\GFI\SELM 5\selmalrt.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Archiver agent service (GFI SELM 5 Archiver) - Unknown owner - C:\Program Files\GFI\SELM 5\selmarch.exe
O23 - Service: GFI LANguard S.E.L.M. 5.0 Collector agent service (GFI SELM 5 Collector) - GFI Software Ltd. - C:\Program Files\GFI\SELM 5\selmcoll.exe
O23 - Service: eTrust InoculateIT Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Ms DataBase Manager Service (mscncosd) - Unknown owner - C:\WINNT\system32\mscnco.exe
O23 - Service: noytcyr - Unknown owner - C:\WINNT\system32\noytcyr.exe
O23 - Service: roytctm - Unknown owner - C:\WINNT\system32\roytctm.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: hp ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINNT\system32\tdydowkc.exe
O23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINNT\system32\wbem\wmiservice.exe (file missing)
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
O23 - Service: wsldoekd - Unknown owner - C:\WINNT\system32\wsldoekd.exe
--
End of file - 9748 bytes
Ideally I would like to be able to work on these servers remotely as getting to the location is not easy.
Any help you can give will be greatly appreciated...
Dorian_NYC
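Since the post asks for help going through this log, here is a small triage parser, added as an example (it is not part of the original post and not a Trend Micro tool). It reads HijackThis O16/O17/O20/O23 lines and flags the entries a reviewer would look at first: services with no vendor string living in system32, services whose binary is missing, bare random-looking service names, a populated AppInit_DLLs value, resolvers outside an expected list, and ActiveX cabs served from hosts outside a vendor list. The resolver list and vendor-domain list are assumptions a reviewer fills in for their own site; the sample input is a handful of lines copied from the log above. Every flag is a review hint, not a verdict on any file.

```python
"""Heuristic triage of HijackThis v2.0.x log lines (added example).

Not code from the original post or from Trend Micro. Parses the O16/O17/O20/O23
line formats that appear in the posted log and returns review hints. The
allowlists are reviewer-supplied assumptions, not facts about this server.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>.*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING = " (file missing)"


@dataclass
class Finding:
    line: str
    reason: str


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage(lines, expected_dns=(), vendor_suffixes=()):
    """Return a Finding per heuristic hit; one line can yield several."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := O23_RE.match(line):
            name, owner, path = m["name"], m["owner"], m["path"]
            missing = path.endswith(MISSING)
            path = path[: -len(MISSING)] if missing else path
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if missing:
                findings.append(Finding(line, "service binary missing: orphaned entry, remove or investigate"))
            if owner == "Unknown owner" and "\\system32\\" in path.lower():
                findings.append(Finding(line, "unknown-owner service in system32: no vendor string, verify the binary"))
            # Bare lowercase token identical to the exe stem: no product branding at all.
            if name.isalpha() and name.islower() and name == stem:
                findings.append(Finding(line, "service name is a bare lowercase token matching its exe"))
        elif m := O20_RE.match(line):
            dlls = m["dlls"].strip()
            if dlls:
                findings.append(Finding(line, f"AppInit_DLLs loads {dlls} into every process that links user32.dll; "
                                              "this value should be empty on most servers"))
        elif m := O17_RE.match(line):
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(Finding(line, "NameServer entries not in the expected resolver list: " + ", ".join(unexpected)))
        elif m := O16_RE.match(line):
            host = _host(m["url"])
            if "..." in host:
                # HijackThis shortened the URL; the host cannot be judged from this line.
                findings.append(Finding(line, "download URL truncated in the log; cannot evaluate the host"))
            elif not any(host == s or host.endswith("." + s) for s in vendor_suffixes):
                findings.append(Finding(line, f"ActiveX cab served from {host}, not in the known-vendor list"))
    return findings


# Constructed sample: a few lines copied from the posted log.
SAMPLE_LOG = r"""
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pd0sbh.net/TSWeb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{080873A2-5A00-4D4D-9516-0A0CC1E54925}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4C85BDD-B9AC-4F51-BA68-25FEA6159078}: NameServer = 209.87.79.232,209.87.64.70
O20 - AppInit_DLLs: dyqtws.dll
O23 - Service: afisicx - Unknown owner - C:\WINNT\system32\afisicx.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
"""

# Reviewer-supplied assumptions: the resolvers this site is meant to use and the
# vendors whose ActiveX cabs are expected on the box. Adjust for your environment.
EXPECTED_DNS = ("208.67.222.222", "208.67.220.220")
VENDOR_SUFFIXES = ("microsoft.com", "trendmicro.com", "mcafee.com", "hp.com")


def triage_sample():
    return triage(SAMPLE_LOG.strip().splitlines(), EXPECTED_DNS, VENDOR_SUFFIXES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason}\n    {f.line}")
```

Run it against the full log saved to a file by replacing `SAMPLE_LOG` with the file contents; the O4 and O2 sections are not parsed here and would need their own rules. The point of the heuristics is to order the review, not to decide it: an unknown-owner service is verified by checking the binary on disk, not by its name.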