First of all, GREAT service you guys have here, EXCELLENT!!!!
I have no idea anymore what's wrong with my Win2000. I have done everything you advise in the "Start here" page and found several pieces of malware with different programs, but STILL my PC won't work well.
IE won't open any pages, Control Panel doesn't open at all, I can't open the C:/WINNT folder, etc.
The "netstat" command in cmd gives several lines like this:
TCP wwwserveri:1263 u15164207.onlinehome-server.com:nicname TIME_WAIT
TCP wwwserveri:1264 u15169564.onlinehome-server.com:nicname TIME_WAIT
TCP wwwserveri:1265 u15169564.onlinehome-server.com:nicname TIME_WAIT
TCP wwwserveri:1266 u15169564.onlinehome-server.com:nicname TIME_WAIT
My ewido report is here:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:51:36, 17.08.2005
+ Report-Checksum: 860E2966
+ Scan result:
[632] C:\WINNT\system32\crt.exe -> Backdoor.ServU-based : Cleaned with backup
[888] c:\winnt\system32\FireDaemon.EXE -> Backdoor.SdBot.nj : Cleaned with backup
[1220] c:\winnt\system32\drivers\FireDaemon.EXE -> Backdoor.SdBot.nj : Cleaned with backup
C:\WINNT\system32\CRT.EXE -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\system32\crt.zip/crt.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\system32\dll.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\system32\drivers\Firedaemon.exe -> Backdoor.SdBot.nj : Cleaned with backup
C:\WINNT\system32\FireDaemon.exe -> Backdoor.SdBot.nj : Cleaned with backup
C:\WINNT\Tasks\~tmp\WINLOGIN2.EXE -> Backdoor.ServU.a : Cleaned with backup
::Report End
HiJackThis log is here:
Logfile of HijackThis v1.99.1
Scan saved at 15:14:59, on 17.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\WINNT\system32\svr32.Exe
C:\Program Files\CallerIP\cip-nt.exe
C:\WINNT\system32\jview.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CallerIP\CallerIP.exe
C:\mysql\bin\mysqld-max-nt.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\jview.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\system32\tlntsvr.exe
C:\PROGRA~1\INTERC~1\WebSvcNT.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\INTERC~1\INTERCHG.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\mysql\bin\winmysqladmin.exe
C:\Geek\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rauma.tut.fi/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{6674AF30-FF57-40D8-AC3A-6B6437AF9176}: NameServer = 130.230.86.193,130.230.86.131
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: SVR32 (AppToService_SVR32) - Basta Computing - C:\WINNT\system32\svr32.Exe
O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - C:\Program Files\CallerIP\cip-nt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-max-nt (file missing)
O23 - Service: FireDaemon Service: Registry Backup (Registry Backup) - Unknown owner - c:\winnt\system32\FireDaemon.EXE (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\winnt\crss.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: svchost (svchost) - Unknown owner - c:\winnt\system32\drivers\\FireDaemon.EXE (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Infinite InterChange Service (WebSvcNT) - Unknown owner - C:\PROGRA~1\INTERC~1\WebSvcNT.EXE
I hope you can help me, PLEASE!