Server Infections: Desperate for Help! [RESOLVED]



#1 thilton19 (Member, 32 posts)
Hello All,

I'm desperate here. I've got a mail/DNS server that is infected with spyware and viruses. I've downloaded and run Ad-Aware, Spybot, CWShredder and McAfee Stinger, and I also run McAfee VirusScan Enterprise 7.0, and while I am able to detect the infections I can't completely clean them. A few spyware apps keep returning:

Netsys
1800Solutions.SearchAssistant
DSO Exploit
DyFuCA.InternetOptimizer
Haxdoor-H

I'm also seeing a recurrence of a virus with the file "ssl.exe". I believe it's related to W32.Sdbot.worm.gen.by. My AV software finds it and deletes it, but it comes back. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:00 AM, on 8/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
E:\iFtpSvc\iFtpSvc.exe
F:\IMail\IMAP4D32.exe
F:\IMAIL\IWebCal.exe
F:\IMail\iwebmsg.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
F:\IMail\POP3D32.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
F:\IMail\smtpd32.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
F:\IMail\SYSLOGD.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\secpol.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\svchost.exe
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\taskmgr.exe
E:\Program Files\Network Associates\VirusScan\mcupdate.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\HijackThis\HijackThis.exe

O1 - Hosts: 216.132.31.195 mail.optimer.com optimer.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ldlgsg.exe reg_run
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\15.tmp
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124501309468
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD3C80F7-09B8-4754-BCBA-1F7B98FA2168}: NameServer = 208.255.176.2,208.255.176.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - F:\IMail\FINGRD32.exe
O23 - Service: Ipswitch WS_FTP Server (iFtpSvc) - Ipswitch, Inc. 81 Hartwell Ave. Lexington MA. 02421 - E:\iFtpSvc\iFtpSvc.exe
O23 - Service: IMail LDAP Server (ILDAP) - Ipswitch, Inc. - F:\IMail\ILDAP.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - F:\IMail\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - F:\IMAIL\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - F:\IMAIL\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - F:\IMail\iwebmsg.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - F:\IMail\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - F:\IMail\PSERVE.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\Rpcmon.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - F:\IMail\smtpd32.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: Compaq System Management Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - F:\IMail\SYSLOGD.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - F:\IMail\WHOISD32.exe

My biggest concern is that I have 5 servers total that are in this workgroup that are having problems to one degree or another. If I get one system clean I fear that the others are reinfecting it. Also, these are production systems so rebuilding them is not a luxury I have. I've got to get them cleaned. Oh, and I have to go out of town on Friday and Saturday so time is of the essence.

I'm a desperate man here. ANY help is GREATLY appreciated!!!!

HELP!!!! :tazz:

Troy


#2 therock247uk (Expert, MVP, 14,671 posts)
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Boot into safe mode to do this: keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

Open Ewido again
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot and post the report ewido made and a new HijackThis log here in a reply.

#3 thilton19 (Topic Starter)
Thanks. I'm scanning my server now and will post the logs when it's done. Boy, it sure is taking a long time.

Troy

#4 thilton19 (Topic Starter)
OK, so I ran the ewido scanner (which took forever) but here's the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:07:38 AM, 8/24/2005
+ Report-Checksum: C04FDD65

+ Scan result:

HKLM\SOFTWARE\motoin -> Spyware.Delfin : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Mvu -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\bigman@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\bigman@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\bigman@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\cln26CE.tmp -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\uninstall.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntnk.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6XJX8LYV\power_remove[1].exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6XJX8LYV\sacc_remove[1].exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6XJX8LYV\stubinstaller4292[1].exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6XJX8LYV\thin-149-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6XJX8LYV\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GJS5KDGJ\bundle_mediamotor1004[1].exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GJS5KDGJ\optimize[1].exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PNVPQ4AZ\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PNVPQ4AZ\actalert[1].exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\YVHTDUH7\0006_regular[1].cab/istactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\WINNT\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINNT\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\jbjne.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINNT\system32\ldlgsg.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINNT\system32\pvpaw.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINNT\system32\sgsjfjs.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINNT\system32\ssl.exe -> Backdoor.IRCBot.ex : Cleaned with backup
C:\WINNT\Temp\Del19B0.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\WINNT\Temp\hoo1A1E.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\Temp\iinstall.exe -> TrojanDownloader.IstBar.li : Cleaned with backup
C:\WINNT\Temp\res19B1.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\Temp\THI1D2C.tmp\imGiant.cab/imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\Temp\THI1D2C.tmp\imGiant.dll -> Adware.BetterInternet : Cleaned with backup


::Report End
*********************************
and here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:13:08 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\iFtpSvc\iFtpSvc.exe
F:\IMail\IMAP4D32.exe
F:\IMAIL\IWebCal.exe
F:\IMail\iwebmsg.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
F:\IMail\POP3D32.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
F:\IMail\smtpd32.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
F:\IMail\SYSLOGD.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\secpol.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\taskmgr.exe
E:\Program Files\Network Associates\VirusScan\SCAN32.EXE
E:\HijackThis\HijackThis.exe

O1 - Hosts: 216.132.31.195 mail.optimer.com optimer.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124501309468
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD3C80F7-09B8-4754-BCBA-1F7B98FA2168}: NameServer = 208.255.176.2,208.255.176.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DC9C542-033D-469B-BF72-D9D26A11E7F6}: NameServer = 208.255.176.2,198.6.1.146,208.255.176.2
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - F:\IMail\FINGRD32.exe
O23 - Service: Ipswitch WS_FTP Server (iFtpSvc) - Ipswitch, Inc. 81 Hartwell Ave. Lexington MA. 02421 - E:\iFtpSvc\iFtpSvc.exe
O23 - Service: IMail LDAP Server (ILDAP) - Ipswitch, Inc. - F:\IMail\ILDAP.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - F:\IMail\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - F:\IMAIL\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - F:\IMAIL\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - F:\IMail\iwebmsg.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - F:\IMail\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - F:\IMail\PSERVE.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\Rpcmon.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - F:\IMail\smtpd32.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: Compaq System Management Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - F:\IMail\SYSLOGD.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - F:\IMail\WHOISD32.exe
*******************************************
When I run Spybot S&D now I still get the Netsys and 1800Solutions spyware, along with Haxdoor-H and DSO Exploit, but Haxdoor is because I'm running RAdmin on this box. DSO is not an issue as this server is running the latest version of IE with all patches.

What's my next step? :tazz:

Troy
(feeling better!!!)

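The two HijackThis logs in this thread lend themselves to a simple automated comparison. As an added example that is not part of the thread, the following Python parses the O1/O4/O15/O23 lines quoted in the posts, flags entries a reviewer would check by hand (autoruns pointing at .tmp files, Trusted Zone additions, hosts-file overrides, services with no vendor string or a missing binary), and diffs the before and after logs; the sample lines are copied from the posts, and the review heuristics are assumptions of this example, not HijackThis's own rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the two HijackThis logs posted in this thread (before
# and after the ewido run); lines copied from the posts, not complete logs.
BEFORE = r"""
O1 - Hosts: 216.132.31.195 mail.optimer.com optimer.com
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ldlgsg.exe reg_run
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\15.tmp
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - F:\IMail\smtpd32.exe
"""
AFTER = r"""
O1 - Hosts: 216.132.31.195 mail.optimer.com optimer.com
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - F:\IMail\smtpd32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse(log: str) -> Dict[str, Tuple[str, str]]:
    """Map a stable key to (section, body) for every Oxx line in a log."""
    entries = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        key = body
        # Key O4 by its [RunName] and O23 by the short service name so the
        # same entry matches across two logs even when its body changes.
        if section == "O4":
            name = re.search(r"\[([^\]]+)\]", body)
            key = name.group(1) if name else body
        elif section == "O23":
            name = re.search(r"\(([^)]+)\) - ", body)
            key = name.group(1) if name else body
        entries[f"{section}:{key}"] = (section, body)
    return entries

def reasons(section: str, body: str) -> List[str]:
    """Heuristic reasons (assumed here, not HijackThis rules) to review a line."""
    low, out = body.lower(), []
    if section == "O4" and (re.search(r"\.tmp\b", low) or "\\temp\\" in low):
        out.append("autorun target is a .tmp or temp-folder file")
    if section == "O15":
        out.append("site added to the Trusted Zone; confirm it was intentional")
    if section == "O1":
        out.append("hosts-file override; verify the IP really belongs to the host")
    if section == "O23" and "unknown owner" in low:
        out.append("service carries no vendor string")
    if section == "O23" and "(file missing)" in low:
        out.append("service binary gone but the service entry persists")
    return out

def triage(log: str) -> Dict[str, List[str]]:
    """Entries that have at least one review reason, keyed as in parse()."""
    return {k: r for k, (s, b) in parse(log).items() if (r := reasons(s, b))}

def diff(before: str, after: str) -> Dict[str, List[str]]:
    """Entries removed between two logs, and entries whose body changed."""
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "changed": sorted(k for k in b if k in a and a[k][1] != b[k][1]),
    }
```

On these excerpts triage(BEFORE) singles out the [Services] autorun (15.tmp), the Trusted Zone entry, the hosts line and the ssl service, and diff(BEFORE, AFTER) shows winsync, Services and the Trusted Zone entry gone after the ewido run while the ssl service entry persists with its binary now marked missing.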

#5 therock247uk (Expert, MVP)
Your log is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.

#6 thilton19 (Topic Starter)
Thanks 'therock247uk'! The ewido tool was the ticket! The servers are running well.

Thanks also for the advice on the other tools. I use Ad-Aware and Spybot but they just weren't enough. I'll check out the others. The biggest thing I have to do is to keep my boss from using production servers to surf the web. Yes, all this was because my boss was checking some websites using the primary hosting email server!!!!!

Oh well, that's my battle.

Good night!

Troy

#7 therock247uk (Expert, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.