I was hopeful after finding a number of trojans with TrojanHunter that things would just come back up, but alas...
I am running an inherited and poorly maintained W2K mail server. The mail services still work (thankfully), but the desktop icons and taskbar don't come up. I can access apps via the taskmgr, but can't get IE to come up.
Here is my log file. I'd appreciate any help. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 10:29:25 AM, on 10/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\sfmsvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.micro...N-US&pr=kbinfo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124820449171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - http://192.168.1.166..._0_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C0BA0D-50C7-47D7-9A63-6343584CEAD3}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B7424B-4A3D-482F-BA85-D3AD1EED47A7}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: dellw3j - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)