One the 26th of June in the afternoon we found that our MS Databases did not exist on our server.. Including the directory were they were stored.
I wen to server and found that it there were many errors that were being shown in error messages.. (I do not remeber what they were)
I had to reboot servers, Server Windows 2K..
I have tried serveral data recovery programs and there is no trace of the missing data bases.. I can only find one db that was deleted about 6 months ago.. Not one Trace. I can find the directory.
I have been investigating and have found the following. In the recycle bin files a file named dc1.exe.
In c root files named hist (which is an application) jkDe witch is a batch file my cjjk which is another batch file..
Bottom line is that I realize that these are spy ware or malicous ware programs.. I need to know 3 things Urgently
1. How do I recovery our data bases... (And no there is no current back up)
2. How do I get rid of these malware programs.
3 How do I prevent this from happening agian..
Thanks in advance for your help..
Bob
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:36 PM, on 6/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINNT\system32\TINTSETPS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINNT\explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [STV] winscrne.exe
O4 - HKLM\..\Run: [KvStart] C:\WINNT\system32\RegSrvc.exe
O4 - HKLM\..\Run: [PHIME2002BSync] TINTSETPS.EXE
O4 - HKLM\..\RunServices: [STV] winscrne.exe
O4 - HKCU\..\Run: [PHIME2002BSync] TINTSETPS.EXE
O4 - HKCU\..\Run: [Internet Security Service] C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe
O4 - HKLM\..\Policies\Explorer\Run: [nyuserinit] C:\WINNT\system32\inf\svchostc.exe C:\WINNT\twftadfia16_080617.dll tanlt88
O4 - HKUS\.DEFAULT\..\Run: [STV] winscrne.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PHIME2002BSync] TINTSETPS.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: office.lnk = C:\WINNT\system\sgcxcxxaspf080617.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D780DD09-27A6-4F9A-89EC-FFDCF54E156C}: NameServer = 200.31.12.1,200.31.17.92
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BrowseControl Server (BCServer) - Codework Limited - C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: AMD PowerNow! ™ Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINNT\system32\scardsvr32.exe (file missing)
--
End of file - 7253 bytes
Reason for Edit: Merged posts.
Please don't post more than once or bump the topic as Helpers usually first look for threads with no replies.
Edited by Octagonal, 01 July 2008 - 01:52 AM.
Sign In
Create Account
