Hi, I'm having a few problems with my Windows 2000 server. Yesterday every computer connected to the network was running slow. I virus scanned it and found 2 trojans.
I might also have a worm of some sort.
Could you take a look at this log and tell me what you think?
Thanks
HKLM\SECURITY\Policy\Secrets\SAC* 4/6/2003 4:13 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/6/2003 4:13 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{32B7E16F-061D-4769-A507-9402E8C020AC}* 2/9/2005 3:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 4/2/2003 5:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{4ABABDDF-B4AA-40fb-B0F3-DE3021506472}* 2/9/2005 3:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd* 4/2/2003 5:11 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:374423e1-6cf5-4348-8e4a-0630a98706ad* 4/6/2003 9:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\BKUPEXEC\MSSQLServer\uptime_time_utc 5/7/2008 11:45 AM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 5/7/2008 11:45 AM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 3/15/2005 10:25 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator.RCS1\Application Data\Mozilla\Firefox\Profiles\mlplvwgz.default\parent.lock 5/7/2008 11:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Local Settings\Temp\Rar$EX00.843 5/7/2008 11:57 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Local Settings\Temp\Rar$EX00.843\Eula.txt 5/7/2008 11:57 AM 6.84 KB Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Local Settings\Temp\Rar$EX00.843\tcpvcon.exe 5/7/2008 11:57 AM 129.04 KB Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Local Settings\Temp\Rar$EX00.843\tcpview.chm 5/7/2008 11:57 AM 39.08 KB Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Local Settings\Temp\Rar$EX00.843\Tcpview.exe 5/7/2008 11:57 AM 145.04 KB Hidden from Windows API.
C:\Documents and Settings\Administrator.RCS1\Recent\TcpView.zip.lnk 5/7/2008 11:56 AM 470 bytes Hidden from Windows API.
C:\WINNT\system32\Perflib_Perfdata_abc.dat 5/7/2008 11:45 AM 16.00 KB Visible in Windows API, but not in MFT or directory index.
D:\cumbsupp\LPT1:BCH857.WRK 9/12/2003 12:43 AM 1.53 KB Hidden from Windows API.
D:\User Files\comp\Profiles\Program Files\d2000\LPT1:BCH633.WRK 4/8/2006 7:48 PM 1.52 KB Hidden from Windows API.
D:\User Files\comp\Profiles\Program Files\d2000\LPT1:BCH635.WRK 4/8/2006 7:48 PM 1.52 KB Hidden from Windows API.
Something was deffo messing around with it, as when I came back from the weekend CMD was open. They were trying to download wplayer.exe from an FTP site.
Please help
Edited by jcharnley, 07 May 2008 - 05:37 AM.