
Chkdsk found some error files, how can I fix this?

Discussion in 'Legacy Windows' started by Soke, 2005/08/22.

  1. 2005/08/22
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Hi all experts,

    My W2K server (with SP4, MSSQL Server) has been logging errors in the event log since 17 August 05 around 1:00 pm. It seems to be affected by Zotob, but I used an up-to-date virus scanner, Trend Micro, to scan the system. I also used anti-spyware to scan. Nothing was found by either.

    Funnily, my MSSQL server and printer service still work.
    But when I run some applications, such as opening the Control Panel or installing a program with an installer, the OS holds and hangs while opening the Control Panel for a very, very long time.

    I searched the web for help based on the errors I found in the event log.
    At last, I found the chkdsk command.

    Then I ran 'chkdsk' from the command prompt and the result showed:

    CHKDSK is verifying files (stage 1 of 3)...
    File verification completed.
    CHKDSK is verifying indexes (stage 2 of 3)...
    Index verification completed.
    CHKDSK is recovering lost files.
    Recovering orphaned file PE85E6~1.DAT (12200) into directory file 2385.
    Recovering orphaned file Perflib_Perfdata_87c.dat (12200) into directory file 2385.
    Recovering orphaned file 00009.SPL (38687) into directory file 6355.
    Recovering orphaned file 00009.SHD (38688) into directory file 6355.
    CHKDSK is verifying security descriptors (stage 3 of 3)...
    Security descriptor verification completed.
    CHKDSK is verifying USN Journal...
    ...
    ...
    ...

    So now I guess that my server problem may be lost or corrupted files.
    Then I ran chkdsk /r (it runs chkdsk at the next boot).

    If I lose the above files after the fix, what can I do?

    Can I just recover the above files from the backup tape, and the problem is solved?

    If you have any ideas, please tell me, and if you want any event log entries, I can post them too.
    Thanks much.

    -Soke-
     
    Soke,
    #1
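The chkdsk lines in the post above have a fixed shape: the orphan's name, its MFT record number, and the MFT record of the directory chkdsk re-linked it into. The following parser is an added example for this thread, not something posted by Soke or shipped with chkdsk. It pulls those three fields out of pasted output (tolerating the hand-typed variants such as "Recoverying" and "<12200)"), then tags names that match files Windows regenerates on demand, so the only orphans left to check against the backup tape are the ones it cannot explain. The transient-name patterns are the example's own; the reading of PE85E6~1.DAT as a hashed 8.3 short name of another Perflib_Perfdata file is an assumption, and the budget.xls line in the sample is constructed to show a non-transient orphan.

```python
import re
from dataclasses import dataclass

# Constructed sample: the orphan lines from the posted chkdsk run, plus one made-up
# line (budget.xls) to show what a non-transient orphan looks like.
SAMPLE_OUTPUT = """\
CHKDSK is recovering lost files.
Recovering orphaned file PE85E6~1.DAT (12200) into directory file 2385.
Recovering orphaned file Perflib_Perfdata_87c.dat (12200) into directory file 2385.
Recovering orphaned file 00009.SPL (38687) into directory file 6355.
Recovering orphaned file 00009.SHD (38688) into directory file 6355.
Recovering orphaned file budget.xls (40001) into directory file 7000.
CHKDSK is verifying security descriptors (stage 3 of 3)...
"""

# One orphan line: name, the orphan's MFT record number, and the MFT record of the
# directory chkdsk re-linked it into. Tolerates the typos in a hand-copied log
# ("Recoverying", "<12200)", "diretory") so the pasted text still parses.
ORPHAN_RE = re.compile(
    r"Recover(?:ing|ying) orphaned file (?P<name>\S+) [(<](?P<record>\d+)\)"
    r" into dire\w+ file (?P<directory>\d+)",
    re.IGNORECASE,
)

# Name patterns of files Windows regenerates on demand, so losing them costs nothing.
# The second pattern is an assumption: PE85E6~1.DAT has the shape of a hashed 8.3
# short name (two leading characters, four hex digits, ~N), which with the Pe prefix
# and .dat extension is consistent with another Perflib_Perfdata file.
TRANSIENT = (
    (re.compile(r"^perflib_perfdata_[0-9a-f]+\.dat$", re.I), "performance-counter scratch file"),
    (re.compile(r"^pe[0-9a-f]{4}~\d+\.dat$", re.I), "hashed 8.3 name, likely a Perflib_Perfdata file"),
    (re.compile(r"^\d{5}\.(?:spl|shd)$", re.I), "print-spooler job data/shadow file"),
)


@dataclass
class Orphan:
    name: str
    record: int       # MFT record of the orphaned file
    directory: int    # MFT record of the directory it was re-linked into
    reason: str = ""  # why it is transient; "" means unknown, so check the backup

    @property
    def transient(self) -> bool:
        return bool(self.reason)


def classify(name: str) -> str:
    """Return the transient-file reason for a name, or "" if it matches nothing known."""
    for pattern, reason in TRANSIENT:
        if pattern.match(name):
            return reason
    return ""


def parse_chkdsk(text: str) -> list[Orphan]:
    """Extract every 'Recovering orphaned file' line from chkdsk output."""
    orphans = []
    for line in text.splitlines():
        m = ORPHAN_RE.search(line)
        if m:
            orphans.append(Orphan(m["name"], int(m["record"]), int(m["directory"]),
                                  classify(m["name"])))
    return orphans


def needs_restore(orphans: list[Orphan]) -> list[Orphan]:
    """Orphans with no known-transient pattern: compare these against the backup tape."""
    return [o for o in orphans if not o.transient]


def report(text: str) -> str:
    lines = []
    for o in parse_chkdsk(text):
        status = o.reason or "UNKNOWN - verify against backup"
        lines.append(f"{o.name:28} record {o.record:>6}  dir {o.directory:>5}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
    print("to verify:", [o.name for o in needs_restore(parse_chkdsk(SAMPLE_OUTPUT))])
```

Run against the posted output, every orphan is a performance-counter or print-spooler scratch file, which is why the admin can expect nothing of value to be lost; a name the script cannot classify is the one worth pulling from tape. Orphans that chkdsk cannot re-link into any directory end up under a found.NNN folder at the volume root rather than in the lines parsed here.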
  2. 2005/08/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi Soke and welcome.

    First off, if you think you might have suffered from one of the Zotob variations, I'd suggest the cleaner here from Symantec. It seems to be the best thing around for locating and completely cleaning up after all the known Zotob versions through Zotob.I. Trend hasn't done nearly as well with this particular infection.

    If you run chkdsk /f or chkdsk /r and lose some files, there really isn't much you can do, but in most cases it doesn't matter since the files were trashed beyond salvage in the first place. If some of them were critical system files, you can probably get back in operation with a repair reinstall of the OS. It's a pretty safe option in most cases though. I can only remember one NT4 server that was trashed after chkdsk finished its repair effort.
     
    Newt,
    #2


  4. 2005/08/23
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    First, thanks for Newt's reply.

    After I used chkdsk /f and rebooted the server, it went well. Running chkdsk again shows no corrupted files now.

    But unfortunately, I can't find any Zotob variant after using the removal tool from Symantec.

    'Symantec W32.Zotob.[A-G,I] Removal Tool 1.6.1
    W32.Zotob.[A-G,I] has not been found on your computer.'

    My server has slow performance and some applications and services can't work or be controlled.

    I looked at this forum and found HijackThis and some online virus scanners. HijackThis found some errors, but I don't know how to fix them. The virus scanners such as Panda Online Scan and BitDefender online scan need ActiveX under IE 4.0+.

    Since 17 August, my anti-virus software, Symantec Corporation 9.0, has crashed (the auto-protect feature is blocked) and the slow performance has continued till now. I can't re-install SAV 9.0 because the installation hangs. I tried several free anti-virus programs (run locally, not online scans) from the internet, but they also can't be installed. Conversely, the anti-spy software Malware Bouncer could be installed.

    It seems not all applications hang.

    My situation is that my IE does not work well, so I use Firefox instead.
    When I use IE, it runs for a short time and hangs; no window appears!!

    Newt, is there any online scanner that can run under Mozilla Firefox?
    Or any suggestion for me?

    In the next post, I'll put the result of HijackThis. (I don't know how to attach my text file here.)

    -Soke-
     
    Soke,
    #3
  5. 2005/08/23
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    StartupList report, 8/23/2005, 5:33:30 PM
    StartupList version: 1.52.2
    Started from : C:\sys\tools\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
    C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
    C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
    C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
    C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\LogWatNT.exe
    C:\SQL2000\MSSQL\binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\RaidMan\RaidServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\taskmgr.exe
    C:\WINNT\explorer.exe
    C:\sys\tools\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator.CHEWYERP\Start Menu\Programs\Startup]
    Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    IE 3.0 RegSvr schannel.dll = C:\WINNT\system32\regsvr32.exe /s C:\WINNT\system32\schannel.dll

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [AutorunsDisabled]
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [AutorunsDisabled]
    AVG7_Run = C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    ccleaner = "C:\Program Files\CCleaner\ccleaner.exe" /AUTO

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i: "S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------
     
    Soke,
    #4
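Reading a StartupList report like the one above by hand means scanning hundreds of paths for the few that should not be there. The script below is an added example for this thread, not code from HijackThis or from anyone in the discussion. It walks the Running processes, Autorun and services sections of a report in this format, resolves the \??\ prefix, %SystemRoot% and bare System32\ paths (SystemRoot is assumed to be C:\WINNT, as the posted log shows), and raises a finding for any image that lives in a Temp or user-profile directory, any image with a .tmp extension, any image outside a site-specific trusted-roots list (an assumption; C:\SQL2000 is included because the log shows SQL Server installed there), and any security-product service that is disabled. The sample log is constructed from the shapes of lines in the posted report, including one driver entry in the "Name: image (start type)" form the report uses for services. A finding is a prompt to look at the entry, not a verdict that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample in the StartupList layout of the posted report: entries are copies or
# shortened forms of lines from it, and the services part uses the "Name: image (start)" form
# the report uses for services and drivers.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\SQL2000\MSSQL\binn\sqlservr.exe
C:\sys\tools\HijackThis.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (disabled)
Disk Driver: System32\DRIVERS\disk.sys (system)
mchInjDrv: \??\C:\DOCUME~1\brian\LOCALS~1\Temp\mc215.tmp (disabled)
MSSQLSERVER: C:\SQL2000\MSSQL\binn\sqlservr.exe (autostart)
Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (disabled)
"""

SYSTEM_ROOT = "C:\\WINNT"  # assumed from the log's paths; read it from the host in real use
NT_PREFIX = "\\??\\"       # object-manager prefix that driver image paths carry
TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\", "c:\\sql2000\\")  # site-specific assumption
WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\locals~1\\")
SECURITY_WORDS = ("symantec", "antivirus", "norton", "mcafee", "trend")

# First executable image in a command line: optional \??\ prefix, then a drive, %SystemRoot%
# or bare System32\ root, up to a known binary extension.
PATH_RE = re.compile(
    r"(?:\\\?\?\\)?(?:[a-z]:\\|%systemroot%\\|system32\\)[^\"()]*?\.(?:exe|sys|dll|tmp|ocx|scr)", re.I)
SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>[^)]+)\)$")

@dataclass
class Finding:
    section: str
    item: str
    reason: str
    severity: str  # "high" or "review"

def normalise(path: str) -> str:
    """Strip the \\??\\ prefix and expand %SystemRoot% or a bare System32\\ to a full path."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    low = path.lower()
    if low.startswith("%systemroot%"):
        path = SYSTEM_ROOT + path[len("%systemroot%"):]
    elif low.startswith("system32\\"):
        path = SYSTEM_ROOT + "\\" + path
    return path

def assess(section: str, item: str, cmd: str, start: str = "") -> list[Finding]:
    out = []
    m = PATH_RE.search(cmd)
    if m:
        path = normalise(m.group(0))
        low = path.lower()
        if any(mk in low for mk in WRITABLE_MARKERS):
            out.append(Finding(section, item, f"image in a user-writable location: {path}", "high"))
        if low.endswith(".tmp"):
            out.append(Finding(section, item, f"executable image with a .tmp extension: {path}", "high"))
        if not low.startswith(TRUSTED_ROOTS):
            out.append(Finding(section, item, f"image outside the trusted roots: {path}", "review"))
    if start.lower() == "disabled" and any(w in item.lower() for w in SECURITY_WORDS):
        out.append(Finding(section, item, "security product service is disabled", "high"))
    return out

def triage(log: str) -> list[Finding]:
    findings, section = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "*", "HK", "[")):
            continue  # separators, "*not found*" markers, registry key names, subkey headers
        if line == "Running processes:":
            section = "process"
        elif line.startswith("Autorun entries"):
            section = "autorun"
        elif line.startswith("Enumerating Windows NT/2000/XP services"):
            section = "service"
        elif line.endswith(":") or line.startswith("Enumerating"):
            section = None  # a section this triage does not parse
        elif section == "process":
            findings += assess(section, line, line)
        elif section == "autorun":
            name, _, cmd = line.partition(" = ")
            findings += assess(section, name, cmd)
        elif section == "service":
            m = SERVICE_RE.match(line)
            if m:
                findings += assess(section, m["name"], m["cmd"], m["start"])
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section:8} {f.item}: {f.reason}")
```

On the sample, the driver loaded from a user's Temp directory with a .tmp extension collects three findings and both disabled Symantec services collect one each, while HijackThis.exe is only flagged for review because it sits outside the trusted roots; the relative System32\ driver path and the SQL Server binaries pass. Tuning the trusted-roots list to the host is the main work of using this on a real report.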
  6. 2005/08/23
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Load/Run keys from C:\WINNT\WIN.INI:
    load=*INI section not found*
    run=*INI section not found*
    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
    --------------------------------------------------
    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\scrnsave.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    --------------------------------------------------
    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present
    --------------------------------------------------
    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed
    --------------------------------------------------
    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
    (no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    At928.job
    At929.job
    Daily RPT Backup.job
    Mac Daily Backup.job
    Today Full backup.job
    Tommy ERP Backup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.7657407407

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    NameSpace #3: C:\WINNT\System32\nwprovau.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll
    Protocol #14: C:\WINNT\system32\msafd.dll
    Protocol #15: C:\WINNT\system32\msafd.dll
    Protocol #16: C:\WINNT\system32\msafd.dll
    Protocol #17: C:\WINNT\system32\msafd.dll
    Protocol #18: C:\WINNT\system32\msafd.dll
    Protocol #19: C:\WINNT\system32\msafd.dll
    Protocol #20: C:\WINNT\system32\msafd.dll
    Protocol #21: C:\WINNT\system32\msafd.dll
    Protocol #22: C:\WINNT\system32\msafd.dll
    Protocol #23: C:\WINNT\system32\msafd.dll
    Protocol #24: C:\WINNT\system32\msafd.dll
    Protocol #25: C:\WINNT\system32\msafd.dll
    Protocol #26: C:\WINNT\system32\msafd.dll
    Protocol #27: C:\WINNT\system32\msafd.dll
    Protocol #28: C:\WINNT\system32\msafd.dll
    Protocol #29: C:\WINNT\system32\msafd.dll
    Protocol #30: C:\WINNT\system32\msafd.dll
    Protocol #31: C:\WINNT\system32\msafd.dll
    Protocol #32: C:\WINNT\system32\msafd.dll
    Protocol #33: C:\WINNT\system32\msafd.dll
    Protocol #34: C:\WINNT\system32\msafd.dll
    Protocol #35: C:\WINNT\system32\msafd.dll
    Protocol #36: C:\WINNT\system32\msafd.dll
    Protocol #37: C:\WINNT\system32\msafd.dll
    Protocol #38: C:\WINNT\system32\msafd.dll
    Protocol #39: C:\WINNT\system32\msafd.dll
    Protocol #40: C:\WINNT\system32\msafd.dll
    Protocol #41: C:\WINNT\system32\msafd.dll
    Protocol #42: C:\WINNT\system32\msafd.dll
    Protocol #43: C:\WINNT\system32\msafd.dll
    Protocol #44: C:\WINNT\system32\msafd.dll
    Protocol #45: C:\WINNT\system32\msafd.dll
    Protocol #46: C:\WINNT\system32\msafd.dll
    Protocol #47: C:\WINNT\system32\msafd.dll
    Protocol #48: C:\WINNT\system32\msafd.dll
    Protocol #49: C:\WINNT\system32\msafd.dll
    Protocol #50: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    4mmdat: System32\DRIVERS\4mmdat.sys (manual start)
    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    adpu160m: System32\DRIVERS\adpu160m.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    APC PBE Agent: C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe (autostart)
    APC PBE Server: C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (autostart)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    ARCserve Database Engine: C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe (autostart)
    ARCserve Discovery Service: C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe (autostart)
    ARCserve Job Engine: C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe (autostart)
    ARCserve Message Engine: C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe (autostart)
    ARCserve Tape Engine: C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe (autostart)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (disabled)
    Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
    Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (disabled)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Cheyenne Alert Notification Server: C:\Program Files\ComputerAssociates\ARCserve\Alert\ALERT.exe (manual start)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
    Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (disabled)
    Distributed File System: %SystemRoot%\system32\Dfssvc.exe (autostart)
    DfsDriver: system32\drivers\Dfs.sys (system)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    DNS Server: %SystemRoot%\System32\dns.exe (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    DrvFltIp: \??\C:\Program Files\MRBDG\DrvFltIp.sys (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    HID UPS Battery Driver: System32\DRIVERS\HidBatt.sys (manual start)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
    hpdat: System32\DRIVERS\hpdat.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IBM Netfinity Advanced System Management Processor: System32\DRIVERS\ibmspw.sys (autostart)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Intersite Messaging: %SystemRoot%\System32\ismserv.exe (autostart)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Kerberos Key Distribution Center: %SystemRoot%\System32\lsass.exe (autostart)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    License Logging Service: %SystemRoot%\System32\llssrv.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Event Log Watch: C:\WINNT\LogWatNT.exe (autostart)
    mchInjDrv: \??\C:\DOCUME~1\brian\LOCALS~1\Temp\mc215.tmp (disabled)
    Messenger: %SystemRoot%\System32\services.exe (manual start)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Search: "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe" (autostart)
    MSSQLSERVER: C:\SQL2000\MSSQL\binn\sqlservr.exe (autostart)
    MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
    NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050815.041\naveng.sys (manual start)
    NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050815.041\navex15.sys (manual start)
    NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    IBM ServeRAID 4M/4Mx/4L/4Lx Device Driver: system32\drivers\nfrd960.sys (system)
    nfrdci: \SystemRoot\system32\drivers\nfrdci.dll (disabled)
    IBM ServeRAID 4M/4Mx/4L/4Lx Performance Driver: system32\drivers\nfrdperf.sys (system)
    File Replication Service: %SystemRoot%\system32\ntfrs.exe (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Gateway Service for NetWare: %SystemRoot%\System32\services.exe (disabled)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
    NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
    NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
    NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start)
    Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    PCNET Adapter Driver: System32\DRIVERS\pcntn5m.sys (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
    Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
    S3SAVAGE4: System32\DRIVERS\s3savg4m.sys (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (disabled)
    SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
    SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    ServeRAID Manager Agent: C:\Program Files\RaidMan\RaidServ.exe (autostart)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    SQLSERVERAGENT: C:\SQL2000\MSSQL\binn\sqlagent.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (disabled)
    SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
    SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
    SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k tapisrv (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: \SystemRoot\System32\drivers\termdd.sys (disabled)
    Terminal Services: %SystemRoot%\System32\termsrv.exe (disabled)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
    Distributed Link Tracking Server: %SystemRoot%\system32\services.exe (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    IBM ServeRAID Failover Driver: system32\drivers\twintail.sys (system)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: (disabled)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Windows Time: %SystemRoot%\System32\services.exe (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
    Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------
    cont.... sorry for the long result
     
    Soke,
    #5
  7. 2005/08/23
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: |C:\DOCUME~1\brian\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\ADMINI~1.CHE\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\ADMINI~1.CHE\Cookies\index.dat||C:\DOCUME~1\ADMINI~1.CHE\LOCALS~1\History\History.IE5\index.dat|||

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    *Registry key not found*
    -------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*
    --------------------------------------------------
    End of report, 31,700 bytes
    Report generated in 0.141 seconds
     
    Soke,
    #6
  8. 2005/08/23
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 5:30:12 PM, on 8/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
    C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
    C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
    C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
    C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
    C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\LogWatNT.exe
    C:\SQL2000\MSSQL\binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\RaidMan\RaidServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\RealVNC\VNC4\winvnc4.exe
    C:\WINNT\explorer.exe
    C:\sys\tools\HijackThis.exe

    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINNT\system32\regsvr32.exe /s C:\WINNT\system32\schannel.dll
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9316D524-3B58-458B-9BD3-5165D7887D14}: NameServer = 192.168.1.3,202.76.4.18
    O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
    O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
    O23 - Service: ARCserve Database Engine (ASDBEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
    O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    O23 - Service: ARCserve Job Engine (ASJobEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
    O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    O23 - Service: ARCserve Tape Engine (ASTapeEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\Alert\ALERT.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
    O23 - Service: ServeRAID Manager Agent (ServeRAIDManagerAgent) - Unknown owner - C:\Program Files\RaidMan\RaidServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    ** end of two result startuplist.txt and hijackthis.txt **


    Thanks for your spending time to view.

    -Soke-
     
    Soke,
    #7
  9. 2005/08/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I don't see anything really exciting from the Hijackthis data. I did notice the lack of the usual R0 entries for your home page information which is interesting.

    Things to check - and both are from the last section of scan information:

    The O17 entry is one I couldn't identify so no idea if it is good or bad but no information on the web is usually not good so you might want to use HJT to remove it, reboot, and see if anything is better or worse. Since it is a CCS (CurrentControlSet) entry, you can always boot again and pick 'last known good configuration' to reverse the removal. Save this for a last resort option though.

    The O4 RunOnce entry is one I'd get rid of I think. If a RunOnce keeps showing up, something didn't complete properly.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Sorry but I have zero recent experience with non-IE browsers so can't help with an online scan that will operate with Firefox.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    If the Symantec tool didn't find Zobot, you don't have it.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    You do need a working AV program and these days, I'm not recommending Norton for the job. Too many quirks and as you've noticed, very difficult to remove from a PC. Two things to suggest on that.

    Download CCleaner from http://www.ccleaner.com/ and run it to remove what it finds that needs removing. It is the safest registry cleaning tool I know of and while it isn't the most exhaustive it also doesn't do damage.

    Then from a start->run line, key in
    Code:
    sfc /scannow
    and let the system file checker look for missing or damaged system files and replace any that need it.

    After that, take another try at installing an AV program. I like AVG so if it will load, that's your best option I think.
     
    Newt,
    #8
  10. 2005/08/31
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Hi and thanks Newt again.

    I have already tried downloading several anti-virus/anti-spyware tools from all over the internet in the past. No virus or spyware has been found on the server yet. So I believe that my server is free of viruses/spyware.

    The server had low CPU utilization, but I couldn't open IE or control the Windows services. So I tried killing the running processes in Task Manager.

    I found that several processes, which belong to the APC UPS agent and server services, were still trying and trying to run. So I killed them and set those services to manual startup in Service Manager!! The server suddenly works just like normal. Great!! :) I can install AVG and run Windows Update from the IE browser. My server is fully updated, and the troublesome Mr. Microsoft says 'NO UPDATES NEEDED NOW!!' :rolleyes:

    Besides, today I found one 'DLLHOST.EXE' in Task Manager too :eek: . Is it a virus or a security vulnerability in Windows 2000?

    I searched the web for the keyword 'DLLHOST.EXE'; some say the computer may be infected by the worm W32.Welch. But I couldn't find the virus after I used the Symantec removal tools.

    The server is running very smoothly now. But I am very afraid of what will happen if I need to reboot the server.

    Thanks again, Newt.

    -Soke-
     
    Soke,
    #9
  11. 2005/08/31
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0

    SPL and SHD are the spool and shadow files involved in a print job. So these are from a failed/aborted print job, which you canceled and probably rebooted to get out of a lockup, and Checkdisk recovered them. Go to Control Panel / Printers, open your printer and see if there are any print jobs waiting. Purge them, as the job is probably corrupt and will just lock things up again.

    Perflib and perfdata should be related to the registry key
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
    and the data or .dat file should be an entry in Admin Tools / Performance / Performance Logs


    http://www.iamnotageek.com/a/DLLhost.exe.php

    Basically it serves a purpose similar to rundll32.exe and svchost.exe. It allows programs (in this case DLL files) which are normally run as part of a larger application to run on their own; it hosts them. It is normal to have multiple instances of these applications running, depending on when the registry calls for loading the DLL or service.

    The O17 entry is just your assigned IP
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9316D524-3B58-458B-9BD3-5165D7887D14}: NameServer = 192.168.1.3,202.76.4.18
    192.168.1.3 is an internal (router or server assigned) while 202.76.4.18 checks as
    202.76.0.0 - 202.76.15.255


    netname: CPCNET-HK
    descr: CPCNet Hong Kong Ltd.
    descr: 20/F Lincoln House
    descr: Taikoo Place
    descr: 979 King's Road Quarry Bay
    descr: Hong Kong
    country: HK


    Now if that is not you, have HijackThis fix it.




    This should have cleared after running once.
    O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINNT\system32\regsvr32.exe /s C:\WINNT\system32\schannel.dll
    You can use hijackthis to clear it (Run HJT with all other windows closed , check this and choose fix)



    These are almost certainly just a case of hijackthis being unable to identify the file. This is nothing to worry about in this case.
    If this has a problem associated with it you can fix them with hijackthis or reinstall the program.
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)


    Nothing bad really in your log.

    Basically, just like scandisk files, checkdisk files really do not need saving unless you have a specific need for the file in question. Then you would find the appropriate .chk file and change it to the appropriate extension and open it and save it. 2385.chk for example.

    Otherwise, run disk cleanup and choose to delete old checkdisk files.
     
  12. 2005/08/31
    Soke

    Soke Inactive Thread Starter

    Joined:
    2005/08/22
    Messages:
    8
    Likes Received:
    0
    Thanks for oshwyn5's reply and suggestions.
    Thanks to you I now know more about my server administration. I have no worries about handling my troubleshooting now.

    Note: HijackThis is a good tool.

    -Soke-
     
  13. 2005/09/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Soke - we are always available to offer suggestions if you get a problem you aren't sure of.
     