Removing UTool.exe from my server - Help!


southbeach (Programmer, US) - Jan 22, 2008
I just spent a great deal of time trying to clean up my server. I have eTrust and scanned it but there is at least one that refuses to go away - UTool.exe ...

I notice two files are created by UTool - These files are in the Administrator home directory and they are named x6cdshd.exe and xrdshd.exe. I remove these programs only to be recreated back.

I have used CA, Ad-Aware, RegCure and PC Tools (PC Tools brought my server to a halt - I had to remove it). None of these seems to find it and remove it.

When I boot my server, I get a number of errors:
1. At least one service failed to start
2. UTool had an error and had to stop
3. Explorer had an error and had to stop

2 & 3 sometimes come up multiple times ...

I have tried to fight it and do not want to do a fresh install ... I am also dropping 2K3 and moving to XP (after all, I barely use the PC for hosting my personal site and PHP development).

Opting to fight and learn a few things in the process, I am looking back and realizing that I have wasted a great deal of my time and feeling very upset.

What if anything can I do to get rid of UTool?

Thank you all in advance for your assistance!


--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Remove them then create files in the same directory with those EXACT names (including .exe) and remove the delete permission from them.

Might work!
 
First set the service to be disabled. Then check for running processes and stop anything related to the malware.

It may be necessary to boot into safe mode after that. I would boot into Safe Mode with Command Prompt.

Navigate to the files and delete them via command prompt.

Reboot.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Oh and one more thing. Check your registry under the following 2 paths and delete entries as needed:

hklm\software\microsoft\windows\CurrentVersion\run
hkcu\software\microsoft\windows\CurrentVersion\run

I hope you find this post helpful.

Regards,

Mark

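A PowerShell triage script, added here and not part of the thread, that walks the checks suggested in these two replies from a defender's side: it lists both Run keys, flags entries or running processes that match the names reported in the thread, shows auto-start services that are not running, and checks the Administrator profile for the two dropped files. The profile path and the presence of PowerShell on the box are assumptions (the thread's 2003 server may need PowerShell installed first).

```powershell
# Added triage script (not from the thread). File names and Run-key paths come from
# the thread; $AdminHome is an assumption for a 2003-era profile - adjust as needed.
$SuspectNames = @('UTool.exe', 'x6cdshd.exe', 'xrdshd.exe')
$AdminHome    = Join-Path $env:SystemDrive 'Documents and Settings\Administrator'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host '== Autorun entries (review every value; a familiar name is not proof it is benign) =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        $flag = ''
        foreach ($n in $SuspectNames) {
            if ($p.Value -match [regex]::Escape($n)) { $flag = '   <-- matches a reported name' }
        }
        "{0}`n    {1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}

Write-Host '== Running processes matching the reported names =='
Get-Process | Where-Object { $SuspectNames -contains ($_.ProcessName + '.exe') } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

Write-Host '== Auto-start services that are not running (the "service failed to start" error) =='
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, PathName | Format-Table -AutoSize

Write-Host '== Reported files in the Administrator profile =='
foreach ($n in $SuspectNames) {
    $f = Join-Path $AdminHome $n
    if (Test-Path $f) {
        Get-Item $f | Select-Object FullName, Length, LastWriteTime, Attributes
    }
}
```

Run it from an elevated prompt before and after the Safe Mode cleanup described above; a file or Run value that reappears between runs tells you the dropper is still active somewhere the script did not list.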
 
Mark,

I followed your advice on checking the registry ... Found nothing that jumped out at me. I have three processes there:
a) FileZilla Server
b) Realtime Monitor
c) ZScreen

In my struggles, I installed a program called "Uninstall Tool", with this, I found an entry on my Startup (Icon3E5562ED7.ico). I googled this and it comes back as belonging to CISCO VPN Client (which I use) - I opted to simply disable this - I do not remember ever setting up the VPN to run automatically.

I also followed Zelandakh's advice and removed the files and created two new files with the exact same names - I then set their properties to READ-ONLY.

I am at work so, when I get back home tonight, I intend to reboot and see if I get any more errors ...

Thank you both!


--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 