Whenever I log on to my Win2000 server, the desktop will be empty of any icons and the mouse hourglass will be there. If I log off and log back in, all the icons are there. If I start Norton AntiVirus, a window named cool comes up and then the NAV screen disappears (even from the system tray). I found microsoft.exe in the running processes. In between, the antivirus pops up "virus found" messages; trojan.dropper, bat.trojan, w32.randex etc. were the virus names. Can anybody help?

This is a two-step process:
First, download and install TDS-3:
TDS-3
Then follow this link to get the latest Radius file update for TDS-3. FOLLOW THE INSTRUCTIONS YOU SEE ON THAT PAGE TO APPLY THIS UPDATE.
Update Radius Database
When you open TDS-3, it will perform a quick scan. Even if it detects nothing with this quick scan, you should still perform a more thorough scan. Please select System Testing > Normal Scan in the TDS-3 Control Console.
You may see results in the “alarms” column such as “Positive Identification”. Use TDS-3 to delete any confirmed threats. Right-click on any of the listed items to see a list of actions you can take. If in doubt about alarms such as “Suspicious File” ask for help or leave it alone. If the threat is part of a running process TDS-3 will ask for permission to terminate the process before attempting to remove the threat. Just let TDS-3 do its work.
NOTE: If your virus scanner or other program detected a threat as “X” name, TDS-3 may not detect it by the same name. THIS IS COMMON BETWEEN DIFFERENT VIRUS/TROJAN SCANNING UTILITIES.
Good luck!
AOSCLAY

Hi AOSCLAY,
Thank you for the reply. I will try it and let you know the result. Thanks again
Regs
Shibu

My dear AOSCLAY,
First of all, let me thank you for your valuable help and the time you spent on me. Thanks again.
I just now finished working on that infected Win2k server. The processes running on the server did not allow TDS to run in normal mode, and in Safe Mode TDS did not find anything. Let me explain what happened. The server was secure inside our intranetwork. Then a few servers were connected to DSL before we could harden the server by installing a firewall etc., and within hours all servers were infected.
Symptoms: When the user logs in, the desktop will be blank (i.e. no icons), with only the mouse hourglass. I noticed drive A was also being read during this time. It reads the hard disk and the screen remains the same. I logged off and logged in. This time the icons all appear, and a window "cOOL" opens with a status window as a child. Try to open Norton AntiVirus: NAV opens and immediately closes by itself. You can see "cOOL" in the taskbar then. TDS started and then closed by itself.
Then I started checking the running processes. I found 'ieplorer.exe', 'MicroSoft.exe', 'Mcaffe2005.exe', 'config33.exe', 'windows33.exe'. Edited the registry. Also, the following folders were created in C:\winnt\system32: "SecureWindow", " WIN cleaner". cOOL was running from the SecureWindow folder. (I have both folders' contents zipped. If you want to take a look, tell me and I will send them to you.) Deleted those folders and also a folder "VGA-0074". This folder also had contents similar to the other two. Now the server logs in correctly. (Maybe there are other processes which are still hiding.)
I still have not connected the server back to DSL. I am planning to use ZoneAlarm Pro or McAfee Professional Firewall. Any idea which is good? I have been using ZoneAlarm Pro for quite some time, but other members of the security team say McAfee is good. Will ZoneAlarm prevent Trojan attacks? Or should I buy a separate Trojan detector? Any help on hardening the server will be appreciated.
One more thing: the antivirus was updated daily. I guess where I went wrong was the OS hardening part. A costly lesson.
Thanks again for your help.
Have great days!
good luck always!
regs
Shibu

I have been battling with a similar problem on my home computer. First I had what appeared to be the Sasser worm. After running several virus scans in safe mode, I deleted files containing Agobot, Sasser, and Hacktool worms, and followed Symantec's instructions for cleaning up the registry and hosts, but I still had problems.
My chances of being able to run anything were about 50/50, I often had the same problem with IE that you described, and the host file I'd cleaned kept regenerating and blocked my access to a bunch of virus software web sites until I manually cleaned the host file after each start up. Looking into this further, I noticed the cOOL window coming up and then disappearing quickly when I started the machine. After ending several suspect processes, I was eventually able to remove cOOL from my machine using the control panel, oddly enough.
I still, however, had some odd processes running, one of which was config33.exe (others were sounofts.exe and uuhh6.exe). By searching and deleting I think I was able to get rid of these processes permanently, except for uuhh6.exe, which seems to be coming from nowhere and, as far as I can tell from several web searches, doesn't exist on many other computers (no hits for uuhh6.exe on Google).
While the machine seems to have stabilized (not crashing immediately after start up 50% of the time or regenerating the corrupted host file to block access to virus software websites on start up), I'm not sure I've completely gotten rid of the problem since uuhh6.exe still appears in the process list until I end it, and the computer seems to be running a little more slowly than it was (although that could just be my perception).
I'm surprised by the relative lack of info on both config33.exe and cOOL out there. Has anyone else had experience with this?
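
An added example (editorial, not part of any post in this thread): a small Python audit for the hosts-file tampering described in the post above, where regenerated entries blocked access to antivirus vendor sites. The domain list and the sample hosts content are constructed assumptions based on the vendors named in the thread.

```python
import ipaddress

# Assumption: illustrative domains for vendors named in the thread.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com")

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # injected
0.0.0.0 download.mcafee.com
192.0.2.10      intranet.example   # legitimate local mapping
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank or malformed line
        for name in fields[1:]:                 # one IP may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def is_security_domain(host):
    """True for a listed vendor domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def audit_hosts(text):
    """Return one finding per hosts entry that overrides a security domain."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not is_security_domain(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            sinkholed = addr.is_loopback or addr.is_unspecified
        except ValueError:
            sinkholed = False                   # unparsable address column
        findings.append({"line": line_no, "ip": ip,
                         "host": host, "sinkholed": sinkholed})
    return findings

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        state = "blocked" if f["sinkholed"] else "redirected"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({state})")
```

Run it against a copy of the real hosts file by passing its contents to `audit_hosts`; entries that reappear after cleaning indicate a process is still rewriting the file.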

Am having the same problem, except I am running WinXP Prof. I used the sysclean tool from Trend Micro, which cleaned up a lot of stuff, Stinger from McAfee, and the FixSasser tool from Symantec, and still the cool window comes up. Is TDS a stand-alone, and/or can you run it alongside PC-cillin or NAV? How do you know which running processes to delete?

Hey guys,
I've downloaded TDS-3 and its update, but when I open it up it closes down on me.
Is there anything I can do to stop it from closing down? And yes, I'm having the same cOOL problem. I've run Spybot, Ad-Aware and Norton in safe mode and they all found some viruses. As well, I did a scan with PC-cillin in normal mode.
They all found something, but didn't fix the problem.


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.