Group:  English: Windows Server » microsoft.public.windows.server.sbs
Thread: TCP/IP Service

TCP/IP Service
"Monty" <flatpint[ at ]hotmail.com> 09.07.2007 16:04:51
Hope someone can shed light and help me.

SBS 2003 R2

I have a service TCP/IP Service which runs C:\WINDOWS\system32\tcpsrv.exe,
this is corrupt by a Trojan.

Sophos put out an IDE on 2nd July but back up tapes from April to date have
this file as infected. Bit worrying that it has been there ages before an
IDE is published.

So I have no good files of tcpsrv.exe

This service has SERVER and WORKSTATION dependencies.

Deleting this file does not allow half of my important services to run.

I am a little lost, can anyone help please?

Monty


Re: TCP/IP Service
Owen Williams [SBS MVP] <Owen[ at ]NoSpam_CVTCLLC.com> 10.07.2007 02:20:07
In article <eN8C4KkwHHA.3400[ at ]TK2MSFTNGP03.phx.gbl>, flatpint[ at ]hotmail.com
says...

On my own SBS (which is not R2 but is otherwise up-to-date, including Win Svr
2003 SP2):

* The Services MMC is *not* showing a service called "TCP/IP Service". The only
remotely similar service displayed is "TCP/IP NetBIOS Helper."

* There is *no* program with the name "tcpsrv.exe" in C:\WINDOWS\system32. In
fact, there is no such program anywhere on the C: drive. (There _is_ a
"tcpsvcs.exe" in C:\WINDOWS\system32.)

So, first, you don't have to worry about restoring a "good" tcpsrv.exe because
there is no such program.

Second, sounds like a good idea to remove the Trojan! Can Sophos tech support
help? If not, perhaps this will provide some guidance:

http://www.experts-exchange.com/Software/Internet_Email/Spy_Ad_Blockers/HijackThis/Q_22634691.html

If you want to live a little dangerously, you can try starting SBS in Safe Mode
(without networking) and renaming or deleting tcpsrv.exe, then rebooting
normally to see if the service is gone and there are no bad effects.

-- Owen Williams [SBS MVP]

Re: TCP/IP Service
"Monty" <flatpint[ at ]hotmail.com> 10.07.2007 08:42:21
Owen, thanks for the comments.

I have changed the dependencies on this service and quarantined the file
for a few days to make sure it is OK.

Sophos have looked at the file and said to delete it but they could not help
on the dependencies etc...

So a bit of careful guesswork and fingers crossed so far so good.

Cheers





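The comparison against a known-good server and the dependency problem discussed in this thread can be checked together before a suspect service binary is removed. The following is an added example, not code from any poster in the thread: it parses `sc qc`-style output, flags services missing from a baseline, notes when the binary name closely resembles a baseline binary, and lists which services would stop starting if it were deleted. The sample output, the short name `ExampleTcpSvc`, the dependency links and the baseline sets are all constructed assumptions.

```python
import difflib
import re

# Constructed `sc qc`-style output: ExampleTcpSvc and the dependency links are illustrative.
SAMPLE = r"""
SERVICE_NAME: lanmanserver
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DEPENDENCIES       : ExampleTcpSvc
                           : Tcpip
SERVICE_NAME: ExampleTcpSvc
        BINARY_PATH_NAME   : C:\WINDOWS\system32\tcpsrv.exe
        DISPLAY_NAME       : TCP/IP Service
        DEPENDENCIES       :
"""
BASELINE_SERVICES = {"lanmanserver", "lanmanworkstation"}  # assumed: known-good server
BASELINE_BINARIES = {"svchost.exe", "tcpsvcs.exe"}         # assumed: known-good server
FIELD = re.compile(r"^\s*([A-Z_]*)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return {service: {FIELD: value, "DEPENDENCIES": [lower-cased names]}}."""
    services, cur, key = {}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1) or key, m.group(2)  # empty key = continuation line
        if key == "SERVICE_NAME":
            cur = services.setdefault(val, {"DEPENDENCIES": []})
        elif cur is not None and key == "DEPENDENCIES":
            cur[key] += [val.lower()] if val else []
        elif cur is not None:
            cur[key] = val
    return services

def audit(services, known_services, known_binaries):
    """Report non-baseline services, any look-alike binary, and services depending on them."""
    findings = []
    for name, svc in services.items():
        if name.lower() in known_services:
            continue
        m = re.match(r'"?(.+?\.exe)\b', svc.get("BINARY_PATH_NAME", ""), re.I)
        exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        near = difflib.get_close_matches(exe, sorted(known_binaries - {exe}), n=1, cutoff=0.8)
        deps = sorted(n for n, s in services.items() if name.lower() in s["DEPENDENCIES"])
        findings.append({"service": name, "binary": exe,
                         "resembles": near[0] if near else None, "dependents": deps})
    return findings

if __name__ == "__main__":
    print(audit(parse_sc_qc(SAMPLE), BASELINE_SERVICES, BASELINE_BINARIES))
```

A non-empty `dependents` list means those services' dependency entries need correcting before the file is quarantined or deleted.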
