As others have said, if you're not sure what other damage the Trojan might have caused the safest method is a reinstall. If you are confident that you've completely removed it then you can just copy the services file from another machine - unless you've installed any special services there won't be any extra entries. I'd guess the part you're missing is as shown below. The only thing which can bite you here is forgetting to press Enter at the end of the last line...
Steve

ftp-data           20/tcp                           #FTP, data
ftp                21/tcp                           #FTP. control

-----Original Message-----
From: Chris J. Popp [mailto:[EMAIL PROTECTED]]
Sent: 20 December 2002 20:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

The Windows 2000 system is a laptop, and not part of the network here at work. I understand about the LMHOSTS, and I don't use it. The only problem I see is that I can't ftp up to my server from that laptop and I get the error

Request 5 Done. StatusCode = 500
LastResponse was : '500 ESocketException: connect: WSocketResolveProto: Cannot convert protocol 'tcp''
Error = 500 (500 ESocketException: connect: WSocketResolveProto: Cannot convert protocol 'tcp')

So, is that telling me my protocols file is bad?

Thanks,
Chris

-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

Chris - I'm sure you could write some sort of script - if you do in fact USE LMHOST files - but I would just enter them manually as it is intended - that is of course if you have made up your mind to not go the recommended route and rebuild your system.

Keep this in mind - if you don't rebuild your box - you could have remnants of the Trojan - the hacker that created it could have slipped a backdoor to your system past you - all sorts of things could go on buddy. Bottom line is - work smarter not harder - rebuild now before you put even MORE information on your system that you could lose.

I don't know what your capacity is in your company - and this is NOT meant as an insult - but if you do not know what LMHOST files are and you are in some sort of a networking position - chances are you don't use them. If you are in some sort of a networking capacity - you really should know what little files like these are and what their purpose is - not many folks depend on LMHOST anymore - a lot of people are still using HOSTS though.

-----Original Message-----
From: Chris J. Popp [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 2:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

Can I somehow generate those without editing by hand, to make sure that it's done right?

-----Original Message-----
From: Al Garrett [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

One more thing to add....

If you are putting entries into an LMHOSTS file, there are spacing and case sensitivities to watch for (MS KnowledgeBase article 180094 refers). As the sample shows below, a domain controller is identified by its NetBIOS name in the second line, and the DOMAIN name it serves is ID'd in the third line. The comment line has the spacing and numbers to use as a guide. The quotes are necessary as are the capital letters.

# IP Address    "123456789012345*7890"
10.0.0.1        MYSERVER                #PRE    #DOM:MYSCHOOL.EDU
10.0.0.1        "FACULTY        \0x1b"  #PRE

Al Garrett

-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

Well - here's the thing. If you did in fact have some sort of TROJAN on that box - I would recommend scrubbing the disk and building the disk back from scratch. I KNOW it's a pain, especially if you have a lot of things loaded on that box. But if you don't I guarantee you (maybe not tomorrow - maybe not until 6 months from now) you will have problems again. The rebuild will also replace your HOSTS/LMHOSTS to the original state.
That being said - if you don't want to do it - your host file simply correlates an IP address to the UNC of a box on your network.

The entries would look like this:

201.124.152.24	boxname
201.124.152.27	boxname
201.124.152.124	boxname

Of course the IPs and names would be specific to YOUR IP range and names - and if you don't know - you must include the TAB SPACE between the IP and the name.

-----Original Message-----
From: Chris J. Popp [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

Sorry, my typo on ETC

So, how do I recreate those? And should I have that there so I can FTP and get rid of these errors?

Thanks,
Chris

-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 TCP problem!

The ETC (not ECT) dir inside the DRIVERS folder holds your

HOSTS
HOSTS.SAM
LMHOST
LMHOSTS.SAM

YES you need the directory and contents if you utilize HOSTS and LMHOSTS at all.

-----Original Message-----
From: Chris J. Popp [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 11:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 TCP problem!

I'm getting an error in an FTP program on a Windows 2000 Pro machine.

Request 5 Done. StatusCode = 500
LastResponse was : '500 ESocketException: connect: WSocketResolveProto: Cannot convert protocol 'tcp''
Error = 500 (500 ESocketException: connect: WSocketResolveProto: Cannot convert protocol 'tcp')

All I could find on this was that there should be a dir at winnt\system32\drivers\ect

The ect dir is gone. Had a trojan horse on that system that when I removed it, removed the dir.

The question is, what can be done to repair the damage? Do I just create a dir? Are there files that should be there? Do I need to remove and reinstall software? I have uninstalled and reinstalled TCP/IP to no avail.

Thanks,
Chris

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
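
An added example, not part of the original thread: a check of restored `services` and `protocol` file contents for the entries the FTP client needs and for the unterminated last line mentioned in the top reply. The function name, the sample strings and the `tcp 6` protocol entry (the IANA protocol number) are assumptions of this example; the two FTP entries are the ones quoted in the thread.

```python
import re

# Names and ports for "services" come from the thread above; "tcp 6" for the
# protocol file is the IANA protocol number (assumption: standard file layout).
REQUIRED = {
    "services": {("ftp-data", "20/tcp"), ("ftp", "21/tcp")},
    "protocol": {("tcp", "6")},
}
VALUE_RE = {
    "services": re.compile(r"^\d+/(tcp|udp)$"),
    "protocol": re.compile(r"^\d+$"),
}


def check_etc_file(kind, text):
    """Return a list of problems in the text of a 'services' or 'protocol' file."""
    problems, found = [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comment, split on whitespace
        if not fields:
            continue
        if len(fields) < 2 or not VALUE_RE[kind].match(fields[1].lower()):
            problems.append(f"line {number}: unparseable entry {raw.strip()!r}")
            continue
        found.add((fields[0].lower(), fields[1].lower()))
    for name, value in sorted(REQUIRED[kind] - found):
        problems.append(f"missing entry: {name} {value}")
    # The caveat from the top reply: the final entry must end with a line break.
    if text and not text.endswith(("\n", "\r")):
        problems.append("last line is not terminated with a newline")
    return problems


# Constructed sample inputs (not taken from any real machine).
GOOD_SERVICES = "ftp-data  20/tcp  #FTP, data\r\nftp  21/tcp  #FTP. control\r\n"
NO_FINAL_NEWLINE = "ftp-data  20/tcp  #FTP, data\r\nftp  21/tcp  #FTP. control"
GOOD_PROTOCOL = "ip  0  IP  # Internet protocol\r\ntcp  6  TCP\r\n"

if __name__ == "__main__":
    for label, kind, text in [("good services", "services", GOOD_SERVICES),
                              ("unterminated", "services", NO_FINAL_NEWLINE),
                              ("good protocol", "protocol", GOOD_PROTOCOL),
                              ("empty protocol", "protocol", "")]:
        print(label, "->", check_etc_file(kind, text) or "ok")
```

To check a real machine, read each file from the etc directory and pass its contents as `text`; comparing the result against a known-clean machine also shows whether entries were added or changed.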
