shortyoni
I was hacked, please help me.
NT server, somebody installed Serv-U.
How do I get rid of this?
Any recommendations, tools?
subcorner
Try running this: net stop serv-u
Then watch on your computer for
servudaemon.ini ; firedaemon.exe ; winmgnt,....
Go into the dir of the file and sort files by change date...
Then you'll certainly see the last files put on your computer...
It's certainly this one.

It might be in %windir%\system32\DWRCC Upload or as it...
It can often also be in %windir%\system32
When you find the servu exec, delete it, then open the servudaemon.ini and look for the dir of the dump that you'll delete.
Then install a firewall and close port 135.
With your firewall, you'll certainly see if a backdoor trojan is installed and you'll kill it easily...

There are a lot of things possible to do and there are certainly better ones, but I'm not a pro.
I hope it will help you... (sorry for my English lol I'm French)
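The "sort the directory by change date and look for the Serv-U files" triage that subcorner describes by hand, written out as a script. This is an added example, not code from this thread or from any of the posters: it walks a tree, flags the artifact names the posts mention (servudaemon.ini, firedaemon.exe, winmgnt, servu.log) regardless of age, and lists everything else written inside a time window, newest first. The sample tree it builds is constructed for the demonstration; the "DWRCC Upload" folder name is taken from the post above.

```python
"""Added example, not from the thread: file-system triage for a rogue
Serv-U install. Sorts recent files by mtime and flags known artifact names."""
import os
import tempfile
import time
from pathlib import Path

# Artifact names mentioned in the thread (constructed list from the posts);
# a match is an indicator worth inspecting, not proof of compromise.
SERVU_INDICATORS = {"servudaemon.ini", "servudaemon.exe", "servu.log",
                    "firedaemon.exe", "winmgnt.exe"}
# Extensions that deserve a second look when freshly written on a server.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".ini", ".bat", ".cmd"}


def scan_recent(root, since_seconds):
    """Return a list of dicts (path, name, mtime, reason), newest first.

    reason is 'indicator' for a known Serv-U artifact name (any age),
    'recent-binary' for an executable/config written inside the window,
    'recent' for any other file written inside the window."""
    now = time.time()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                mtime = p.stat().st_mtime
            except OSError:
                continue  # vanished or unreadable; skip, don't abort the scan
            lower = name.lower()
            if lower in SERVU_INDICATORS:
                reason = "indicator"
            elif now - mtime <= since_seconds:
                reason = ("recent-binary" if p.suffix.lower() in SUSPECT_EXTENSIONS
                          else "recent")
            else:
                continue
            hits.append({"path": str(p), "name": name, "mtime": mtime, "reason": reason})
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


def build_sample_tree():
    """Constructed sample: an 'old' system32 plus a fresh upload folder holding
    a renamed Serv-U binary and its ini file. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    old = root / "system32"
    old.mkdir()
    past = time.time() - 400 * 86400  # backdate ~400 days
    for name in ("kernel32.dll", "svchost.exe"):
        f = old / name
        f.write_bytes(b"old")
        os.utime(f, (past, past))
    new = old / "DWRCC Upload"
    new.mkdir()
    (new / "svchost.exe").write_bytes(b"not the real one")  # renamed Serv-U (constructed)
    (new / "servudaemon.ini").write_text("[GLOBAL]\n")
    (new / "readme.txt").write_text("hello")
    return root


if __name__ == "__main__":
    for hit in scan_recent(build_sample_tree(), since_seconds=7 * 86400):
        print(f"{time.ctime(hit['mtime'])}  {hit['reason']:14}  {hit['path']}")
```

Run it against %windir% with a window covering the days around the intrusion; the real system32 copies drop out because they are old, and a second svchost.exe living in a subfolder shows up at the top of the list next to its ini file.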
JDog45
Some simple things that helped me get 'unhacked'. First I was set up as a stro. I luckily found a folder that just didn't 'fit' with my OS. So I went into that folder and saw a servu.log. I went into my folder options and selected view all hidden files. Presto, there was a bunch of hidden folders as well as some tools used for making me a scanstro.

I noticed in these hidden folders that I had servu renamed to svchost. Went into my task manager and killed svchost, not svchosts. Got that stopped and deleted. I ran msconfig and looked in startup to see if any of the names of the programs in the folders matched any of my startup items. Yep, sure did. So I removed that from startup, restarted and deleted the rest of the files/folders.

I know that this is kinda generic, but it's how it worked for me. If whoever hacked you was smart, they'll have renamed the files well and hidden them extensively.
shortyoni
I see all the serv-u files and processes,
but it won't let me delete them or end the process.
Error message: "access denied"
I did delete the large file, 287 MB, the file they were downloading.

There are two processes that are using up CPU 100%, 50% each:
53201.exe and winlogin.exe
And where is the startup folder?

Thanks for all the help
JDog45
Go to Start, Run and then type in 'msconfig' without the 's. Then you'll see Startup. It probably won't let you delete anything right now because the files are in use. Try disabling the processes in Startup, restarting and then deleting them.
Alamo
Read the Windows manual first. Or buy a game console, it only has 1 switch for turning off and on....

"there are two processes that are using up cpu 100%, 50% each
53201.exe and winlogin.exe
and where is the startup folder?
"

What are you? Are you using daddy's PC on the weekend...

Call Microsoft, they support you easily when you've got a license..
Skippy989
Nuke it from orbit, It's the only way to be sure.
z3d
LOL
morbido
There are also some people that use this folder --> c:\system volume information
to hide warez

I think that the only way to clean it is with an expert file explorer program

chearRRrs
dramatiker
1. cut your inet connection
2. search for new files and services in the last days
3. copy them into a new folder and note the date of attack
4. install an ip logger
5. start up your inet connection
6. send the logfile and attack files to your police department
Sh4dowWalker
I've used these tools for finding servu. They're free, simple but powerful enough to detect any serv-u on your system.

tlist.exe - tasklist viewer, I prefer it over many other similar tools because of its ability to display the full path and switches/attributes used to run a program - good for recognising which svchost is fake ... and not only for this
kill.exe - kills tasks
sc.exe - standard M$ utility to control services - comes with XP - can do almost anything with services - works on NT, w2k too

This and some experience are the most dangerous weapon against serv-u

Ahh... almost forgot to tell. To get these tools - google for them

EDIT:
There's an even easier way to find serv-u but I don't know which prog can help you.
Serv-U when running always creates a handle called RWinSocket. If only someone could tell me the name of a program similar to tlist.exe but which can give information about created handles too.... Does anyone know a small free cli utility like that?
(Sorry for bad English)
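Sh4dowWalker's point is that the full image path is what separates the real svchost from a renamed Serv-U, and the process names reported earlier in the thread (winlogin.exe, 53201.exe) illustrate two more cheap checks: a near-miss spelling of a Windows image name, and a purely numeric name. The script below is an added example, not Sh4dowWalker's tool or any real tlist.exe output: it parses a constructed "pid, image name, full path" listing and applies those three rules. The system directory C:\WINNT\system32 is an assumption for an NT box; adjust it to %windir%\system32 on the machine in question.

```python
"""Added example, not from the thread: triage a process listing by image path,
lookalike name and numeric name. Listing format is constructed, not tlist's."""
import ntpath  # parses backslash paths correctly even when run off-Windows

SYSTEM_DIR = r"C:\WINNT\system32"  # assumed %windir%\system32 for an NT server
# Core Windows images: a copy outside system32, or a one-letter misspelling
# of one of these names, is worth a close look.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}

# Constructed sample listing: pid <TAB> image name <TAB> full path.
SAMPLE_LISTING = "\n".join([
    "4\tSystem\t",
    "212\tsmss.exe\tC:\\WINNT\\system32\\smss.exe",
    "244\twinlogon.exe\tC:\\WINNT\\system32\\winlogon.exe",
    "612\tsvchost.exe\tC:\\WINNT\\system32\\svchost.exe",
    "1340\tsvchost.exe\tC:\\WINNT\\system32\\DWRCC Upload\\svchost.exe",
    "1388\twinlogin.exe\tC:\\WINNT\\system32\\winlogin.exe",
    "1402\t53201.exe\tC:\\WINNT\\system32\\53201.exe",
]) + "\n"


def parse_listing(text):
    """Turn the tab-separated listing into dicts with pid, name and path."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, name, path = line.split("\t")
        rows.append({"pid": int(pid), "name": name, "path": path})
    return rows


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def near_miss(name):
    """Return the system image name that `name` is one edit away from, else None."""
    for sysname in sorted(SYSTEM_IMAGES):
        if name != sysname and one_edit_apart(name, sysname):
            return sysname
    return None


def classify(row):
    """Apply the three checks; 'ok' means none of them fired."""
    name = row["name"].lower()
    directory = ntpath.dirname(row["path"]).lower()
    if name in SYSTEM_IMAGES:
        # Real system images live in system32; the same name elsewhere is a renamed binary.
        return "ok" if directory == SYSTEM_DIR.lower() else "system-name-outside-system32"
    lookalike = near_miss(name)
    if lookalike:
        return "lookalike-of-" + lookalike
    if ntpath.splitext(name)[0].isdigit():
        return "numeric-name"
    return "ok"


def flag_processes(text):
    """Return {pid: verdict} for every row that fails a check."""
    return {row["pid"]: classify(row)
            for row in parse_listing(text) if classify(row) != "ok"}


if __name__ == "__main__":
    for pid, verdict in flag_processes(SAMPLE_LISTING).items():
        print(f"pid {pid}: {verdict}")
```

The verdicts are prompts for a human, not kill decisions: a flagged process still has to be matched to its file on disk and its startup entry before it is removed, which is the order JDog45 describes above.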
Invision Power Board © 2001-2005 Invision Power Services, Inc.