We have a 2000 server I was looking at the other day(while updating norton corporate) and I noticed servudaemon.exe running as a service off the root of c. We do not run anything off the root of c so I scanned it with norton. Norton didn't find anything so I loaded ewido and it tagged it as backdoor.servu-based. I gather its some sort of ftp server software. Anyway, I disabled the service and let ewido remove it. I then ran rootkit revealer and checked the recycle bin for a hidden ftp site. I can't find anything wrong or out of the ordinary other than this service running off the root of c. 1)Why didn't Norton pick it up? 2)Do I need to be concerned since I didn't find anything else? There was an ini file with the .exe file but I am unsure as to what it means. This is it as follows:None of the directories referenced in homedir exist. [GLOBAL] Version=184.108.40.206 ProcessID=2488 [DOMAINS] Domain1=0.0.0.0||9636|stro|1|0|0 [Domain1] User1=yurex|1|0 User2=up|1|0 User3=ftpmaniac|1|0 SignOn=c:\WINDOWS\dll\loginfo.txt SQLListAll= SQLListName= SQLListSort= SQLDelete= SQLInsert= SQLUpdate= ReplyHello=YuReX PresenTe : ReplyNoAnon=Stop logg toi avant ReplyTooMany=Trop de peuple resaie encore ReplyDown=Down revienez plus tard ReplyOffline=Le serveur est temporairement fermer revenez plus tard MaxNrUsers=3 User4=over2|1|0 User5=up2|1|0 User6=par|1|0 RatioFree1=C:\ RatioFree2=D:\ RatioFree3=E:\ RatioFree4=F:\ RatioFree5=G:\ Password=hzAF65B47EA5D7E0E6FBE6B5CC25821FDC HomeDir=c:\ TimeOut=3600 Maintenance=System Access1=G:\|RWAMELCDP Access2=d:\|RWAMELCDP Access3=d:\|RWAMELCDP Access4=D:\|RWAMELCDP Access5=F:\|RWAMELCDP Access6=e:\|RWAMELCDP Access7=c:\|RWAMELCDP Password=ulEE976AD82C153D0DADB80BF3D5BE7F77 HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll RelPaths=1 TimeOut=1200 Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RWAMELCDP Access2=d:\|RWAMELCDP Password=vn9AD6385218DABBEC6C0B0A85A14962ED HomeDir=d:\Lotus\Domino\Data\modems\data\dl RelPaths=1 TimeOut=600 Access1=d:\Lotus\Domino\Data\modems\data\dl|RWAMELCDP Password=le970297A758078469759ED077F288CE81 HomeDir=d:\lotus\domino\data\modems\data\dl RelPaths=1 MaxUsersLoginPerIP=1 TimeOut=300 Access1=d:\Lotus\Domino\Data\modems\data\dl|RLP Password=oe9241BF4F6A25F55814952CF13BFF7176 HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\etoile RelPaths=1 TimeOut=600 Access1=f:\backupbrspodpl01\winnt\sysvol\data\etoile|RWAMLCDP Password=fcE119288B197A518D11751642E12B4CBA HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll RelPaths=1 TimeOut=600 Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RLP 3)I also found a file off the root called superlol.exe but couldn't find anything about it and it was not running. Any other programs you guys would suggest running?