We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Sunday, December 03, 2006

I must post this hack, which has come to our attention, if for no other reason than to save other administrators some time. First I found the existence of a service called network.exe within System32, though as we all know the name is not important. Look for any unknown service running. Search your registry keys and remove the reference that starts this service.

You will know you have the problem when you cannot click on anything within Enterprise Manager, such as a database or Logins, and go to Properties. The error that appears at this point will be related to xpstar.dll. You can copy the missing DLL files from another SQL install or simply run SQL 2000 SP4 again. But this only fixes SQL; it does not get to the root of the problem.

The cause is a .bat or .cmd file which has been inserted to do the dirty work. Search your system for the offending file; in this case it was named a761.bat, but again it can be named anything. Then remove the registry entry that tells the .bat file to run when you log on, or you have not beaten anything yet.

So let's look at the .bat file.

net stop mssqlserver
net stop mssqlserver /Y
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\odsole70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xplog70.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\odsole70.dll
net start mssqlserver

Once we have made sure the bad code has been removed, make sure the files are back in place. As I said, this can be done either by copying them or by reinstalling SP4 for SQL 2000.
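
A triage script for the three checks this post walks through (the deleted DLLs, autostart entries that launch a batch file, and unknown services), added here as an example and not part of the original post. It assumes the default install path shown in the .bat file and PowerShell 3.0 or later; the list of Run/RunOnce keys and the signature check are this example's own choices.

```powershell
# Added example: read-only triage for the symptoms described in this post.
# Assumption: default SQL Server 2000 path, taken from the .bat file above.
$binn = 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn'
$dlls = 'xplog70.dll', 'odsole70.dll', 'xpstar.dll'

# 1. Are the three DLLs that the batch file deletes still in place?
foreach ($dll in $dlls) {
    $path = Join-Path $binn $dll
    if (Test-Path -LiteralPath $path) { "OK       $path" } else { "MISSING  $path" }
}

# 2. Logon autostart entries that launch a .bat or .cmd file.
#    (Assumed key list; a batch file can be started from other places too.)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match '\.(bat|cmd)\b') { "REVIEW   $key -> $name = $value" }
    }
}

# 3. Services whose executable does not carry a valid Authenticode signature.
#    The service name means nothing, so the binary itself is checked.
#    A non-Valid status is a prompt to look closer, not proof of compromise.
Get-CimInstance Win32_Service | ForEach-Object {
    # PathName may be quoted and may carry arguments; pull out the .exe path.
    if ($_.PathName -match '^\s*"([^"]+)"' -or $_.PathName -match '^\s*(.+?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') {
                "REVIEW   service $($_.Name) ($($_.State)) -> $exe [$($sig.Status)]"
            }
        }
    }
}
```

The script only reports; removing a service, registry value or batch file remains a manual decision after reviewing each REVIEW line.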

I won't go into how we stop the bad guy from returning. It is up to each administrator which method to take. I offer this only as a way to get you out of trouble and give you the time to think about how they did it and how to prevent it.