
PopUps on W2K server



#1 rknapke


Posted 22 February 2005 - 08:54 AM

I have a W2K server that is getting a lot of popups. I have run Spybot and removed around 100 items using that. I then ran HijackThis and removed 22 entries. We are still getting the popups. Here is a log file after I removed the 22 entries.

Logfile of HijackThis v1.99.0
Scan saved at 10:08:26 AM, on 2/21/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\InsightXESvc.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\COMPAQ\Compaq Insight Manager 7 SP1\runtime\bin\java.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\Program Files\COMPAQ\Compaq Insight Manager 7 SP1\WebDmi\WebDmi.exe
C:\DMI\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\COMPAQ\COMPAQ~1\DMIIND~1.EXE
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\WINNT\System32\snmptrap.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\WINNT\System32\cpqteam.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator.swansonstaffing\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://swansonstaffing.com/
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Greenshades Update] C:\Great Plains\\PackageUpdate.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteloe32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swansonstaffing.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6348F99C-4F7E-4241-BFFA-30B5943602D0}: NameServer = 10.65.107.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swansonstaffing.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swansonstaffing.local
O23 - Service: Backup Exec Remote Agent for Windows Servers - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: COMPAQ DMI Indication Handler - Compaq Computer Corporation - C:\PROGRA~1\COMPAQ\COMPAQ~1\DMIIND~1.EXE
O23 - Service: Compaq NIC Agents - Compaq Information Technologies Group, L.P. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent - Compaq Computer Corporation - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Compaq Insight Manager 7 - Unknown - C:\WINNT\System32\InsightXESvc.exe
O23 - Service: Trend ServerProtect - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: Compaq System Shutdown Service - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: Compaq DMI Insight Web Management Agent - Compaq Computer Corporation - C:\Program Files\COMPAQ\Compaq Insight Manager 7 SP1\WebDmi\WebDmi.exe
O23 - Service: Win32sl - Intel - C:\DMI\Win32\bin\Win32sl.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

This is starting to become a real problem and I am afraid these popups are going to kill my server. Any comments are much appreciated.
Thanks in advance
Rich


#2 Grinler


    Lawrence Abrams



Posted 23 February 2005 - 09:19 PM

End this process:

C:\winnt\system32\eliteloe32.exe

Fix this:

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteloe32.exe

Delete the above file and post a new log.
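
The three steps in the reply above (end the process, fix the O4 line, delete the file) depend on matching an autostart entry to its executable. The sketch below is an added example, not part of either post and not HijackThis code: it parses the O4 lines of a HijackThis log and reports, for each autostart, whether its image name appears under "Running processes". The function names and the regular expressions for the two O4 line shapes seen in this log are assumptions of the example.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\cpqteam.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Greenshades Update] C:\Great Plains\\PackageUpdate.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteloe32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
"""

# O4 registry form:  O4 - HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 startup-folder form:  O4 - Global Startup: shortcut.lnk = target
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# First path component ending in .exe, i.e. the image name without its directory.
EXE_RE = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)


def parse_hjt(log):
    """Return (set of running image names, list of O4 autostart entries)."""
    running, autostarts, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        else:
            m = RUN_RE.match(line) or STARTUP_RE.match(line)
            if m:
                exe = EXE_RE.search(m["cmd"])
                autostarts.append({"name": m["name"], "cmd": m["cmd"],
                                   "exe": exe[1].lower() if exe else None})
    return running, autostarts


def autostart_status(log):
    """Map each O4 entry name to (image name, listed as running at scan time)."""
    running, autostarts = parse_hjt(log)
    return {a["name"]: (a["exe"], a["exe"] in running) for a in autostarts}


if __name__ == "__main__":
    for name, (exe, live) in autostart_status(SAMPLE_LOG).items():
        print(f"{name:22} {str(exe):20} running={live}")
```

The result describes only the moment of the scan; an autostart whose image was not listed as running will still launch at the next startup until the Run value is removed.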



