Server Issue


7 replies to this topic

#1 Coop-Show

Coop-Show

  • Members
  • 13 posts

Posted 27 May 2005 - 12:13 PM

Below is the log.

Symptoms: No icons or Start Menu after logging into the computer. Start menu shows up and disappears after a split second. Please help if you can. I appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 9:34:50 AM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\Program Files\ComputerAssociates\ARCserve\caserved.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
C:\Program Files\ComputerAssociates\ARCserve\cadiscovd.exe
C:\Program Files\ComputerAssociates\ARCserve\Catirpc.exe
C:\ca_lic\lic98rmt.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\ComputerAssociates\ARCserve\caloggerd.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\ca_lic\LogWatNT.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\Program Files\ComputerAssociates\ARCserve\Mediasvr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\ComputerAssociates\ARCserve\caauthd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\ComputerAssociates\ARCserve\LQServer.exe
C:\Program Files\ComputerAssociates\ARCserve\asalert.exe
C:\Program Files\ComputerAssociates\ARCserve\LDBServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
E:\hi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pennvirginia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8EDAFBB-964E-4209-A8ED-8F8C8805E219}: NameServer = 192.168.11.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = removedforsafety.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = removedforsafety.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: ASDiscoverySvc - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\asdscsvc.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\caserved.exe
O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserve\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\ca_lic\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\ca_lic\lic98rmtd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\ca_lic\LogWatNT.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 27 May 2005 - 07:34 PM

Hi Coop-Show. The only thing I see in the log that is questionable is: E:\hi.exe
Do you know what this is? If not, then terminate the process and delete the file.

If you are unsure then do the following:

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan: E:\hi.exe
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.

OT

Edited by OldTimer, 27 May 2005 - 07:34 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

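What OldTimer did by eye in the reply above, written out as a script (an added example, not from this thread or from HijackThis): it parses the log's "Running processes" list and the O4/O20/O23 lines and flags binaries outside the usual Windows 2000 directories, services whose file is missing, and Winlogon Notify DLLs loaded from odd locations. The trusted-directory list and the sample log are assumptions assembled from entries quoted in this thread.

```python
import re

# Added example (not from this thread or HijackThis): a triage pass over a
# HijackThis log that applies the checks an analyst makes by eye. Assumption:
# the system root is C:\WINNT as in the log above; adjust TRUSTED_DIRS otherwise.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\ca_lic\\")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
E:\hi.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\\NavLogon.dll
O23 - Service: ASDiscoverySvc - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\asdscsvc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
"""

def in_trusted_dir(path):
    # HijackThis sometimes prints a doubled backslash (see the O20 line); fold it.
    p = path.lower().replace("\\\\", "\\")
    return any(p.startswith(d) for d in TRUSTED_DIRS)

def triage(log_text):
    """Return (reason, line) pairs that deserve a second look; [] means nothing odd."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process section
                in_procs = False
            elif not in_trusted_dir(line):
                findings.append(("process outside trusted directories", line))
            continue
        m = O4_RE.match(line) or O20_RE.match(line)
        if m and not in_trusted_dir(m.group("path")):
            findings.append(("autostart or Winlogon entry outside trusted directories", line))
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("service points at a missing binary", line))
        elif m and m.group("owner") == "Unknown owner" and not in_trusted_dir(m.group("path")):
            findings.append(("unknown-owner service outside trusted directories", line))
    return findings
```

On the sample this reports exactly the two items a reviewer would ask about: E:\hi.exe running from a non-system drive, and the ASDiscoverySvc service whose binary is missing.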

#3 Coop-Show

Coop-Show
  • Topic Starter

  • Members
  • 13 posts

Posted 27 May 2005 - 09:51 PM

hi.exe is what I renamed hijackthis.exe to and burned to the CD... it is just the executable, and the only way to access it was through a drive... explorer.exe will not function correctly if I try to run it...

#4 Coop-Show

Coop-Show
  • Topic Starter

  • Members
  • 13 posts

Posted 28 May 2005 - 04:47 PM

You do not see ANYTHING? I just do not understand... I have run all of the spyware tools I can think of...

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 28 May 2005 - 05:39 PM

Hi Coop-Show. There is nothing showing in the log. Let's try this.

Let's run a couple of scans to see if there is anything that might not be showing up in the log.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE!!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while, so be patient. When the DOS window closes, reboot back to normal mode.

After you have rebooted start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Check the checkbox for List minor sections (full)
  • Check the checkbox for List empty sections (complete)
  • Click on the Generate StartupList Log button
  • Click the Yes button to create the list
Post the contents of C:\pfind.txt and the information from the StartupList back here and I will review it when it comes in.

OT

#6 Coop-Show

Coop-Show
  • Topic Starter

  • Members
  • 13 posts

Posted 31 May 2005 - 09:15 AM

PFIND.TXT LOG

-------------------------------------------------------------------


Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINNT folder



Checking the C:\WINNT\SYSTEM32 folder



Checking all directories under the C:\WINNT\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users.WINNT\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users.WINNT\Application Data folder




Checking the C:\Documents and Settings\Administrator.PENNVIRGINIA\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator.PENNVIRGINIA\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINNT\
shelli~1 Thu May 5 2005 7:48:58a ...H. 84,902 82.91 K

C:\WINNT\TASKS\
sa.dat Tue May 31 2005 8:56:24a A..H. 6 0.00 K

C:\WINNT\SYSTEM32\CONFIG\
default.log Mon May 30 2005 10:00:26p A..H. 1,024 1.00 K
security.log Tue May 31 2005 8:23:20a A..H. 1,024 1.00 K
software.log Tue May 31 2005 9:00:56a A..H. 1,024 1.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 87,980 bytes 85.92 K

#7 Coop-Show

Coop-Show
  • Topic Starter

  • Members
  • 13 posts

Posted 31 May 2005 - 09:16 AM

Startup List Log

----------------------------------------------------------------

StartupList report, 5/31/2005, 9:12:31 AM
StartupList version: 1.52.2
Started from : C:\adtools\hi.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\ComputerAssociates\ARCserve\caserved.exe
C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
C:\Program Files\ComputerAssociates\ARCserve\cadiscovd.exe
C:\Program Files\ComputerAssociates\ARCserve\Catirpc.exe
C:\ca_lic\lic98rmt.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\ComputerAssociates\ARCserve\caloggerd.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\ca_lic\LogWatNT.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\Program Files\ComputerAssociates\ARCserve\Mediasvr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserve\caauthd.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\ComputerAssociates\ARCserve\LQServer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserve\LDBServer.exe
C:\Program Files\ComputerAssociates\ARCserve\asalert.exe
C:\WINNT\system32\taskmgr.exe
C:\adtools\hi.exe
C:\WINNT\system32\wuauclt.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

vptray = C:\PROGRA~1\SAV\vptray.exe
HP Network Registry Agent = C:\WINNT\system32\hpnra.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

wednesday.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINNT\system32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...38003.412650463

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,830 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2005 - 01:21 PM

Hey Coop-Show. Everything looks fine. Whatever the issue is, it does not appear to be malware related. Have you checked your event logs to see if there are any application or system errors?

I suggest you post your question in the w2k forum and see what they come up with. There is a pretty broad base of knowledge there and they can help with system issues.

Cheers.

OT