Help on Log

#1 billy.j


Posted 17 August 2005 - 10:59 AM

Hi there - can you give me some help on how to clear this issue up on our server?
I have run a few different spyware packages (Spybot, Trojan Hunter, Ewido), done a full virus scan (CA eTrust) and an online scan via Trend Micro (had to install Firefox as IE hangs); all say my system is clean. Generally things are running at a snail's pace whenever I try to open anything up, either locally or via Terminal Services.

Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:41:17, on 17/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\administrator.RBS\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Vizual\PD-MSSQL\SCHEDU~1.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\lserver.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\Vizual\PD-MSSQL\VBTREC~2.EXE
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\bin\PCDRWDIA.EXE
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\modules\PCDr2D3DVideo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VIZUAL\PD-MSSQL\SERVICEINDICATOR.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\VIZUAL\PD-MSSQL\SERVICEINDICATOR.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
P:\Media\adware and av cleanup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rbssvr002/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rbssvr002
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Royal Blind.Org
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\RunServices: [StartSchedulingEngine] svcomsc start SchedulingEngine
O4 - HKCU\..\Run: [SI:SchedulingEngine] "C:\Program Files\VIZUAL\PD-MSSQL\SERVICEINDICATOR.EXE" SchedulingEngine
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.rbs\windows\system32\rnr20.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = edin.royalblindschool.org.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{17BA459D-E33B-4811-BD65-224D15E18C3B}: NameServer = 10.0.4.10,10.0.0.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = edin.royalblindschool.org.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{17BA459D-E33B-4811-BD65-224D15E18C3B}: NameServer = 10.0.4.10,10.0.0.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = edin.royalblindschool.org.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{17BA459D-E33B-4811-BD65-224D15E18C3B}: NameServer = 10.0.4.10,10.0.0.11
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: DHCP Server (DHCPServer) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\tcpsvcs.exe (file missing)
O23 - Service: DNS Server (DNS) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\dns.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax Service (Fax) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\faxsvc.exe (file missing)
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Intersite Messaging (IsmServ) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\ismserv.exe (file missing)
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: License Logging Service (LicenseService) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\llssrv.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Policy Agent (PolicyAgent) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Routing and Remote Access (RemoteAccess) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\regsvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\rsvp.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\MSTask.exe (file missing)
O23 - Service: Report Scheduling Engine (SchedulingEngine) - OneClickHR plc - C:\PROGRA~1\Vizual\PD-MSSQL\SCHEDU~1.EXE
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - %SystemDrive%\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\termsrv.exe (file missing)
O23 - Service: Terminal Services Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\tlntsvr.exe (file missing)
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\UtilMan.exe (file missing)
O23 - Service: VBT Recalculation (VBTRecalculate) - OneClickHR plc - C:\PROGRA~1\Vizual\PD-MSSQL\VBTREC~2.EXE
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\services.exe (file missing)
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\WBEM\WinMgmt.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\Services.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\System32\svchost.exe (file missing)

Have tried to clear the "(file missing)" entries with HijackThis, but they just re-appear; this has been done in safe mode as well as normal mode.

Cheers

BillyJ
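What stands out in the log above is not any single entry but a pattern: nearly every built-in Windows service (Eventlog, RpcSs, lsass-hosted services, and so on) resolves to an image path under a user profile, `C:\Documents and Settings\administrator.RBS\WINDOWS\...`, and is reported as "(file missing)", while the platform line says Windows 2000, whose real system root on this machine is `C:\WINNT` (where winlogon.exe, services.exe and lsass.exe actually run from). The first running process, smss.exe, is also listed under that profile path. Two of the paths are even truncated (`C:\Documents.exe`). Those are the lines a reviewer would check first, before anything in the Program Files entries. The script below is an added example, written for this page and not code from the original post, HijackThis or BleepingComputer: it parses the "Running processes" block and the O23 service lines of a HijackThis v1.99.1 log and flags core Windows binaries running outside the system root, and services whose image path is missing or sits under a user profile. The sample log is a constructed excerpt of the post's own lines; the mapping from the Platform line to a default system root (`C:\WINNT` for WinNT 5.0, `C:\WINDOWS` otherwise) is an assumption of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated excerpt shaped like the HijackThis v1.99.1 log
# in the post above (the individual lines are copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:41:17, on 17/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\Documents and Settings\administrator.RBS\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
P:\Media\adware and av cleanup\HijackThis.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\administrator.RBS\WINDOWS\system32\services.exe (file missing)
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents.exe (file missing)
"""

# Core Windows binaries that should only run from <SystemRoot>\system32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe"}

# O23 lines: "O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]".
# The "(<name>)" part is optional (e.g. "Alert Notification Server" has none).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
PLATFORM_RE = re.compile(r"^Platform: .*\(WinNT (?P<major>\d+)\.(?P<minor>\d+)")

Finding = Tuple[str, str, str]  # (kind, subject, reason)


def system_root(log_text: str) -> str:
    r"""Expected %SystemRoot% derived from the Platform line.

    Assumption (not from the post): a default install puts Windows 2000
    (WinNT 5.0) in C:\WINNT and later NT versions in C:\WINDOWS. For this log
    the C:\WINNT\system32\winlogon.exe process entry agrees.
    """
    for line in log_text.splitlines():
        m = PLATFORM_RE.match(line)
        if m:
            return r"C:\WINNT" if (int(m["major"]), int(m["minor"])) == (5, 0) else r"C:\WINDOWS"
    raise ValueError("no Platform line found")


def parse_processes(log_text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the next blank line."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def parse_services(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Every O23 line as display name, service name, owner, image path, missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append({"display": m["display"], "name": m["name"], "owner": m["owner"],
                            "path": m["path"], "file_missing": m["missing"] is not None})
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag core binaries outside the system root and suspicious O23 image paths."""
    root = system_root(log_text).lower()
    findings: List[Finding] = []
    for path in parse_processes(log_text):
        directory, _, basename = path.lower().rpartition("\\")
        if basename in CORE_SYSTEM_BINARIES and directory != root + r"\system32":
            findings.append(("process", path, "core binary outside system root"))
    for svc in parse_services(log_text):
        reasons = []
        if svc["file_missing"]:
            reasons.append("file missing")
        if "\\documents and settings\\" in svc["path"].lower():
            reasons.append("image path under a user profile instead of the system root")
        if reasons:
            findings.append(("service", svc["name"] or svc["display"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {subject} -> {reason}")
```

Run against the full log from the post, the service rule fires on almost every Microsoft service and the process rule on smss.exe, which is exactly why deleting the O23 lines one at a time in HijackThis does not help: the tool only removes what it reads from the registry, and if the image paths it reads are being resolved against the wrong root, they come straight back on the next scan. The useful next step is to compare the raw ImagePath values in the services registry key with what the log shows, which is the kind of follow-up the reply below starts by collecting the offending folder.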


#2 Guest_Cretemonster_*


Posted 20 August 2005 - 07:18 AM

Hi billy.j and Welcome to the Bleeping Computer!

Please upload this entire folder here
http://www.bleepingcomputer.com/submit-malware.php


C:\Documents and Settings\administrator.RBS\WINDOWS


After you have uploaded it, please post back and we will go from there!
