Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 05/06/2008
Time: 10:21:55
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 05/06/2008
Time: 10:21:54
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted.
I found a few suspect files in:
C:\WINNT\wmsoft14338.exe
C:\WINNT\wmsoft23171.exe
C:\WINNT\wmsoft85684.exe
C:\WINNT\wiadss.exe
c:\WINNT\SYSVOL\sysvol\wmsoft23171.exe
And a suspect service named "MS NET Service" is running.
I scanned my server with Trend Micro OfficeScan but no virus was detected.
****************************
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
D:\Program Files\Trend\Smex\EUQ\EUQMonitor.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\wiadss.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Microsoft BackOffice\Connectivity\POP3 Connector\vmimb.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
D:\Ofcscan\PCCSRV\web\service\ofcservice.exe
C:\WINNT\System32\locator.exe
D:\Program Files\Trend\Smex\svcGenericHost.exe
D:\Program Files\Trend\Smex\svcGenericHost.exe
D:\Program Files\Trend\Smex\SMEX_Master.exe
D:\Program Files\Trend\Smex\SMEX_SystemWatcher.exe
C:\WINNT\system32\MSTask.exe
D:\Ofcscan\PCCSRV\Web\Service\DbServer.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
D:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\TEMP\OS437E.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\modemshr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Exchsrvr\connect\msmcon\bin\mt.exe
C:\Program Files\Exchsrvr\bin\events.exe
D:\Program Files\Trend\Smex\SMEX_RemoteConfig.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\GuildFTPd\GuildFTPd.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus remover tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [Service] C:\WINNT\system32\smsx.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\System32\admin\admin.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: GuildFTPd FTP Deamon.lnk = C:\Program Files\GuildFTPd\GuildFTPd.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.0.1/...html/AtxEnc.cab
O16 - DPF: {8990AFAD-D352-42AC-A72F-A660BBF6E209} (OfficeScan Management Console) - http://unicoelec.uni.../AtxConsole.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://192.168.0.1/...html/AtxPie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unicoe.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971D310-FE97-4939-88D5-FA6D2D88E91E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unicoe.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971D310-FE97-4939-88D5-FA6D2D88E91E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = unicoe.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{1971D310-FE97-4939-88D5-FA6D2D88E91E}: NameServer = 192.168.0.1
O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent (cpqvcagent) - Compaq Computer Corporation - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EUQ_Monitor - Trend Micro Inc. - D:\Program Files\Trend\Smex\EUQ\EUQMonitor.exe
O23 - Service: EUQ_Setup - Trend Micro Inc. - D:\Program Files\Trend\Smex\EUQ\setupInstExchangeRule.exe
O23 - Service: Free Proxy Service (FreeProxy) - Unknown owner - C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - D:\Ofcscan\PCCSRV\web\service\ofcservice.exe
O23 - Service: ScanMail for Microsoft Exchange Master Service (ScanMail_Master) - Trend Micro Inc. - D:\Program Files\Trend\Smex\svcGenericHost.exe
O23 - Service: ScanMail for Microsoft Exchange Remote Configuration Server (ScanMail_RemoteConfig) - Trend Micro Inc. - D:\Program Files\Trend\Smex\svcGenericHost.exe
O23 - Service: ScanMail for Microsoft Exchange System Watcher (ScanMail_SystemWatcher) - Trend Micro Inc. - D:\Program Files\Trend\Smex\svcGenericHost.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: Compaq System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Uninterruptible Power Supply (UPS) - APC - D:\Program Files\Pwrchute\ups.exe
--
End of file - 9141 bytes
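Several of the O4 autostart entries in the log above carry names one glyph away from core Windows binaries (winIogon.exe with a capital I where winlogon.exe has an l, spoolsvc.exe beside spoolsv.exe, smsx.exe beside smss.exe) or a value name borrowed from a Windows component pointing at some other file ([Explorer] running System32\admin\admin.exe). The script below is an added example and is not part of the poster's log or of HijackThis; it parses the registry Run lines of a HijackThis report, folds confusable glyphs (I/l/1, O/0) before comparing names, and flags entries that collide with, or sit one edit away from, a short allowlist of system binaries that are never launched from a Run key. The allowlist, the confusable table and the helper names are assumptions chosen for illustration; the sample lines are copied from the post.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that the system starts itself, never through a Run
# key. Assumption: an illustrative allowlist, not an exhaustive one.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Glyphs that look alike in common fonts, folded to one representative so that
# "winIogon.exe" and "winlogon.exe" compare equal.  Assumption: minimal table.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

# HijackThis O4 registry-Run line:  O4 - HKLM\..\Run: [Value Name] command
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)

# Sample input: the O4 lines from the post above (constructed test data).
LOG_LINES = [
    r"O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe",
    r"O4 - HKLM\..\Run: [Service] C:\WINNT\system32\smsx.exe",
    r"O4 - HKLM\..\Run: [Explorer] C:\WINNT\System32\admin\admin.exe",
    r"O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spoolsvc.exe",
    r"O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe",
    r'O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow',
    r"O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')",
    r"O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')",
    r"O4 - Startup: GuildFTPd FTP Deamon.lnk = C:\Program Files\GuildFTPd\GuildFTPd.exe",
]


def canonical(name: str) -> str:
    """Lower-case a file name and fold confusable glyphs."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_name(cmd: str) -> str:
    """Basename of the program in a Run-value command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]
    else:
        # Cut at the first switch-like argument or HijackThis' "(User '...')" note.
        prog = re.split(r"\s+(?:-|/|\()", cmd, maxsplit=1)[0]
    return PureWindowsPath(prog).name


def classify(line: str):
    """Return (value name, exe, verdict) for an O4 registry-Run line, else None."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None
    exe = executable_name(m["cmd"])
    low, canon = exe.lower(), canonical(exe)
    canon_known = {canonical(s): s for s in SYSTEM_BINARIES}
    if low in SYSTEM_BINARIES:
        verdict = f"{low} is started by the system, never from a Run key"
    elif canon in canon_known:
        verdict = f"homoglyph of {canon_known[canon]}"
    else:
        near = sorted(s for s in SYSTEM_BINARIES if edit_distance(canon, canonical(s)) == 1)
        borrowed = m["value"].lower().removesuffix(".exe") + ".exe"
        if near:
            verdict = f"near-miss of {near[0]}"
        elif borrowed in SYSTEM_BINARIES and low != borrowed:
            verdict = f"value name borrows {borrowed} but runs {exe}"
        else:
            verdict = "ok"
    return m["value"], exe, verdict


def triage(lines):
    """All flagged (value, exe, verdict) triples, in log order."""
    results = [classify(line) for line in lines]
    return [r for r in results if r is not None and r[2] != "ok"]


if __name__ == "__main__":
    for value, exe, verdict in triage(LOG_LINES):
        print(f"[{value}] {exe}: {verdict}")
```

The glyph folding is what separates this from a plain string compare: without it, winIogon.exe is simply an unknown name. The near-miss rule only fires at distance one on purpose; widening it would start matching legitimate third-party names. Treat a hit as a reason to pull the file (hash, signature, timestamps) rather than as a verdict on its own.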