Get list of processes, failing

#16 darth_ash (Member 1K, 1,382 posts)
You can download HijackThis from the following link:
http://www.geekstogo...n=download&id=3.
For instructions on using HijackThis refer:
http://www.geekstogo...?showtopic=2852.
(Go to Step FIVE there)
  • 0

#17 codecraig (Topic Starter, 61 posts)
Here is the hijack log
----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:20:10 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\craig\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113420104317
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://10.10.10.10/msrdp.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



thanks.
  • 0

#18 darth_ash (Member 1K, 1,382 posts)
Open Computer Management on both PCs:
(Start -> Run. Type: compmgmt.msc. Press <Enter>)

In the Computer Management window, in the left pane, click System Tools -> Shared Folders -> Shares.
Check if IPC$ and ADMIN$ are in the list.
If not, use the net use command to acquire those shares.
  • 0

#19 codecraig (Topic Starter, 61 posts)
Yes, they are both in the Shares folder for both machines.
  • 0

#20 codecraig (Topic Starter, 61 posts)
Note, I installed VMware and ran Win XP inside of it....this is on computerB, we'll call the VMware Win XP computerC (1.1.1.3)

Now from Computer A if I do...

tasklist /S 1.1.1.3 /U administrator /P password

I get the tasklist (of the Win XP VMware OS)......any idea what that means? It seems like VMware does something which allows it to work...any idea?

One other thing is that the computerC version of Win XP does not have Service Pack 2....could it be SP2?
  • 0

#21 darth_ash (Member 1K, 1,382 posts)
Let's see if the problem continues if we use another utility to list the tasks.
Download:
PsTools.
Use the PsList utility in it.
For details on usage of PsList, refer:
http://www.sysintern...ies/PsList.html

Edited by darth_ash, 25 August 2005 - 09:17 AM.

  • 0

#22 codecraig (Topic Starter, 61 posts)
Failed. Results:

C:\tools>pslist.exe -t \\1.1.1.2 -u administrator -p password

PsList 1.26 - Process Information Lister
Copyright © 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to take process snapshot on 1.1.1.2.
Make sure that the Remote Registry service is running on the remote system, that
you have firewall ports allow RPC access, and your account has read access the
following key on the remote system:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib

How can I ensure the key has read access? I have verified no firewall is running, and the Remote Registry service is running on both computers.

thanks
  • 0

#23 darth_ash (Member 1K, 1,382 posts)
To check the access rights for the Registry Key:
Open regedit.
Go to the registry key you mentioned in your previous post.
Right-click on it and in the context-menu click Permissions.
  • 0
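Added example, not code from the thread or from either poster: one script that works through the checks from posts #18, #22 and #23 against a single target and decodes the result, so the failing piece (SMB logon, logon policy, Remote Registry, Perflib ACL, or the performance-data read that PsList actually performs) is named rather than guessed. It assumes Windows PowerShell on the admin box, that 1.1.1.2 and administrator are the thread's placeholders, and that performance counter index 230 is the Process object (true on English Windows). One caveat worth knowing for any XP workgroup machine: if the LSA value ForceGuest is 1 (XP's "simple file sharing"), every network logon is mapped to the Guest account and the administrator password you supply is never evaluated, so the script reads that value explicitly.

```powershell
# Added example (not from the thread). Works through posts #18, #22 and #23 in
# one pass against one target: authenticated SMB session to IPC$/ADMIN$, the
# LSA values that decide how that logon is treated, and the three things
# PsList's error message asks for. Run in Windows PowerShell on the admin box.
# Assumptions: 1.1.1.2 and 'administrator' are the thread's placeholders;
# counter index 230 is the Process object (true for English Windows).
param(
    [string]$Target = '1.1.1.2',
    [string]$User   = 'administrator'
)

# Prompt for the password rather than passing it as "tasklist /P password":
# a literal password on the command line is visible to anyone who can list
# processes on the admin box. tasklist /P, PsList -p and net use all prompt
# when the value is omitted.
$cred  = Get-Credential -UserName $User -Message "Password for $User on $Target"
$plain = $cred.GetNetworkCredential().Password

# Win32 error numbers that "net use" prints as "System error NNN has occurred."
$errorText = @{
    5    = 'ERROR_ACCESS_DENIED: logon accepted, but this principal may not use the share'
    53   = 'ERROR_BAD_NETPATH: no SMB server reachable (address, firewall, Server service)'
    1326 = 'ERROR_LOGON_FAILURE: unknown user name or bad password'
    1327 = 'ERROR_ACCOUNT_RESTRICTION: e.g. blank password with LimitBlankPasswordUse=1'
    1385 = 'ERROR_LOGON_TYPE_NOT_GRANTED: account lacks "Access this computer from the network"'
}

function Connect-AdminShare {
    # Step 1 (post #18): tasklist /S and PsList both ride on an SMB session to
    # the hidden admin shares, so test that session directly with explicit
    # credentials and decode the error number instead of guessing.
    param([string]$Share)
    $out = & net.exe use "\\$Target\$Share" "/user:$User" $plain 2>&1 | Out-String
    if ($LASTEXITCODE -eq 0) { return "$Share OK" }
    $m = [regex]::Match($out, 'System error (\d+)')
    if (-not $m.Success) { return "$Share FAILED: $($out.Trim())" }
    $code = [int]$m.Groups[1].Value
    $why  = if ($errorText.ContainsKey($code)) { $errorText[$code] } else { "run: net helpmsg $code" }
    return "$Share FAILED: $code $why"
}

function Get-RemoteLsaPolicy {
    # Step 2: the two LSA values that silently change what a network logon
    # means. Read via the Remote Registry service, which reuses the IPC$
    # session from step 1 (OpenRemoteBaseKey cannot take its own credentials).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        [pscustomobject]@{
            # 1 = every network logon is mapped to Guest (XP "simple file
            #     sharing"), so the administrator password you type is ignored
            ForceGuest            = $lsa.GetValue('forceguest')
            # 1 = accounts with a blank password may only log on at the console
            LimitBlankPasswordUse = $lsa.GetValue('limitblankpassworduse')
        }
    } finally { $hklm.Close() }
}

function Test-PsListPrerequisites {
    # Step 3 (posts #22/#23): exactly what PsList's error text lists.
    $svc   = & sc.exe "\\$Target" query RemoteRegistry | Out-String
    $state = [regex]::Match($svc, 'STATE\s+:\s+\d+\s+(\w+)').Groups[1].Value

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    try {
        # Who may read Perflib; the account from step 1 must be covered,
        # directly or through a group such as Administrators.
        $perflib = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib')
        $rules   = $perflib.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $acl     = $rules | ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }
    } finally { $hklm.Close() }

    # The real test: HKEY_PERFORMANCE_DATA is the hive PsList reads to build
    # its process list, so reading it remotely is "taking the process snapshot".
    $perf = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('PerformanceData', $Target)
    try   { $snapshot = "$(($perf.GetValue('230')).Length) bytes of Process counter data" }
    catch { $snapshot = "FAILED: $($_.Exception.Message)" }
    finally { $perf.Close() }

    [pscustomobject]@{ RemoteRegistry = $state; PerflibAcl = ($acl -join '; '); ProcessSnapshot = $snapshot }
}

Connect-AdminShare 'IPC$'
Connect-AdminShare 'ADMIN$'
try   { Get-RemoteLsaPolicy; Test-PsListPrerequisites }
catch { "Remote Registry step failed: $($_.Exception.Message)" }
# Drop the sessions so the credentials do not stay cached on the admin box.
& net.exe use "\\$Target\IPC$"   /delete /y 2>&1 | Out-Null
& net.exe use "\\$Target\ADMIN$" /delete /y 2>&1 | Out-Null
```

Read the output in order: if IPC$ already fails with 1326 the problem is the logon itself and nothing after it matters; if IPC$ succeeds but ForceGuest is 1, the session is a Guest session regardless of the name you typed, and both the Perflib read and the performance-data read will be refused. Note that the Remote Registry service hands the LSA policy and the full performance-counter tree to any account it accepts, which is why locking it down (or leaving it stopped) is normal hardening on machines that do not need remote administration.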

#24 codecraig (Topic Starter, 61 posts)
Well, the key has "Full Control" and "Read" as allowed...for Administrators, so I guess the PsList tool is missing something else.
  • 0

#25 gerryf (Retired Staff, 11,365 posts)
Let's think this through here

VMware uses a virtual connection to communicate, so a tasklist command will interface through that and be unaffected by any barrier at the physical level

Looking at your hijack log, I wonder if Norton's AV programs could be interfering, since they run at a very basic level and are in memory; perhaps they are preventing the activity. I would disable it and see if the behavior changes.

I also note the following

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://10.10.10.10/msrdp.cab

These are Windows XP machines with Remote Desktop built in, why did you load the Remote Desktop client that you use for pre-Windows XP machines?

Also, I note

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


This is a packet capture protocol that operates very low in the OSI stack (level 2? Cannot recall). Could the installation of this be causing the issue? I see it was removed/missing....when was it installed and how was it removed?
  • 0

#26 codecraig (Topic Starter, 61 posts)
I unloaded the Symantec AV client and stopped all Symantec* services....no change.

The remote desktop thing is because of an application I accessed via a web browser which did remote desktop, and must have loaded that file.

As far as WinPcap, that is used for numerous things, including Ethereal. Anyhow, I have re-installed WinPcap, and HijackThis still says "file missing"....so I uninstalled WinPcap, and that message is now gone from the HijackThis log.

I tried running tasklist again, still get the same error
"ERROR: Logon failure: unknown user name or bad password."

Any other ideas?
  • 0

#27 codecraig (Topic Starter, 61 posts)
Not sure if this helps to explain anything, but I tried creating a small VBScript using WMI...

strComputer = "1.1.1.2"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

..and it fails, saying..

"Microsoft VBScript runtime error: Permission denied: 'GetObject' "

...which seems weird as well....may not have anything to do with it, but just thought I'd add it just in case.
  • 0
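Added example, not code from the thread or from the poster. The VBScript above connects with GetObject("winmgmts:\\host"), which always uses the interactive user's own logon on the admin box: the administrator/password given to tasklist never reaches the target over WMI, and in a workgroup (where that local account and password usually do not exist on the other machine) the result is exactly the "Permission denied" seen. The two functions below make the same Win32_Process query with explicit credentials, once through Get-WmiObject and once through the same SWbemLocator COM object the VBScript could use, and they separate an authorization failure from a DCOM transport failure by HRESULT. Assumptions: Windows PowerShell 5.1 (Get-WmiObject was removed in PowerShell 7), and 1.1.1.2 and administrator are the thread's placeholders.

```powershell
# Added example (not from the thread). GetObject("winmgmts:\\host") in the
# posted VBScript uses the caller's own logon; connect with explicit
# credentials instead and tell "not allowed" apart from "not reachable".
# Assumptions: Windows PowerShell 5.1; 1.1.1.2 / 'administrator' are the
# thread's placeholders.
param(
    [string]$Target = '1.1.1.2',
    [string]$User   = 'administrator'
)
$cred = Get-Credential -UserName $User -Message "Password for $User on $Target"

function Get-RemoteProcessList {
    # WMI over DCOM with an explicit credential: the same Win32_Process query
    # the VBScript would have gone on to run. -Credential is refused for the
    # local machine, so this only works against a remote target.
    param([string]$Computer, [pscredential]$Credential)
    try {
        $procs = Get-WmiObject -Class Win32_Process -ComputerName $Computer `
                               -Credential $Credential -ErrorAction Stop
        return $procs | Select-Object ProcessId, Name, CommandLine
    } catch [System.UnauthorizedAccessException] {
        # 0x80070005 E_ACCESSDENIED: authenticated, but not allowed to use WMI
        # (wrong local account, Guest mapping, missing DCOM remote-activation
        # rights on the target)
        throw "WMI access denied on ${Computer}: $($_.Exception.Message)"
    } catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA RPC_S_SERVER_UNAVAILABLE: the DCOM endpoint mapper
        # (TCP 135) or the dynamic RPC port is blocked, or the host is down
        throw ('DCOM/RPC failure on {0}: 0x{1:X8} {2}' -f $Computer,
               $_.Exception.HResult, $_.Exception.Message)
    }
}

function Connect-WmiWithCredentials {
    # The one-line fix for the posted VBScript: SWbemLocator.ConnectServer
    # takes the user name and password that GetObject("winmgmts:...") cannot.
    param([string]$Computer, [pscredential]$Credential)
    $locator = New-Object -ComObject WbemScripting.SWbemLocator
    $svc = $locator.ConnectServer($Computer, 'root\cimv2',
                                  $Credential.UserName,
                                  $Credential.GetNetworkCredential().Password)
    $svc.ExecQuery('SELECT ProcessId, Name FROM Win32_Process') |
        ForEach-Object { '{0,6}  {1}' -f $_.ProcessId, $_.Name }
}

Get-RemoteProcessList -Computer $Target -Credential $cred | Format-Table -AutoSize
Connect-WmiWithCredentials -Computer $Target -Credential $cred
```

Two caveats for the target side. The ForceGuest setting that turns SMB logons into Guest sessions does the same to DCOM logons, so a WMI "access denied" and a tasklist "logon failure" can share one cause. And on an XP SP2 machine with Windows Firewall enabled, WMI needs the Remote Administration exception (netsh firewall set service RemoteAdmin enable, run on the target), which the poster says is not in play here because no firewall is running.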

#28 gerryf (Retired Staff, 11,365 posts)
Basically, it is telling you what the others are: that it cannot access the other PC.

Have you tried to rebuild the IP stack? I just see no reason this is not working. You're doing everything correctly. Sometimes, it's just a deep Windows config problem that is manifesting itself oddly.
  • 0

#29 codecraig (Topic Starter, 61 posts)
"Have you rebuilt the IP stack".....no, what do you suggest? Using Ethereal or something?

thanks
  • 0

#30 gerryf (Retired Staff, 11,365 posts)
If SP2:
Start > Run
netsh winsock reset
<Enter>
  • 0