[darth_ash]

You can download HijackThis from the following link:
http://www.geekstogo...n=download&id=3.
For instructions on using HijackThis refer:
http://www.geekstogo...?showtopic=2852.
(Goto Step FIVE there)

[Advertisements]

Here is the hijack log
----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:20:10 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\craig\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113420104317
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://10.10.10.10/msrdp.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



thanks.

[codecraig]

Here is the hijack log
----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:20:10 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\craig\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113420104317
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://10.10.10.10/msrdp.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



thanks.

[darth_ash]

Open Computer Managenment on both PCs:
(Start -> Run. Type: compmgmt.msc. Press <Enter>)

In Computer Managenment window, in the left-pane, click System Tools -> Shared Folders -> Shares.
Check if IPC$ and ADMIN$ are in the list.
If not, use the net use command to acquire those shares.

[codecraig]

yes they are both in the shares folder for both machines

[codecraig]

Note, I installed VMWare and ran Win XP inside of it....this is on computerB, we'll call the VMWare Win XP computerC (1.1.1.3)

Now from Computer A if I do...

tasklist /S 1.1.1.3 /U administrator /P password

i get the tasklist (of the win xp vmware OS)......any idea what that means? it seems like VMWare does something which allows it work...any idea?

one other thing is that the computerC version of win xp does not have service pack2 ....could it be SP2?

[darth_ash]

Lets see the problem continues if we use another utility to list the tasks.
Download:
PsTools.
Use the PsList utility in it.
For details on usage of PsList, refer:
http://www.sysintern...ies/PsList.html

Edited by darth_ash, 25 August 2005 - 09:17 AM.

[codecraig]

Failed. Results:

C:\tools>pslist.exe -t \\1.1.1.2 -u administrator -p password

PsList 1.26 - Process Information Lister
Copyright © 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to take process snapshot on 1.1.1.2.
Make sure that the Remote Registry service is running on the remote system, that
you havefirewall ports allow RPC access, and your account has read access the f
ollowing key on the remote system:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib

how can i ensure the key has read access? I have verified no firewall is running, and the Remote Registry service is running on both computers.

thanks

[darth_ash]

To check the access rights for the Registry Key:
Open regedit.
Goto the registry key you mentioned in your previous post.
Right-click on it and in the context-menu click Permissions.

[codecraig]

well the key has "Full Control" and "Read" as allowed...for administrators, so i guess the PsList tool is missing something else.

[gerryf]

Let's think this through here

VMware uses a virtual connection to communicate, so a tasklist command will interface through that and be unaffected by any barrier at the physical level

Looking at your hijacklog, i wonder if Norton's AV programs could be interfering, since they run at a very basic level and are in memory-perhaps they are preventing the activity..I would disable it and see if the behavior changes

I also note the following

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://10.1 0.10.10/msrdp.cab

THese are Windows XP machines with remote desktop built in, why did you load the remote desktop client that you use for pre-windowsxp machines?

Also, I note

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

This is a packet capture protocol that operates very low in the OSI stack (level 2? Cannot recall). Could the installation of this be causing the issue? I see it was removed/missing....when was it installed and how was it removed?

[codecraig]

I unloaded the Symantec AV client and stopped all Symantec* services....no change.

The remote desktop thing is because of an application I accessed via a web browser which did remote desktop, and must have loaded that file.

As far as winpcap, that is used for numerous things, including Ethereal. Anyhow, I have re-installed WinPCap, and hijack still says "file missing"....so I uninstalled WinPCap, and that message is now gone from the hijack log.

I tried running tasklist again, still get the same error
"ERROR: Logon failure: unknown user name or bad password."

Any other ideas?

[codecraig]

not sure if this helps to explain anything, but I tried creating a small VBScript using WMI...

strComputer = "1.1.1.2"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

..and it fails, saying..

"Microsoft VBScript runtime error: Permission denied: 'GetObject' "

...which seems weird as well....may not have anything to do with it, but just thought I'd add it just in case.

[gerryf]

basically telling you what the others are---that it cannot access the other PC..

Have you tried to rebuilt the ipstack....I just see no reason this is not working. You're doing everything correctly. Sometimes, it's just a deep windows config problem that is manifesting itself oddly.

[codecraig]

"have you rebuilt the ipstack".....no, what do you suggest? using ethereal or somethign?

thanks

[gerryf]

if sp2
start > run
netsh winsock reset
<enter>