I have recently been getting enormous bandwidth spikes, usually late at night, on my Windows 2000 web server. A couple of weeks ago I tried everything in the Malware Removal Checklist on this forum, and it appeared to help. But it has started again. The only thing I came across was my McAfee Anti-Virus found SQLSlammer.worm - but it was in a BlackIce log file (*.enc). I have since learned that BlackIce logs info about the worm when it attacks that McAfee can misinterpret as an infection. Regardless, I removed it. In any case, I have gone through all the steps again in this forum, and as far as I can tell I am clean. So below is my HijackThis log - any help would be deeply appreciated.
Thank you!!!
Logfile of HijackThis v1.99.1
Scan saved at 12:04:45 AM, on 10/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMGR.EXE
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\MailSite\HTTPMA.EXE
D:\Program Files\MailSite\LDAP3A.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
D:\Program Files\MailSite\POP3A.EXE
C:\Program Files\Dell\OpenManage\RAC\MN\racsrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
D:\Program Files\MailSite\SMTPDA.EXE
D:\Program Files\MailSite\SMTPRA.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\PROGRA~1\WEBTRE~1\wtrs_ui.exe
D:\PROGRA~1\WEBTRE~1\wtrs.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
C:\Program Files\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
D:\Program Files\MailSite\IMAP4A.EXE
D:\Program Files\MailSite\MAILMA.EXE
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\logon.scr
C:\downloads\hijack\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Microsoft Office] c:\winnt\system32\telnet.bat
O4 - Global Startup: BlackICE Server Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0075546E-5D3D-11D2-A3E5-0060971304D8} (WTX_Installer Class) - http://www.webtrends...ls/v5.4/Microsoft/wtx_setup.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...n/x86/client/wuweb_site.cab?1124126100718
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...rendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 44keys.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE65B9D7-C340-4F40-9BE3-C766B2FD6F5F}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F051CF-8613-44F9-A6DA-568DD799DA32}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F52FA86C-C2D0-4346-9A5E-5A4DB8A14972}: NameServer = 64.70.0.135,204.70.127.127,204.70.127.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 44keys.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 44keys.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG System (avg) - Unknown owner - c:\winnt\system32\avg.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CIO Array Management Service 4.01 (CIOArrayManagement) - Adaptec, Inc. - C:\Program Files\Dell\OpenManage\ihv\CIO\IOMGR.EXE
O23 - Service: CIOArrayManager RPC Command - Unknown owner - C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
O23 - Service: CIOArrayManager RPC Event - Unknown owner - C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
O23 - Service: CIO Event Notifier (CIOEventNotifier) - Unknown owner - C:\Program Files\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MailSite HTTP Management Agent (HTTPMA) - Rockliffe Systems, Inc - D:\Program Files\MailSite\HTTPMA.EXE
O23 - Service: MailSite IMAP4 Server (IMAP4A) - Rockliffe Systems, Inc - D:\Program Files\MailSite\IMAP4A.EXE
O23 - Service: MailSite LDAP Directory Server (LDAP3A) - Rockliffe Systems, Inc. - D:\Program Files\MailSite\LDAP3A.EXE
O23 - Service: MailSite Mail Management Server (MAILMA) - Rockliffe Systems, Inc - D:\Program Files\MailSite\MAILMA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINNT\system32\netdded.exe
O23 - Service: NobleNet Portmapper - Unknown owner - C:\Program Files\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
O23 - Service: Persits Software EmailAgent - Unknown owner - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe" /run (file missing)
O23 - Service: Stateless Packet Filtering (PktFilter) - Unknown owner - C:\WINNT\system32\pktfltsrv.exe
O23 - Service: MailSite POP3 Server (POP3A) - Rockliffe Systems, Inc - D:\Program Files\MailSite\POP3A.EXE
O23 - Service: Remote Access Controller (RAC) Service (RACSRVC) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\RAC\MN\racsrvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Routing Table Service (r_server) - Unknown owner - C:\WINNT\system32\rasvc32.exe" /service (file missing)
O23 - Service: Server Administrator - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: MailSite SMTP Delivery Agent (SMTPDA) - Rockliffe Systems, Inc - D:\Program Files\MailSite\SMTPDA.EXE
O23 - Service: MailSite SMTP Receiver (SMTPRA) - Rockliffe Systems, Inc - D:\Program Files\MailSite\SMTPRA.EXE
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WebTrends Reporting UI (wtinterface) - Unknown owner - D:\PROGRA~1\WEBTRE~1\wtrs_ui.exe
O23 - Service: WebTrends Reporting Center (wtrs) - WebTrends Corp. - D:\PROGRA~1\WEBTRE~1\wtrs.exe