Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help with unidentifiable bandwidth spike


  • Please log in to reply

#1
ignatious

ignatious

    New Member

  • Member
  • Pip
  • 1 posts
Hello,

I have recently been getting enormous bandwidth spikes, usually late at night, on my Windows 2000 web server. A couple weeks ago I tried everything in the Malware Removal Checklist on this forum, and it appeared to help. But it has started again. The only thing I came across was my McAfee Anti-Virus found SQLSlammer.worm - but it was in a BlackIce log file (*.enc). I have since learned that BlackIce logs info about the worm when it attacks that McAfee can misinterpret as an infection. Regardless, I removed it. In any case, I have went through all the steps again in this forum, and as far as I can tell I am clean. So below is my Hijack This log - any help would be deeply appreciated.

Thank you!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:04:45 AM, on 10/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMGR.EXE
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\MailSite\HTTPMA.EXE
D:\Program Files\MailSite\LDAP3A.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
D:\Program Files\MailSite\POP3A.EXE
C:\Program Files\Dell\OpenManage\RAC\MN\racsrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
D:\Program Files\MailSite\SMTPDA.EXE
D:\Program Files\MailSite\SMTPRA.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\PROGRA~1\WEBTRE~1\wtrs_ui.exe
D:\PROGRA~1\WEBTRE~1\wtrs.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
C:\Program Files\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
C:\Program Files\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
D:\Program Files\MailSite\IMAP4A.EXE
D:\Program Files\MailSite\MAILMA.EXE
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\logon.scr
C:\downloads\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -

{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network

Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Microsoft Office] c:\winnt\system32\telnet.bat
O4 - Global Startup: BlackICE Server Protection.lnk = C:\Program

Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O16 - DPF: {0075546E-5D3D-11D2-A3E5-0060971304D8} (WTX_Installer Class)

-

http://www.webtrends...ls/v5.4/Microso

ft/wtx_setup.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -

http://support.dell....iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.micros...n/x86/client/wu

web_site.cab?1124126100718
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...rendmicro.com/h

ousecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI

Registry Information Class) -

http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 44keys.net
O17 -

HKLM\System\CCS\Services\Tcpip\..\{EE65B9D7-C340-4F40-9BE3-C766B2FD6F5F}

: NameServer = 127.0.0.1
O17 -

HKLM\System\CCS\Services\Tcpip\..\{F0F051CF-8613-44F9-A6DA-568DD799DA32}

: NameServer = 127.0.0.1
O17 -

HKLM\System\CCS\Services\Tcpip\..\{F52FA86C-C2D0-4346-9A5E-5A4DB8A14972}

: NameServer = 64.70.0.135,204.70.127.127,204.70.127.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 44keys.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 44keys.net
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG System (avg) - Unknown owner -

c:\winnt\system32\avg.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program

Files\ISS\BlackICE\blackd.exe
O23 - Service: CIO Array Management Service 4.01 (CIOArrayManagement) -

Adaptec, Inc. - C:\Program Files\Dell\OpenManage\ihv\CIO\IOMGR.EXE
O23 - Service: CIOArrayManager RPC Command - Unknown owner - C:\Program

Files\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
O23 - Service: CIOArrayManager RPC Event - Unknown owner - C:\Program

Files\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
O23 - Service: CIO Event Notifier (CIOEventNotifier) - Unknown owner -

C:\Program Files\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) -

Dell Computer Corporation. - C:\Program

Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer

Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MailSite HTTP Management Agent (HTTPMA) - Rockliffe

Systems, Inc - D:\Program Files\MailSite\HTTPMA.EXE
O23 - Service: MailSite IMAP4 Server (IMAP4A) - Rockliffe Systems, Inc -

D:\Program Files\MailSite\IMAP4A.EXE
O23 - Service: MailSite LDAP Directory Server (LDAP3A) - Rockliffe

Systems, Inc. - D:\Program Files\MailSite\LDAP3A.EXE
O23 - Service: MailSite Mail Management Server (MAILMA) - Rockliffe

Systems, Inc - D:\Program Files\MailSite\MAILMA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network

Associates, Inc. - C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network

Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network

Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\VsTskMgr.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program

Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner -

C:\WINNT\system32\netdded.exe
O23 - Service: NobleNet Portmapper - Unknown owner - C:\Program

Files\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
O23 - Service: Persits Software EmailAgent - Unknown owner - C:\Program

Files\Persits Software\AspEmail\BIN\EmailAgent.exe" /run (file missing)
O23 - Service: Stateless Packet Filtering (PktFilter) - Unknown owner -

C:\WINNT\system32\pktfltsrv.exe
O23 - Service: MailSite POP3 Server (POP3A) - Rockliffe Systems, Inc -

D:\Program Files\MailSite\POP3A.EXE
O23 - Service: Remote Access Controller (RAC) Service (RACSRVC) - Dell

Computer Corporation - C:\Program

Files\Dell\OpenManage\RAC\MN\racsrvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program

Files\ISS\BlackICE\rapapp.exe
O23 - Service: Routing Table Service (r_server) - Unknown owner -

C:\WINNT\system32\rasvc32.exe" /service (file missing)
O23 - Service: Server Administrator - Dell Computer Corporation -

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: MailSite SMTP Delivery Agent (SMTPDA) - Rockliffe

Systems, Inc - D:\Program Files\MailSite\SMTPDA.EXE
O23 - Service: MailSite SMTP Receiver (SMTPRA) - Rockliffe Systems, Inc

- D:\Program Files\MailSite\SMTPRA.EXE
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp.

- C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WebTrends Reporting UI (wtinterface) - Unknown owner -

D:\PROGRA~1\WEBTRE~1\wtrs_ui.exe
O23 - Service: WebTrends Reporting Center (wtrs) - WebTrends Corp. -

D:\PROGRA~1\WEBTRE~1\wtrs.exe
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP