Edited by Shane23, 15 April 2004 - 10:44 AM.
Windows 2000 Server
Started by
Shane23
, Apr 15 2004 10:42 AM
#1
Posted 15 April 2004 - 10:42 AM
#2
Posted 15 April 2004 - 10:52 AM
Hey Shane,
I know you have posted before, but let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.
Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.
Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
ditto
I know you have posted before, but let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.
Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.
Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
ditto
#3
Posted 15 April 2004 - 12:19 PM
Logfile of HijackThis v1.97.7
Scan saved at 1:36:18 PM, on 4/15/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frontrange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.frontrange.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517D4788-E47C-405D-A4AB-379BBDC445AC}: NameServer = 207.191.50.10,207.191.1.10
Scan saved at 1:36:18 PM, on 4/15/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frontrange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.frontrange.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517D4788-E47C-405D-A4AB-379BBDC445AC}: NameServer = 207.191.50.10,207.191.1.10
#4
Posted 15 April 2004 - 04:10 PM
At a quick glance I see the Xabot worm:
O4 - HKLM\..\Run: [SysInit] wininit32.exe
More info on Xabot:
http://securityrespo...xabot.worm.html
Try this free online virus scan:
http://housecall.tre.../start_corp.asp
When finshed, reboot your computer. Then go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
C:\WINNT\system32\mshta.exe
(This is a dialer, it attempts to dial an oversees number for Internet access and bill the charges to you).
These are suspicious. Do you know what they're for? If not, remove.
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
This entry could also be as result of a virus: Leave for now.
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
Reboot your PC.
If you would please, rescan with HijackThis and post a fresh log.
O4 - HKLM\..\Run: [SysInit] wininit32.exe
More info on Xabot:
http://securityrespo...xabot.worm.html
Try this free online virus scan:
http://housecall.tre.../start_corp.asp
When finshed, reboot your computer. Then go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
C:\WINNT\system32\mshta.exe
(This is a dialer, it attempts to dial an oversees number for Internet access and bill the charges to you).
These are suspicious. Do you know what they're for? If not, remove.
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
This entry could also be as result of a virus: Leave for now.
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
Reboot your PC.
If you would please, rescan with HijackThis and post a fresh log.
#5
Posted 16 April 2004 - 09:16 AM
Logfile of HijackThis v1.97.7
Scan saved at 10:30:42 AM, on 4/16/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frontrange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.frontrange.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517D4788-E47C-405D-A4AB-379BBDC445AC}: NameServer = 207.191.50.10,207.191.1.10
Scan saved at 10:30:42 AM, on 4/16/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\System32\CAPM1RSK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frontrange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DrvManger] rundll32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.frontrange.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517D4788-E47C-405D-A4AB-379BBDC445AC}: NameServer = 207.191.50.10,207.191.1.10
#6
Posted 16 April 2004 - 02:44 PM
Did removing the dialer cure the problem?
If not, try these tools:
http://housecall.trendmicro.com/
http://www.moosoft.com/
If not, try these tools:
http://housecall.trendmicro.com/
http://www.moosoft.com/
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users