Windows 2000 Server Log

Old 05-14-2008, 02:11 PM   #1
Registered Member
 
Join Date: Apr 2008
Posts: 2
OS: 2000



Can someone take a look at this and let me know what they think? Thanks, Nicholas


Also, under the running processes it does not show in the scan, but in Task Manager there are like 50+ copies of csrss.exe running.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:31 PM, on 5/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
d:\Program Files\Bell & Howell\lmgrd.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
\D14MM441\BHDMS\Bellhowell.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\lserver.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wusvc.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\hphmon05.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\WINNT\system32\rdpclip.exe
d:\Program Files\Bell & Howell\TurboCon.exe
d:\Program Files\Bell & Howell\Zybis.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
d:\Program Files\Bell & Howell\TurboCon.exe
d:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
d:\Program Files\Bell & Howell\TurboCon.exe
d:\Program Files\Bell & Howell\Zybis.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HiJackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.starband.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsSpool] c:\winnt\system32\SystemSpool.dll /h
O4 - HKLM\..\Run: [SystemSpool.dll] c:\winnt\system32\SystemSpool.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1126\..\Run: [] (User 'Client1')
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1126\..\RunOnce: [*LogMeInRescue_0] "C:\Documents and Settings\Administrator\WINDOWS\LMI2.tmp\lmi_rescue.exe" -runonce reboot (User 'Client1')
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1128\..\Run: [] (User 'Client3')
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1128\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Client3')
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1133\..\Run: [] (User 'Client8')
O4 - HKUS\S-1-5-21-1202660629-1004336348-839522115-1133\..\RunOnce: [] (User 'Client8')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator\WINDOWS\web\related.htm (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rra...ingActiveX.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rra...X/RraainAX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = funmart.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = funmart.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = funmart.local
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - d:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Windows Update (wusvcd) - Unknown owner - C:\WINNT\system32\wusvc.exe
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
O24 - Desktop Component 0: (no name) - http://www.ktmservice.net/images/KTMWerk.gif
O24 - Desktop Component 1: (no name) - file:///C:/ktmservicenet/ktm/images/start.jpg
O24 - Desktop Component 2: (no name) - http://www.caedes.net/Zephir/tmpl/de...lay-little.gif

--
End of file - 12406 bytes

neckermann is offline  
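As an added example that is not part of the original post and not HijackThis code, the following Python runs a few triage checks a responder would apply to a log like the one above: core NT binaries loading from outside %SystemRoot%\system32, repeated process images (on a Terminal Server every logged-on session has its own csrss.exe and winlogon.exe, so a high count by itself is not a verdict), Internet Explorer proxied through the local host, Run entries that point at a .dll, and O23 services with no vendor name whose display name borrows a Windows component name. SAMPLE_LOG is a hand-picked subset of the lines in the post; SYSTEM_ROOT = C:\WINNT is assumed from the paths in the log, and every hit is a prompt to verify the file (hash, signature, parent process), not a malware determination.

```python
"""Triage heuristics over a HijackThis-style log (added example, not HijackThis code)."""
import re
from collections import Counter

# Assumed system root for the Windows 2000 box; taken from the paths in the log.
SYSTEM_ROOT = r"c:\winnt"
# NT core/session binaries that should only ever load from %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed subset of the posted log (lines copied from the post above).
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\wusvc.exe
C:\WINNT\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O4 - HKLM\..\Run: [MsSpool] c:\winnt\system32\SystemSpool.dll /h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O23 - Service: Windows Update (wusvcd) - Unknown owner - C:\WINNT\system32\wusvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# First executable-looking path in a Run command, quoted or not.
TARGET_RE = re.compile(r'^\s*"?(?P<path>.+?\.(?:exe|dll|cpl|scr|bat|cmd|com))\b', re.I)
# O23 layout: "Service: <display> - <owner> - <path>" (first " - " ends the display name).
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (section, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line closes the process list
                in_processes = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return processes, entries


def misplaced_core_binaries(processes):
    """Core NT binaries not loaded from %SystemRoot%\\system32: verify each one."""
    expected = SYSTEM_ROOT + "\\system32\\"
    return [p for p in processes
            if p.lower().rsplit("\\", 1)[-1] in CORE_BINARIES
            and not p.lower().startswith(expected)]


def process_counts(processes, threshold=2):
    """Image names with more than `threshold` instances (per-session images repeat legitimately)."""
    counts = Counter(p.lower().rsplit("\\", 1)[-1] for p in processes)
    return {name: n for name, n in counts.items() if n > threshold}


def loopback_proxies(entries):
    """ProxyServer values pointing at the local host: something local is in the browser's path."""
    hits = []
    for section, body in entries:
        if section == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if re.search(r"(127\.0\.0\.1|localhost):\d+", value):
                hits.append(value)
    return hits


def run_target(command):
    """First executable path in a Run command, with surrounding quotes removed."""
    m = TARGET_RE.match(command)
    return m.group("path") if m else ""


def dll_run_entries(entries):
    """O4 Run values whose target is a .dll rather than an executable."""
    return [body for section, body in entries
            if section == "O4" and "Run:" in body and "] " in body
            and run_target(body.split("] ", 1)[1]).lower().endswith(".dll")]


def unknown_owner_services(entries):
    """O23 services with no vendor in the file's version info; a Windows-sounding name gets a note."""
    hits = []
    for section, body in entries:
        m = SERVICE_RE.match(body) if section == "O23" else None
        if m and m.group("owner") == "Unknown owner":
            display = m.group("display")
            note = ("name mimics a Windows component"
                    if re.search(r"\b(windows|microsoft)\b", display, re.I)
                    else "no vendor in version info")
            hits.append((display, m.group("path"), note))
    return hits


def triage(text):
    """Run every check and return human-readable prompts for the responder (not verdicts)."""
    processes, entries = parse_log(text)
    findings = [f"core binary outside {SYSTEM_ROOT}\\system32: {p}"
                for p in misplaced_core_binaries(processes)]
    for name, n in sorted(process_counts(processes).items()):
        findings.append(f"{n} instances of {name}: confirm each one's parent and session")
    findings += [f"IE proxies through the local host: {v} (identify the listener)"
                 for v in loopback_proxies(entries)]
    findings += [f"Run entry targets a DLL: {body}" for body in dll_run_entries(entries)]
    findings += [f"service '{d}' -> {p} ({note}; check hash and signature)"
                 for d, p, note in unknown_owner_services(entries)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the full pasted log the same way; the loopback proxy on port 9877 and the "Windows Update (wusvcd)" service are the two items on this list that cannot be explained from the log alone and need the file and the listening process checked on the box itself.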
 
