
Hijacked server 2000 SBS

1822 Views 1 Reply 2 Participants Last post by  MicroBell
Dear all, please could you take a look at this log for me?


Logfile of HijackThis v1.99.1
Scan saved at 17:24:19, on 21/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Sophos\Control Center\LMSessn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\POPcon\POPconSrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\Control Center\Sdbnsrvc.exe
C:\Program Files\Sophos\Control Center\Library\bin\SchdSrvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Control Center\CertificationManagerServiceNT.exe
C:\Program Files\Sophos\Control Center\SbeMss.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Remote Management System\ALCAgent.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Anvshell.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\system32\isasse.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Anvshell] C:\WINNT\Anvshell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [MSControl3d1] isasse.exe
O4 - HKLM\..\Run: [WindowsUpdate] "C:\Documents and Settings\Administrator\svchostss.exe"
O4 - HKLM\..\RunServices: [MSControl3d1] isasse.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127315553437
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jtc.bex.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{99BD4271-16A0-454C-8AD5-16D85F906803}: NameServer = 192.168.1.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jtc.bex.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jtc.bex.org
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Sophos Session Manager (LMSessn) - TODO: <Company name> - C:\Program Files\Sophos\Control Center\LMSessn.exe
O23 - Service: Microsoft Connector for POP3 Mailboxes (MSPOP3Connector) - Unknown owner - C:\Program Files\Microsoft BackOffice\Connectivity\POP3 Connector\vmimb.exe" /SERVICE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: POPcon: Exchg-POP3 connector (POPcon) - Christensen Software - C:\Program Files\POPcon\POPconSrv.exe
O23 - Service: Sophos Database Notification Service (sdbnsrvc) - Sophos Plc - C:\Program Files\Sophos\Control Center\Sdbnsrvc.exe
O23 - Service: Sophos Enterprise Manager Scheduler (SEMScheduler) - Unknown owner - C:\Program Files\Sophos\Control Center\Library\bin\SchdSrvc.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ALCAgent.exe" -service -name ALC (file missing)
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router (file missing)
O23 - Service: Sophos SBE Certification Manager - SOPHOS Plc - C:\Program Files\Sophos\Control Center\CertificationManagerServiceNT.exe
O23 - Service: Sophos SBE ManagementService - Sophos Plc - C:\Program Files\Sophos\Control Center\SbeMss.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS

PS: I don't have easy access to this server; the next time I visit I need to be able to clean it.

TIA steve
Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it is installed in its own folder on the root drive (C:\HJT).

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [WindowsUpdate] "C:\Documents and Settings\Administrator\svchostss.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
C:\Documents and Settings\Administrator\svchostss.exe <--delete that file.

Reboot back to normal Windows...

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log and the info about the file below...

Please visit this website - http://virusscan.jotti.org/
Submit these file(s) for a comprehensive scan and then post the results back here:

C:\WINNT\system32\isasse.exe
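As an added example (not from the original thread or from HijackThis itself), a small Python script that parses HijackThis O4 autorun lines and flags the review triggers visible in this log: an HKLM autorun launching a file from a user profile, bare filenames with no fixed path, entries under the RunServices key, and filenames that imitate a Windows process name (svchostss versus svchost). The sample lines are copied from the log above; the heuristics are assumptions for illustration, not HijackThis's own logic.

```python
import re

# Constructed sample input: O4 autorun lines in HijackThis's format, copied from the log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSControl3d1] isasse.exe
O4 - HKLM\..\Run: [WindowsUpdate] "C:\Documents and Settings\Administrator\svchostss.exe"
O4 - HKLM\..\RunServices: [MSControl3d1] isasse.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
"""
REG_LINE = re.compile(r"^O4 - (\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
STARTUP_LINE = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.*)$")
# Process names that malware commonly imitates by adding or swapping characters (assumed list).
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")

def parse_o4(line):
    """Return (location, entry name, command) for an O4 line, or None for anything else."""
    m = REG_LINE.match(line)
    if m:
        return (m.group(1) + "\\" + m.group(2), m.group(3), m.group(4))
    m = STARTUP_LINE.match(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def suspicious_reasons(location, command):
    """Heuristic review triggers for one autorun entry; a trigger is not a malware verdict."""
    cmd = command.strip()
    # Executable part of the command line, honouring a quoted path with spaces.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    stem = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    reasons = []
    if "\\documents and settings\\" in cmd.lower():
        reasons.append("launches a file stored in a user profile")
    if "\\" not in exe:
        reasons.append("bare filename resolved via PATH search, not a fixed path")
    if location.endswith("RunServices"):
        reasons.append("RunServices is a Windows 9x key, unusual on Windows 2000")
    if any(s in stem and s != stem for s in SYSTEM_STEMS):
        reasons.append("filename '%s' imitates a Windows system process" % stem)
    return reasons

def review_o4(text):
    """Return [(name, command, reasons)] for every O4 entry that trips a heuristic."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        reasons = suspicious_reasons(parsed[0], parsed[2]) if parsed else []
        if reasons:
            findings.append((parsed[1], parsed[2], reasons))
    return findings
```

Bare-filename hits (the rundll32 and internat entries) are expected noise: they mean the reviewer still has to locate the actual file on disk, which is why the reply above asks for isasse.exe to be submitted for scanning.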