problems with malware

Thread starter: jdrott1 (Guest)
I've been having a lot of trouble with my server trying to log in to
terminal services. One minute it works fine and the next we can't get
in. After about an hour it will start working fine. Can someone
check through the HijackThis log to see if something is wrong or
something is making me have a denial of service?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:58 PM, on 2/21/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AntiVirusKit InternetSecurity\Firewall\GDFwSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AntiVirusKit InternetSecurity\AVKTray\AVKTray.exe
C:\Program Files\AntiVirusKit InternetSecurity\Firewall\GDFirewallTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AntiVirusKit InternetSecurity\AVKTray\AVKTray.exe
C:\Program Files\Online Backup\OnlineBackup.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirusKit InternetSecurity\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1708537768-1303643608-839522115-1011\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: G DATA Firewall Tray.lnk = C:\Program Files\AntiVirusKit InternetSecurity\Firewall\GDFirewallTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175358834078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175775957375
O17 - HKLM\System\CCS\Services\Tcpip\..\{77C7ACF2-6FAD-4DFD-AEC0-1CB435B7143E}: NameServer = 207.230.75.48,207.230.75.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{77C7ACF2-6FAD-4DFD-AEC0-1CB435B7143E}: NameServer = 207.230.75.48,207.230.75.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{77C7ACF2-6FAD-4DFD-AEC0-1CB435B7143E}: NameServer = 207.230.75.48,207.230.75.50
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G DATA Personal Firewall (GDFwSvc) - Unknown owner - C:\Program Files\AntiVirusKit InternetSecurity\Firewall\GDFwSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe

--
End of file - 5157 bytes
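The log above is in the standard HijackThis v2.0.2 layout: a header, a "Running processes:" list, then one entry per line tagged with a section code (O2 BHOs, O4 autoruns, O15 trusted zones, O17 DNS servers, O18 protocol handlers, O23 services, and so on). As an added example that is not part of this thread, the following Python script parses that layout and pulls out the items a reviewer checks first: services whose owner field is "Unknown owner", handlers flagged "(file missing)", the configured NameServer addresses, and any Trusted Zone entries, plus whether termsrv.exe appears in the process list. The embedded sample is constructed from a subset of the entries posted above; the script reports, it does not judge what is or is not malware.

```python
"""Triage helper for a HijackThis v2.0.2 log (added example, not part of the
thread). Parses the "Running processes:" list and the Oxx entries, then
collects the fields a reviewer looks at first."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:58 PM, on 2/21/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\termsrv.exe
C:\\WINNT\\system32\\rdpclip.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{77C7ACF2-6FAD-4DFD-AEC0-1CB435B7143E}: NameServer = 207.230.75.48,207.230.75.50
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINNT\\system32\\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\\Program Files\\Common Files\\G DATA\\AVKProxy\\AVKProxy.exe
"""

# Every entry line starts with a section code such as "O23 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Return (running_processes, entries) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Collect the review-first fields; returns a dict of findings."""
    processes, entries = parse_log(text)
    findings = {
        "unknown_owner_services": [],
        "missing_files": [],
        "nameservers": set(),
        "trusted_zones": [],
        # termsrv.exe present means Terminal Services is actually running
        "terminal_services_running": any(
            p.lower().endswith("\\termsrv.exe") for p in processes),
    }
    for e in entries:
        if e.section == "O23" and " - Unknown owner - " in e.body:
            # O23 body: "Service: <name> - <owner> - <path>"; keep the path
            findings["unknown_owner_services"].append(e.body.split(" - ")[-1])
        if "(file missing)" in e.body:
            findings["missing_files"].append(e.body)
        if e.section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", e.body)
            if m:
                findings["nameservers"].update(m.group(1).split(","))
        if e.section == "O15":
            findings["trusted_zones"].append(
                e.body.replace("Trusted Zone: ", "", 1))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved log by reading the file into `triage()` instead of `SAMPLE_LOG`. "Unknown owner" only means the service binary carried no vendor field HijackThis recognised, so each hit still needs to be checked against the installed software list; the NameServer addresses are worth comparing with what the DHCP server or the ISP is expected to hand out.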
 
Re: problems with malware

We do not interpret HijackThis logs in public newsgroups.

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


jdrott1 wrote:
> I've been having a lot of trouble with my server trying to log in to
> terminal services. One minute it works fine and the next we can't get
> in. After about an hour it will start working fine. Can someone
> check through the HijackThis log to see if something is wrong or
> something is making me have a denial of service?

<snip>
 