
This is my first time using this forum. I need help to resolve my Win NT server performance problem, which I suspect is because of an unwanted script, virus, Trojan, spyware, malware, etc. running on the server. I am still unable to detect what virus has affected the server. I have scanned with the AVG trial version and managed to clean/quarantine several trojans and adware. However, the problem still occurs. The server's performance becomes unstable once there is an unknown process running in the background - "CMD.exe". This process can't be killed using the normal Windows Task Manager; however, I managed to kill it using ProcViewer. Once it is killed, the CPU resource usage becomes stable again, until after some time it happens again. If you need the screen capture of the Task Manager I will forward that later.
Please find the following HijackThis log for the server. I would really appreciate it if anyone could help let me know what kind of problem it is.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 4:19:29 PM, on 22/02/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MSSQL7\Binn\sqlmangr.exe
F:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
F:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\Common Files\CA\BrightStor\UniAgent\UnivAgent.exe
C:\Program Files\Common Files\CA\BrightStor\DBAcommon\DBASVR.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Trend\SProtect\EarthAgent.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\esserver.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\CA_LIC\LogWatNT.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\CA\BrightStor Backup Agent for Open Files\Ofant.exe
C:\WIN32APP\DOCSNTFS\docsntfs.exe
c:\winnt\system32\pstores.exe
C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\Program Files\RaidMan\RaidServ.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\MSSQL7\binn\sqlagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
H:\TechnoNet\techno\JKKP\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://thesource.hewitt.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ESFTP] C:\Program Files\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://thesource.hewitt.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jkkp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.20.16.2 10.20.16.3 10.21.81.214
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - F:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - F:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\UniAgent\UnivAgent.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\CA_LIC\lic98rmtd.exe
O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\DBAcommon\DBASVR.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DOCS Open Document Sentry Agent (DOCSDSA) - PC DOCS Inc - C:\WINNT\DOCSOPEN\DSA\docsdsa.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\EarthAgent.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Manager Backup (ManagerBackup) - Unknown owner - C:\NTMGR\Backup\MBackup.exe
O23 - Service: Multitasking Manager (ManagerService) - Plasmon Data Ltd - C:\NTMGR\Manager.exe
O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - Computer Associates International, Inc. - C:\Program Files\CA\BrightStor Backup Agent for Open Files\Ofant.exe
O23 - Service: DOCS Open File Security (PC DOCS OPEN File Security) - Unknown owner - C:\WIN32APP\DOCSNTFS\docsntfs.exe
O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe
O23 - Service: ServeRAID Manager Agent (ServeRAIDManagerAgent) - Unknown owner - C:\Program Files\RaidMan\RaidServ.exe
O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe
O23 - Service: TME10RC - Unknown owner - C:\WINNT\Rcserv.exe (file missing)
O23 - Service: Windows Internet Service - Unknown owner - C:\WINNT\iexplore.exe (file missing)
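When triaging a HijackThis log like the one above, the O23 (service) section is usually the first place to look, since a service runs at boot under SYSTEM. The script below is an added example, not code from the original poster or from HijackThis: it parses O23 lines in the v1.99.1 format and flags entries a reviewer would verify by hand. The sample lines are constructed in the same format as the log above (not the full log), and the three flags are my own triage heuristics, not verdicts. In particular, "Unknown owner" only means the binary carried no company name in its version resource, which is true of plenty of legitimate software, so every flagged entry still needs a manual check of the file, its signature and its creation date.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample O23 lines in HijackThis v1.99.1 format (same layout as the
# posted log, but not a copy of it).
SAMPLE_O23 = [
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe",
    r"O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE",
    r"O23 - Service: ServeRAID Manager Agent (ServeRAIDManagerAgent) - Unknown owner - C:\Program Files\RaidMan\RaidServ.exe",
    r"O23 - Service: TME10RC - Unknown owner - C:\WINNT\Rcserv.exe (file missing)",
    r"O23 - Service: Windows Internet Service - Unknown owner - C:\WINNT\iexplore.exe (file missing)",
    r"O4 - HKCU\..\Run: [ESFTP] C:\Program Files\ESFTP.COM\ESFTP\esftp.exe /STARTUP",
]

# Layout of an O23 line: display name, optional "(short service name)" when it
# differs from the display name, owner string, image path, optional "(file missing)".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    short_name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per O23 line; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            display=m.group("display"),
            short_name=m.group("short") or m.group("display"),
            owner=m.group("owner"),
            path=m.group("path"),
            file_missing=m.group("missing") is not None,
        ))
    return entries


def reasons_for(entry: ServiceEntry) -> List[str]:
    """Heuristic triage flags (assumptions of this example, not HijackThis rules)."""
    reasons = []
    if entry.owner == "Unknown owner":
        # No company name in the version resource: common for legitimate tools
        # too, so this is a "verify the file" flag, not a malware verdict.
        reasons.append("unknown owner")
    if entry.file_missing:
        # Service registration outlives its binary: leftover or cleaned-up
        # component; either way the service entry should not stay behind.
        reasons.append("file missing")
    if re.search(r"\b(windows|microsoft)\b", entry.display, re.I) \
            and "microsoft" not in entry.owner.lower():
        # A Microsoft-sounding name with a non-Microsoft (or unknown) owner is
        # a classic masquerading pattern and deserves a look.
        reasons.append("Windows-style name but owner is not Microsoft")
    return reasons


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries with at least one triage flag, in log order."""
    return [e for e in entries if reasons_for(e)]


if __name__ == "__main__":
    parsed = parse_o23("\n".join(SAMPLE_O23))
    for e in suspicious(parsed):
        print(f"{e.short_name:<22} {e.path:<45} {', '.join(reasons_for(e))}")
```

Run against a real log, the remaining step is manual: for each flagged service, confirm whether the image path exists, who the file's publisher is, and whether the registry service key's ImagePath still points at it.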