Hi All - As always, I get here when all else fails.
I have a client's system (Win2k) on a baby network (12 sta.) that is attracting attention by sending out thousands of packets continuously. The ISP is about to turn off service if we don't 'clean' the system. I have performed the usual due diligence:
NAV
AVG
SpyBot
Windows Defender
Hijackthis (log follows)
But I'm at a loss.
Any ideas appreciated.
Thanks, Pat
Logfile of HijackThis v1.99.1
Scan saved at 8:55:12 PM, on 11/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.njo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
After all that, go ahead and put the system back on the network while Task Manager is up and running. See what processes jump to the fore. Obviously this isn't much help if a rootkit's to blame but it's a start.