Mail server put on blacklist due to trojans..



#1 kdtrimble (New Member, 3 posts)
I believe I am in over my head here. Would you mind seeing what you can do? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:49:43 PM, on 3/15/2005
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\sbscrexe.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE
C:\WINDOWS\system32\tlntsvr.exe
C:\WINNT\SYSTEM32\win32dns.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\wmiaqsrv.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\WINDOWS\system32\wmisrv.exe
C:\WINDOWS\system32\drivers\wupdmgr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\Explorer.EXE
\PPC02\Clients\Setup\applnch.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\WINDOWS\system32\napolecy.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WinMgmt.exe] C:\WINDOWS\system32\WinMgmt.exe
O4 - HKLM\..\Run: [IISAdmin] c:\winnt\system32\logonsrv.exe
O4 - HKLM\..\Run: [SQLManager] c:\c:\winnt\system32\sqlmng.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [qgqqft] C:\WINNT\SYSTEM32\ukaky.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egikugu] napolecy.exe
O4 - HKLM\..\RunServices: [egikugu] napolecy.exe
O4 - HKCU\..\Run: [Windows] C:\WINDOWS\system32\system.exe
O4 - HKCU\..\Run: [egikugu] napolecy.exe
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\Software\..\Telephony: DomainName = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD7B1A59-8E2A-4647-8924-1F746FCD51B4}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Distributed NT LM Security Manager (msdsec) - Unknown owner - C:\WINNT\SYSTEM32\msdsec.exe (file missing)
O23 - Service: Internet Explorer (Msiexp) - Unknown owner - C:\WINDOWS\system32\spool\PRINTERS\explorer.exe (file missing)
O23 - Service: MSIn Task Manager (MSItsk) - Unknown owner - C:\WINDOWS\system32\MSIntskmngr.exe (file missing)
O23 - Service: Messenger Plug-In (msmsgr) - Unknown owner - C:\WINDOWS\system32\msmsgr.exe (file missing)
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (UnRegistered) (ProtectorPlusService) - Unknown owner - C:\Program Files\Protector Plus\PPServ.exe
O23 - Service: Spooler Service (scouby) - Unknown owner - C:\WINDOWS\system32\winrep.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Servuce Host (Svchst) - Unknown owner - C:\WINDOWS\system32\SERVICE.exe (file missing)
O23 - Service: Server Manager (SvrMgr) - Unknown owner - C:\WINNT\SYSTEM32\svrmgr.exe (file missing)
O23 - Service: IPSEC Net Handler (win32h) - Unknown owner - C:\WINDOWS\system32\update.dll (file missing)
O23 - Service: Win32 DNS Service (WinDNS) - Unknown owner - C:\WINNT\SYSTEM32\win32dns.exe
O23 - Service: Winset DNS Server (Winset) - Unknown owner - C:\WINDOWS\system32\windllshost.exe (file missing)

Here is the result of a TrojanHunter scan, but I do not know what to do after this.

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Port 31337/TCP is open (matches BackOrifice.120) (Tell me more about port alerts...)
Port 31337/TCP is open (matches BlueEye.100) (Tell me more about port alerts...)
Port 31337/TCP is open (matches Khaled.100) (Tell me more about port alerts...)
Port 31337/TCP is open (matches OPC.200) (Tell me more about port alerts...)
Memory scan
No trojans found in memory
File scan (autostarted files, running executables)
Found possible trojan file: C:\WINDOWS\system32\wmiaqsrv.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\wmisrv.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\drivers\wupdmgr.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
No trojan files found