Mail Server Infected (I think)


#1 siothelad (New Member, 1 post)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:07, on 13/12/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\sfmsvc.exe
C:\WINDOWS\system32\sfmprint.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\mysql\bin\mysqld-nt.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\USBToolbox\Res.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3873747241-2024155984-4165086326-1109\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'fsms_COMITSERVER')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://dl.betanews.com
O15 - ESC Trusted Zone: http://mail.comitmarketing.com
O15 - ESC Trusted Zone: http://www.google.ie
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://www.novara.ie
O15 - ESC Trusted Zone: http://www.petri.co.il
O15 - ESC Trusted Zone: http://laotzu.acc.umu.se
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.0.5
O15 - ESC Trusted IP range: http://127.0.0.1
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146643651597
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comitmarketing.local
O17 - HKLM\Software\..\Telephony: DomainName = comitmarketing.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A46F9B1-1DE8-44A2-B4DD-4AC75B2DC318}: NameServer = 192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comitmarketing.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = comitmarketing.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 15059 bytes
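The log above is the poster's and is left as posted. As an added example, not part of the original post or of HijackThis itself, the following Python script parses a log in this layout and pulls out the items a reviewer reads first: image names that appear many times over in the "Running processes" section, known remote-control tools, O23 services that HijackThis lists as "Unknown owner", and the hosts added to the Enhanced Security Configuration trusted zone (O15). The sample log embedded in it is constructed from a few lines in the shapes seen above; the list of remote-admin executables and the repetition threshold are assumptions of this example, not anything the post states.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v2 layout (a few lines only, modelled
# on the shapes in the posted log; not the posted log itself).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2003 SP2 (WinNT 5.02.3790)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
C:\Program Files\F-Secure\FSAUS.PM\bin\bwadmin.exe
c:\windows\system32\inetsrv\w3wp.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.0.5
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
"""

# Assumption: image names of remote-control tools a reviewer would want
# confirmed as deliberate. Illustrative, not an exhaustive list.
REMOTE_ADMIN_EXES = {"r_server.exe", "winvnc.exe", "vncserver.exe", "radmin.exe"}

# "O23 - Service: <name> - <vendor> - <path>" and similar R/F/O entries.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")


def parse_processes(log: str) -> Counter:
    """Count image names listed under 'Running processes:' (case-folded)."""
    counts: Counter = Counter()
    in_section = False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if not line.strip():          # a blank line ends the section
                break
            image = line.strip().rsplit("\\", 1)[-1].lower()
            counts[image] += 1
    return counts


def parse_entries(log: str):
    """Yield (section, body) for each 'O23 - ...' / 'R1 - ...' style line."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log: str, repeat_threshold: int = 3) -> dict:
    """Pull out the items checked first when reading a log of this kind."""
    procs = parse_processes(log)
    findings = {
        "repeated_processes": {n: c for n, c in procs.items() if c >= repeat_threshold},
        "remote_admin_processes": sorted(n for n in procs if n in REMOTE_ADMIN_EXES),
        "unknown_owner_services": [],
        "trusted_zone_hosts": [],
    }
    for section, body in parse_entries(log):
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group(2) == "Unknown owner":
                findings["unknown_owner_services"].append(m.group(1))
        elif section == "O15":
            # "ESC Trusted Zone: http://host" or "ESC Trusted IP range: http://ip",
            # optionally followed by " (HKLM)"; keep only the URL token.
            findings["trusted_zone_hosts"].append(body.split(": ", 1)[1].split()[0])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full posted log by reading the file into `triage()` instead of `SAMPLE_LOG`. The repeat count is the quickest way to see how many instances of one image are alive at scan time; "Unknown owner" only means HijackThis found no vendor string in the binary, so each hit still needs the file's signature and install history checked by hand.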