Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

      
 
 Reply to this topicStart new topic
> Malware on 2003 R2 Exchange server
Lee McLaren
post Jul 23 2008, 05:34 PM
Post #1


New Member
*

Group: New Member
Posts: 1
Joined: 22-July 08
Member No.: 80,443
Operating System: Windows Server 2003
Hi,

I have a Windows 2003 AD member Exchange server, recently it was infected with a number of pieces of malware, AV log list below, using Spybot and NOD32 I think I may have removed all of the problems but would appreciate some expert advise.

One of the effects was the creation of a number of fake AD administrator accounts.

Logs attached below, I don't like the look of "O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:\WINDOWS\system32\yessfee.exe (file missing)" in the HJT log but I think it may be ok as the file is missing.

thanks

Lee McLaren



AV LOG LIST:
Time Module Object Name Threat Action User Information
22/07/2008 8:54:23 AM AMON file C:\Program Files\Internet Explorer\Down(0).exe probably a variant of Win32/PSW.QQPass.NDF trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\IEXPLORE.EXE. The file was moved to quarantine. You may close this window.
22/07/2008 8:54:01 AM AMON file C:\WINDOWS\TEMP\275908594312.exe a variant of Win32/Hupigon trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\svchost.exe. The file was moved to quarantine. You may close this window.
22/07/2008 8:53:51 AM AMON file C:\WINDOWS\TEMP\275182812924.exe a variant of Win32/Hupigon trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\svchost.exe. The file was moved to quarantine. You may close this window.
22/07/2008 8:53:12 AM AMON file C:\WINDOWS\system32\run.vbs VBS/TrojanDownloader.Small.L trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a modified file. The file was moved to quarantine. You may close this window.
21/07/2008 9:32:26 AM AMON file C:\WINDOWS\system32\run.vbs VBS/TrojanDownloader.Small.L trojan Event occurred when attempting to access the file.
17/07/2008 9:26:15 AM AMON file C:\WINDOWS\TEMP\Tmp147.tmp a variant of Win32/DoS.Sypak trojan quarantined - deleted Event occurred on a file modified by the application: C:\WINDOWS\system32\ftp.exe. The file was moved to quarantine. You may close this window.
16/07/2008 10:51:55 AM Kernel file C:\yessfee.exe quarantined






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:52 AM, on 24/07/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
c:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\IMFcompanion\IMFcompanion.exe
C:\Documents and Settings\administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hjt-data.trend-braintree.com/hjt/an...?report=6968768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Zeehan Zinc
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://hjt-data.trend-braintree.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178799892493
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tas.zeehanzinc.com
O17 - HKLM\Software\..\Telephony: DomainName = tas.zeehanzinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF440878-B7D0-4489-A13F-81E996FE84AA}: NameServer = 10.10.10.12,10.10.10.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tas.zeehanzinc.com
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:\WINDOWS\system32\yessfee.exe (file missing)

--
End of file - 6527 bytes
Go to the top of the page
 
+Quote Post
« Next Oldest · HijackThis™ Logs and Infections Removal · Next Newest »
 

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 
RSS Time is now: 12th October 2008 - 02:38 AM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy
Powered By IP.Board © 2008  IPS, Inc.