
Please help with hijack log file


  • This topic is locked
20 replies to this topic

#1 RickS


Posted 23 January 2006 - 08:22 PM

This server is the only one exposed to the internet; I can only find one AV software that will run. A virus recently shut down AV (eTrust) and I caught it.

Logfile of HijackThis v1.99.1
Scan saved at 4:14:07 PM, on 1/23/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Cache\explorer.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\WINDOWS\regedit.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InocIT.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\explorer.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\CalHelper.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\3\Rar$EX00.547\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcpcl.exe (file missing)
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Network Service (NETSVC) - Unknown owner - C:\WINDOWS\system32\wbem\netsvc.exe (file missing)
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe



#2 RickS


Posted 24 January 2006 - 12:23 AM

Here's the log file after I used spynomore to clean up some nasty things...

Logfile of HijackThis v1.99.1
Scan saved at 8:20:53 PM, on 1/23/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Cache\explorer.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\1\Rar$EX00.281\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcpcl.exe (file missing)
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Network Service (NETSVC) - Unknown owner - C:\WINDOWS\system32\wbem\netsvc.exe (file missing)
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe

#3 RickS


Posted 24 January 2006 - 01:54 PM

This is getting scary. I've deleted three accounts that were created by someone else recently with administrator rights. I saw one account get created while I was logged onto that server.

If my server is behind a firewall, and the following ports are opened:

ports: 25 110 443 3101 53 80

How can someone establish an RDP session with my server (as seen with Terminal Services Manager)?

Please help!!!

Rick

#4 RickS


Posted 24 January 2006 - 03:06 PM

Here is the log again after running Panda and Kaspersky online virus scanners and removing infected files (can you tell I'm desperate for help? :o)

Logfile of HijackThis v1.99.1
Scan saved at 11:04:35 AM, on 1/24/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\1\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe

#5 LDTate


Posted 24 January 2006 - 04:52 PM

Hello RickS, welcome to the TC.

Not too many of us work with servers here.

I suggest you do this:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm


Close ALL windows and browsers except HijackThis and click "Fix checked"


Let me know if that fixed it.

Also please describe how your computer behaves at the moment.



#6 RickS


Posted 24 January 2006 - 05:20 PM

Just did that and now when I open Internet Explorer, it tries to load the default page:
about:blank

This server was badly infected with viruses - I think I got them all, but only time will tell. Mostly AV services were shut down and the server connected to another server transmitting data over specific ports. Here's the latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:18 PM, on 1/24/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\2\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 24 January 2006 - 05:24 PM

Go to Control Panel > Internet Options. On the General tab, under "Temporary Internet Files", click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

You need to update your Java. Remove all the older versions.
Java updates:
http://www.java.com/...load/manual.jsp

Edited by LDTate, 24 January 2006 - 05:26 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#8 RickS

RickS

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 24 January 2006 - 05:26 PM

Cool, thanks! I'm updating Java now. I hope this server doesn't get infected again. Thanks for the help.

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 24 January 2006 - 05:30 PM

Let me know how it's going :thumbup:


 


#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 January 2006 - 10:08 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php



#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 February 2006 - 03:34 PM

This topic has been reopened by request of the starter of this topic. Or it has been moved to the correct forum.


 


#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 February 2006 - 03:35 PM

RickS, Please post a new HJT log and explain what issues you're having.


 


#13 RickS

RickS

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 01 February 2006 - 03:42 PM

Found a new administrative local user with processes running under that ID. This server is still infected with something. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:51 AM, on 2/1/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
O23 - Service: Windows Messenger (winmsg) - Unknown owner - C:\WINDOWS\system32\winmsg.exe (file missing)

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 February 2006 - 04:25 PM

Click start->run->type services.msc
Hit enter.
Double-click the following service:
Windows Messenger (winmsg)
Click 'Stop' to stop the service if it is running, and set it to 'Disabled' in the pull-down menu under the 'Startup type' section.
Exit services.msc

Please download and install this disk cleanup utility called Cleanup!
http://cleanup.stevengould.org/

It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space.

Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
Do NOT log off and reboot when prompted to.

Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Run HijackThis and click the Scan button. When it has finished scanning, put a tick against the following, close all other browsers and windows, and click 'Fix checked':

O23 - Service: Windows Messenger (winmsg) - Unknown owner - C:\WINDOWS\system32\winmsg.exe (file missing)


Boot into Safe Mode.
Windows 2000, XP:
1. Restart the computer
2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.
3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.

I am going to have you remove this bogus service NTBOOT by doing the following:
Click Start-> Run and type cmd in the Open: line. Click OK.
* Type or paste in the following in bold: sc delete winmsg
* Hit Enter
* Type: Exit
* Hit Enter

Locate and delete this file:
C:\WINDOWS\system32\winmsg.exe

Rerun Cleanup!

Reboot normally

Post a new HJT log.


 


#15 RickS

RickS

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 01 February 2006 - 04:51 PM

Thanks, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:43 PM, on 2/1/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend\Smex\RMonitor.exe
C:\Program Files\Trend\Smex\RMonUI.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
c:\windows\system32\inetsrv\w3wp.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\CalHelper.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\DOCUME~1\RWSADM~1.HIG\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135879884671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = higoodwill.org
O17 - HKLM\Software\..\Telephony: DomainName = higoodwill.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E25F67-60B1-466E-B535-027804EC0554}: NameServer = 10.0.1.5,10.0.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = higoodwill.org
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Controller - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_08\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx256M -Xms96M -XX:NewSize=32M -XX:MaxNewSize=96M -XX:NewRatio=2 classpathdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\classpath\\" wrkdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\MAIL\\" webserverdir="e:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver\\" -log.console -rbes "MAIL (file missing)
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
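
The O23 triage done by eye in this thread, as an added example that is not part of any post: it parses HijackThis O23 lines, separates the "Unknown owner ... (file missing)" entries that are only command lines with arguments from the one with a clean path and no file, and diffs the service list between two logs. The sample lines are excerpted from the two 2/1/2006 logs above; the function names and the three verdict labels are assumptions of this example, and treating a stray quote in the path as "the tool checked the whole command line" is a heuristic, not documented HijackThis behaviour.

```python
import re
from typing import NamedTuple

# Sample input: a few lines excerpted from the 11:40:51 AM log in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:40:51 AM, on 2/1/2006

Running processes:
C:\WINDOWS\system32\services.exe
e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\Trend\Smex\InstMon.exe

O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe" 1900 1999 3 32 (file missing)
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Unknown owner - e:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe" -BES "MAIL (file missing)
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: Windows Messenger (winmsg) - Unknown owner - C:\WINDOWS\system32\winmsg.exe (file missing)
"""

# For these excerpted lines the 12:48:43 PM log differs only by the missing winmsg entry.
LOG_AFTER = "\n".join(
    line.replace("11:40:51 AM", "12:48:43 PM")
    for line in LOG_BEFORE.splitlines()
    if "winmsg" not in line
)


class Service(NamedTuple):
    display: str        # display name, with the short name in parentheses if shown
    owner: str          # company name, or "Unknown owner"
    image: str          # image path text exactly as HijackThis printed it
    file_missing: bool  # True when the line ended in "(file missing)"


O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
MISSING = " (file missing)"


def parse_log(text):
    """Return (set of running process paths, list of Service) from one log."""
    processes, services, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.add(line.lower())
        else:
            m = O23_RE.match(line)
            if m:
                image = m.group(3)
                missing = image.endswith(MISSING)
                if missing:
                    image = image[:-len(MISSING)]
                services.append(Service(m.group(1), m.group(2), image, missing))
    return processes, services


def executable_path(image):
    """Cut the image text down to the .exe path, dropping quotes and arguments."""
    m = re.match(r'"?(.+?\.exe)', image, re.IGNORECASE)
    return (m.group(1) if m else image).lower()


def triage(text):
    """Give a verdict for every service with an unknown owner or a missing file."""
    processes, services = parse_log(text)
    findings = {}
    for s in services:
        if s.owner != "Unknown owner" and not s.file_missing:
            continue
        if executable_path(s.image) in processes:
            verdict = "running"           # the log itself contradicts "(file missing)"
        elif '"' in s.image:
            verdict = "unparsed-cmdline"  # arguments present; check the .exe by hand
        else:
            verdict = "review"            # clean path, unknown owner, no file found
        findings[s.display] = verdict
    return findings


def service_diff(before, after):
    """Return (services added, services removed) between two logs."""
    b = {s.display for s in parse_log(before)[1]}
    a = {s.display for s in parse_log(after)[1]}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, verdict in triage(LOG_BEFORE).items():
        print(f"{verdict:17} {name}")
    print("added/removed:", service_diff(LOG_BEFORE, LOG_AFTER))
```
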
