Server Hijacked as spam mail server?


  • This topic is locked
No replies to this topic

#1 kbomar

    New Member
  • 2 posts

Posted 31 March 2007 - 12:11 PM

Hi, an external scan showed that we had mail servers on our network. We don't host our own mail servers. Our IP was blacklisted for a while because of it. I am trying to track down the infected computers. Here is a log from our file server running Windows 2003 Small Business Server:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:56 PM, on 3/31/2007
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinSyslog\winsyslg.exe
C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\wex4962\EMCliSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FreeDNS Update\FDNSUSVC.exe
C:\Program Files\FreeDNS Update\freednsupdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\SPDataServer.exe
C:\WINDOWS\System32\SPLicenseManager.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Troxo\LiveUpdateTroxo\TroxoLiveUpdate.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wex4962\emmeter.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\System32\CNESvrMgr.exe
C:\Documents and Settings\Administrator\Desktop\AutoShutdown\autoshutdown2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\FreeDNS Update\FreeDNSUpdate.exe
C:\Program Files\PrintKey\printkey.exe
C:\WINDOWS\system32\mmc.exe
C:\mysql\bin\winmysqladmin.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.0.6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://192.168.0.6
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.6:3128
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [EMMeter] C:\WINDOWS\system32\wex4962\EMMeter.exe /quiet
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [CNE Service Manager] C:\WINDOWS\System32\CNESvrMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\Administrator\Desktop\AutoShutdown\autoshutdown2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: FreeDNS Update.lnk = C:\Program Files\FreeDNS Update\FreeDNSUpdate.exe
O4 - Startup: PrintKay.lnk = C:\Program Files\PrintKey\printkey.exe
O4 - Startup: Server Management.lnk = ?
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://192.168.0.6
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.cus...l/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Chrosmack.local
O17 - HKLM\Software\..\Telephony: DomainName = Chrosmack.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4333D8BE-7340-4359-A83F-2AA7260AD456}: NameServer = 192.168.0.2,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Chrosmack.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4333D8BE-7340-4359-A83F-2AA7260AD456}: NameServer = 192.168.0.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Chrosmack.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{4333D8BE-7340-4359-A83F-2AA7260AD456}: NameServer = 192.168.0.2,4.2.2.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AdisconWinSyslog (AdisconWINSyslog) - Adiscon GmbH, Germany (Info@Adiscon.com, http://www.Adiscon.com) - C:\Program Files\WinSyslog\winsyslg.exe
O23 - Service: avast! iAVS4 Mirror HTTP Server (aswHTTPMirror) - Unknown owner - C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (file missing)
O23 - Service: avast! Management Server - Unknown owner - C:\Program Files\Alwil Software\Management Tools\avEngine.exe" /ServiceStart (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe" /service (file missing)
O23 - Service: EMCliSrv - Express Metrix - C:\WINDOWS\system32\wex4962\EMCliSrv.exe
O23 - Service: FreeDNS Update (FreeDNSUpdate) - TechKnow Professional Services - C:\Program Files\FreeDNS Update\FDNSUSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Router Logger Refresh Controller (RLController) - - S:\LoggerSetup\RefreshLogService.exe
O23 - Service: Spector CNE Data Vault (SPDataServer) - Unknown owner - C:\WINDOWS\System32\SPDataServer.exe
O23 - Service: Spector CNE Primary Server (SPLicenseManager) - Unknown owner - C:\WINDOWS\System32\SPLicenseManager.exe
O23 - Service: TroxoLiveUpdate - TROXO - C:\Program Files\Troxo\LiveUpdateTroxo\TroxoLiveUpdate.exe
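
The poster's actual problem is finding which internal machine is originating the outbound SMTP traffic that got the public IP blacklisted, and a HijackThis log of one box will not show that. The usual way is to look at the perimeter firewall or NAT logs for internal hosts making TCP/25 connections to many distinct outside addresses: a normal client submits mail to one server, while a spam bot talks directly to dozens of external MX hosts. The script below is an added example, not part of the original post or the forum's advice. It assumes a pipe-delimited firewall log with the fields timestamp|src_ip|dst_ip|dst_port|action (a made-up format; adjust parse_line for your firewall), and the log lines embedded in it are constructed for illustration. The internal range 192.168.0.0/24 matches the addresses in the log above, and treating 192.168.0.6 as the site's known legitimate mail host is an assumption.

```python
"""Flag internal hosts that behave like spam relays, from firewall log lines.

Added example (not from the original post). Log format and sample lines are
constructed; the 192.168.0.0/24 internal range and the 192.168.0.6 "known mail
host" are assumptions for the demonstration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: timestamp|src_ip|dst_ip|dst_port|action.
# External addresses use the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-03-31T11:58:01|192.168.0.23|198.51.100.11|25|allow
2007-03-31T11:58:02|192.168.0.23|198.51.100.12|25|allow
2007-03-31T11:58:02|192.168.0.23|198.51.100.12|25|allow
2007-03-31T11:58:03|192.168.0.23|203.0.113.5|25|allow
2007-03-31T11:58:04|192.168.0.23|203.0.113.6|25|allow
2007-03-31T11:58:04|192.168.0.23|203.0.113.7|25|allow
2007-03-31T11:58:05|192.168.0.23|203.0.113.8|25|deny
2007-03-31T11:58:06|192.168.0.6|198.51.100.11|25|allow
2007-03-31T11:58:07|192.168.0.6|203.0.113.5|25|allow
2007-03-31T11:58:08|192.168.0.45|192.168.0.6|25|allow
2007-03-31T11:58:09|192.168.0.10|203.0.113.50|443|allow
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Return (src, dst, port, action) for one log line, or None if it does not parse."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    _ts, src, dst, port, action = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action)
    except ValueError:
        return None


def outbound_smtp_summary(log_text, internal_net="192.168.0.0/24", smtp_ports=(25,)):
    """Per internal source: number of outbound SMTP attempts and the distinct
    external destinations hit. Denied attempts are counted too; a bot that the
    firewall is blocking is still a bot worth cleaning."""
    net = ipaddress.ip_network(internal_net)
    summary = defaultdict(lambda: {"attempts": 0, "dests": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, _action = rec
        # Skip non-SMTP traffic, traffic not originating inside, and
        # internal-to-internal SMTP (clients submitting to the local server).
        if port not in smtp_ports or src not in net or dst in net:
            continue
        entry = summary[str(src)]
        entry["attempts"] += 1
        entry["dests"].add(str(dst))
    return summary


def suspect_relays(summary, known_mail_hosts=(), min_distinct_dests=5):
    """Hosts that open SMTP sessions to many distinct external addresses are
    flagged; the site's own mail host(s) are excluded by the allowlist.
    Returns (src_ip, attempts, distinct_dests) tuples, worst first."""
    suspects = []
    for src, entry in summary.items():
        if src in known_mail_hosts:
            continue
        if len(entry["dests"]) >= min_distinct_dests:
            suspects.append((src, entry["attempts"], len(entry["dests"])))
    return sorted(suspects, key=lambda s: (-s[2], -s[1], s[0]))


if __name__ == "__main__":
    report = outbound_smtp_summary(SAMPLE_LOG)
    for src, attempts, dests in suspect_relays(report, known_mail_hosts=("192.168.0.6",)):
        print(f"{src}: {attempts} outbound SMTP attempts to {dests} distinct external hosts")
```

The threshold on distinct destinations, not on raw connection count, is what separates a bot from a busy but legitimate client: a workstation that sends a thousand messages through the company server still shows one destination. Once a host is flagged, the next step is to confirm it on the box itself (for example with `netstat -ano` on Windows 2003, matching the PIDs against the process list) before assuming which process is responsible.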
