
Win2003server Backdoor Problems



#1 IHatethis

Posted 02 August 2007 - 07:01 AM

Hello All,
Server 2003 SP1: Problems began when I noticed "strange" services running on my server (service=dudu path=c:\program files\HJ\backups\qiandu.exe) and other services: prsvr.exe, Windnser (dnsservice.exe) and messagerp. After disabling the services, and thwarting whatever it was, I started to notice accounts being created (this is an Exchange server by the way) by themselves... After MUCH research, I'm starting to lose it... all that I do has no effect, and the bad .exe's just continue to "change" to another name.
Without further ado, here is my HijackThis log... Any help is GREATLY appreciated (Symantec was ABSOLUTELY no help at all). Thanks in advance! :thumbup:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:54 AM, on 8/2/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\certsrv.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SAV\Rtvscan.exe
C:\hp\hpsmh\bin\smhstart.exe
D:\Program Files\Symantec\Backup Exec\beremote.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
D:\Program Files\Exchsrvr\bin\exmgmt.exe
D:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
D:\Program Files\Exchsrvr\bin\store.exe
D:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\rc\winvnc4.exe
C:\WINDOWS\system32\wins\winback.exe
C:\Documents and Settings\c2agent\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1/c2
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc4.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - Global Startup: desktop.old
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1177331844256
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = munzingnj.munzingus.com
O17 - HKLM\Software\..\Telephony: DomainName = munzingnj.munzingus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5A57666-7260-41CD-BC66-FA3BB35781AA}: NameServer = 192.168.1.10,192.168.1.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = munzingnj.munzingus.com
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Management Instrumentation Player Drivers (CCProxy) - Unknown owner - C:\WINDOWS\system\svchost.exe" -service (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SQL Server (BKUPEXEC) (MSSQL$BKUPEXEC) - Unknown owner - D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sBKUPEXEC (file missing)
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: Security-Services (secure) - Secure Soft - C:\WINDOWS\system32\wins\winback.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: VNC (WinVNC) - Unknown owner - C:\WINDOWS\system32\rc\winvnc4.exe" -service (file missing)
O23 - Service: WMI Adapter Services (Wmi) - Unknown owner - C:\WINDOWS\system32\wmiapsrv.exe" /service (file missing)
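As an added triage example (not part of the original post), the script below parses O23 service lines in the HijackThis 1.99.1 format used in the log above and flags the entries a responder would verify first: services with no vendor, a vendor the server is not expected to run, a Windows system binary name living outside System32, or a quoted ImagePath that HijackThis mis-parses. The sample lines are taken from the log above; the expected-vendor list and the flag names are assumptions for this example.

```python
import ntpath
import re

# Sample input: O23 (service) lines copied from the HijackThis log above.
SAMPLE_O23 = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Management Instrumentation Player Drivers (CCProxy) - Unknown owner - C:\WINDOWS\system\svchost.exe" -service (file missing)
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: SQL Server (BKUPEXEC) (MSSQL$BKUPEXEC) - Unknown owner - D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sBKUPEXEC (file missing)
O23 - Service: Security-Services (secure) - Secure Soft - C:\WINDOWS\system32\wins\winback.exe
"""

# Vendors this particular server is expected to run (an assumption for the example).
EXPECTED_VENDORS = {"Symantec Corporation", "Hewlett-Packard Company", "Microsoft Corporation"}

# Binaries that belong in System32; the same file name anywhere else is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_o23(line: str) -> dict:
    """Split one O23 line into service name, owner and the executable path."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O23 line: {line!r}")
    raw = m.group("path")
    # Keep only the executable; HJT appends arguments and "(file missing)" after it.
    m_exe = re.match(r"(?i)(.+?\.exe)", raw)
    exe = m_exe.group(1) if m_exe else raw
    return {"name": m.group("name"), "owner": m.group("owner"), "exe": exe, "raw": raw}

def flag_service(svc: dict, expected_vendors=EXPECTED_VENDORS) -> list:
    """Return the list of triage flags raised by one parsed service entry."""
    flags = []
    if svc["owner"] == "Unknown owner":
        flags.append("unknown-owner")
    elif svc["owner"] not in expected_vendors:
        flags.append("vendor-not-expected")
    if '"' in svc["raw"]:
        # A stray quote means the registry ImagePath was quoted with arguments.
        # HijackThis 1.99.1 mis-parses these and prints "(file missing)" even when
        # the binary exists, so the quote, not the marker, is what to follow up on.
        flags.append("quoted-imagepath")
    directory, base = ntpath.split(svc["exe"])
    if base.lower() in SYSTEM_BINARIES and directory.lower() != r"c:\windows\system32":
        flags.append("system-binary-outside-system32")
    return flags

def triage(log: str) -> dict:
    """Map service name -> flags for every O23 line that raised at least one flag."""
    result = {}
    for line in log.splitlines():
        if line.startswith("O23 - "):
            svc = parse_o23(line)
            flags = flag_service(svc)
            if flags:
                result[svc["name"]] = flags
    return result
```

Each flag is a prompt to check the binary on disk and the service's ImagePath in the registry, not a verdict: the legitimate Backup Exec SQL instance trips the same quoted-path check as the bogus svchost.exe under C:\WINDOWS\system.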
