Advertisement

08.22.2007 at 11:14AM PDT, ID: 22780209
[x]
Attachment Details

Analyze hijackthis log - Win2003 exchange server -

Asked by jason6215 in Security Utilities, Miscellaneous Security, Symantec Anti-Virus Software

Tags: Hijackthis log

I believe I may have a server with infected with Mallware, I recently ran Hijackthis on my Win 2003 exchange server. Can anyone point out known entries processes that I should clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:35 PM, on 8/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\csifcsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$WSUS\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESp.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESJM.EXE
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSETask.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\ConsoleAppMgr.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\conduit.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\LiveVault Corporation\BackupEngine\LV_Super.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\LiveVault Corporation\BackupEngine\LV_Engine.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Dell SAS RAID Storage
Manager\Framework\VivaldiFramework.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\SMSMSE\5.0\Server\SAVFMSESpamStatsManager.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\WINDOWS\startup.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\mmc.exe
D:\shared\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting]
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage
Manager\MegaPopup\Popup.exe"
O4 - HKLM\..\Run: [Kav_key] C:\WINDOWS\startup.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
/SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
/IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-492134541-690652631-890307051-1147\..\RunOnce:
[tscuninstall] %systemroot%\system32\tscupgrd.exe (User
'QBDataServiceUser17')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program
Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL
Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://rmd.atdmt.com
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://help.live.com
O15 - ESC Trusted Zone: http://js.shared.live.com
O15 - ESC Trusted Zone: http://onecare.live.com
O15 - ESC Trusted Zone: http://shared.live.com
O15 - ESC Trusted Zone: http://toolbar.live.com
O15 - ESC Trusted Zone: http://ads1.msn.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.whois.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187231103527
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mjscpapc.local
O17 - HKLM\Software\..\Telephony: DomainName = mjscpapc.local
O17 -
HKLM\System\CCS\Services\Tcpip\..\{E27A8856-4890-41B8-B296-4390155D7606}:
NameServer = 192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mjscpapc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mjscpapc.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program
Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec
Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) -
Creative Solutions - C:\WINDOWS\csifcsvc.exe
O23 - Service: Vorkstation (ianmanworkstawio) - Unknown owner -
C:\WINDOWS\system32\explorer.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel
32\IDriverT.exe
O23 - Service: LiveVault Backup Service (LVBackupService) - Iron Mountain
Digital - C:\Program Files\LiveVault Corporation\BackupEngine\LV_Super.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program
Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program
Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. -
C:\Program Files\Common
Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. -
D:\srvapps\QUICKB~1\QBDBMgrN.exe
O23 - Service: Symantec Mail Security Spam Statistics
(SAVFMSESpamStatsManager) - Symantec Corporation - C:\Program
Files\Symantec\SMSMSE\5.0\Server\SAVFMSESpamStatsManager.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec
AntiVirus\SavRoam.exe
O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) -
Symantec Corporation - C:\Program
Files\Symantec\SMSMSE\5.0\Server\SAVFMSESrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10265 bytesStart Free Trial
[+][-]08.22.2007 at 11:19AM PDT, ID: 19748469

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.22.2007 at 11:35AM PDT, ID: 19748582

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.22.2007 at 03:23PM PDT, ID: 19750158

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Security Utilities, Miscellaneous Security, Symantec Anti-Virus Software
Tags: Hijackthis log
Sign Up Now!
Solution Provided By: rpggamergirl
Participating Experts: 3
Solution Grade: B
 
 
 
Loading Advertisement...
20080716-EE-VQP-32 / EE_QW_2_20070628