
Windows 2003 Server Hacked - Suspect it is being used for spamming - Hijackthis log file included

electricink (Anti-Virus Apps, OS Security) asked:
Hello,

Our Windows 2003 server has been hacked. I have done 2 virus scans and cleaned what they could find (used AVG and Microsoft Malicious Software Removal).

However, we are still being flagged as "Spammers" so something is still not right.

Here is our HijackThis Log File...

Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 7/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electricink.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147544667130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158013453546
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4948/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer = 64.34.24.23,64.34.24.24
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thank you

Kirk

ASKER CERTIFIED SOLUTION
r-k