Microsoft Server 2003 Hacked AGAIN - Is being used for spamming - Hijackthis log file included

Posted on 2007-09-27
Last Modified: 2012-06-21

Our Windows 2003 server has been hacked AGAIN. We just went through this 2 months ago. I have done 2 virus scans and cleaned what it could find, and also disabled and deleted suspicious-looking files.

However, we are still being flagged as "Spammers" on

so something is still not right. (It may not come up if you check the link, as I am going to request a de-listing again, but it will no doubt happen again until I figure out what is going on.)

One question I have first is: SHOULD WE BLOCK PORT 25?

And if the answer is yes, how do we do that?

Here is our HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:55 PM, on 9/27/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [METray] C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\METray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,2,0,4948/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer =,
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Directory Index Manager (DirIndex) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable HTTPMail Service (MEHTTPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEHTTPS.EXE
O23 - Service: MailEnable IMAP Service (MEIMAPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MEIMAPS.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Connector (MEPOPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPS.EXE
O23 - Service: MailEnable Management Service (MERADMS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MERADMS.exe
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: Network Security Protocol Service (NetSecManager) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe (file missing)
O23 - Service: Nagios Agent (NSClient) - ClearCentral Software Inc - C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Profile Manager (ProfileMgr) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Question by: electricink
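The O23 (service) entries are the part of a HijackThis log a responder triages first. The following is an added example, not code from the thread or from HijackThis, that parses O23 lines in the 1.99 format shown above and pulls out services whose binary sits in a hotfix-uninstall or restore-point directory, whose path uses a reserved DOS device name (com1, lpt1, ...) as a folder, or that carry no vendor name. The sample lines are copied from the log in the question; the heuristics and the strong/weak split are the example author's assumptions, not a HijackThis feature.

```python
import re

# One HijackThis 1.99 "O23" line: display name, vendor, image path.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) - (?P<path>.+)$")

# Directories in which a legitimate Windows service binary has no business living
# (hotfix-uninstall folders, restore-point lookalikes, temp and recycle-bin folders).
SUSPICIOUS_DIRS = ("\\$ntuninstall", "\\_restore{", "\\temp\\", "\\recycler\\")
# Reserved DOS device names: a folder named like this cannot be browsed or deleted
# with ordinary tools, which is why it turns up as a hiding place.
RESERVED_NAMES = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}

# Constructed sample: O23 lines copied from the log in the question above.
SAMPLE_LOG = r"""
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Directory Index Manager (DirIndex) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Network Security Protocol Service (NetSecManager) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
"""


def parse_o23(line):
    """Split one O23 line into its parts; returns None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # In this log "(file missing)" appears on every entry whose ImagePath is quoted and
    # carries arguments (note the stray '"'), so treat it as a parser artifact, not evidence.
    file_missing = path.endswith("(file missing)")
    if file_missing:
        path = path[: -len("(file missing)")].rstrip()
    return {"display": m.group("display"), "owner": m.group("owner").strip(),
            "path": path, "file_missing": file_missing}


def assess(entry):
    """Return (strong, weak) lists of findings for a parsed O23 entry."""
    strong, weak = [], []
    p = entry["path"].lower()
    if any(d in p for d in SUSPICIOUS_DIRS):
        strong.append("binary lives in an update-uninstall/restore/temp directory")
    folders = [seg for seg in re.split(r"[\\/]+", p) if seg][:-1]
    if any(seg in RESERVED_NAMES for seg in folders):
        strong.append("path uses a reserved DOS device name as a folder")
    if entry["owner"] in ("", "Unknown owner"):
        weak.append("no vendor recorded")  # common for legitimate services too
    return strong, weak


def triage(log_text):
    """Services worth pulling first: every O23 entry with at least one strong finding,
    as (display name, path, all findings), most findings first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        strong, weak = assess(entry)
        if strong:
            hits.append((entry["display"], entry["path"], strong + weak))
    hits.sort(key=lambda h: len(h[2]), reverse=True)
    return hits


if __name__ == "__main__":
    for display, path, findings in triage(SAMPLE_LOG):
        print(f"{display}\n  {path}\n  - " + "\n  - ".join(findings))
```

Run against the six sample lines, only the two services under the `$NtUninstallKB913029$\...\com1` tree come back; the Acronis, AVG and MySQL entries fall through, and the empty-vendor SpamAssassin entry gets only the weak note and is not reported.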
Expert Comment (LVL 3):

You should be blocking port 25 from every machine but your mail server. There is generally no real need for other machines to send out SMTP traffic independently rather than through your mail server. So block port 25 outbound for all clients except your mail server.
Expert Comment (LVL 3):

You can try and get delisted, but the easier solution is to change the IP address your mail server is sending out on. If you have a pool of IPs I would highly recommend this, as trying to get off blacklists is a pain! What type of firewall are you using?
Expert Comment (LVL 9):

If you block port 25 this will block mail in the direction you block, and therefore you will not be able to send and/or receive. Is that what you want? Most likely not, if you host your mail.
Expert Comment (LVL 9):

Sorry noodles, answered a little late.
Expert Comment (LVL 3):

If you do that, make sure to change your DNS to the corrected IP address, and also contact your service provider to ask them to update your PTR record.

Expert Comment (LVL 8):

You will also need your domain's MX record updated if you do this.
Expert Comment (LVL 3):

Thought I added that in my comment, but I guess I forgot to; thank you static. The MX record, as he stated, will also need to be updated.
Expert Comment (LVL 18):

I am curious. What piece of malware got into your server to send out these spams?


Author Comment:

We STILL do not know... we are continuing to battle this problem :(
Expert Comment (LVL 18):

Have you run Microsoft's Malicious Software Removal Tool, mrt.exe?

And download and see what all is running using MS Process Explorer

See if you have been hacked via a rootkit; download and install

Just a couple of thoughts, if you haven't tried them.

Expert Comment (LVL 3):

The malware didn't necessarily have to have been on the server. Any client attached to the network can become infected and send out unsolicited SMTP traffic without going through the server. Were you previously blocking port 25 outbound for all traffic other than your mail server on your firewall, or did you have port 25 outbound open for any client to send out on?

Author Comment:

We still have port 25 open.

I would welcome instructions on how to close it but still allow email from domains hosted on our server, if that is possible.
Expert Comment (LVL 3):

What type of firewall are you using, an ISA server, a PIX, etc.? We can help show you how to tighten the firewall up so as to disallow OUTBOUND SMTP traffic from all nodes on your network except your legitimate mail server(s).

I.e., a workstation generally should not be sending SMTP traffic out to the world; that's the responsibility of the mail server. Clients such as Outlook will communicate directly with the mail server, and the server sends/receives SMTP mail to and from the outside world.

If a workstation is sending SMTP traffic directly to the Internet without going through your mail server, there is a good probability that the machine is compromised and sending out unsolicited SPAM.

Accepted Solution (LVL 3):

If you don't block SMTP traffic outbound for simple nodes, no matter how many blacklists or RBLs you try and get yourself taken off of, or how many times you change your mail server's external IP, you're going to be right back on those lists, because the potential of an infected node is still out there tarnishing your WAN IP as a SPAMMER. By blocking this port you can resolve the issue quickly.

After doing that, change your WAN IP for your mail server and update the appropriate A, MX, and PTR records as mentioned earlier. After you do this, your problem of being tagged as a SPAMMER will stop, but you will then have to go and thoroughly inspect your workstations and do virus/malware scans.

This is why I don't allow personal laptops to attach to our network. Any Joe Schmo can hook up to the network, be infected and send out this type of SPAM, and never even know it! But by blocking SMTP outbound, you're ensuring that this type of traffic won't get out and potentially flag your WAN IP as SPAM.

Author Comment:

We are using Windows Firewall.
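The rule the accepted solution describes, together with a check for which internal hosts are already breaking it, as an added example that is not part of the thread. One point worth knowing for the last comment: the Windows Firewall shipped with Windows Server 2003 filters inbound connections only, so an outbound-SMTP rule of this kind has to be applied on the perimeter firewall or router. The script models the rule in Python and runs it over constructed Windows Firewall-style W3C log lines (RFC 5737 documentation addresses; the mail server address 192.0.2.10, the LAN range and the `path` column are assumptions) to list hosts sending SMTP straight to the Internet.

```python
import ipaddress
from collections import Counter

# Constructed policy values (RFC 5737 documentation ranges, not the asker's network):
# the internal LAN and the only host allowed to talk SMTP to the outside world.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.10")}
SMTP_PORTS = {25}


def egress_allowed(src_ip, dst_ip, dst_port, protocol="TCP"):
    """The rule from the accepted answer: outbound TCP/25 from the LAN is allowed only
    from the mail server(s). Inbound mail and client-to-mail-server submission inside
    the LAN are not outbound SMTP and are left alone."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if protocol.upper() != "TCP" or dst_port not in SMTP_PORTS:
        return True
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return True
    return src in MAIL_SERVERS


# Constructed Windows Firewall-style W3C log; the 'path' column (SEND/RECEIVE) is assumed.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-09-27 22:01:03 OPEN TCP 192.0.2.10 198.51.100.25 3345 25 - - - - - - - - SEND
2007-09-27 22:01:07 OPEN TCP 192.0.2.57 203.0.113.9 1054 25 - - - - - - - - SEND
2007-09-27 22:01:07 OPEN TCP 192.0.2.57 203.0.113.14 1055 25 - - - - - - - - SEND
2007-09-27 22:01:08 OPEN TCP 192.0.2.57 203.0.113.77 1056 25 - - - - - - - - SEND
2007-09-27 22:01:09 OPEN TCP 192.0.2.23 192.0.2.10 1201 25 - - - - - - - - SEND
2007-09-27 22:01:10 OPEN TCP 198.51.100.40 192.0.2.10 40211 25 - - - - - - - - RECEIVE
2007-09-27 22:01:11 OPEN TCP 192.0.2.57 203.0.113.9 1057 80 - - - - - - - - SEND
"""


def parse_w3c(text):
    """Rows as dicts keyed by the names in the #Fields header; directives are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def smtp_policy_violations(text):
    """Count, per internal source address, the connections the rule would have denied:
    the hosts on this list are the ones to pull off the network and scan."""
    hits = Counter()
    for row in parse_w3c(text):
        if not row["dst-port"].isdigit():
            continue
        if not egress_allowed(row["src-ip"], row["dst-ip"], int(row["dst-port"]), row["protocol"]):
            hits[row["src-ip"]] += 1
    return hits


if __name__ == "__main__":
    for host, count in smtp_policy_violations(SAMPLE_LOG).most_common():
        print(f"{host}: {count} direct SMTP connection(s) to the Internet")
```

Of the seven sample connections only the three from 192.0.2.57 to outside addresses on port 25 are violations: the mail server's own delivery, a workstation submitting to the internal mail server, inbound mail from the Internet and ordinary web traffic all pass. A host that shows up here is the "infected node" the accepted solution talks about, whichever scans the server itself came back clean.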
