troubleshooting Question

Grey Pigeon trojan removal

Avatar of OAC Technology
OAC TechnologyFlag for United States of America asked on
SecurityAnti-Virus Apps
8 Comments3 Solutions2421 ViewsLast Modified:
The Grey Pigeon trojan has been installed on one of our systems. It was opening random ports and listening for connections from remote IP's.  There's a downloader on the computer disguising itself as notepad.exe.  If I kill it, it comes back 3 seconds later.  

Does anyone know of a utility to get rid of this virus?  We've tried spybot, adaware, symantec, trend micro, hijack this, and counterspy.  These have picked up a few trojans and removed them, but there's still something listening for connections  on random ports and something keeps trying to change registry entries on startup.  We've blocked these IP's and all traffic to that server, so it can no longer connect, but we want to make sure that it's clean.  

Antivirus isn't picking anything up, but there's still something there.  The Hijack This log and results from netstat -a and -b are below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:06 PM, on 10/29/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wins.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\BX6BEE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Documents and Settings\Administrator.NOLANWIN1\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mswmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mspmsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmps.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmlog.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\cewmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_7] regsvr32.exe /s C:\WINDOWS\system32\mspmsnsv.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\audiodev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmaspdtx.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmstream.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmnetmgr.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmidx.ocx"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_7] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_8] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_9] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\laprxy.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_12] "C:\WINDOWS\system32\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvcore.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_15] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mpg4dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_16] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_17] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_18] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\qasf.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_19] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadvd.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_20] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadve.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_22] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp43dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_23] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp4sdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_24] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmnet.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_25] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmdev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_ivf] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\ivfsrc.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmvax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_msscrnax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8ax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8dmo] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_3] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_4] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_6] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_7] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_11] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_12] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_15] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_19] "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_21] "C:\Program Files\Windows Media Player\migrate.exe" /s
O4 - HKLM\..\RunOnce: [OE_WMPWPD_Install_2] C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193697858296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193697953140
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://nolanwin1.nolanwin.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://nolanwin1.nolanwin.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nolanwin.local
O17 - HKLM\Software\..\Telephony: DomainName = nolanwin.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{00766CB6-4E3B-459E-BE74-35283EB262CE}: NameServer = 192.168.0.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nolanwin.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{00766CB6-4E3B-459E-BE74-35283EB262CE}: NameServer = 192.168.0.250
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\hpadu\Bin\hpapp.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: CA BrightStor Database Engine (CASDBEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - CA - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Job Engine (CASJobEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 17199 bytes

60.249.



Netstat -a:
TCP      win1:3774      60-249-202-48.hinet-ip.hinet.net:http      TIME_WAIT
TCP      win1:3790      60-249-202-48.hinet-ip.hinet.net:http      TIME_WAIT

netstat -b:
TCP      win:3858      57.124.39.59.broad.yj.gd.dynamic.163data.com.cn:7686      SYN_SENT      1852
dmdmin      [svchost.exe]
TCP      win1:3821      60-249-202-48.hinet-ip.hinet.net:http      TIME_WAIT      0
TCP      win1:3843      60-249-202-48.hinet-ip.hinet.net:http      TIME_WAIT      0
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 3 Answers and 8 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 3 Answers and 8 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros