Hijack this spyware

Hi folks:

I'm running a 2003 SBS server. The server was banned by spamhaus.org for too much outgoing mail. We have a trojan, I'm pretty sure, as I went into Exchange System Manager, disabled Outgoing mail, and messages are still popping up on Trend Micro's mail monitor. Also, the ISP for the DSL circuit is seeing 67% of our traffic as outbound. That's a lot. There are approximately 50 messages a minute coming into / going out of the server and there are 3 people in the shop. None of them are prodigious typists. :) Spybot found nothing. TrendMicro's AntiVirus found nothing. But it IS showing all this mail going through with Exchange's Outgoing mail disabled.

Okay, we digress.  Here's my HijackThis.log

Any input would be appreciated

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:29:23 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\program files\syslogd\syslogd_service.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
D:\MYSQL\bin\mysqld-max.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_Master.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_SystemWatcher.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Microsoft Windows Small Business Server\monitoring\WbLogSvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\TEMP\AM3076.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Install Disks\HijackThis\HiJackThis_v2.exe
C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1128\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SBS Backup User')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1428\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SMX_BCNSV01')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.bcndev.local
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.dslreports.com
O15 - Trusted Zone: *.kayhome.com
O15 - Trusted Zone: *.qwest.net
O15 - Trusted IP range: 192.168.99.*
O15 - ESC Trusted Zone: *.4dv.net
O15 - ESC Trusted Zone: *.adobe.com
O15 - ESC Trusted Zone: *.apc.com
O15 - ESC Trusted Zone: *.apcc.com
O15 - ESC Trusted Zone: *.bcndevelopment.com
O15 - ESC Trusted Zone: *.cnn.com
O15 - ESC Trusted Zone: *.dell.com
O15 - ESC Trusted Zone: *.dslreports.com
O15 - ESC Trusted Zone: *.grc.com
O15 - ESC Trusted Zone: *.java.com
O15 - ESC Trusted Zone: *.kayconsultingservices.com
O15 - ESC Trusted Zone: *.kayhome.com
O15 - ESC Trusted Zone: *.lewan.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: *.pantelsystems.com
O15 - ESC Trusted Zone: *.pantelsystems.net
O15 - ESC Trusted Zone: *.sharp.com
O15 - ESC Trusted Zone: *.sharpusa.com
O15 - ESC Trusted Zone: *.symantec.com
O15 - ESC Trusted Zone: *.whatismyip.com
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122153376792
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\Software\..\Telephony: DomainName = bcndev.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9CA13F-68D0-4721-B43C-5799F4FEA3CB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: EUQ_Monitor - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
O23 - Service: EUQ_Setup - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\setupInstExchangeRule.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - c:\program files\syslogd\syslogd_service.exe
O23 - Service: MySql - Unknown owner - D:\MYSQL\bin\mysqld-max.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Messaging Security Agent Master Service (ScanMail_Master) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent Remote Configuration Server (ScanMail_RemoteConfig) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent System Watcher (ScanMail_SystemWatcher) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
Dana Friedman (CEO) asked:

Bill Bach (President and Btrieve Guru) commented:
You could use a network analyzer (such as Microsoft's Network Monitor -- see Windows Setup to install it, if it's not installed already), or an open-source tool like Wireshark (www.wireshark.org) to view the network traffic.  This would allow you to see the outbound Email and see what it contains.  You can then watch for INBOUND traffic as well (i.e. SMTP mail relay traffic) that might be coming from a workstation somewhere on the LAN.

Of course, don't rely on only one AV scanner -- always check with another, such as Panda, many of which are available as "free" scans on the 'Net.
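Bill Bach's advice above is to capture the traffic and see which machine is actually opening the SMTP sessions. As an added example (not from the thread or from any tool it mentions), here is a small Python script that takes a capture exported as one line per TCP connection to port 25 and ranks LAN hosts by how many SMTP connections they open per minute; the 192.168.99.0/24 LAN, the server address 192.168.99.1 and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the thread): the SBS/Exchange box and its LAN.
LAN = ip_network("192.168.99.0/24")
MAIL_SERVER = ip_address("192.168.99.1")

# Constructed sample: one line per TCP SYN to port 25, "<epoch> <src> <dst>",
# the shape you get by exporting a Wireshark/tshark capture to text.
SAMPLE_FLOWS = """\
1201566000 192.168.99.1 203.0.113.25
1201566001 192.168.99.14 198.51.100.7
1201566001 192.168.99.14 198.51.100.8
1201566002 192.168.99.14 203.0.113.40
1201566003 192.168.99.20 192.168.99.1
1201566030 192.168.99.14 198.51.100.9
1201566055 192.168.99.20 192.168.99.1
1201566070 192.168.99.1 203.0.113.26
"""

def classify(src, dst):
    """Label one port-25 connection by who opened it and where it went."""
    src, dst = ip_address(src), ip_address(dst)
    if src == MAIL_SERVER and dst not in LAN:
        return "server-to-internet"   # Exchange delivering mail: expected
    if src in LAN and dst == MAIL_SERVER:
        return "lan-to-server"        # a client relaying through Exchange
    if src in LAN and dst not in LAN:
        return "lan-direct-to-mx"     # a client bypassing Exchange entirely
    return "other"

def peak_rates(text, window=60):
    """Map (src, kind) -> highest number of connections seen in any one window."""
    buckets = defaultdict(int)
    for line in text.splitlines():
        ts, src, dst = line.split()
        buckets[(src, classify(src, dst), int(ts) // window)] += 1
    peaks = defaultdict(int)
    for (src, kind, _), n in buckets.items():
        peaks[(src, kind)] = max(peaks[(src, kind)], n)
    return dict(peaks)

def suspects(text, per_minute=3):
    """Hosts to inspect first: any LAN host talking to outside MTAs directly
    (assumes Exchange is the only sanctioned MTA) or any source whose peak
    rate in a 60 s window reaches per_minute. Sorted busiest first."""
    hits = [(src, kind, n) for (src, kind), n in peak_rates(text).items()
            if kind == "lan-direct-to-mx" or n >= per_minute]
    return sorted(hits, key=lambda h: -h[2])
```

A workstation that shows up talking to outside mail servers on its own, or relaying through the server at tens of connections a minute, is the one to pull off the network and scan first.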

Chrisedebo commented:
Hi there,

I can't see anything untoward about the log file above. There is a chance that the problem isn't located on the server. It could be a trojan horse running on one of the three client machines. Have you performed a full virus scan and spybot search on those machines?

Cheers

Chris
Dana Friedman (CEO, Author) commented:
Hi Chris:

Yes, after I posted that log, I did a comprehensive network scan, only to find I hadn't gotten to all the junk, and that it's on at least two other stations. I must now go back, put every machine in safe mode, clean 'em, and hope the problem goes away.
Thanks!
Dana

Chrisedebo commented:
Good work :o)

I hadn't seen BillBach's comment before I posted mine so I think he deserves the points.
Dana Friedman (CEO, Author) commented:
The Network Analyzer got me pointed in a different direction, which was great. Of course, getting to the rest of the stations is a whole 'nother thing. I hope y'all consider this an appropriate division.
Dana Friedman (CEO, Author) commented:
Turns out that this server's the victim of a rootkit, and... I'm not even sure HijackThis picked up on it. If HijackThis nailed it, I missed the entry. I'm learning about the new crop of tools from Microsoft and others to deal with rootkits, though. What FUN.
Chrisedebo commented:
Which tools are these? Share the wealth ;o)
Dana Friedman (CEO, Author) commented:
I'm guessing that Microsoft acquired this company (the developers of the SysInternals Suite).
http://tinyurl.com/2cwwuy 

(Tinyurl.com ROCKS, by the way).

If you look at the descriptions of the tools in here, it's... both fascinating and frightening as to what kind of ills are out there for this suite of tools to fix.