Dana Friedman asked:

Hijack this spyware

Hi folks:

I'm running a 2003 SBS server. The server was banned by spamhaus.org for too much outgoing mail. We have a trojan, I'm pretty sure, as I went into Exchange System Manager, disabled Outgoing mail, and messages are still popping up on Trend Micro's mail monitor. Also, the ISP for the DSL circuit is seeing 67% of our traffic as outbound. That's a lot. There are approximately 50 messages a minute coming into / going out of the server and there are 3 people in the shop. None of them are prodigious typists. :) Spybot found nothing. TrendMicro's AntiVirus found nothing. But it IS showing all this mail going through with Exchange's Outgoing mail disabled.

Okay, we digress. Here's my HijackThis.log

Any input would be appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:29:23 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\program files\syslogd\syslogd_service.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
D:\MYSQL\bin\mysqld-max.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_Master.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_SystemWatcher.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Microsoft Windows Small Business Server\monitoring\WbLogSvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\TEMP\AM3076.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Install Disks\HijackThis\HiJackThis_v2.exe
C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1128\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SBS Backup User')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1428\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SMX_BCNSV01')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.bcndev.local
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.dslreports.com
O15 - Trusted Zone: *.kayhome.com
O15 - Trusted Zone: *.qwest.net
O15 - Trusted IP range: 192.168.99.*
O15 - ESC Trusted Zone: *.4dv.net
O15 - ESC Trusted Zone: *.adobe.com
O15 - ESC Trusted Zone: *.apc.com
O15 - ESC Trusted Zone: *.apcc.com
O15 - ESC Trusted Zone: *.bcndevelopment.com
O15 - ESC Trusted Zone: *.cnn.com
O15 - ESC Trusted Zone: *.dell.com
O15 - ESC Trusted Zone: *.dslreports.com
O15 - ESC Trusted Zone: *.grc.com
O15 - ESC Trusted Zone: *.java.com
O15 - ESC Trusted Zone: *.kayconsultingservices.com
O15 - ESC Trusted Zone: *.kayhome.com
O15 - ESC Trusted Zone: *.lewan.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: *.pantelsystems.com
O15 - ESC Trusted Zone: *.pantelsystems.net
O15 - ESC Trusted Zone: *.sharp.com
O15 - ESC Trusted Zone: *.sharpusa.com
O15 - ESC Trusted Zone: *.symantec.com
O15 - ESC Trusted Zone: *.whatismyip.com
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122153376792
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\Software\..\Telephony: DomainName = bcndev.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9CA13F-68D0-4721-B43C-5799F4FEA3CB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: EUQ_Monitor - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
O23 - Service: EUQ_Setup - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\setupInstExchangeRule.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - c:\program files\syslogd\syslogd_service.exe
O23 - Service: MySql - Unknown owner - D:\MYSQL\bin\mysqld-max.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Messaging Security Agent Master Service (ScanMail_Master) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent Remote Configuration Server (ScanMail_RemoteConfig) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent System Watcher (ScanMail_SystemWatcher) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
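As an added example (not from the original thread), here is a small Python parser for the HijackThis log format that pulls out the running-process list and the numbered O-entries, then flags the items a responder would look at first: executables running from a temp directory and O23 services with no recorded owner. The sample lines are a constructed subset of the log above; a hit is a prompt to verify the file, not a verdict.

```python
import re

# Constructed sample: a handful of lines lifted from the HijackThis log above.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Exchsrvr\\bin\\store.exe
C:\\WINDOWS\\TEMP\\AM3076.EXE
C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe

O4 - HKLM\\..\\Run: [bacstray] C:\\Program Files\\Broadcom\\BACS\\bacstray.exe
O23 - Service: MySql - Unknown owner - D:\\MYSQL\\bin\\mysqld-max.exe
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\\PVSW\\BIN\\NTBTRV.EXE
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - c:\\program files\\syslogd\\syslogd_service.exe
"""

# Path fragments that mark a binary running out of a temp location (assumed list).
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\", "\\local settings\\temp\\")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the R/F/O entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True          # process list follows, one path per line
            continue
        if not line:
            in_procs = False         # blank line ends the process list
            continue
        if in_procs:
            procs.append(line)
        elif re.match(r"^[RFO]\d+ - ", line):
            entries.append(line)     # e.g. "O23 - Service: ..."
    return procs, entries


def review_findings(text):
    """Return (reason, item) pairs worth a human look. Heuristics only:
    a hit means 'check this file', not 'this is malware'."""
    procs, entries = parse_hjt(text)
    findings = []
    for p in procs:
        if any(t in p.lower() for t in TEMP_DIRS):
            findings.append(("process running from a temp directory", p))
    for e in entries:
        if e.startswith("O23") and "- Unknown owner -" in e:
            findings.append(("service with no recorded owner", e))
    return findings


if __name__ == "__main__":
    for reason, item in review_findings(SAMPLE_LOG):
        print(f"[{reason}] {item}")
```

On a full log, "Unknown owner" is common for legitimate third-party services (MySQL and Pervasive here), so the temp-directory hit is the one to verify first.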
ASKER CERTIFIED SOLUTION
Bill Bach
Dana Friedman (asker):

Hi Chris:

Yes, after I posted that log, I did a comprehensive network scan, only to find I hadn't gotten to all the junk, and that it's on at least two other stations. I must now go back, put every machine in safe mode, clean 'em, and hope the problem goes away.
Thanks!
Dana
The Network Analyzer got me pointed in a different direction, which was great. Of course, getting to the rest of the stations is a whole 'nother thing. I hope y'all consider this an appropriate division.
Turns out that this server's the victim of a rootkit, and... I'm not even sure HijackThis picked up on it. If HijackThis nailed it, I missed the entry. I'm learning about the new crop of tools from Microsoft and others to deal with rootkits, though. What FUN.
Which tools are these? Share the wealth ;o)
I'm guessing that Microsoft acquired this company (the developers of the SysInternals Suite).
http://tinyurl.com/2cwwuy 

(Tinyurl.com ROCKS, by the way).

If you look at the descriptions of the tools in here, it's... both fascinating and frightening as to what kind of ills are out there for this suite of tools to fix.