Dana Friedman
asked on
Hijack this spyware
Hi folks:
I'm running a 2003 SBS server. The server was banned by spamhaus.org for too much outgoing mail. We have a trojan, I'm pretty sure, as I went into Exchange System Manager, disabled Outgoing mail, and messages are still popping up on Trend Micro's mail monitor. Also, the ISP for the DSL circuit is seeing 67% of our traffic as outbound. That's a lot. There are approximately 50 messages a minute coming into/going out of the server, and there are 3 people in the shop. None of them are prodigious typists. :) Spybot found nothing. TrendMicro's AntiVirus found nothing. But it IS showing all this mail going through with Exchange's Outgoing mail disabled.
Okay, we digress. Here's my HijackThis.log.
Any input would be appreciated.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:29:23 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\program files\syslogd\syslogd_service.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
D:\MYSQL\bin\mysqld-max.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_Master.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_SystemWatcher.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Microsoft Windows Small Business Server\monitoring\WbLogSvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\TEMP\AM3076.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\BACS\bacstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Install Disks\HijackThis\HiJackThis_v2.exe
C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1128\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SBS Backup User')
O4 - HKUS\S-1-5-21-4261390227-2094736615-378955725-1428\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SMX_BCNSV01')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.bcndev.local
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.dslreports.com
O15 - Trusted Zone: *.kayhome.com
O15 - Trusted Zone: *.qwest.net
O15 - Trusted IP range: 192.168.99.*
O15 - ESC Trusted Zone: *.4dv.net
O15 - ESC Trusted Zone: *.adobe.com
O15 - ESC Trusted Zone: *.apc.com
O15 - ESC Trusted Zone: *.apcc.com
O15 - ESC Trusted Zone: *.bcndevelopment.com
O15 - ESC Trusted Zone: *.cnn.com
O15 - ESC Trusted Zone: *.dell.com
O15 - ESC Trusted Zone: *.dslreports.com
O15 - ESC Trusted Zone: *.grc.com
O15 - ESC Trusted Zone: *.java.com
O15 - ESC Trusted Zone: *.kayconsultingservices.com
O15 - ESC Trusted Zone: *.kayhome.com
O15 - ESC Trusted Zone: *.lewan.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: *.pantelsystems.com
O15 - ESC Trusted Zone: *.pantelsystems.net
O15 - ESC Trusted Zone: *.sharp.com
O15 - ESC Trusted Zone: *.sharpusa.com
O15 - ESC Trusted Zone: *.symantec.com
O15 - ESC Trusted Zone: *.whatismyip.com
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122153376792
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://bcnsv01.bcndev.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\Software\..\Telephony: DomainName = bcndev.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9CA13F-68D0-4721-B43C-5799F4FEA3CB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bcndev.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{56E97715-39BC-4AFC-8050-8E7D11CFEAEB}: NameServer = 192.168.99.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: EUQ_Monitor - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe
O23 - Service: EUQ_Setup - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\setupInstExchangeRule.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - c:\program files\syslogd\syslogd_service.exe
O23 - Service: MySql - Unknown owner - D:\MYSQL\bin\mysqld-max.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Messaging Security Agent Master Service (ScanMail_Master) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent Remote Configuration Server (ScanMail_RemoteConfig) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Messaging Security Agent System Watcher (ScanMail_SystemWatcher) - Trend Micro Inc. - C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
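Added example (editor's code, not part of the original thread or of HijackThis): a small first-pass triage script for a log like the one above. It parses the Running processes list and the tagged entries and pulls out what a reviewer would want to verify first: executables running from a Temp directory (the log above has one), O4 autorun entries pointing into Temp, and O23 services with no publisher recorded. The embedded excerpt copies lines from the post plus one constructed O4 "[example]" line; TEMP_DIRS, the regex and the Finding type are the example's own, and a hit is a prompt to check the file, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the posted log, plus one made-up O4 "[example]" line.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:29:23 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\TEMP\AM3076.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\bacstray.exe
O4 - HKLM\..\Run: [example] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\example.exe
O23 - Service: MySql - Unknown owner - D:\MYSQL\bin\mysqld-max.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - c:\program files\syslogd\syslogd_service.exe
"""

TEMP_DIRS = {"temp", "tmp", "temporary internet files"}
# Drive-letter or %VAR%-rooted path ending in an executable extension (surrounding quotes optional).
PATH_RE = re.compile(r'"?((?:[a-z]:|%\w+%)\\[^"\r\n]*?\.(?:exe|bat|cmd|com|scr|dll))', re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # "process" for the Running processes list, else the HijackThis tag (O4, O23, ...)
    reason: str
    line: str


def in_temp_dir(path):
    """True if any directory component of the path is a Temp-style folder."""
    parts = path.replace("/", "\\").lower().split("\\")[:-1]
    return any(p in TEMP_DIRS for p in parts)


def parse_sections(text):
    """Yield (section, line) pairs for the process list and every tagged entry."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        tag = re.match(r"([RO]\d+) - ", line)
        if tag:
            in_procs = False  # the first R/O entry ends the process list
            yield tag.group(1), line
        elif in_procs:
            yield "process", line


def triage(text):
    """Return the entries a reviewer should verify first; a hit is a prompt, not a verdict."""
    findings = []
    for section, line in parse_sections(text):
        if section == "process" and in_temp_dir(line):
            findings.append(Finding(section, "executable running from a Temp directory", line))
        elif section == "O4":
            m = PATH_RE.search(line.split("] ", 1)[-1])
            if m and in_temp_dir(m.group(1)):
                findings.append(Finding(section, "autorun entry pointing into a Temp directory", line))
        elif section == "O23" and " - Unknown owner - " in line:
            findings.append(Finding(section, "service binary with no publisher recorded", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the excerpt this flags the Temp-resident process, the constructed Temp autorun and the MySql service; the last two are there to show that "Unknown owner" is a verify-it signal, not proof of anything.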
ASKER
The Network Analyzer got me pointed in a different direction, which was great. Of course, getting to the rest of the stations is a whole 'nother thing. I hope y'all consider this an appropriate division.
ASKER
Turns out that this server's the victim of a rootkit, and... I'm not even sure HijackThis picked up on it. If HijackThis nailed it, I missed the entry. I'm learning about the new crop of tools from Microsoft and others to deal with rootkits, though. What FUN.
Which tools are these? Share the wealth ;o)
ASKER
I'm guessing that Microsoft acquired this company (the developers of the SysInternals Suite).
http://tinyurl.com/2cwwuy
(Tinyurl.com ROCKS, by the way).
If you look at the descriptions of the tools in here, it's... both fascinating and frightening as to what kind of ills are out there for this suite of tools to fix.
ASKER
Yes, after I posted that log, I did a comprehensive network scan, only to find I hadn't gotten to all the junk, and that it's on at least two other stations. I must now go back, put every machine in safe mode, clean 'em, and hope the problem goes away.
Thanks!
Dana