leoncot asked:
virus creating lots of smtp traffic, AVG & Symantec blue screen on scan (Win 2K Server)

Hi,

Something is hammering our internet connection, using all the bandwidth.  After a bit of checking I managed to stop the problem by stopping the SMTP service.  Unfortunately I need this service as the machine runs our Exchange Server.

Pretty sure it's not an open relay problem - the problem persists even if I stop all the Exchange services.

Please help - below is the HijackThis log.

Thanks,

Leon

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27:49, on 10/03/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\leon\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\SterlingCommerce\SI\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft BackOffice\Connectivity\POP3 Connector\vmimb.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\SterlingCommerce\SI\bin\ops.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\SterlingCommerce\SI\bin\Noapp.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe
C:\Program Files\BackupDirect\CBSysTray.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\winlogon.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\SterlingCommerce\SI\bin\webdav.exe
C:\SterlingCommerce\SI\bin\vslisten.exe
C:\SterlingCommerce\SI\bin\cla2client.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
O4 - HKUS\S-1-5-21-1659004503-1645522239-839522115-1274\..\Run: [internat.exe] internat.exe (User 'sonix')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1659004503-1645522239-839522115-1274 Startup: BackupDirect TaskBar Icon.LNK = C:\Program Files\BackupDirect\OLSysTray.exe (User 'sonix')
O4 - .DEFAULT User Startup: BackupDirect TaskBar Icon.LNK = C:\Program Files\BackupDirect\OLSysTray.exe (User 'Default user')
O4 - Global Startup: Backup Direct TaskBar Icon.LNK = C:\Program Files\BackupDirect\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\leon\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\leon\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\leon\windows\system32\rnr20.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.gameknot.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://stercomm.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {E82ED244-76EF-4D34-BDB3-AB21A522F38E} (webhelper Class) - http://www.btconnect.com/public/home/download/btbconnectwebcontrol015.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = filtagroup.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A81355-34F5-4790-B49B-5D58A86D3981}: NameServer = 193.113.209.14,193.113.209.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B046527-DA36-4D5C-87D8-4295BFE82E6D}: NameServer = 193.113.209.14,193.113.209.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4888521-5C89-4266-9087-65DAC3B7E17C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = filtagroup.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A81355-34F5-4790-B49B-5D58A86D3981}: NameServer = 193.113.209.14,193.113.209.46
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = filtagroup.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{06A81355-34F5-4790-B49B-5D58A86D3981}: NameServer = 193.113.209.14,193.113.209.46
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\BackupDirect\AgentSrv.EXE
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gentran Integration Suite at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\si.exe
O23 - Service: Gentran Integration Suite CmdLine2Adapter at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\cla2client.exe
O23 - Service: Gentran Integration Suite EventListeners at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\vslisten.exe
O23 - Service: Gentran Integration Suite Noapps at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\Noapp.exe
O23 - Service: Gentran Integration Suite Opsserver at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\ops.exe
O23 - Service: Gentran Integration Suite WebDav at port 5000 - Alexandria Software Consulting - C:\SterlingCommerce\SI\bin\webdav.exe
O23 - Service: Gentran_Integration_Suite_MySql_at_port_5000 - Unknown owner - C:\SterlingCommerce\SI\mysql\bin\mysqld-nt.exe
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:\SterlingCommerce\SI\mysql\bin\mysqld-nt (file missing)
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

--
End of file - 9102 bytes
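The quickest way to tell whether a box like this is being abused as an open relay (outsiders talking to its port 25) or whether a local process is sending mail directly to many remote mail servers (our host talking to remote port 25) is to look at the direction of the SMTP connections in `netstat -an`, which Windows 2000 does have. The script below is an added example, not part of the original post or of any tool named in it: it parses saved `netstat -an` output and counts inbound versus outbound SMTP connections. The sample output embedded in it is constructed to look like a host spamming remote MTAs; the addresses, ports and the threshold used by `verdict()` are assumptions for illustration.

```python
"""Classify SMTP connections in saved `netstat -an` output (added example).

Usage on the server:  netstat -an > netstat.txt
then call summarize_smtp(open("netstat.txt").read()).
"""
import re
from collections import Counter

SMTP_PORT = 25

# One `netstat -an` connection line: proto, local addr:port, foreign addr:port, state.
# UDP lines ("*:*") deliberately fail the port match and are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S+)?\s*$")

# Constructed sample (not captured from any real host): the usual listeners,
# one legitimate inbound SMTP session from the LAN, an RDP session, and a
# burst of outbound connections to port 25 on several different remote hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.2:25         192.168.0.44:3201      ESTABLISHED
  TCP    192.168.0.2:1087       203.0.113.5:25         SYN_SENT
  TCP    192.168.0.2:1088       203.0.113.9:25         SYN_SENT
  TCP    192.168.0.2:1089       198.51.100.23:25       ESTABLISHED
  TCP    192.168.0.2:1090       198.51.100.77:25       SYN_SENT
  TCP    192.168.0.2:1091       203.0.113.5:25         TIME_WAIT
  TCP    192.168.0.2:1092       192.0.2.10:25          SYN_SENT
  TCP    192.168.0.2:3389       192.168.0.12:4410      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state) for each connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a line we cannot parse
        proto, laddr, lport, raddr, rport, state = m.groups()
        yield proto, laddr, int(lport), raddr, int(rport), state or ""


def summarize_smtp(text):
    """Split SMTP connections by direction.

    inbound  = remote hosts connected to OUR port 25 (relay abuse if they are
               outside the LAN)
    outbound = remote MTAs WE are connecting to on port 25 (a local process is
               delivering mail directly, which Exchange normally does only to
               a handful of smart hosts/MX servers)
    """
    inbound, outbound, half_open = [], [], 0
    for proto, _laddr, lport, raddr, rport, state in parse_netstat(text):
        if proto != "TCP" or state == "LISTENING":
            continue
        if lport == SMTP_PORT:
            inbound.append(raddr)
        elif rport == SMTP_PORT:
            outbound.append(raddr)
            if state == "SYN_SENT":  # never completed: typical of bulk spamming
                half_open += 1
    return {
        "inbound_total": len(inbound),
        "outbound_total": len(outbound),
        "outbound_distinct_hosts": len(set(outbound)),
        "outbound_half_open": half_open,
        "top_outbound": Counter(outbound).most_common(3),
    }


def verdict(summary, distinct_threshold=5):
    """Rough call based on the counts; the threshold is an assumption."""
    if summary["outbound_distinct_hosts"] >= distinct_threshold:
        return "local process sending to many remote MTAs (not an open relay)"
    if summary["inbound_total"] > summary["outbound_total"]:
        return "mostly inbound on port 25: check for open relay"
    return "no obvious SMTP anomaly"


if __name__ == "__main__":
    s = summarize_smtp(SAMPLE_NETSTAT)
    for k, v in s.items():
        print(f"{k}: {v}")
    print(verdict(s))
```

Because the Windows 2000 `netstat` has no `-o` switch, the owning process is not in this output; once the pattern says "outbound to many hosts", map the local ports back to a process with a port-to-process tool such as Sysinternals TCPView, and compare that process against the running-process list in the HijackThis log above.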

jvuz (Belgium):

Do a check with an updated version of www.superantispyware.com and Spybot (http://www.safer-networking.org/en/index.html)
MasterArtisan:

Check with Trend Micro HouseCall (housecall.trendmicro.com). Great utility to identify and clean infections.
ASKER CERTIFIED SOLUTION
leoncot