Solved

unknown process attached to port 25

Posted on 2009-04-13
1
1,240 Views
Last Modified: 2013-12-06
have a process that is attaching itself to port 25, can't seem to track down the process. tried by pid but showing up 0, not seeing anything besides the system idle process.
used active ports, i can kill the process but it comes right back. used msconfig and not seeing it in the start up. in the code is a hjthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:56 PM, on 4/13/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrustITM\InoNmSrv.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\eTrustITM\inoweb.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\Program Files\Marshal\MailMarshal\MMController.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MARSHALL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Marshal\MailMarshal\MMEngine.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\CA\SharedComponents\JRE\1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1164\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1169\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.dnsreport.com
O15 - ESC Trusted Zone: http://www.dnsstuff.com
O15 - ESC Trusted Zone: http://h20000.www2.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: *.hp.com
O15 - ESC Trusted Zone: http://*.java.com
O15 - ESC Trusted Zone: http://login.live.com
O15 - ESC Trusted Zone: http://www.marshal.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://admin.mvpnetworking.com
O15 - ESC Trusted Zone: http://www.mvpworks.com
O15 - ESC Trusted Zone: http://*.mvpworks.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.10.254
O15 - ESC Trusted IP range: http://192.168.10.2
O15 - ESC Trusted IP range: http://192.168.10.253
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEAGroup.local
O17 - HKLM\Software\..\Telephony: DomainName = BEAGroup.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6151A0-AE19-4D69-99AD-1126F0BA6F07}: NameServer = 192.168.10.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEAGroup.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Alert Notification Server - CA, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Apache Content Server (ApacheContentServer) - Apache Software Foundation - C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
O23 - Service: Apache Tomcat Application Server (ApacheTomcatApplicationServer) - Apache Software Foundation - C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM Server Service (InoNmSrv) - CA - C:\Program Files\CA\eTrustITM\InoNmSrv.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: eTrust ITM Web Access Service (InoWeb) - CA - C:\Program Files\CA\eTrustITM\inoweb.exe
O23 - Service: eEye Iris Engine (irissvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Iris\IrisSvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
O23 - Service: MailMarshal Controller (MMController) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMController.exe
O23 - Service: MailMarshal Engine (MMEngine) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMEngine.exe
O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
 
--
End of file - 10830 bytes

Open in new window

0
Comment
Question by:vincello1
1 Comment
 
LVL 27

Accepted Solution

by:
David-Howard earned 500 total points
ID: 24133310
The following entries are listed as unknown and can be removed if you do not know their source.
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

This is listed in your IE Trusted Zone.
O15 - ESC Trusted Zone: *.hp.com

Unknown Active X entry.
WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab

Unknown Services:
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32

O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program

O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

You might also want to try logging in to Safe Mode and running your antivirus/antimalware programs.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question