Solved

unknown process attached to port 25

Posted on 2009-04-13
1
1,226 Views
Last Modified: 2013-12-06
have a process that is attaching itself to port 25, can't seem to track down the process. tried by pid but showing up 0, not seeing anything besides the system idle process.
used active ports, i can kill the process but it comes right back. used msconfig and not seeing it in the start up. in the code is a hjthis log
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:50:56 PM, on 4/13/2009

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe

C:\WINDOWS\system32\cpqrcmc.exe

C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe

C:\WINDOWS\system32\Dfssvc.exe

C:\WINDOWS\System32\dns.exe

C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\CA\eTrustITM\InoNmSrv.exe

C:\Program Files\CA\eTrustITM\InoRpc.exe

C:\Program Files\CA\eTrustITM\InoRT.exe

C:\Program Files\CA\eTrustITM\InoTask.exe

C:\Program Files\CA\eTrustITM\inoweb.exe

C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe

C:\Program Files\Marshal\MailMarshal\MMController.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MARSHALL\Binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe

C:\WINDOWS\system32\ntfrs.exe

C:\hp\hpsmh\bin\smhstart.exe

C:\WINDOWS\System32\wins.exe

C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe

C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe

C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe

C:\Program Files\Exchsrvr\bin\exmgmt.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\Program Files\Exchsrvr\bin\mad.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\system32\sysdown.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe

C:\Program Files\Exchsrvr\bin\store.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe

C:\Program Files\Marshal\MailMarshal\MMSender.exe

C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Marshal\MailMarshal\MMEngine.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\rdpclip.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cpqteam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CA\eTrustITM\realmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

c:\windows\system32\inetsrv\w3wp.exe

c:\windows\system32\inetsrv\w3wp.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s

O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\CA\SharedComponents\JRE\1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1164\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser')

O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1169\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: Server Management.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://companyweb

O15 - ESC Trusted Zone: http://ardownload.adobe.com

O15 - ESC Trusted Zone: http://www.adobe.com

O15 - ESC Trusted Zone: http://www.dnsreport.com

O15 - ESC Trusted Zone: http://www.dnsstuff.com

O15 - ESC Trusted Zone: http://h20000.www2.hp.com

O15 - ESC Trusted Zone: http://welcome.hp.com

O15 - ESC Trusted Zone: *.hp.com

O15 - ESC Trusted Zone: http://*.java.com

O15 - ESC Trusted Zone: http://login.live.com

O15 - ESC Trusted Zone: http://www.marshal.com

O15 - ESC Trusted Zone: http://rad.msn.com

O15 - ESC Trusted Zone: http://www.msn.com

O15 - ESC Trusted Zone: http://admin.mvpnetworking.com

O15 - ESC Trusted Zone: http://www.mvpworks.com

O15 - ESC Trusted Zone: http://*.mvpworks.com

O15 - ESC Trusted Zone: http://*.windowsupdate.com

O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)

O15 - ESC Trusted IP range: http://192.168.1.1

O15 - ESC Trusted IP range: http://192.168.10.254

O15 - ESC Trusted IP range: http://192.168.10.2

O15 - ESC Trusted IP range: http://192.168.10.253

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEAGroup.local

O17 - HKLM\Software\..\Telephony: DomainName = BEAGroup.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6151A0-AE19-4D69-99AD-1126F0BA6F07}: NameServer = 192.168.10.5

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEAGroup.local

O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Alert Notification Server - CA, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Apache Content Server (ApacheContentServer) - Apache Software Foundation - C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe

O23 - Service: Apache Tomcat Application Server (ApacheTomcatApplicationServer) - Apache Software Foundation - C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe

O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe

O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe

O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe

O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe

O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe

O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

O23 - Service: eTrust ITM Server Service (InoNmSrv) - CA - C:\Program Files\CA\eTrustITM\InoNmSrv.exe

O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe

O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe

O23 - Service: eTrust ITM Web Access Service (InoWeb) - CA - C:\Program Files\CA\eTrustITM\inoweb.exe

O23 - Service: eEye Iris Engine (irissvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Iris\IrisSvc.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe

O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe

O23 - Service: MailMarshal Controller (MMController) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMController.exe

O23 - Service: MailMarshal Engine (MMEngine) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMEngine.exe

O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
 

--

End of file - 10830 bytes

Open in new window

0
Comment
Question by:vincello1
1 Comment
 
LVL 27

Accepted Solution

by:
David-Howard earned 500 total points
ID: 24133310
The following entries are listed as unknown and can be removed if you do not know their source.
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

This is listed in your IE Trusted Zone.
O15 - ESC Trusted Zone: *.hp.com

Unknown Active X entry.
WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab

Unknown Services:
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32

O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program

O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

You might also want to try logging in to Safe Mode and running your antivirus/antimalware programs.
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Join & Write a Comment

Easy CSR creation in Exchange 2007,2010 and 2013
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now