Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


unknown process attached to port 25

Posted on 2009-04-13
Medium Priority
Last Modified: 2013-12-06
have a process that is attaching itself to port 25, can't seem to track down the process. tried by pid but showing up 0, not seeing anything besides the system idle process.
used active ports, i can kill the process but it comes right back. used msconfig and not seeing it in the start up. in the code is a hjthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:56 PM, on 4/13/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoNmSrv.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\eTrustITM\inoweb.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\Program Files\Marshal\MailMarshal\MMController.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MARSHALL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\Program Files\Marshal\MailMarshal\MMEngine.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\CA\SharedComponents\JRE\1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1164\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1169\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.dnsreport.com
O15 - ESC Trusted Zone: http://www.dnsstuff.com
O15 - ESC Trusted Zone: http://h20000.www2.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: *.hp.com
O15 - ESC Trusted Zone: http://*.java.com
O15 - ESC Trusted Zone: http://login.live.com
O15 - ESC Trusted Zone: http://www.marshal.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://admin.mvpnetworking.com
O15 - ESC Trusted Zone: http://www.mvpworks.com
O15 - ESC Trusted Zone: http://*.mvpworks.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range:
O15 - ESC Trusted IP range:
O15 - ESC Trusted IP range:
O15 - ESC Trusted IP range:
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEAGroup.local
O17 - HKLM\Software\..\Telephony: DomainName = BEAGroup.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6151A0-AE19-4D69-99AD-1126F0BA6F07}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEAGroup.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Alert Notification Server - CA, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Apache Content Server (ApacheContentServer) - Apache Software Foundation - C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
O23 - Service: Apache Tomcat Application Server (ApacheTomcatApplicationServer) - Apache Software Foundation - C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM Server Service (InoNmSrv) - CA - C:\Program Files\CA\eTrustITM\InoNmSrv.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: eTrust ITM Web Access Service (InoWeb) - CA - C:\Program Files\CA\eTrustITM\inoweb.exe
O23 - Service: eEye Iris Engine (irissvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Iris\IrisSvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
O23 - Service: MailMarshal Controller (MMController) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMController.exe
O23 - Service: MailMarshal Engine (MMEngine) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMEngine.exe
O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
End of file - 10830 bytes

Open in new window

Question by:vincello1
1 Comment
LVL 27

Accepted Solution

David-Howard earned 2000 total points
ID: 24133310
The following entries are listed as unknown and can be removed if you do not know their source.
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

This is listed in your IE Trusted Zone.
O15 - ESC Trusted Zone: *.hp.com

Unknown Active X entry.
WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab

Unknown Services:
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32

O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program

O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

You might also want to try logging in to Safe Mode and running your antivirus/antimalware programs.

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to effectively resolve the number one email related issue received by helpdesks.
In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question