?
Solved

unknown process attached to port 25

Posted on 2009-04-13
1
Medium Priority
?
1,254 Views
Last Modified: 2013-12-06
have a process that is attaching itself to port 25, can't seem to track down the process. tried by pid but showing up 0, not seeing anything besides the system idle process.
used active ports, i can kill the process but it comes right back. used msconfig and not seeing it in the start up. in the code is a hjthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:56 PM, on 4/13/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrustITM\InoNmSrv.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\eTrustITM\inoweb.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\Program Files\Marshal\MailMarshal\MMController.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MARSHALL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Marshal\MailMarshal\MMEngine.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\CA\SharedComponents\JRE\1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1164\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-1507247843-1684385094-2021572992-1169\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.dnsreport.com
O15 - ESC Trusted Zone: http://www.dnsstuff.com
O15 - ESC Trusted Zone: http://h20000.www2.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: *.hp.com
O15 - ESC Trusted Zone: http://*.java.com
O15 - ESC Trusted Zone: http://login.live.com
O15 - ESC Trusted Zone: http://www.marshal.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://admin.mvpnetworking.com
O15 - ESC Trusted Zone: http://www.mvpworks.com
O15 - ESC Trusted Zone: http://*.mvpworks.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.10.254
O15 - ESC Trusted IP range: http://192.168.10.2
O15 - ESC Trusted IP range: http://192.168.10.253
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEAGroup.local
O17 - HKLM\Software\..\Telephony: DomainName = BEAGroup.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6151A0-AE19-4D69-99AD-1126F0BA6F07}: NameServer = 192.168.10.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEAGroup.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Alert Notification Server - CA, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Apache Content Server (ApacheContentServer) - Apache Software Foundation - C:\Program Files\CA\eTrustITM\Apache\Bin\Apache.exe
O23 - Service: Apache Tomcat Application Server (ApacheTomcatApplicationServer) - Apache Software Foundation - C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM Server Service (InoNmSrv) - CA - C:\Program Files\CA\eTrustITM\InoNmSrv.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: eTrust ITM Web Access Service (InoWeb) - CA - C:\Program Files\CA\eTrustITM\inoweb.exe
O23 - Service: eEye Iris Engine (irissvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Iris\IrisSvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
O23 - Service: MailMarshal Controller (MMController) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMController.exe
O23 - Service: MailMarshal Engine (MMEngine) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMEngine.exe
O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
 
--
End of file - 10830 bytes

Open in new window

0
Comment
Question by:vincello1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 27

Accepted Solution

by:
David-Howard earned 2000 total points
ID: 24133310
The following entries are listed as unknown and can be removed if you do not know their source.
C:\Program Files\Marshal\MailMarshal\MMArrayManager.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Marshal\MailMarshal\MMSender.exe
C:\Program Files\Marshal\MailMarshal\MMReceiver.exe
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

This is listed in your IE Trusted Zone.
O15 - ESC Trusted Zone: *.hp.com

Unknown Active X entry.
WebCacheCleaner Class) - https://vpn.mvpworks.com/MLWebCacheCleaner.cab

Unknown Services:
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32

O23 - Service: MailMarshal Array Manager (MMArrayManager) - Marshal Ltd - C:\Program

O23 - Service: MailMarshal Receiver (MMReceiver) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMReceiver.exe

O23 - Service: MailMarshal Sender (MMSender) - Marshal Ltd - C:\Program Files\Marshal\MailMarshal\MMSender.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

You might also want to try logging in to Safe Mode and running your antivirus/antimalware programs.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question