Full Version: Possible infection
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
BGRTech
I regularly run Adaware and Spybot S&D. Lately I have not been able to run Spybot even after uninstall and reinstall. This is on a file and email server running Windows Server 2003 and Exchange 2003. I have been having a problem with someone trying to relay spam through me. Here is a copy of my HijackThis log. Any help is greatly appreciated.


Logfile of HijackThis v1.97.7
Scan saved at 12:40:11 PM, on 4/19/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\cpqmgmt\cpqwmi.exe
C:\WINNT\System32\cqimdsvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\ntfrs.exe
C:\shares\public\PCCSRV\web\service\ofcservice.exe
C:\Program Files\Trend\Smex\InstMon.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\Program Files\Trend\Smex\RMonitor.exe
C:\WINNT\System32\wins.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\SUS\wusync\WUSyncSvc.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\Program Files\Trend\Smex\RMonUI.exe
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend\Smex\InstRTS.exe
C:\Program Files\Trend\Smex\SmexVS.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\Program Files\Trend\Smex\SMEXMA.exe
C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
c:\winnt\system32\inetsrv\w3wp.exe
C:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {19366A96-A776-11D3-81E6-00105A97FB7D} (MonitorIT Live Control) - http://monitor:81/controls/MonitorITLive.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://mssupport.webex.com/client/support/atbootie.cab
O16 - DPF: {7B5FD235-0160-11D3-9C28-204C4F4F5020} (MonitorIT File Control) - http://monitor:81/controls/RPMFile.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38075.8184375
O16 - DPF: {A30A19F6-2BDC-11D2-BF56-00104B2D6F80} (MonitorIT Outlook Control) - http://monitor:81/Controls/RpmOutlook.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D88C2358-FC83-11D1-BF49-00104B2D6F80} (MonitorIT Comm Control) - http://monitorit:81/controls/RPMComm.cab
O16 - DPF: {F8796CA5-2AFF-11D2-A4D0-EF6465889131} (MonitorIT Tree Control) - http://monitor:81/Controls/RpmTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bgrcompanies.com
O17 - HKLM\Software\..\Telephony: DomainName = bgrcompanies.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{424B20D0-766C-410E-94C9-248145C91E98}: NameServer = 192.168.1.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BC127DD-C388-4FF8-9531-16B5E266FAB1}: NameServer = 192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bgrcompanies.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bgrcompanies.com
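As an added example (not part of the original post and not code from HijackThis itself), the following Python script parses a log in the format BGRTech posted into its sections and lists the entries an admin reviewing such a log usually confirms first: proxy settings (R1), Run-key autoruns (O4), the hosts that O16 ActiveX controls were downloaded from, and any running process outside the usual system directories. The sample log is a constructed excerpt modelled on the one above; hostnames such as download.example.invalid and the domain example.invalid are placeholders.

```python
"""Parse a HijackThis v1.97-style log and list the entries a reviewer checks first.

Added example; the sample log is a constructed excerpt, not the poster's full log.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log in the HijackThis v1.97 format shown in the thread.
# download.example.invalid / example.invalid are placeholders, not real sources.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:40:11 PM, on 4/19/2004
Platform: Unknown Windows (WinNT 5.02.3790)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.invalid/swflash.cab
O16 - DPF: {19366A96-A776-11D3-81E6-00105A97FB7D} (MonitorIT Live Control) - http://monitor:81/controls/MonitorITLive.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.invalid
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: "<hive>\..\<key>: [<name>] <command line>"
AUTORUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: "DPF: {<CLSID>} (<description>) - <download URL>"
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


def parse_hjt_log(text):
    """Split a log into header lines, running processes and findings grouped by code."""
    header, processes, entries = [], [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries[m.group("code")].append(m.group("body"))
        elif in_processes:
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": dict(entries)}


def proxy_settings(entries):
    """R1 entries that set a ProxyServer; on a server this should match a known proxy."""
    return [body for body in entries.get("R1", []) if "ProxyServer" in body]


def autoruns(entries):
    """(hive, value name, command line) for each O4 Run-key entry."""
    found = []
    for body in entries.get("O4", []):
        m = AUTORUN_RE.match(body)
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found


def dpf_hosts(entries):
    """Map each O16 ActiveX download host to the controls fetched from it."""
    hosts = defaultdict(list)
    for body in entries.get("O16", []):
        m = DPF_RE.match(body)
        if m:
            hosts[urlparse(m.group("url")).hostname].append(m.group("desc"))
    return dict(hosts)


def unexpected_process_paths(processes, expected_prefixes=("C:\\WINNT\\", "C:\\Program Files\\")):
    """Running processes whose image path is outside the expected directories (case-insensitive)."""
    prefixes = [p.lower() for p in expected_prefixes]
    return [p for p in processes if not any(p.lower().startswith(x) for x in prefixes)]


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print("Proxy settings:", proxy_settings(log["entries"]))
    print("Autoruns:", autoruns(log["entries"]))
    print("ActiveX download hosts:", dpf_hosts(log["entries"]))
    print("Processes outside expected paths:", unexpected_process_paths(log["processes"]))
```

The script only groups and extracts; it does not decide what is malicious. The point is to turn a long log into a short list of items (the proxy address, each autorun command, each download host, each process outside system paths) that the admin can confirm against what the server is supposed to run.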
LoPhatPhuud
Great news, your system is clean at last.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and downloads are available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html


IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and downloads are available at:
IE/Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm


Good luck, and thanks for coming to Gladiator Security Forums.
BGRTech
Thanks for your help.
LoPhatPhuud
You're very welcome; glad we were able to help.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
Invision Power Board © 2001-2009 Invision Power Services, Inc.