Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log


  • Please log in to reply
1 reply to this topic

#1 Uhlsport

Uhlsport

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 16 March 2005 - 12:45 PM

I am trying to figure out if I have a malware is running on my email server because somehow I believe that it has became an Open Relay.

Here's the log that I ran today. Also I have have been reading all kinds of posting in regard the CSRSS.EXE process beause I noticed that I have 3 of them running.

Any help will be appreciated so I can really clean up for work.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:09 AM, on 3/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP4 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Merak\calendar.exe
C:\Program Files\Merak\control.exe
C:\Program Files\Merak\im.exe
C:\Program Files\Merak\pop3.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Merak\smtp.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\tkanoya\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Paraquad
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = paraquad.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{E304F411-3144-4028-BB32-CC3821575DBE}: NameServer = *i took out the ip address*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = paraquad.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = paraquad.org
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Merak Calendaring Server (MerakCalendar) - IceWarp Software - C:\Program Files\Merak\calendar.exe
O23 - Service: Merak Mail Server Control (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak Instant Messaging Server (MerakIM) - IceWarp Software - C:\Program Files\Merak\im.exe
O23 - Service: Merak Mail Server POP3/IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak Mail Server SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:08 AM

Posted 16 March 2005 - 11:19 PM

Fix this:

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

Reboot and post a new log. If you have an open relay its prob due to something configured incorrectly on the mail server running on this machine




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users