
Smtp/exchange Servers Flooded With Outgoing Spam, Hjt Attached


1 reply to this topic

#1 sabresfan198

sabresfan198

  • Members
  • 13 posts
  • Gender:Male
  • Location:West Haven, CT
  • Local time:07:04 AM

Posted 16 November 2005 - 11:34 AM

Hey all, I've been getting killed here with outgoing spam. I'm going to attach HJT from both our SMTP and Exchange servers, SMTP first followed by Exchange.

SMTP:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:46 AM, on 11/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
e:\SMSSMTP.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\DOCUME~1\ydynkin\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\DOCUME~1\ydynkin\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [EFI Job Monitor] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\spool\DRIVERS\W32X86\3\efjm.dll,run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://64.51.153.229/ACCPAC/cabs/ActiveXViewer.cab
O16 - DPF: {41226E39-3413-459D-8F28-137A8DC5A4F4} (AccpacAP5101.AccpacAP5101UICtrl) - http://64.51.153.229/ACCPAC/AP51A/ACCPACAP5101.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1124289819828
O16 - DPF: {846C0AB0-0A09-4DCF-8C42-2737EFF47CF4} (AccpacAS3000.ACCPACAS3000UICtrl) - http://64.51.153.229/ACCPAC/AS53A/ACCPACAS3000.CAB
O16 - DPF: {B6B35894-DD6F-11D3-84AC-00C04F0E1B46} (ACCPAC Signon Manager) - http://64.51.153.229/ACCPAC/cabs/a4wcomex.cab
O16 - DPF: {BF705556-DC61-4E53-8A1E-A6748AD4863B} (AccpacCS1000.AccpacCS1000UICtrl) - http://64.51.153.229/ACCPAC/CS53A/ACCPACCS1000.CAB
O16 - DPF: {D44555E4-2447-41C4-9B66-ED4653EC925D} (ACCPAC Web Session Manager) - http://64.51.153.229/ACCPAC/cabs/a4wWebSessionMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFA4234-1417-4CCF-800B-BD6C776D456A}: NameServer = 192.168.1.25,192.168.1.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Mail Security for SMTP (SMSSMTP) - Symantec Corporation - e:\SMSSMTP.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Exchange:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:47 AM, on 11/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\program files\sav\DefWatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cba\pds.exe
d:\Program Files\NAVMSE\NAVESRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
d:\Program Files\NAVMSE\NAVECTRL.EXE
d:\Program Files\NAVMSE\navesp.exe
d:\Program Files\NAVMSE\navesp.exe
d:\Program Files\NAVMSE\navesp.exe
d:\Program Files\NAVMSE\NAVELOG.EXE
D:\program files\sav\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
D:\exchsrvr\bin\mad.exe
d:\Program Files\NAVMSE\NAVEAP.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
D:\PROGRA~1\sav\VPTray.exe
D:\exchsrvr\bin\ADMIN.EXE
C:\WINNT\system32\mmc.exe
D:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\net.exe
D:\exchsrvr\bin\ADMIN.EXE
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\sav\VPTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O17 - HKLM\System\CCS\Services\Tcpip\..\{CACEAD8D-C249-4141-B94A-FDE45838B73A}: NameServer = 192.168.1.25,209.87.79.232,209.87.64.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = plansponsor.pscom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = plansponsor.pscom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = plansponsor.pscom
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = plansponsor.pscom
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\program files\sav\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: NAV for Microsoft Exchange (NavExchange) - Symantec Corporation - d:\Program Files\NAVMSE\NAVESRV.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINNT\system32\snmptrap.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\program files\sav\Rtvscan.exe



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • Gender:Male
  • Location:USA
  • Local time:08:04 AM

Posted 21 November 2005 - 11:49 AM

Sorry for the delay. If you are still having problems, please post a brand new hijackthis log as a reply to this topic.

Thanks



