Trojan

Hi

Firstly, sorry for the long post, but I wanted to show you guys copies of
logs.

Recently we have been hit with a trojan on our SBS2003 Premium machine.
Config is dual NIC, running ISA.

We are having constant hits to two specific IP addresses, originating from
the server. Here is a copy-paste from the webext log in isalogs:

127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.2022) 2021-04-15 08:00:24 SERVER01 - 195.225.176.3 - 80 - 264 332 http GET http://195.225.176.3/slp2/dll2_0001.bin - 403
127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.2022) 2021-04-15 08:00:24 SERVER01 - 195.225.177.14 - 80 - 266 332 http GET http://195.225.177.14/slp2/dll2_0001.bin - 403

We are running Symantec Corporate, completely up to date, but it detects
nothing. I've even booted into safe mode and run it. Makes no difference -
it detects nothing.

Below is a copy-paste of a HijackThis log. I can see nothing that shouldn't
be there:

Logfile of HijackThis v1.99.1
Scan saved at 09:04:00, on 15/04/2021
Platform: Windows 2003 (WinNT 5.02.2022)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CA\BrightStor Backup Agent for Open Files\Ofant.exe
C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe
C:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Symantec\SAVFMSE\SMSECtrl.EXE
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\Symantec\SAVFMSE\SMSEUI.EXE
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SAVFMSE\SMSELog.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SAVFMSE\SMSESJM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Symantec\SAVFMSE\SMSETask.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\system32\HPJETDSC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPJETDSC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER01:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {C74190B6-8589-11D1-B16A-00C0F0283628} (Microsoft TreeView Control 6.0 (SP4)) - http://server01:9999/mscomctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mckeefry.local
O17 - HKLM\Software\..\Telephony: DomainName = mckeefry.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}: NameServer = 10.0.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E882B144-DB20-434E-BB94-D07F30B03D77}: NameServer = 10.0.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mckeefry.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}: NameServer = 10.0.0.4
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mckeefry.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}: NameServer = 10.0.0.4
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - Computer Associates - C:\Program Files\CA\BrightStor Backup Agent for Open Files\Ofant.exe
O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe
O23 - Service: Symantec AntiVirus/Filtering for Microsoft Exchange 2000 (SAVFMSE) - Symantec Corporation - C:\Program Files\Symantec\SAVFMSE\SMSESrv.exe

I am completely stuck here. I don't know where to turn.

Best Regards

Robbie Niblock
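A triage script a defender could run over a proxy log like the one quoted in the post, added here as an example; it is not part of the original post and not ISA Server's own tooling. It parses lines in the column layout shown above (the column meanings, in particular that the trailing fields are method, URL, MIME type and status, are inferred from that layout and are an assumption, not the documented ISA schema), groups requests by client and URL, and reports a client that keeps requesting the same file and is refused every time. The sample log lines are constructed, using RFC 5737 documentation addresses instead of the real destinations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Column layout inferred from the lines quoted in the post (an assumption, not the
# documented ISA schema): client IP, user, user agent (contains spaces), date, time,
# then space-separated fields ending in ... protocol, method, URL, MIME type, status.
_LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<agent>.+?) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.+)$"
)


def parse_webext_line(line):
    """Parse one webext-style line into a dict; return None for lines that do not fit."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split()
    if len(rest) < 5:
        return None
    return {
        "client": m.group("client"),
        "user": m.group("user"),
        "agent": m.group("agent"),
        "when": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S"),
        "method": rest[-4],
        "url": rest[-3],
        "status": rest[-1],
    }


def _max_hits_in_window(times, window_seconds):
    """Largest number of requests inside any window_seconds-wide interval (times sorted)."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_repeated_blocked_fetches(lines, min_hits=3, window_seconds=600, min_blocked_ratio=0.9):
    """Group requests by (client, URL) and report groups where one client keeps asking for
    the same URL (at least min_hits requests inside some window) and nearly all answers
    are 4xx/5xx, i.e. a download that is retried over and over although it is refused."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_webext_line(line)
        if rec is not None:
            groups[(rec["client"], rec["url"])].append(rec)

    findings = []
    for (client, url), recs in groups.items():
        times = sorted(r["when"] for r in recs)
        blocked = sum(1 for r in recs if r["status"][:1] in ("4", "5"))
        ratio = blocked / len(recs)
        burst = _max_hits_in_window(times, window_seconds)
        if burst < min_hits or ratio < min_blocked_ratio:
            continue
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        findings.append({
            "client": client,
            "url": url,
            "hits": len(recs),
            "max_hits_in_window": burst,
            "blocked_ratio": ratio,
            "median_gap_seconds": gaps[len(gaps) // 2] if gaps else None,
            "first": times[0],
            "last": times[-1],
        })
    return sorted(findings, key=lambda f: (-f["hits"], f["client"], f["url"]))


# Constructed sample log in the same layout as the post, with RFC 5737 documentation
# addresses instead of the real destinations: the server itself (127.0.0.1 behind the
# local proxy) retries the same .bin file from two hosts once a minute and is refused
# each time, while a workstation browses normally.
_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.2022)"
SAMPLE_LOG = []
for minute in range(4):
    for host in ("192.0.2.10", "192.0.2.11"):
        SAMPLE_LOG.append(
            f"127.0.0.1 anonymous {_UA} 2021-04-15 08:0{minute}:24 SERVER01 - {host} - 80 - "
            f"264 332 http GET http://{host}/slp2/sample_0001.bin - 403"
        )
for minute, page in ((0, "index.html"), (5, "news.html")):
    SAMPLE_LOG.append(
        f"10.0.0.23 DOMAIN\\jsmith Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) "
        f"2021-04-15 08:0{minute}:30 SERVER01 - www.example.com - 80 - 120 8192 http GET "
        f"http://www.example.com/{page} text/html 200"
    )

if __name__ == "__main__":
    for f in find_repeated_blocked_fetches(SAMPLE_LOG):
        print(f"{f['client']} -> {f['url']}: {f['hits']} hits, "
              f"{f['blocked_ratio']:.0%} blocked, every ~{f['median_gap_seconds']:.0f}s")
```

The useful output is the pairing of client, URL and cadence: a 127.0.0.1 client in a proxy log is a process on the server itself, so the next step is to match the timestamps against the running-process list and the service start times rather than against workstation traffic, and the steady one-minute gap is what distinguishes an automated retry from a person clicking a link.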
