Re: Trojan




Sorry, wrong group. I've posted in the correct one.


"Robbie Niblock" <robbie@xxxxxxxxxx> wrote in message
news:eCfs1LZQFHA.2356@xxxxxxxxxxxxxxxxxxxxxxx
> Hi
>
> Firstly, sorry for the long post, but I wanted to show you guys copies of
> logs.
>
> Recently we have been hit with a trojan on our SBS2003 Premium machine.
> Config is dual NIC, running ISA.
>
> We are having constant hits to two specific IP addresses, originating from
> the server. Here is a copy-paste from the webext log in isalogs:
>
> 127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1; .NET CLR 1.1.2022) 2021-04-15 08:00:24 SERVER01 - 195.225.176.3 -
> 80 - 264 332 http GET http://195.225.176.3/slp2/dll2_0001.bin - 403
> 127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1; .NET CLR 1.1.2022) 2021-04-15 08:00:24 SERVER01 - 195.225.177.14 -
> 80 - 266 332 http GET http://195.225.177.14/slp2/dll2_0001.bin - 403
>
> We are running Symantec Corporate, completely up to date, but it detects
> nothing. I've even booted into safe mode and run it. Makes no difference -
> it detects nothing.
>
> Below is a copy-paste of a HijackThis log. I can see nothing that
> shouldn't be there:
>
> Logfile of HijackThis v1.99.1
> Scan saved at 09:04:00, on 15/04/2021
> Platform: Windows 2003 (WinNT 5.02.2022)
> MSIE: Internet Explorer v6.00 (6.00.3790.0000)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
> C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
> C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
> C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
> C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
> C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
> C:\PROGRA~1\SAV\DefWatch.exe
> C:\WINDOWS\system32\Dfssvc.exe
> C:\WINDOWS\System32\dns.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\inetsrv\inetinfo.exe
> C:\WINDOWS\system32\cba\pds.exe
> C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
> C:\Program Files\Microsoft SQL
> Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
> C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
> C:\PROGRA~1\SAV\Rtvscan.exe
> C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
> C:\WINDOWS\system32\ntfrs.exe
> C:\Program Files\CA\BrightStor Backup Agent for Open Files\Ofant.exe
> C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe
> C:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\wins.exe
> C:\WINDOWS\system32\tcpsvcs.exe
> C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
> C:\WINDOWS\system32\MsgSys.EXE
> C:\WINDOWS\system32\cba\xfr.exe
> C:\Program Files\Symantec\SAVFMSE\SMSECtrl.EXE
> C:\Program Files\Exchsrvr\bin\exmgmt.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
> C:\Program Files\Symantec\SAVFMSE\SMSEUI.EXE
> C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
> C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
> C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
> C:\Program Files\Exchsrvr\bin\mad.exe
> C:\Program Files\Symantec\SAVFMSE\SMSELog.EXE
> C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
> C:\Program Files\Symantec\SAVFMSE\SMSESJM.EXE
> C:\Program Files\Microsoft SQL
> Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
> C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Microsoft ISA Server\mspadmin.exe
> C:\Program Files\Symantec\SAVFMSE\SMSETask.exe
> C:\Program Files\Microsoft ISA Server\wspsrv.exe
> C:\Program Files\Exchsrvr\bin\store.exe
> C:\Program Files\Microsoft ISA Server\w3proxy.exe
> C:\Program Files\Microsoft ISA Server\W3Prefch.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
> C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe
> C:\WINDOWS\Explorer.EXE
> C:\PROGRA~1\SAV\vptray.exe
> C:\WINDOWS\SYSTEM32\3cmlink.exe
> C:\WINDOWS\system32\HPJETDSC.EXE
> C:\WINDOWS\system32\ctfmon.exe
> C:\WINDOWS\SYSTEM32\3cshtdwn.exe
> C:\WINDOWS\SYSTEM32\3cmlink.exe
> C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
> C:\WINDOWS\system32\mmc.exe
> C:\WINDOWS\system32\wuauclt.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\rdpclip.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\system32\HPJETDSC.EXE
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
> C:\WINDOWS\system32\NOTEPAD.EXE
> C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
> res://shdoclc.dll/hardAdmin.htm
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.google.co.uk/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
> http://companyweb
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyServer = SERVER01:8080
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
> {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
> O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
> O4 - HKLM\..\Run: [DWPersistentQueuedReporting]
> C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
> O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices
> \Device\3cpipe-3c1807pd
> O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
> O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
> O4 - Startup: Server Management.lnk = ?
> O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI
> LPR Utility\okilpr.exe
> O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL
> Server\80\Tools\Binn\sqlmangr.exe
> O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
> C:\WINDOWS\web\related.htm
> O9 - Extra 'Tools' menuitem: Show &Related Links -
> {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O14 - IERESET.INF: START_PAGE_URL=http://companyweb
> O16 - DPF: {C74190B6-8589-11D1-B16A-00C0F0283628} (Microsoft TreeView
> Control 6.0 (SP4)) - http://server01:9999/mscomctl.cab
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mckeefry.local
> O17 - HKLM\Software\..\Telephony: DomainName = mckeefry.local
> O17 -
> HKLM\System\CCS\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}:
> NameServer = 10.0.0.4
> O17 -
> HKLM\System\CCS\Services\Tcpip\..\{E882B144-DB20-434E-BB94-D07F30B03D77}:
> NameServer = 10.0.0.4
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mckeefry.local
> O17 -
> HKLM\System\CS1\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}:
> NameServer = 10.0.0.4
> O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mckeefry.local
> O17 -
> HKLM\System\CS2\Services\Tcpip\..\{1B256C74-BB46-4593-BAF7-D8C32298E5C0}:
> NameServer = 10.0.0.4
> O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
> O23 - Service: Alert Notification Server - Computer Associates
> International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
> O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
> O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) -
> Computer Associates - C:\Program
> Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
> O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
> O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
> O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) -
> Computer Associates - C:\Program Files\CA\BrightStor ARCserve
> Backup\caserved.exe
> O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
> O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
> O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer
> Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
> O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates
> International Inc. - C:\Program
> Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
> O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates
> International Inc. - C:\Program
> Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
> O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) -
> Computer Associates - C:\Program
> Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
> O23 - Service: DefWatch - Symantec Corporation -
> C:\PROGRA~1\SAV\DefWatch.exe
> O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates -
> C:\Program Files\CA\iGateway\igateway.exe
> O23 - Service: Intel Alert Handler - Intel® Corporation -
> C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
> O23 - Service: Intel File Transfer - Intel® Corporation -
> C:\WINDOWS\system32\cba\xfr.exe
> O23 - Service: Intel PDS - Intel® Corporation -
> C:\WINDOWS\system32\cba\pds.exe
> O23 - Service: Event Log Watch (LogWatch) - Computer Associates -
> C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
> O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) -
> Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
> O23 - Service: Symantec System Center Discovery Service (NSCTOP) -
> Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
> O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - Computer
> Associates - C:\Program Files\CA\BrightStor Backup Agent for Open
> Files\Ofant.exe
> O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) -
> Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent
> for SQL\dbasqlr.exe
> O23 - Service: Symantec AntiVirus/Filtering for Microsoft Exchange 2000
> (SAVFMSE) - Symantec Corporation - C:\Program
> Files\Symantec\SAVFMSE\SMSESrv.exe
>
> I am completely stuck here. I don't know where to turn.
>
> Best Regards
>
> Robbie Niblock
>


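The two webext lines in the quoted post carry the detail that matters: the client IP is 127.0.0.1, so the requests are being made by something running on the ISA/SBS host itself rather than by a proxied workstation, the destination is a bare public IP rather than a hostname, the path ends in .bin, and the 403 only says ISA refused the fetch, not that the requester is gone. The following triage script is an added example, not code from the post or from ISA Server: it parses lines in the field layout visible in the post (which matches the default ISA 2004 W3C web-proxy layout) and flags server-originated fetches of binary payloads. The field names, the extension watch-list, the benign third sample line and the 10.0.0.23 client address are assumptions made up for the example.

```python
"""Triage ISA Server W3C web-proxy (webext) log lines for server-originated
fetches of binary payloads.  Added example, not code from the original post."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Field layout assumed from the two webext lines in the post (it matches the
# default ISA 2004 W3C web-proxy layout).  The user-agent contains spaces, so it
# is captured lazily up to the first ISO date; the 13 fields after the time are
# plain whitespace-separated tokens.
LINE_RE = re.compile(
    r"^(?P<c_ip>\S+)\s+(?P<user>\S+)\s+(?P<agent>.*?)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.+)$"
)
REST_FIELDS = ["server", "referred", "r_host", "r_ip", "r_port", "time_taken",
               "cs_bytes", "sc_bytes", "protocol", "method", "uri", "mime", "status"]
SUSPECT_EXT = (".bin", ".exe", ".dll", ".scr", ".pif")  # assumed watch-list

# Constructed sample: the two lines from the post plus one benign proxied
# client request (client 10.0.0.23 and the google.co.uk fetch are made up).
SAMPLE_LINES = [
    "127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.2022) "
    "2021-04-15 08:00:24 SERVER01 - 195.225.176.3 - 80 - 264 332 http GET "
    "http://195.225.176.3/slp2/dll2_0001.bin - 403",
    "127.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.2022) "
    "2021-04-15 08:00:24 SERVER01 - 195.225.177.14 - 80 - 266 332 http GET "
    "http://195.225.177.14/slp2/dll2_0001.bin - 403",
    "10.0.0.23 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) "
    "2021-04-15 08:01:02 SERVER01 - www.google.co.uk - 80 141 412 1837 http GET "
    "http://www.google.co.uk/ text/html 200",
]


@dataclass
class Entry:
    c_ip: str
    user: str
    agent: str
    date: str
    time: str
    server: str
    r_host: str
    r_port: str
    method: str
    uri: str
    status: str


def parse_line(line: str):
    """Return an Entry for one webext line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split()
    if len(rest) != len(REST_FIELDS):
        return None
    f = dict(zip(REST_FIELDS, rest))
    return Entry(m.group("c_ip"), m.group("user"), m.group("agent"),
                 m.group("date"), m.group("time"), f["server"], f["r_host"],
                 f["r_port"], f["method"], f["uri"], f["status"])


def server_origin(e: Entry) -> bool:
    """True when the request was issued by the ISA host itself (c-ip is loopback)."""
    try:
        return ipaddress.ip_address(e.c_ip).is_loopback
    except ValueError:
        return False


def _is_public_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname, not an IP literal


def payload_indicators(e: Entry) -> list:
    """Reasons the requested URL looks like a malware payload fetch; empty if none."""
    out = []
    parts = urlsplit(e.uri)
    if parts.hostname and _is_public_ip(parts.hostname):
        out.append("URL addresses a bare public IP instead of a hostname")
    if parts.path.lower().endswith(SUSPECT_EXT):
        out.append("URL path ends in a binary/executable extension")
    return out


def triage(lines):
    """Flag server-originated fetches with payload indicators.

    Returns (findings, per-destination counter); findings are (Entry, reasons)."""
    findings, by_dest = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or not server_origin(e):
            continue  # proxied client traffic is out of scope for this check
        why = payload_indicators(e)
        if why:
            findings.append((e, why))
            by_dest[(e.r_host, e.r_port)] += 1
    return findings, by_dest


if __name__ == "__main__":
    found, dests = triage(SAMPLE_LINES)
    for e, why in found:
        print(f"{e.date} {e.time} {e.method} {e.uri} -> {e.status}: " + "; ".join(why))
    for (host, port), n in dests.most_common():
        print(f"destination {host}:{port} hit {n} time(s)")
```

Run it over the real webext log instead of SAMPLE_LINES to get a per-destination hit count over time; the repeated 403s confirm ISA is denying the fetch but say nothing about which process on the server keeps issuing it, so the findings need to be paired with a per-process socket listing on the host (netstat -ano on Windows 2003) taken while the hits are occurring.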