Virus på servern HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:30, on 2008-02-26
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\NTBTRV.EXE
C:\WINDOWS\system32\ras\DbgSvc.exe
C:\WINDOWS\system32\NTDBSMGR.EXE
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\EDI\Indy\bin\indy.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
C:\Program Files\Rasterex\License Server\lmgrd.exe
C:\WINDOWS\system32\NTSSQL.EXE
C:\Program Files\eCopy\ShareScan OP\Agent\Bin\ShareScanOPAgent.exe
C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Rasterex\License Server\rasterex.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\TREND MICRO\CLIENT SERVER SECURITY AGENT\0FCD0G.EXE
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\eCopy\ShareScan OP\ShareScanOPManager\Bin\ShareScanOPManager.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\EDI\twim\bin\twim.exe
D:\EDI\twim\bin\twengine.exe
D:\EDI\twim\bin\twlog.exe
D:\EDI\twim\bin\twwatch.exe
D:\EDI\twim\bin\twcodex.exe
D:\EDI\twim\bin\twcomlog.exe
C:\Program Files\DIP\ODEX\ODEX32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\RootkitBuster.exe
C:\Program Files\Exchsrvr\bin\store.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {141D6F85-7E1B-487B-AE54-EB7498E7C732} - (no file)
O2 - BHO: (no name) - {1D3F0AD6-070F-46F2-8699-50B6E5D7500B} - (no file)
O2 - BHO: (no name) - {358A0DCD-2336-4382-BF73-F65BE6FC701B} - (no file)
O2 - BHO: (no name) - {AEBF6926-DBA6-4100-A838-1CED0169AB78} - (no file)
O2 - BHO: (no name) - {BB92B680-CE37-4617-9D75-1CB2FB5D0CBB} - (no file)
O2 - BHO: {f61e0b8e-e436-2afa-70b4-df8b26c8f9dd} - {dd9f8c62-b8fd-4b07-afa2-634ee8b0e16f} - (no

file)
O2 - BHO: (no name) - {E481C03E-E219-4BE2-A176-0FF8E80D21C6} - (no file)
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security

Agent\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-21-1153534407-4100349474-350309144-1200\..\Run: [CTFMON.EXE]

C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default

user')
O4 - Startup: ODEX Professional.lnk = C:\Program Files\DIP\ODEX\ODEX32.exe
O4 - Startup: Twim.lnk = twim\bin\twim.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL

Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted Zone: http://software.canon-europe.com
O15 - ESC Trusted Zone: http://www.canon.com
O15 - ESC Trusted Zone: http://www.canon.se
O15 - ESC Trusted Zone: http://www.fujitsu-siemens.se
O15 - ESC Trusted Zone: http://www.infocare.se
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) -
O16 - DPF: {004DF9D9-566D-11D7-B77D-00E018901A05} (Iqeye Control) -

http://192.168.1.51/iqeye.ocx.gz
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -

http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment

ObjRemoveCtrl Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/wind....cab?119730875

3484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/micr...te.cab?1197371

734828
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) -
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) -
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) -

http://eu.ntrsupport.com/inquiero/mo...ivex118_28.cab
O20 - Winlogon Notify: awtuvwv - awtuvwv.dll (file missing)
O23 - Service: Application Layer (ALGsvc) - Unknown owner - C:\WINDOWS\debug\WPA\Isass.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) -

Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation -

C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec

Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program

Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program

Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Btrieve v7.0 for Windows NT (Server Edition) - Unknown owner -

C:\WINDOWS\system32\NTBTRV.EXE
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation -

C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation -

C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The

Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird

Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Indy Application Server - Unknown owner - D:\EDI\Indy\bin\indy.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro

Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend

Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. -

C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: Windows Registery (RegSys) - Unknown owner - C:\WINDOWS\system32\registery.exe

(file missing)
O23 - Service: RxView - Macrovision Corporation - C:\Program Files\Rasterex\License

Server\lmgrd.exe
O23 - Service: Scalable SQL v4.0 for NT (Server Edition) - Pervasive Software Inc. -

C:\WINDOWS\system32\NTSSQL.EXE
O23 - Service: eCopy ShareScan OP Agent (ShareScanOPAgent) - eCopy, Inc. - C:\Program

Files\eCopy\ShareScan OP\Agent\Bin\ShareScanOPAgent.exe
O23 - Service: eCopy ShareScan OP Manager (ShareScanOPManager) - eCopy, Inc. - C:\Program

Files\eCopy\ShareScan OP\ShareScanOPManager\Bin\ShareScanOPManager.exe
O23 - Service: Java Win SSl (svchst) - Unknown owner - C:\Program Files\Java\jre1.4.8\javaws.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. -

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)
O23 - Service: Microsoft NET 3.0 (WINSYS) - Unknown owner - c:\windows\system32\Isass.exe

--
End of file - 12213 bytes

Scan type : Complete Scan
Total Scan Time : 00:51:10

Memory items scanned : 1041
Memory threats detected : 0
Registry items scanned : 5596
Registry threats detected : 27
File items scanned : 49326
File threats detected : 7

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORE ANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Ty pe
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#St art
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Er rorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Im agePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Di splayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Se curity
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Se curity#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\En um
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\En um#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\En um#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\En um#NextInstance