leeviker

We have cleaned a few pieces of malware off our webserver. However, we are experiencing some weird issues and I am afraid there is still somehting hidden in here. Here is the Hijackthis logfile. Would someone please let me know if something is of conceren in here? Thank you... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:15:08 AM, on 4/29/2009 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\termsrv.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\WINNT\System32\llssrv.exe C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\WINNT\system32\mfevtps.exe F:\Program Files\Microsoft Operations Manager 2005\MOMService.exe C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe C:\Program Files\Dell\SysMgt\RAC3\racsrvc.exe C:\Program Files\Dell\SysMgt\RAC3\RACWinVNC.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe C:\WINNT\System32\snmp.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe C:\WINNT\system32\Dfssvc.exe C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe C:\WINNT\System32\msdtc.exe C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\svchost.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINNT\system32\BacsTray.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\Program Files\McAfee\Common Framework\udaterui.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe C:\rootkit\Sysinternals\RootkitRevealer.exe C:\WINNT\system32\mmc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [bacstray] BacsTray.exe O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKUS\S-1-5-21-436374069-1303643608-725345543-1005\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET') O4 - HKUS\S-1-5-21-436374069-1303643608-725345543-1017\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices') O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144775094750 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171799478500 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emsed.com O17 - HKLM\System\CCS\Services\Tcpip\..\{355DDF29-1409-4179-B2B2-22D76E22ACBE}: NameServer = 12.191.238.49,12.191.238.7 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emsed.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emsed.com O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Mailing System - Unknown owner - C:\PROGRA~1\Windows Media Player\services.exe (file missing) O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINNT\system32\mfevtps.exe O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe O23 - Service: Remote Access Controller (RAC) Service (racsrvc) - Dell Computer Corporation - C:\Program Files\Dell\SysMgt\RAC3\racsrvc.exe O23 - Service: RAC Win VNC (RACWinVNC) - Dell Computer Corporation - C:\Program Files\Dell\SysMgt\RAC3\RACWinVNC.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe O23 - Service: UOMWMMZL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UOMWMMZL.exe -- End of file - 7738 bytes