Exchange server 2003

I have Exchange server 2003 running and for some reason now. the postmaster is emailing out approx. 100,000 emails a day. Once I stop the the services for exchange it stops and i have no inbound activity so i know its my server. i was wondering if anyone has heard or seen anything like this before.
As far as i know there is nothing else on my system running in the background that would cause this I will get some more information of my running processes in a shortwhile.

 

Sounds like a virus. Have you updated your AV soft and run a scan?

 

yes I updated the virus defs and ran that as well as several other programs.

 

just if anyone wants to know these are the processes that are running



Logfile of HijackThis v1.97.7
Scan saved at 2:53:27 PM, on 4/22/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
D:\Exchsrvr\bin\exmgmt.exe
D:\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
D:\Exchsrvr\bin\store.exe
D:\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\WINDOWS\system32\mmc.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.5192361111
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\Software\..\Telephony: DomainName = treppel.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2