Exchange server 2003

[zerobug]

I have Exchange server 2003 running and for some reason now. the postmaster is emailing out approx. 100,000 emails a day. Once I stop the the services for exchange it stops and i have no inbound activity so i know its my server. i was wondering if anyone has heard or seen anything like this before.
As far as i know there is nothing else on my system running in the background that would cause this I will get some more information of my running processes in a shortwhile.

 

[roban]

Sounds like a virus. Have you updated your AV soft and run a scan?

 

[zerobug]

yes I updated the virus defs and ran that as well as several other programs.

 

[zerobug]

just if anyone wants to know these are the processes that are running



Logfile of HijackThis v1.97.7
Scan saved at 2:53:27 PM, on 4/22/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
D:\Exchsrvr\bin\exmgmt.exe
D:\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
D:\Exchsrvr\bin\store.exe
D:\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\WINDOWS\system32\mmc.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.5192361111
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\Software\..\Telephony: DomainName = treppel.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = treppel.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2FB804BD-90D1-415F-8D59-B65E526AE207}: NameServer = 192.168.0.70,142.165.21.5,142.165.5.2