[Duplicate Post] Strange connections from domain server and my laptop [server]

Laudano
Good morning,
Analyzing the firewall's logs, I found some strange connections (aborted) and I would like to know if there is any major problem. The same connections also come from my laptop.

I post here the server's log:

--------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15.45.46, on 31/10/2011
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Trend Micro\AMSP\coreServiceShell.exe
C:\Programmi\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Programmi\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Programmi\HP\Cissesrv\cissesrv.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\main\isvw-main.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\scan\isvw-scan.exe
C:\Programmi\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
c:\Programmi\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Programmi\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Programmi\Trend Micro\Messaging Security Agent\SMEX_Master.exe
C:\Programmi\Trend Micro\Messaging Security Agent\svcGenericHost.exe
C:\Programmi\Trend Micro\Messaging Security Agent\SMEX_SystemWatcher.exe
C:\Programmi\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
c:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\UPHClean\uphclean.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Programmi\BackupAssist v4\BackupAssistService.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\webui\isvw-webui.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Programmi\Exchsrvr\bin\exmgmt.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\smtp\isvw-smtp.exe
C:\Programmi\Exchsrvr\bin\mad.exe
C:\Programmi\File comuni\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Exchsrvr\bin\store.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\http\isvw-http.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\services\isvw-svr.exe
C:\Programmi\Trend Micro\InterScan VirusWall 6\cmagent\isvw-agent.exe
C:\Programmi\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Programmi\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Programmi\Upsmon\Upsag_ap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\WINDOWS\system32\proquota.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Trend Micro\HijackThis\HiJackThis.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Microsoft Windows Small Business Server\monitoring\mssbsssr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fornito da Santa Croce spa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://proxy.santacroce.local:8585
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.*;*.santacroce.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Programmi\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\FILECO~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Upsag_ap] "C:\Programmi\Upsmon\Upsag_ap.exe" -nt
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Programmi\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Gestione servizi.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://www.google.it
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://www.inovatec.com
O15 - ESC Trusted Zone: http://www.merijn.org
O15 - ESC Trusted Zone: http://www.mm-one.com
O15 - ESC Trusted Zone: http://www.monclick.it
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://sea.search.msn.it
O15 - ESC Trusted Zone: http://www.myip.dk
O15 - ESC Trusted Zone: http://mail.netoffice.it
O15 - ESC Trusted Zone: http://www.realvnc.com
O15 - ESC Trusted Zone: http://www.trendmicro.com
O15 - ESC Trusted Zone: http://www.ups-technet.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - https://servernt.santacroce.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260865751484
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SantaCroce.local
O17 - HKLM\Software\..\Telephony: DomainName = SantaCroce.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69A9EB-A3AC-4A64-A5F1-EAE5217EAF11}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SantaCroce.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9B69A9EB-A3AC-4A64-A5F1-EAE5217EAF11}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SantaCroce.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9B69A9EB-A3AC-4A64-A5F1-EAE5217EAF11}: NameServer = 192.168.1.1
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Programmi\Compaq\hpadu\bin\hpapp.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Programmi\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Programmi\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Programmi\HP\Cissesrv\cissesrv.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: Trend Micro InterScan VirusWall 6 (ISVW) - Trend Micro Inc. - C:\Programmi\Trend Micro\InterScan VirusWall 6\main\isvw-main.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Master Service di Trend Micro Messaging Security Agent (ScanMail_Master) - Trend Micro Inc. - C:\Programmi\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: System Watcher di Trend Micro Messaging Security Agent (ScanMail_SystemWatcher) - Trend Micro Inc. - C:\Programmi\Trend Micro\Messaging Security Agent\svcGenericHost.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Trend Micro Security Agent Communicator (TmListen) - Trend Micro Inc. - C:\Programmi\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Windows (R) Codename Longhorn DDK provider - C:\Programmi\UPHClean\uphclean.exe
O23 - Service: Upsagent - UPS Monitor (Upsagent) - RPS S.p.a. - C:\Programmi\Upsmon\Upsag_nt.exe
O23 - Service: BackupAssist Service (zBackupAssistService) - Cortex I.T. - C:\Programmi\BackupAssist v4\BackupAssistService.exe

--
End of file - 11383 bytes