Cant detect what malware i have

[okp]

Hi Iam having a lot of trouble with my mail queue filling up, I traced the mail to 1 computer wich doesnt have email configured. The mail is generated to random recipients wich random senders. When i switch off the computer the problem is gone on the mail server.

So iam prety sure i have somekind of malware on this machine. I scanned with S&D but didnt find anything, neither with trendmicro Officescan.

The only suspicious thing i found is:
C:\WINNT\TEMP\BH4794.EXE
but i scanned it with Kaspersky, trendmicro and bitdefender and they didnt find something.

I need some help detecting what this malware is


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:43:19 p.m., on 28/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Dude\dude.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\TEMP\BH4794.EXE
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\COPERN~2\DESKTO~3.EXE
J:\070528 deteccion de virus\HJThis_v2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server_ibm/intranet/index.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2515.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p
O4 - HKUS\S-1-5-21-1645522239-583907252-1801674531-1001\..\Run: [internat.exe] internat.exe (User 'NetShowServices')
O4 - HKUS\S-1-5-21-1645522239-583907252-1801674531-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\S-1-5-21-1645522239-583907252-1801674531-1013\..\Run: [internat.exe] internat.exe (User 'ASPNET')
O4 - HKUS\S-1-5-21-1645522239-583907252-1801674531-1013\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.13:4343/officescan...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.1.13:4343/officescan...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.13:4343/officescan...tall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.13:4343/officescan...tml/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.13:4343/officescan...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142378676812
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug2...ineInstall.cab
O16 - DPF: {8990AFAD-D352-42AC-A72F-A660BBF6E209} (OfficeScan Management Console) - https://192.168.1.13:4343/officescan...AtxConsole.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://192.168.1.13:4343/officescan...tml/AtxPie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C35FABF-EE72-474E-BD09-94937DB63FE1}: NameServer = 200.30.144.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{97EA2800-7BD3-4637-BF31-425E94003F70}: NameServer = 192.168.1.1,200.30.144.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C35FABF-EE72-474E-BD09-94937DB63FE1}: NameServer = 200.30.144.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C35FABF-EE72-474E-BD09-94937DB63FE1}: NameServer = 200.30.144.4
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: The Dude Server - Unknown owner - C:\Program Files\Dude\dude.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\ORL\VNC\WinVNC.exe

--
End of file - 7973 bytes

[jholland1964]

You need to complete the steps given HERE
and be sure to do them exactly as requested, including the various steps, including removing unknown entries with Add/Remove and some which need to be run in SAFE MODE. This includes the download and running of the ATF-Cleaner(which will remove TEMP files, this is where the offending file resides, be certain to use BOTH the buttons for Internet Explorer AND Firefox since both are on the machine) and the AVG Anti-spy program (be sure you follow the configuration instructions for this one exactly as these instructions will tell you to be certain to have the program set to fix and/or remove the offending items found. Once you have completed the steps given then reboot to normal mode and run a new HJT scan. Save that log AND the AVG log and post both back here.
You also need to TURN OFF Spybot TeaTimer until all is fixed as this can interfere with any attempted fixes.

[pheonix73]

Also since judy did'nt mention it.Please download and use version 1.99.0.1 and not the beta version.This program is still in the making and can sometimes give false readings.