Old 03-03-2005, 03:55 AM   #9 (permalink)
steveybob
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


OK - well, here it is.

Hey Vadar, how you doing - OK I hope -
day off again for me - snow!
Here below are all the things you requested -

I still have to go through searchdom to get to the internet - and Norton detected but deleted the Spybot worm twice while I was using the TDS scan.
But it found some things - there are also some new things in the HJT log. Will this ever end?????
Also, sometimes when I connect and get to techforum I get a message from Sygate firewall saying that an application has been hijacked??????
I'm very grateful for all that you and tech support are doing though. Hope to hear from you again real soon.
Regards,
Steve

10:00:15 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:00:15 [Init] Started 03-03-05 10:00:15 GMT Standard Time (UTC: 0), Internet Time @458.51
10:00:15 [Init] Loading TDS-3 Systems ...
10:00:15 [Init] Token successfully adjusted.
10:00:15 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:00:16 [Init] • Plugins : OK. Loaded 13
10:00:16 [Init] • Exec Protection : Not Installed
10:00:16 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:00:16 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:00:16 [Init] Licensed users can use the Update facility from the TDS menu
10:00:16 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:00:19 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:00:19 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
10:00:19 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
10:00:19 [Init] TDS-3 Ready. <Steve@127.0.0.1 - United Kingdom>
10:00:19 [Tip Of The Day] DiamondCS have, and continue to develop a wide range of software, including the world's original and still the strongest BO2K scanner. Visit http://www.diamondcs.com.au for free downloads!
10:00:19 [TDS] Good morning Steve.
10:00:22 [Mutex Memory Scan] Started...
10:00:24 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:00:24 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:00:59 [CRC32] Started - verifying 29 files ...
10:01:00 [CRC32] File doesn't exist: C:\autoexec.bat
10:01:03 [CRC32] Test finished.
10:02:00 [Memory Scan] Memory scan started, please wait a moment ...
10:02:01 [Memory Scan] Memory scan complete.
10:02:01 [Mutex Memory Scan] Started...
10:02:03 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:02:03 [Trace Scan] Started...
10:02:07 [Trace Scan] Finished.
10:02:07 [ServiceScan] Scanning for services and drivers ...
10:02:11 [ServiceScan] Scanned 338 services and drivers.
10:02:11 [File Scan] Scanning in A:\ ...
10:02:12 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
10:02:12 [File Scan] Scanning in C:\ ...
10:25:47 [File Scan] Scanned 33628 files: 8 alarms in 1414.844 seconds (Avg 24.77 files/sec)
10:25:47 [File Scan] Scanning in D:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [File Scan] Scanning in E:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [File Scan] Scanning in F:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [Scan] Finished.


Scan Control Dumped @ 10:29:25 03-03-05
Positive identification: Trojan.Win32.Septic.a Dropper
File: c:\sepinst.exe

Suspicious Filename: Dual extensions
File: c:\windows\cxtpls_loader.sfx.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\windows\pi1_25.exe

Positive variant identification: Juntador Beta.f (Variant)
File: c:\windows\system32\msfwe1.exe

Positive variant identification: Juntador Beta.f (Variant)
File: c:\windows\system32\navupdts.exe

Positive identification: Trojan.Win32.VB.kq Dropper
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4ooec3mu\mw_4s_stub[1].exe

Positive identification (DLL): Adware.Toolbar.SideFind.a BHO (dll)
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4ooec3mu\sfbho13[1].dll

Positive identification <Adv>: Possible WebDownloader
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\k9841ul0\pi1_25[1].exe


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:31:33, on 03/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\atwtusb.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


End of KRC HijackThis Analyzer Log.
====================================================================


StartDreck (build 2.1.7 public stable) - 2005-03-03 @ 10:43:05 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Steve at HOME

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*RemoteCenter=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
*Steam=
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
*NAV Auto Updates=csrssp.exe
*rant=rant.exe
*runs=run.exe
»RunOnce
»Local Machine
»Run
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*CARPService=carpserv.exe
*CTSysVol=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
*CTDVDDET=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
*CTHelper=CTHELPER.EXE
*AsioReg=REGSVR32.EXE /S CTASIO.DLL
*SBDrvDet=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
*UpdReg=C:\WINDOWS\UpdReg.EXE
*PinnacleDriverCheck=C:\WINDOWS\System32\PSDrvCheck.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*Advanced Tools Check=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
*atwtusb=atwtusb.exe beta
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SmcService=C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\Resume Windows Update Installation.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\System32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+404=\SystemRoot\System32\smss.exe
+664=\??\C:\WINDOWS\system32\csrss.exe
+696=\??\C:\WINDOWS\system32\winlogon.exe
+740=C:\WINDOWS\system32\services.exe
+752=C:\WINDOWS\system32\lsass.exe
+900=C:\WINDOWS\System32\Ati2evxx.exe
+924=C:\WINDOWS\system32\svchost.exe
+964=C:\WINDOWS\System32\svchost.exe
+1004=C:\Program Files\Sygate\SPF\smc.exe
+1168=C:\WINDOWS\System32\svchost.exe
+1232=C:\WINDOWS\System32\svchost.exe
+1432=C:\WINDOWS\system32\spoolsv.exe
+1460=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1620=C:\WINDOWS\System32\alg.exe
+1644=C:\WINDOWS\System32\CTsvcCDA.exe
+1668=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1700=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1736=C:\Program Files\Norton AntiVirus\navapsvc.exe
+1788=C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
+1960=C:\WINDOWS\System32\svchost.exe
+168=C:\WINDOWS\System32\MsPMSPSv.exe
+548=C:\WINDOWS\Explorer.EXE
+560=C:\WINDOWS\System32\wbem\wmiprvse.exe
+1100=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1096=C:\WINDOWS\System32\carpserv.exe
+1108=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
+1196=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
+1140=C:\WINDOWS\System32\CTHELPER.EXE
+1188=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1388=C:\WINDOWS\System32\atwtusb.exe
+1552=C:\Program Files\QuickTime\qttask.exe
+1592=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
+1952=C:\Program Files\Messenger\msmsgs.exe
+2068=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
+2084=C:\WINDOWS\System32\ctfmon.exe
+2124=C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
+2904=C:\WINDOWS\System32\wuauclt.exe
+2496=C:\Program Files\Internet Explorer\iexplore.exe
+2632=C:\WINDOWS\system32\NOTEPAD.EXE
+2108=C:\Windows\System32\Notepad.exe
+2696=C:\startdrek\StartDreck.exe
»NT Services
*Alerter Alerter running auto
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Password Validation Service ccPwdSvc - on demand
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Creative Service for CDROM Access Creative Service for running auto
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*EPSON Printer Status Agent2 EPSONStatusAgent2 running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Machine Debug Manager MDM running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*Norton Unerase Protection NProtectService running auto
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess running auto
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Sygate Personal Firewall SmcService running auto
*Symantec Network Drivers Service SNDSrvc - on demand
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*SymWMI Service SymWSC - auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*WMDM PMSP Service WMDM PMSP Service running auto
*Portable Media Serial Number WmdmPmSp running auto
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»Application specific