The first one is the HJT Analyser log, the second is the TDS-3 log.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 11:41:37 PM, on 13/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
C:\Microsoft AntiSpyware\gcasServ.exe
C:\RAM Idle\RAM_XP.exe
C:\ZoneAlarm\zlclient.exe
C:\QuickTime\qttask.exe
C:\Spybot\TeaTimer.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Main User\Desktop\Security Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0616.dll
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll"
O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099831942755
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
End of KRC HijackThis Analyzer Log.
====================================================================
23:46:02 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
23:46:02 [Init] Started 13-04-05 23:46:02 E. Australia Standard Time (UTC: -10), Internet Time @615.30
23:46:02 [Init] Loading TDS-3 Systems ...
23:46:02 [Init] Token successfully adjusted.
23:46:02 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
23:46:02 [Init] • Plugins : OK. Loaded 13
23:46:02 [Init] • Exec Protection : Not Installed
23:46:02 [Init] WARNING: Your Radius.TD3 database needs to be updated!
23:46:02 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
23:46:02 [Init] Licensed users can use the Update facility from the TDS menu
23:46:02 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
23:46:10 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
23:46:10 [Init] • Systems Initialised [52187 references - 26562 primaries/13408 traces/12217 variants/other]
23:46:10 [Init] Radius Systems loaded. <Databases updated 13-04-2005>
23:46:10 [Init] TDS-3 Ready. <Main user@192.168.1.2, 127.0.0.1 - Australia>
23:46:10 [Tip Of The Day] Rest your eyes often. (And don't underestimate the value of this tip!)
23:46:10 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
23:46:10 [TDS] Good evening Main user.
23:46:16 [Mutex Memory Scan] Started...
23:46:18 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:46:18 [TDS-3] NOTICE - TDS-3 was not properly shut down.
23:46:18 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
23:46:23 [CRC32] Started - verifying 29 files ...
23:46:24 [CRC32] Test finished.
23:48:15 [Memory Scan] Memory scan started, please wait a moment ...
23:48:18 [Memory Scan] Memory scan complete.
23:48:18 [Mutex Memory Scan] Started...
23:48:20 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:48:20 [Trace Scan] Started...
23:48:27 [Trace Scan] Finished.
23:48:27 [ServiceScan] Scanning for services and drivers ...
23:48:32 [ServiceScan] Scanned 294 services and drivers.
23:48:32 [File Scan] Scanning in C:\ ...
00:25:32 [File Scan] Scanned 39791 files: 2 alarms in -84179.94 seconds (Avg .53 files/sec)
00:25:32 [File Scan] Scanning in D:\ ...
00:25:52 [File Scan] Scanned 98 files: 2 alarms in 20.48901 seconds (Avg 5.78 files/sec)
00:25:52 [Scan] Finished.
The 2 alarms found were:
c:\gendel32.exe
c:\windows\downloaded program files\popcaploader.dll