[Desmodus]

I have an application spoolsv.exe trying to access the internet, and on advice from MicroBell here is a HJT log in case it is a trojan.

Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:45:35 PM, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\CAP3RSK.EXE
C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
C:\QuickTime\qttask.exe
C:\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Documents and Settings\Main User\Desktop\Security Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_2
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099831942755
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.

 

[MicroBell]

Hi and Welcome to TSF

I don't see anything bad in the log..but we are going to look deeper. I do suspect that one of the cannon programs is using the spoolsv.exe file and trying to connect.


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post.


Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

 

[Desmodus]

Ad-aware, CWShredder and Spybot returned clean scans, but the panda activescan turned up three entries:

Incident Status Location

Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Adware:adware/popupdefence No disinfected Windows Registry


Silent Runner came up with this log:
"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_2" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"PmProxy" = "C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" ["adi"]
"00THotkey" = "C:\WINDOWS\System32\00THotkey.exe" ["TOSHIBA Corp."]
"000StTHK" = "000StTHK.exe" [null data]
"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"TFNF5" = "TFNF5.exe" ["Toshiba Corp."]
"Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"Drag'n Drop CD+DVD" = "C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp" [empty string]
"LtMoh" = "C:\Program Files\ltmoh\Ltmoh.exe" ["Agere Systems"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"CAP3ON" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE" ["CANON INC."]
"LWBMOUSE" = "C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE" [empty string]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Main User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\FIELDL~1.SCR" (FieldLines.scr) [null data]


Startup items in "Main User" & "All Users" startup folders:
-----------------------------------------------------------

C:\Documents and Settings\Main User\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Canon LASER SHOT LBP-1120 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE !N" ["CANON INC."]
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\System32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 12 seconds)

 

[MicroBell]

As I suspected I see no malware running. If you want to confirm that one of the cannon programs is causing this..disable them in the startup tab in msconfig. I't a good bet one of them is your cause.

*Note* The Panda scan results are a false positive.

 

[Desmodus]

thanks MicroBell. just so we're clear, it is save for me to allow the program to access the internet next time it pops up?

 

[MicroBell]

Well..I don't see any malware running so I would say yes. I would however monitor it...when it asks for permissions. Since you have ZoneAlarm installed..check it's log and make sure it's not trying to access some obscure IP. Next time it asks for access..open up ZA..click 'Alerts and Logs' and locate the newest spoolsv.exe access attempt and highlight it. In the window on the bottom you should see it's Source IP and Destination IP. Research the IP listed.

I need you to try this also...

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Then do a search for spoolsv.exe and post all directorys you find it in.

 

[Desmodus]

I assume this is what you mean.....
5 entries found:
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\$NtUninstallKB896423$
C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$hf_mig$\KB896423\SP2QFE

 

[MicroBell]

Yes that's fine. I justed wanted to make sure there wasn't a "Rouge" spoolsv.exe file running from a location it should not be in. What you posted are all LEGIT locations.