Odd service running on computer

  • #16
    I know it might seem like a basic idea, and you said S&D returned nothing, but in the advanced mode of Spybot, under the System Startup panel, it should list everything that is running or starts up, and you can check/uncheck each one. If it's in there, it should no longer be a threat, right?
    Answering easy questions since 1987
    If God is for me, who can be against me? (Si Dieu est pour moi, qui peut être contre moi?)

    • #17
      I find that when FTP daemons run on Windows machines, Hacker Defender is not very far behind, and the Task Manager becomes very suspect indeed.

      My usual solution involves using the command line tools and booting into single user mode, errr, "Safe Mode" ;-). Especially interesting are files that are hidden/read-only/system in a CMD window, usually in \Windows\System32. Even better is a hidden directory in \Windows\System32\config.

      Windows command-line tools: http://www.ss64.com/nt/

      • #18
        Thanks for the advice!

        Appreciate all of the responses. Maybe I'll see some of you all at DefCon... I'll probably be a prime target for "Spot the Fed."

        • #19
          HijackThis Log

          Appreciate a look, see anything obvious?



          C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
          C:\WINDOWS\system32\tbctray.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
          C:\Program Files\ISS\BlackICE\blackice.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\PROGRA~1\INCRED~1\bin\IMApp.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
          C:\WINDOWS\system32\HPZipm12.exe
          C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
          C:\DOCUME~1\skubinna\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
          O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
          O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
          O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
          O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
          O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
          O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
          O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
          O4 - Global Startup: hp psc 1000 series.lnk = ?
          O4 - Global Startup: hpoddt01.exe.lnk = ?
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
          O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
          O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
          O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O15 - Trusted Zone: http://www.xmradio.com
          O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
          O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100146904468
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
          O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
          O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
          O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
          O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
          O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
          O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
          O23 - Service: Tenable NeWT - Unknown owner - C:\Program Files\Tenable\NeWT\newtd.exe

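
The O23 lines above are the service entries that the reply below asks the poster to check by hand (who owns the binary, whether the file exists, where the path points). The Python script that follows is an added example for this thread, not code from any post or from HijackThis; it parses the O23 lines out of a saved log and flags the ones a reviewer would want to look at: "Unknown owner" (the log could not attribute the binary to a vendor), "(file missing)", and an image path that is not where a service binary normally lives. The directory allow-list and the short list of System32-only binary names are assumptions of the example, not rules HijackThis applies, and a flag marks something to inspect, not a verdict. The sample input is the O23 block copied verbatim from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 lines copied verbatim from the HijackThis log posted above in this thread.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
O23 - Service: Tenable NeWT - Unknown owner - C:\Program Files\Tenable\NeWT\newtd.exe
"""

PREFIX = "O23 - Service: "
# Assumptions of this example, not rules HijackThis applies: a service binary
# normally sits directly in one of these directories or anywhere below
# Program Files, and the core Windows binaries named here live only in System32.
EXPECTED_PARENTS = {r"c:\windows\system32", r"c:\windows"}
PROGRAM_FILES = r"c:\program files"
SYSTEM32_ONLY = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


@dataclass
class ServiceEntry:
    display: str            # text between "Service:" and the first " - "
    short: str              # service name in trailing parentheses, if any
    owner: str              # company name HijackThis read from version info
    image: str              # image-path field exactly as logged
    exe: str                # normalized, lowercase path of the executable
    flags: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Lowercase and expand the two spellings of Program Files seen in logs."""
    p = path.strip().strip('"').lower()
    return p.replace("%programfiles%", PROGRAM_FILES).replace(r"c:\progra~1", PROGRAM_FILES)


def flag(entry: ServiceEntry) -> List[str]:
    flags = []
    if entry.owner == "Unknown owner":
        flags.append("no vendor in version info")
    if "(file missing)" in entry.image:
        flags.append("binary missing on disk")
    parent, _, name = entry.exe.rpartition("\\")
    if name in SYSTEM32_ONLY and parent != r"c:\windows\system32":
        flags.append(f"{name} registered from outside System32")
    elif parent not in EXPECTED_PARENTS and not parent.startswith(PROGRAM_FILES + "\\"):
        flags.append("unusual image directory")
    return flags


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service: <display> - <owner> - <image>' line."""
    if not line.startswith(PREFIX):
        return None
    parts = line[len(PREFIX):].split(" - ", 2)   # assumes display/owner contain no " - "
    if len(parts) != 3:
        return None
    display, owner, image = parts
    m = re.search(r"\(([^()]+)\)$", display)
    short = m.group(1) if m else display
    m = re.match(r'"?(.*?\.exe)', image, re.IGNORECASE)   # drop arguments and "(file missing)"
    exe = normalize(m.group(1) if m else image)
    entry = ServiceEntry(display, short, owner, image, exe)
    entry.flags = flag(entry)
    return entry


def review(log_text: str) -> List[ServiceEntry]:
    return [e for e in map(parse_o23, log_text.splitlines()) if e is not None]


def suspicious(log_text: str) -> dict:
    """Service short name -> flags, for entries that raised at least one."""
    return {e.short: e.flags for e in review(log_text) if e.flags}


if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_LOG).items():
        print(f"{name:18} {'; '.join(flags)}")
```

Run it against the log above and five of the twelve services come back flagged; the other seven have a vendor string and a path under Program Files or System32 and drop out, which is the "remove the items you know you installed, then look harder at what remains" step the next reply describes.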
          • #20
            Have you tried this and pasted in your report? It has a nifty "click on the filename" feature to find more information. How did I find that? Google. They even color-code with RED and use BOLD to highlight things for you.

            Check out what it reports in RED and BOLD.

            [more below]

            Originally posted by skubinnada
            Appreciate a look, see anything obvious?
            ...
            O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
            Running a remote packet capture daemon on your machine? heh. Unless this was part of something you installed that is supposed to be there, it seems a risk.


            O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
            Did you install this?

            Did you actually inspect the paths to the files listed to make sure there are files there?
            Did you at least remove the items from the list you know you installed and then more intensively look at the others that remain?

            When you did the
            Code:
            C:> netstat -anO
            Did you track down the PID of the process that opened the port, then find that PID in the process manager, and then see if you were able to right-click terminate it? (Make sure you try to kill the correct process by PID, not name.)

            Back in the days of NT, there was the NT 4.0 Server Resource Kit, which came with other tools, one of which allowed you to use the command line as admin to kill things that the process manager would not let you kill. Perhaps someone else knows about something like this for XP.
            Last edited by TheCotMan; April 18, 2005, 21:46. Reason: fix 2 typos

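
To make the netstat, PID, kill sequence in the post above concrete: the Python below is an added example (not from any post in this thread) that joins saved `netstat -ano` output with saved `tasklist /FO CSV` output so each listening port is shown with the PID and image name that owns it, then builds the `taskkill /PID` command for the PID you pick. Both sample outputs are constructed for the example; the only detail borrowed from the thread is port 2002, which is the default listening port of WinPcap's rpcapd. `tasklist` and `taskkill` are the XP Professional command-line tools for what the post does in the process manager.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed `netstat -ano` output for the example (not from the thread). Port
# 2002 is the default listening port of WinPcap's rpcapd, the service questioned above.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       1776
  TCP    192.168.1.5:1045       192.168.1.5:2002       ESTABLISHED     1776
  TCP    [::]:135               [::]:0                 LISTENING       1012
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output for the same imaginary machine.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","220 K"
"svchost.exe","1012","Console","0","4,912 K"
"rpcapd.exe","1776","Console","0","2,340 K"
"""

Socket = Tuple[str, str, int, int]        # proto, bound address, port, pid
Owner = Tuple[str, int, int, str]         # proto, port, pid, image name


def listening_sockets(netstat_text: str) -> List[Socket]:
    """Bound listeners only: TCP rows in LISTENING state plus every UDP row."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                       # banner, blank line or column header
        proto, local, pid = f[0], f[1], int(f[-1])   # PID is always the last column
        if proto == "TCP" and f[3] != "LISTENING":
            continue                       # ESTABLISHED, TIME_WAIT, ...
        addr, _, port = local.rpartition(":")        # also splits [::]:135 correctly
        found.append((proto, addr, int(port), pid))
    return found


def pid_to_image(tasklist_csv: str) -> Dict[int, str]:
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(row["PID"]): row["Image Name"] for row in rows}


def port_owners(netstat_text: str, tasklist_csv: str) -> List[Owner]:
    """One row per (proto, port, pid) with the image name tasklist reports for it."""
    names = pid_to_image(tasklist_csv)
    rows: Set[Owner] = {
        (proto, port, pid, names.get(pid, "<not in tasklist>"))
        for proto, _addr, port, pid in listening_sockets(netstat_text)
    }
    return sorted(rows)


def kill_command(pid: int) -> str:
    """Kill by PID, never by image name: several processes can share a name
    (svchost.exe), while a PID is unique for as long as the process lives."""
    return f"taskkill /PID {pid} /F"


if __name__ == "__main__":
    for proto, port, pid, image in port_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto} {port:<6} pid {pid:<6} {image}")
    print(kill_command(1776))
```

If the owner of a port turns out to be svchost.exe, `tasklist /SVC` shows which services that particular PID is hosting, so you can tie the port back to an O23 entry before killing anything. A process that comes straight back, or that `taskkill /F` cannot end, is the case the Safe Mode and resource-kit suggestions elsewhere in this thread are for.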
            • #21
              Originally posted by skubinnada
              Appreciate all of the responses. Maybe I'll see some of you all at the DefCon.......I'll probably be a prime target for "Spot the Fed."
              So, you are admitting to being a fed?

              Why did I help you? :-P
              (heh-heh)

              pview.exe was the name of the tool from the resource kit for NT. That page also offers other suggestions for killing processes that the process manager won't let you kill as admin.

              • #22
                Military, not sure if you all consider that a "Fed", but I'm sure you do. Military appearance would stick out, short hair and all...

                • #23
                  Originally posted by skubinnada
                  Military, not sure if you all consider that a "Fed", but I'm sure you do. Military appearance would stick out, short hair and all...
                  By itself, military service is usually not enough. People who have been in military computer security or offensive computer attacks have about the same chance as non-federal cybercrime LEO: some have received "I'm the Fed" shirts, but chances for these awards are pretty slim for these professionals at DefCon now.
