Odd service running on computer


  • TheCotMan
    replied
    Originally posted by skubinnada
    Military, not sure if you all consider that a "Fed", but I'm sure you do. Military appearance would stick out, short hair and all.
    By itself, military service is usually not enough. People who have been in military computer security or offensive computer attacks have about the same chance as non-federal cybercrime LEO-- some have received "I'm the Fed" shirts, but chances for these awards are pretty slim for these professionals at DefCon now.

  • skubinnada
    replied
    Military, not sure if you all consider that a "Fed", but I'm sure you do. Military appearance would stick out, short hair and all.

  • TheCotMan
    replied
    Originally posted by skubinnada
    Appreciate all of the responses. Maybe I'll see some of you all at DefCon... I'll probably be a prime target for "Spot the Fed."
    So, you are admitting to being a fed?

    Why did I help you? :-P
    (heh-heh)

    pview.exe was the name of the tool from the resource kit for NT. That page offers other suggestions though for killing processes that the process manager won't let you kill as admin.

  • TheCotMan
    replied
    Have you tried this and pasted in your report? It has a nifty "click on the filename" feature to find more information. How did I find that? Google. They even color-code with RED and use BOLD to highlight things for you.

    Check out what it reports in RED and BOLD.

    [more below]

    Originally posted by skubinnada
    Appreciate a look, see anything obvious?
    ...
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    Running a remote packet capture daemon on your machine? heh. Unless this was part of something you installed that is supposed to be there, it seems a risk.


    O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
    Did you install this?

    Did you actually inspect the paths to the files listed to make sure there are files there?
    Did you at least remove the items from the list you know you installed and then more intensively look at the others that remain?

    When you did the
    Code:
    C:> netstat -anO
    Did you track down the PID of the process that opened the port, then find that PID in the process manager, and then see if you were able to right click terminate it? (Make sure you try to kill the correct process by PID not name.)

    Back in the days of NT, there was the NT 4.0 Server Resource Kit which came with other tools. One of which allowed you to use the command line as admin to kill things that the process manager would not let you kill. Perhaps someone else knows about something like this for XP.
    Last edited by TheCotMan; April 18, 2005, 21:46. Reason: fix 2 typos

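The PID-tracing step in the reply above (run netstat with the PID column, find that PID in the process list, and check where its image actually lives, which is also how Demon Furor further down the thread tells the two csrss.exe copies apart) can be scripted so the correlation is not done by eye. This is an added example, not code from the thread. On a live XP box the two strings would be replaced by the real output of `netstat -ano` and `wmic process get ProcessId,Name,ExecutablePath /format:csv` (wmic is assumed to be present, as it is on XP Professional); here both are constructed samples so the script runs offline, and the "expected" directories are assumptions for a default install on C:.

```python
"""Correlate open sockets with the process that owns them and where that
process's image lives.

Added example for this thread, not code from the original post. On a live
Windows XP box the two strings below would be replaced by the real output of
    netstat -ano
    wmic process get ProcessId,Name,ExecutablePath /format:csv
(wmic is assumed to be present, as on XP Professional). Both samples here are
constructed so the script runs offline; the "expected" directories assume a
default install on C:.
"""
import csv
import io
import ntpath
import re
from collections import defaultdict

# constructed sample: what `netstat -ano` prints
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.10:1043      192.168.1.1:80         ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
"""

# constructed sample: wmic /format:csv prints a blank first line and
# alphabetically ordered columns
WMIC_SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,964
PC1,C:\WINDOWS\system32\csrss.exe,csrss.exe,584
PC1,C:\WINDOWS\system32\dllcache\csrss.exe,csrss.exe,1388
PC1,C:\Program Files\iTunes\iTunesHelper.exe,iTunesHelper.exe,1788
PC1,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,2208
PC1,,System,4
"""

SOCKET_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)\s+)?(\d+)\s*$"
)
OS_DIRS = {"c:\\windows", "c:\\windows\\system32"}   # genuine OS binaries live here, not in subdirs
PROGRAM_DIR = "c:\\program files\\"
KERNEL_PID = 4                                        # "System" on XP; it has no image path


def parse_netstat(text):
    """One dict per socket line of `netstat -ano`; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_wmic(text):
    """Map PID -> (image name, full path) from wmic's CSV output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): (r["Name"], r["ExecutablePath"]) for r in reader}


def triage(netstat_text, wmic_text):
    """Flag listeners owned by images in odd places, PIDs with no process
    entry, and one image name running from two different directories."""
    procs = parse_wmic(wmic_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue                                  # only care who is accepting connections
        if s["pid"] not in procs:
            findings.append(f"{s['proto']} {s['local']}: PID {s['pid']} has no process entry "
                            "(exited between the two commands, or hidden from the list)")
            continue
        if s["pid"] == KERNEL_PID:
            continue
        name, path = procs[s["pid"]]
        d = ntpath.dirname(path).lower()
        if d not in OS_DIRS and not d.startswith(PROGRAM_DIR):
            findings.append(f"{s['proto']} {s['local']}: PID {s['pid']} {name} "
                            f"runs from unexpected directory: {path}")
    # the "two csrss.exe" case: same image name, different directories
    dirs_by_name = defaultdict(set)
    for name, path in procs.values():
        if path:
            dirs_by_name[name.lower()].add(ntpath.dirname(path).lower())
    for name, dirs in sorted(dirs_by_name.items()):
        if len(dirs) > 1:
            findings.append(f"{name} running from {len(dirs)} directories: {sorted(dirs)}")
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print(finding)
```

Kill by PID, not by name, exactly as the reply says: with two images called csrss.exe the name is ambiguous, and the script reports which PID sits on which port. A process that owns a listener but is absent from the process list is worth a second look from Safe Mode, since a rootkit that filters the process list is one of the ways that gap appears.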
  • skubinnada
    replied
    HijackThis Log

    Appreciate a look, see anything obvious?



    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\DOCUME~1\skubinna\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.xmradio.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100146904468
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
    O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
    O23 - Service: Tenable NeWT - Unknown owner - C:\Program Files\Tenable\NeWT\newtd.exe

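A first pass over the O4 (autostart) and O23 (service) lines of a log like the one above can be automated, so that the questions TheCotMan's reply asks (is the file actually there, who owns it, does the path make sense) are answered for every entry before the manual look. This is an added example and not part of HijackThis; the sample lines are copied from the log above, and the %ProgramFiles% expansion, the "expected" directory layout and the list of core process names are assumptions for a default XP install on C:.

```python
"""First-pass triage of the O4 (autostart) and O23 (service) lines of a
HijackThis log.

Added example for this thread, not part of HijackThis. The sample lines are
copied from the log posted above; the %ProgramFiles% expansion, the expected
directories and the core-process names are assumptions for a default XP
install on C:.
"""
import ntpath
import re
from collections import defaultdict

# lines copied from the posted log
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
"""

ENV = {"%programfiles%": r"C:\Program Files"}            # assumed default location
OS_DIRS = {"c:\\windows", "c:\\windows\\system32"}        # where genuine OS binaries live
PROGRAM_DIRS = ("c:\\program files\\", "c:\\progra~1\\")  # long and 8.3 forms
# core XP process names; a copy of one of these outside system32 deserves a look
CORE_NAMES = {"winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}
FIRST_EXE = re.compile(r'^\s*"?(.*?\.exe)\b', re.IGNORECASE)


def image_path(command):
    """The first .exe in a command line, with known %VARS% expanded."""
    m = FIRST_EXE.match(command)
    if not m:
        return None
    path = m.group(1)
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _: value, path, flags=re.IGNORECASE)
    return path


def dir_kind(path):
    """'bare' (no directory: resolved via the search path), 'os', 'programs' or 'other'."""
    d = ntpath.dirname(path).lower()
    if not d:
        return "bare"
    if d in OS_DIRS:
        return "os"
    if d.startswith(PROGRAM_DIRS):
        return "programs"
    return "other"


def triage(log_text):
    """Return (item, code, detail) findings. A finding is a prompt to inspect
    the file on disk, not a verdict."""
    findings = []
    users_of = defaultdict(list)                     # lowercased image path -> service names
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O23 - Service: "):
            display, owner, command = line[len("O23 - Service: "):].rsplit(" - ", 2)
            path = image_path(command)
            if path is None:
                findings.append((display, "no_exe", command))
                continue
            users_of[path.lower()].append(display)
            if command.endswith("(file missing)"):     # HijackThis could not find the binary
                findings.append((display, "file_missing", path))
            if owner == "Unknown owner":               # binary carries no company version info
                findings.append((display, "unknown_owner", path))
            kind = dir_kind(path)
            if kind == "other":
                findings.append((display, "unexpected_dir", path))
            if ntpath.basename(path).lower() in CORE_NAMES and kind != "os":
                findings.append((display, "core_name_wrong_dir", path))
        elif line.startswith("O4 - "):
            m = re.match(r"^O4 - (.+?): \[(.*?)\] (.*)$", line)
            if not m:
                continue                               # e.g. Global Startup .lnk entries
            _hive, name, command = m.groups()
            path = image_path(command)
            if path is None:
                continue
            kind = dir_kind(path)
            if kind == "bare":                         # which copy runs depends on PATH order
                findings.append((name, "bare_name", path))
            elif kind == "other":
                findings.append((name, "unexpected_dir", path))
    for path, services in users_of.items():
        if len(services) > 1:                          # two services, one binary
            findings.append((", ".join(services), "shared_binary", path))
    return findings


if __name__ == "__main__":
    for item, code, detail in triage(SAMPLE_LOG):
        print(f"{code:20} {item}: {detail}")
```

Read the output as a worklist, not a verdict. "Unknown owner" only means the executable has no company name in its version resource, which is true of plenty of small legitimate tools; "file missing" means a service definition points at a binary that is no longer there. The checks that most often earn a closer look are the structural ones: on the log above, the script reports two services (NTLOAD and NTSVCMGR) that both point at a winlogon.exe copy under system32\dllcache\win32, and Run entries such as TCAUDIAG.EXE that name a bare executable, so which file actually runs depends on the search path. Each of those is something to go and check on disk, with hidden and system files visible.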
  • skubinnada
    replied
    Thanks for the advice!

    Appreciate all of the responses. Maybe I'll see some of you all at DefCon... I'll probably be a prime target for "Spot the Fed."

  • AlexCV
    replied
    I find that when FTP daemons run on Windows machines, Hacker Defender is not very far behind and the task manager becomes very suspect indeed.

    My usual solution involves using the command line tools and booting into single user mode, errr, "Safe Mode" ;-). Especially interesting are files that are hidden/read-only/system in a CMD window, usually in \Windows\System32. Even better is a hidden directory in \Windows\System32\config.

    Windows command-line tools: http://www.ss64.com/nt/

  • Second
    replied
    I know it might seem like a basic idea, and you said S&D returned nothing, but in the advanced mode of Spybot, under the System Startup panel, it should list everything that is running or starts up, and you can check/uncheck each one. If it's in there, it should no longer be a threat, right?

  • theprez98
    replied
    HijackThis appears to have successfully eliminated the two offending programs from the computer.

  • theprez98
    replied
    Originally posted by TheCotMan
    In your other posts, you demonstrated knowledge, so I am reluctant to suggest the obvious, but
    Have you told the OS to show all files including hidden ones?
    Well first off, thanks for the compliment. And yes, I searched all files including hidden and found nothing. Interestingly, Microsoft's Anti-spyware scan specifically lists it as being in the system32 directory along with the other standard files it searches.

    Originally posted by TheCotMan
    A google search shows discussion of one of those filenames in an adware/spyware/malware forum and the other does not show up in google searches.
    My continued searches find a little bit on the MSAOL32.EXE which suggests it is malware, but I haven't been able to find any program yet which can delete it. Tomorrow hopefully I can find the websites they are trying to connect to, and perhaps that can shed more light on what these processes might be.

  • TheCotMan
    replied
    Originally posted by theprez98
    Any ideas?
    In your other posts, you demonstrated knowledge, so I am reluctant to suggest the obvious, but
    Have you told the OS to show all files including hidden ones?

    Next, I have found some bits of malware to be annoying enough to be called to startup as one name, which is a wrapper to copy itself to a new name in the system folder, fork/exec a new process from the new location, and delete the copied file or rename it.

    With some of these, I have found creation of a file (assuming NTFS) in the same location where no file appears to exist where it should be (according to the process listings) and then setting it to be protected with permissions to help identify a source. Some wrappers will produce an error which will be logged and give you a clue on what was actually the real cause.

    Of course, coders of malware get smarter and more malicious to detection techniques, and attempts to break them may lead to triggering an undesired event.

    A google search shows discussion of one of those filenames in an adware/spyware/malware forum and the other does not show up in google searches.
    Last edited by TheCotMan; April 11, 2005, 21:25.

  • theprez98
    replied
    some other suspicious applications...

    Here are a few other suspicious applications running on a computer I have been working on:

    MSAOL32.EXE (No such thing as Microsoft AOL Instant Messenger?)
    SVCHOSETS16.EXE (maybe CoolWebSearch?)

    The computer is a Gateway 1.2 ghz running Windows XP SP2 and I am 99.9% sure these are not Microsoft-related services or programs.

    Both are said to be located in C:\Windows\System32 yet neither file can be found there or anywhere else on the system. Microsoft Antispyware, Adaware and Spybot Search & Destroy find nothing. AVG Antivirus same result. Several online virus/trojan databases did not find anything by these names.

    Neither filename produces many meaningful results on Google. A few threads that suggest one or both of them might be trojans, but nothing concrete. The MSAOL one is sometimes listed as Microsoft AOL Instant Messenger but I am pretty sure there is no such thing. Also, some of the references are French webpages that don't translate too well.

    Sygate Personal Firewall is able to block these services from connecting to the Internet, and can terminate the services, but upon reboot they start up again.

    Any ideas?
    Last edited by theprez98; April 11, 2005, 21:22.

  • cristisphoto
    replied
    Try these

    Try the following Spybot
    Microdoze LOL anti spyware
    and make sure they are updated
    then scan
    and why Google when you can Scroogle scraper
    Just Google it and then well,
    rtfm...............
    Peace out !
    Love
    Me HEEHEHEHLOL

  • Demon Furor
    replied
    try running HiJackThis and posting the log here. More than likely, if you have 2 instances of csrss.exe running, one of them is bound to be a virus. The best way you can tell is if one of the processes is not located in the system32 file.

  • skubinnada
    replied
    Thanks for all the advice

    I have pretty much tried all of the ideas so far except for deleting/stopping the csrss.exe file/process. For one, it won't let me stop it; two, it is a system file. I did however see two instances of csrss.exe running in the process list. Wouldn't let me stop either one. I have run almost every virus scan, adaware program and trojan finder known to man; nothing has shown up to this point. I'm almost to the point where I think I installed an FTP server in the past and have just forgotten about it. One other thing, in Computer Management/Services, I don't see FTP as one of my services, running or otherwise.
    Thanks again for the ideas. I'll probably just reformat/reload.
