Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus-infected Services.exe File...


  • This topic is locked This topic is locked
2 replies to this topic

#1 thaipo

thaipo

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:33 PM

Posted 06 February 2008 - 01:25 AM

The problem:
Services.exe continually attempts to connect to an outside source (one of these four)
208.72.168.151
mailin-01.mx.aol.com
uniontrade.biz
cluster-club.info

After an attempted repair-installation from the xp pro sp2 cd, updates fail to install.

Previous Problems(be warned, for this seems a bit convoluted):
At some point or another, I managed to get a virus on my computer(possibly from a shut-down/disabled nod32/outpost firewall), although it didn't seem to actually be able to do anything or give any noticeable symptoms.
Said symptoms showed themselves in full, however, when I uninstalled IIS (this was to fix a problem had in that I wasn't able to right-click and view the properties of any folder).
On uninstallation of IIS, computer went to hell. Five property windows popped up, and all of a sudden Firefox had a new spam/spyware-tastic toolbar. Eventually IIS was reinstalled.

After a few manual uninstalls, system scans with nod32, and blocked applications with outpost(as my firewall), everything seemed to be running smoothly.

Checking my threat logs, this is what nod32 had found during its scans;
Time Module Object Name Threat Action User Information
1/31/2008 10:18:52 AM AMON file C:\System Volume Information\_restore{939223E0-39DE-4E81-BA1F-941FB9B98940}\RP42\A0020324.exe probably a variant of Win32/TrojanProxy.Dlena trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

1/31/2008 10:18:46 AM AMON file C:\System Volume Information\_restore{939223E0-39DE-4E81-BA1F-941FB9B98940}\RP42\A0020323.dll probably a variant of Win32/Genetik trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

1/30/2008 23:57:37 PM AMON file C:\DOCUME~1\Aeonix\LOCALS~1\Temp\Upxwezatkbf probably unknown NewHeur_PE virus quarantined - deleted HACKEDSUNFLOWER\Aeonix Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe. The file was moved to quarantine. You may close this window.

1/30/2008 23:57:22 PM AMON file C:\Documents and Settings\Aeonix\Local Settings\Temp\build_dol.exe Win32/TrojanDownloader.Small.BUY trojan deleted HACKEDSUNFLOWER\Aeonix Event occurred at an attempt to access the file by the application: C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe.

1/30/2008 23:50:52 PM AMON file C:\.Trash-fedora\oipiy.exe Win32/Rustock.NDH trojan deleted HACKEDSUNFLOWER\Aeonix Event occurred at an attempt to access the file by the application: C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe.

1/30/2008 22:44:29 PM Kernel file c:\windows\media\fuwarxyus.dll probably a variant of Win32/Genetik trojan

ATTEMPTS MADE(thus far):
After all the hoopla with scanning with both Nod32 and TrojanHunter, I eventually tried a repair installation with the windows pro sp2 cd. No luck.
After that, I also tried manually replacing the services.exe file from the original installation cd. No luck
And then... I tried replacing all the associated .dlls found with command prompts nifty little tasklist command, and double checked it with ProcMon from SysInternals, with those on the original installation cd. You guess it, no luck.

*O20 - Winlogon Notify: crypt32set - C:\WINDOWS\ Noticed this in the HijackThis log below, checked it out, and 'fixed' it through HJT.

Other than a full format and reinstall (which... i'd rather not do, and am more interested in fixing the problem than just starting from scratch again), I'm sort of at a loss.
Although it doesn't appear to actually be doing anything (recent scans have shown nothing of particular alarm), it's still a fairly consistent drain on resources. Let alone, the application seems to be more than able to build back up if outpost is ever disabled (safe-mode with networking anyone?)

Any help in the matter would be greatly appreciated.


Oh, and here's a copy of the HijackThis log... the edits to the hosts file were done by me, as well as the proxy for IE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:20 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\aim\aim.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ytmnd.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.144:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 24.21.135.99 204.13.11.27
O1 - Hosts: 24.21.135.99 www.audio-surf.com
O1 - Hosts: 24.21.135.99 audio-surf.com
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196046591468
O17 - HKLM\System\CCS\Services\Tcpip\..\{D39255D6-AF95-4751-B294-F4153FCA7EFA}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

--
End of file - 4753 bytes

Edited by thaipo, 06 February 2008 - 01:40 AM.


BC AdBot (Login to Remove)

 


#2 thaipo

thaipo
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:33 PM

Posted 07 February 2008 - 10:19 PM

Hi folks,

Looks like I managed to resolve the issue. Managed to get into an older windows partition lying around, and scanned the infected partition with Nod32.

It found a fak32.sys file, and removing it seemed to fix the problem entirely.

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 15 February 2008 - 03:38 PM

Hello thaipo,

Thanks for letting us know :thumbsup:.

I am closing this topic now. If any other problems arise, please create a new topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users