Deleting A Service


30 replies to this topic

#1 jammydodger (Members, 18 posts)

Posted 23 February 2008 - 09:32 PM

Hi all,

I had a virus which I think I have managed to get rid of. Well, so I thought; then I had an issue with Internet Explorer where it kept opening multiple windows by itself. Again I think I fixed it, but time will tell me this for sure.
One of the viruses created a file called perfs.exe. I deleted it along with a few other things with the help of Stopzilla (spyware removal application).
What I have now noticed is a service (in Admin Tools) called perfmons which was set to start automatically, so I have disabled it. (I believe this is related to perfs.exe.)
What I would like to know is, am I okay to delete this service in the registry? I have located it in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Or would it be better to do this with some kind of application that does this for you (I don't know any that do)?
Any help or advice appreciated.

Also in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services there are a few folders with odd names called ql1080, ql10wnt, ql12160, ql1240, ql1280. They all say group - SCSI miniport, and there are also a couple of folders called {4A142745-BEF1-4296-B1CE-A161804C5437} and {91C9E52C-EAED-4548-9953-A17825B355E4} with no group. Is this anything to worry about?

Lastly, I had a file in C:\Program Files\Internet Explorer called svchost which said for company "a". This looked dodgy so I deleted it. Was I right to do so?

Thanks


#2 jammydodger, Topic Starter (Members, 18 posts)

Posted 24 February 2008 - 02:16 PM

Anyone??

#3 quietman7, Bleepin' Janitor (Global Moderator, 52,090 posts, Virginia, USA)

Posted 24 February 2008 - 02:54 PM

One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 jammydodger, Topic Starter (Members, 18 posts)

Posted 24 February 2008 - 04:23 PM

Thanks for taking the time to reply :flowers:

Well, I don't really have any sensitive data on my comp, and I don't use online banking, so I would like to try to remove any further infections from my computer and see what happens. As a last resort, if all else fails, I would do a reformat and reinstall Windows.
Also, by trying to troubleshoot I may learn something, which is always good :thumbsup:
Currently I have downloaded Stopzilla and AVG and they are not finding anything, so I may have already fixed it; I'm not sure.
Like I mentioned in my earlier post, Internet Explorer was behaving a bit funny and at one point kept opening new windows as fast as I could close them. I have a feeling this was related to a file called svchost I found in C:\Program Files\Internet Explorer; it had a company name of "a". Normally svchost is found in the system32 folder and would have a company name of Microsoft Corporation???
I have also done a search on my computer for svchost and found a file called SVCHOST.EXE-3530F672.pf in c:\windows\prefetch. From searching Google I think this is okay, but I'm not 100 percent sure.
At the moment Internet Explorer seems to be okay, although when I try to open another window from an existing window, it does so but puts the new window in the background. Not sure why; maybe this is an Internet Explorer setting??
I have just noticed an Internet Explorer add-on called iifebbx.dll which I am sure I have seen on a spyware forum before, and so I have disabled it. I cannot find anything on Google about it though. Any ideas about this?
The biggest thing I would like to know at the moment is about the service in Admin Tools called perfmons (I believe it is related to perfs.exe). It was set to automatic, so I changed it to disabled. Can I remove this in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and if so, is this the best thing to do? I don't like the thought of the service being on my computer, even if it is disabled, when I could just delete it??

Again any help would be much appreciated

Thanks

Edited by jammydodger, 24 February 2008 - 06:17 PM.
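As an added example (not code from the thread, and not from any tool mentioned in it), here is how the two checks the poster is doing by hand can be done in Windows PowerShell: finding every svchost.exe on the drive and reporting where it lives, who it claims to be from and whether it is Authenticode-signed, and listing Internet Explorer Browser Helper Objects with the same report for each DLL. It assumes Windows PowerShell 3 or later; the file names and the "a" company string come from the thread, and the function names are my own.

```powershell
# Added example, not from the thread: triage an executable that borrows a
# system file's name (the svchost.exe under C:\Program Files\Internet Explorer
# with company "a") and list IE add-ons (BHOs) with the signer of each DLL.
# Assumes Windows PowerShell 3+; helper names are assumptions.

function Get-BinaryReport {
    param([Parameter(Mandatory)][string]$Path)
    $item   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # System32 or SysWOW64 are the only places a real svchost.exe is run from.
    $inSystemDir = $item.FullName -like "$env:SystemRoot\Sys*\*"
    [pscustomobject]@{
        Path        = $item.FullName
        Company     = $item.VersionInfo.CompanyName
        SizeBytes   = $item.Length
        Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        InSystemDir = $inSystemDir
        # A genuine copy is Microsoft-signed; an unsigned copy, or one with an
        # odd company string such as "a", is the thing to quarantine.
        Suspicious  = ($sig.Status -ne 'Valid') -or
                      ($item.VersionInfo.CompanyName -notlike 'Microsoft*')
    }
}

# 1. Every svchost.exe on the system drive. Servicing copies under WinSxS show
#    InSystemDir = False but Signature = Valid; an unsigned copy is the problem.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BinaryReport -Path $_.FullName } |
    Format-Table Path, Company, Signature, InSystemDir, Suspicious -AutoSize

# 2. Browser Helper Objects. IE records one CLSID per add-on; the DLL it loads
#    is the default value of that CLSID's InprocServer32 key, which is where a
#    DLL like the iifebbx.dll the poster disabled would be registered.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$bhos = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($clsid in (Get-ChildItem -Path $root).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -Path $server)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty -Path $server).'(default)')
        if (Test-Path -LiteralPath $dll) {
            Get-BinaryReport -Path $dll |
                Add-Member -NotePropertyName CLSID -NotePropertyValue $clsid -PassThru
        } else {
            # Registration left behind after the file was deleted: clean it up too.
            [pscustomobject]@{ CLSID = $clsid; Path = $dll; Company = ''; Signature = 'FILE MISSING'; Suspicious = $true }
        }
    }
}
$bhos | Format-Table CLSID, Path, Company, Signature, Suspicious -AutoSize
```

The location test and the signature test are deliberately separate: a file named svchost.exe outside System32 is not proof of anything on its own, and a file inside System32 is not proof of innocence, but an unsigned binary whose version resource names a company nobody has heard of, in a directory it has no business in, satisfies both. The prefetch entry the poster mentions (SVCHOST.EXE-*.pf) is just the cache Windows keeps for any executable that ran, including the real one.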


#5 jammydodger, Topic Starter (Members, 18 posts)

Posted 24 February 2008 - 08:36 PM

I have now got rid of perfmons from Admin Tools/Services by typing "sc delete perfmons" in the Run box from the Start menu.

Internet Explorer is still doing my head in though; when I choose to open a page in a different window, sometimes the page will be in the background and sometimes it will be in the foreground like it should be. I have no idea why it's doing this; I'm sure something is still wrong.
I did notice an entry in my hosts file that shouldn't have been there. I had to go into safe mode to remove it, as it wouldn't let me save the hosts file after I deleted it. This hasn't fixed the above problem with IE though.
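An added example, not from the thread, of what a practitioner looks at in a service's registry key before removing it, followed by the removal the poster did with "sc delete" done from PowerShell with the checks around it. It assumes an elevated Windows PowerShell 3 or later session; the service name perfmons and the "SCSI miniport" group come from the thread, and the function names are my own.

```powershell
# Added example, not from the thread: read a service's definition from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>, resolve the binary it points at,
# and remove the service the supported way. Assumes elevated PowerShell 3+.

function Get-ServiceDefinition {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key

    # ImagePath can be quoted, unquoted with arguments, prefixed with \??\ or
    # \SystemRoot\, or relative to the Windows directory (common for drivers).
    $image = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath)
    $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $image = $image -replace '^"([^"]+)".*$', '$1'
    if ($image -match '^(.*?\.(exe|sys|dll))\b') { $image = $Matches[1] }
    if ($image -and $image -notmatch '^[a-z]:\\') { $image = Join-Path $env:SystemRoot $image }

    $sig = if ($image -and (Test-Path -LiteralPath $image)) {
        (Get-AuthenticodeSignature -FilePath $image).Status
    } else { 'FILE MISSING' }

    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    [pscustomobject]@{
        Name        = $Name
        DisplayName = $p.DisplayName
        Start       = if ($null -ne $p.Start) { $startNames[[int]$p.Start] } else { '' }
        Type        = $p.Type          # 1/2 = kernel or file-system driver, 16/32 = Win32 process
        Group       = $p.Group         # e.g. "SCSI miniport" for the ql10xx keys in the thread
        ImagePath   = $image
        Signature   = $sig
        # svchost-hosted services keep the real code in Parameters\ServiceDll.
        ServiceDll  = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    }
}

function Remove-SuspiciousService {
    param([Parameter(Mandatory)][string]$Name)
    $def = Get-ServiceDefinition -Name $Name
    if (-not $def) { Write-Warning "no such service key: $Name"; return }
    $def | Format-List | Out-String | Write-Host

    # Stop it first: "sc delete" on a running service only marks the key for
    # deletion, and the service lingers until the next reboot.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue }
    # Disable it so nothing can restart it if the stop failed.
    & sc.exe config $Name start= disabled | Out-Null
    $out = & sc.exe delete $Name
    "sc.exe delete $Name -> $out"

    if (Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name") {
        Write-Warning 'key still present (deletion pending reboot, or access denied)'
    }
    # sc.exe does not touch the binary; quarantine it separately, after a reboot
    # if it is a driver that is still loaded.
    if ($def.ImagePath) { "binary left in place: $($def.ImagePath)" }
}

# Review first:
Get-ServiceDefinition -Name 'perfmons'
# Then, once satisfied it is not a legitimate component:
# Remove-SuspiciousService -Name 'perfmons'
```

Deleting the key by hand in regedit works for a stopped service, but "sc delete" (or Remove-Service on PowerShell 6+) goes through the Service Control Manager, which also clears the in-memory service database entry; that is why the same name can be reused without a reboot afterwards. The Group value answers the poster's other question: entries in the "SCSI miniport" group with an ImagePath under system32\drivers and a valid signature are storage drivers, not something planted by the infection.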

#6 quietman7, Bleepin' Janitor (Global Moderator, 52,090 posts, Virginia, USA)

Posted 24 February 2008 - 10:36 PM

I was going to have you delete the service with a batch file, but what you did is OK too.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

#7 jammydodger, Topic Starter (Members, 18 posts)

Posted 25 February 2008 - 12:49 PM

Hi, and thanks for taking the time to reply :flowers:

I downloaded SDFix and followed the instructions to run the program.
The log is attached below.
The only thing is, Stopzilla (spyware program) picked up 22 infections when my computer restarted, all of them with the name "catchme". I take it this is to do with SDFix and they are okay to leave? I wasn't sure, so I removed them just in case. Let me know if I was wrong to do this.

Anyway, here's the log. I have tried to make sense of it, but I think I'd best leave that to the experts :thumbsup:
Thanks again for trying to help me.


SDFix: Version 1.147

Run by Administrator on 25/02/2008 at 17:08

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\comsa32.sys - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 17:21:05
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,a8,ff,d2,6c,19,4d,4e,92,11,45,95,b8,e3,24,5c,9f,53,61,ce,73,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,a8,ff,d2,6c,19,4d,4e,92,11,45,95,b8,e3,24,5c,9f,53,61,ce,73,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 23 Feb 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 23 Feb 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
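The "Authorized Application Key Export" section of the SDFix log above is the Windows Firewall exception list, and it is worth reading as carefully as the "Trojan Files Found" section: malware that wants inbound connections adds itself there. As an added example (not code from the thread or from SDFix), here is a Windows PowerShell parser for that value format, "path:scope:Enabled|Disabled:display name", which flags any exception whose file is missing or unsigned. The sample values are copied from the log so the parser can be tried offline; the function names are my own, and the live-registry function only works where that XP-era key still exists.

```powershell
# Added example, not from the thread: parse Windows Firewall AuthorizedApplications
# entries and flag exceptions for files that are missing or unsigned. Assumes
# Windows PowerShell 3+; function names are assumptions.

function ConvertFrom-AuthorizedApp {
    param([Parameter(Mandatory)][string]$Value)
    # The path itself contains ':' (drive letter), so anchor the split on the
    # Enabled/Disabled token rather than on the first colon. -match is
    # case-insensitive, which covers the lower-case "enabled" seen in the log.
    if ($Value -notmatch '^(.*):([^:]*):(Enabled|Disabled):(.*)$') {
        throw "unexpected authorized-application format: $Value"
    }
    $path      = [Environment]::ExpandEnvironmentVariables($Matches[1])
    $exists    = Test-Path -LiteralPath $path -PathType Leaf
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FILE MISSING' }
    [pscustomobject]@{
        Path      = $path
        Scope     = $Matches[2]                 # '*' = any remote address
        Enabled   = ($Matches[3] -ieq 'Enabled')
        Name      = $Matches[4]                 # may be a resource string like @xpsp3res.dll,-20000
        Exists    = $exists
        Signature = $sigStatus
        # A hole in the firewall for a file that is gone or unsigned needs a look.
        Review    = (-not $exists) -or ($sigStatus -ne 'Valid')
    }
}

function Get-FirewallAuthorizedApps {
    param([string]$Profile = 'StandardProfile')   # or DomainProfile
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$Profile\AuthorizedApplications\List"
    if (-not (Test-Path -Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... added by the provider
        ConvertFrom-AuthorizedApp -Value $p.Value
    }
}

# Constructed sample: three values taken from the log, without the REG_SZ quoting.
$sample = @(
    'C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000',
    'C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent',
    'C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)'
)
$sample | ForEach-Object { ConvertFrom-AuthorizedApp -Value $_ } |
    Format-Table Path, Enabled, Exists, Signature, Review -AutoSize

# On a live machine that still has the key:
Get-FirewallAuthorizedApps -Profile 'StandardProfile' | Where-Object Review | Format-Table -AutoSize
```

In the log every exception is for a known product (XP network diagnostics, Remote Assistance, McAfee, Office, Windows Live Messenger), which is the expected shape of a clean list; the thing to look for is an entry pointing at a temp directory, a user profile, or a file that no longer exists after cleanup. On Vista and later the same parent key holds a FirewallRules value set in a different format, so this parser is specific to the XP-style list.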

#8 jammydodger, Topic Starter (Members, 18 posts)

Posted 25 February 2008 - 01:21 PM

Getting a little worried now, 'cos I have restarted my comp and done another scan with Stopzilla and it has found 2 Vundo.F files: one is located at c:\sdfix\dummy.sys and the other at c:\sdfix\apps\dummy.sys.
It also found a registry key trojan and a restore point trojan.

Edited by jammydodger, 25 February 2008 - 01:43 PM.


#9 quietman7, Bleepin' Janitor (Global Moderator, 52,090 posts, Virginia, USA)

Posted 25 February 2008 - 01:57 PM

The only thing is stopzilla (spyware program) picked up 22 infections when my computer restarted, all of them had the name "catchme". I take it this is to do with SDFix...

Yes. I have seen this before with Stopzilla.

Certain embedded files that are part of SDFix are detected by some anti-virus programs as "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. Anti-virus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others.

Stopzilla is also flagging your C:\sdfix folder. SDfix did its job so you can delete the entire folder to avoid any more alerts.

#10 jammydodger, Topic Starter (Members, 18 posts)

Posted 25 February 2008 - 03:24 PM

OK, thanks quietman for making that clear.
From the log file SDFix generated, do I have any more problems that you are aware of?
My Internet Explorer is still opening new pages in the background. Do you know if this is an Internet Explorer setting or something more sinister?

#11 quietman7, Bleepin' Janitor (Global Moderator, 52,090 posts, Virginia, USA)

Posted 25 February 2008 - 03:30 PM

SDFix is not a cure all and is limited in the types of malware it detects.

What kind of new pages are being opened? Do they open on their own or do they open when you do something on your pc?

#12 jammydodger, Topic Starter (Members, 18 posts)

Posted 25 February 2008 - 03:35 PM

It's something I do myself: I have a web page open, right-click on a link and select "open in new window". It opens the window in the background though, and I am not sure why. It has never done this to me before (it always opened new pages in the foreground), and I wondered if this is something to do with the virus I picked up or simply something to do with my Internet Explorer settings.

#13 jammydodger, Topic Starter (Members, 18 posts)

Posted 26 February 2008 - 11:17 AM

Stopzilla found more stuff when I restarted my computer today :thumbsup:
Is there anything else you can suggest I can do, or would you say a format of my hard drive is the way to go?

#14 quietman7, Bleepin' Janitor (Global Moderator, 52,090 posts, Virginia, USA)

Posted 26 February 2008 - 11:44 AM

I'm not all that familiar with the effectiveness of Stopzilla. I know it's not in BC's List of Virus & Malware Resources or on the list of Trustworthy Anti-Spyware Products. Those I have assisted who were using this program seem to encounter a lot of false positives. You did identify and remove some dangerous malware and SDFix found more, but Stopzilla also detected some things that were not malware.

I don't know what Stopzilla is finding now but your decision to reformat should be based on what has been confirmed as bad, whether it was removed and by asking yourself the questions presented in the "When should I re-format?" link. Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you.

#15 jammydodger, Topic Starter (Members, 18 posts)

Posted 26 February 2008 - 01:28 PM

Thanks for replying again. I appreciate the job you and people like you do, giving up your own time to help other people.
Anyway, I'm going to have a think about it and see what any of my spyware programs pick up over the next few days.
The IE problem is still doing my head in though; have you got any idea on that? It makes me think that my computer still isn't 100 percent.



