Services.exe Continuously Accessing Internet


This topic is locked
18 replies to this topic

#16 shadowjack55

shadowjack55
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 02 April 2008 - 02:43 AM

Hi - have managed to make some progress on my own - will post details this evening in about 8 hours - have identified zeqwur virus in my registry and used SDFIX to remove - will post log later.


#17 shadowjack55

shadowjack55
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 04 April 2008 - 10:32 AM

Hi,

I found zeqwur in the XP services startup (REGKEY HKLM\SYSTEM\currentcontrolset\services) so I looked it up on the Startup list tab and followed instructions to remove it. The SDFIX log is copied below. This has seemed to cure the problem. However I am continuing to run the scans recommended in the HJT procedure to identify any malware which may have been downloaded by the above, and in the absence of any interest in my problem I will be posting a HJT log.
Hopefully anyone with the same problem will find this useful.

******************************************************
SDFix: Version 1.165

Run by Administrator on 01/04/2008 at 23:30

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :

Name:
zeqwur

Path:
\??\C:\WINDOWS\Help\zeqwur.chm

zeqwur - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\336991~1 - Deleted
C:\WINDOWS\system32\hi.sfc - Deleted
C:\WINDOWS\system32\winupdate.exe - Deleted
C:\WINDOWS\help\zeqwur.chm - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 23:39:00
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000014f

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\System32\\lxdlcoms.exe"="C:\\WINDOWS\\System32\\lxdlcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 7500 Series\\lxdlamon.exe"="C:\\Program Files\\Lexmark 7500 Series\\lxdlamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 7500 Series\\frun.exe"="C:\\Program Files\\Lexmark 7500 Series\\frun.exe:*:Enabled:Lexmark Productivity Studio"
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"="C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe:*:Enabled:ABBYY FineReader"
"C:\\Program Files\\Lexmark 7500 Series\\LXDLMON.EXE"="C:\\Program Files\\Lexmark 7500 Series\\LXDLMON.EXE:*:Enabled:Printer Device Monitor"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lxdl\\wireless\\ENGLISH\\lxdlwpss.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lxdl\\wireless\\ENGLISH\\lxdlwpss.exe:*:Enabled: "
"C:\\WINDOWS\\System32\\lxdlcfg.exe"="C:\\WINDOWS\\System32\\lxdlcfg.exe:*:Enabled:Printer Communication System"
"C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdlpswx.exe"="C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdlpswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdltime.exe"="C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdltime.exe:*:Enabled:Lexmark Connect Time Executable"
"C:\\Program Files\\Lexmark 7500 Series\\LXDLFax.exe"="C:\\Program Files\\Lexmark 7500 Series\\LXDLFax.exe:*:Enabled:Fax Solutions Software"
"C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdljswx.exe"="C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\lxdljswx.exe:*:Enabled:Job Status Window Interface"
"C:\\Program Files\\Lexmark 7500 Series\\Wireless\\lxdlwpss.exe"="C:\\Program Files\\Lexmark 7500 Series\\Wireless\\lxdlwpss.exe:*:Enabled: "
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winC.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winC.exe:*:Enabled:winC"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 31 Mar 2003 94,784 A.SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 A.SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 1,028,096 A.SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 11,776 A.SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Tue 4 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 15 May 2003 43,008 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 21 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Thu 11 Mar 2004 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 14 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
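The two things the post above turns on are a service whose ImagePath points at a .chm file under C:\WINDOWS\Help, and an "Authorized Application Key Export" containing firewall exceptions for programs living in Temp directories. The following script is an added example (not the poster's or SDFix's code) that applies those two checks to constructed data: the zeqwur ImagePath and the firewall export lines are taken from the SDFix log above, while the Spooler and Dhcp ImagePath values, the expansion of %SystemRoot%/%windir% to C:\WINDOWS, and the list of "unusual" directories are assumptions made for the example.

```python
"""Triage service ImagePath values and Windows Firewall application
exceptions for the traits seen in the SDFix log (added example)."""
import re
from pathlib import PureWindowsPath

EXEC_EXTENSIONS = {".exe", ".sys", ".dll"}
# Directories where a legitimate service binary rarely lives (assumption for this example)
SUSPECT_DIRS = {"help", "temp", "tmp", "fonts"}

# Constructed ImagePath samples: zeqwur is copied from the SDFix log above,
# Spooler and Dhcp are typical benign values added for contrast.
SERVICE_IMAGE_PATHS = {
    "zeqwur": r"\??\C:\WINDOWS\Help\zeqwur.chm",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

# Firewall AuthorizedApplications export lines copied from the SDFix log above
FIREWALL_EXPORT = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lxdl\\wireless\\ENGLISH\\lxdlwpss.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lxdl\\wireless\\ENGLISH\\lxdlwpss.exe:*:Enabled: "
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winC.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winC.exe:*:Enabled:winC"
'''

LINE_RE = re.compile(r'^"(?P<key>.+?)"="(?P<value>.+)"$')
# value layout: <path>:<scope>:<Enabled|Disabled>:<display name>
VALUE_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.IGNORECASE)


def normalize_image_path(image_path):
    """Reduce a raw ImagePath to the binary it names: drop the NT '\\??\\' prefix,
    expand %SystemRoot%/%windir% (assumed to be C:\\WINDOWS here) and cut off
    svchost-style arguments (' -k ...')."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%(systemroot|windir)%", r"C:\\WINDOWS", p, flags=re.IGNORECASE)
    p = re.split(r"\s+[-/]", p, maxsplit=1)[0]  # heuristic argument cut-off
    return PureWindowsPath(p)


def check_service(name, image_path):
    """Return the reasons a service's ImagePath looks suspicious (empty list if none)."""
    path = normalize_image_path(image_path)
    reasons = []
    if path.suffix.lower() not in EXEC_EXTENSIONS:
        reasons.append(f"non-executable ImagePath extension '{path.suffix}'")
    if any(part.lower() in SUSPECT_DIRS for part in path.parts[:-1]):
        reasons.append(f"binary lives under an unusual directory: {path.parent}")
    return reasons


def parse_firewall_export(text):
    """Parse .reg-style AuthorizedApplications lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").replace("\\\\", "\\")  # undo .reg backslash escaping
        v = VALUE_RE.match(value)
        if not v:
            continue
        entries.append({
            "path": PureWindowsPath(v.group("path")),
            "scope": v.group("scope"),
            "enabled": v.group("state").lower() == "enabled",
            "name": v.group("name").strip(),
        })
    return entries


def check_firewall_entry(entry):
    """Return the reasons a firewall exception looks suspicious (empty list if none)."""
    reasons = []
    if entry["enabled"] and any(part.lower() in {"temp", "tmp"} for part in entry["path"].parts):
        reasons.append("enabled exception for a program in a temporary directory")
    if not entry["name"]:
        reasons.append("exception has no display name")
    return reasons


def triage():
    """Map every flagged service or firewall entry to its list of reasons."""
    findings = {}
    for name, image_path in SERVICE_IMAGE_PATHS.items():
        if reasons := check_service(name, image_path):
            findings[f"service:{name}"] = reasons
    for entry in parse_firewall_export(FIREWALL_EXPORT):
        if reasons := check_firewall_entry(entry):
            findings[f"firewall:{entry['path']}"] = reasons
    return findings


if __name__ == "__main__":
    for item, reasons in triage().items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

On the constructed data this flags zeqwur twice (a .chm is not an executable, and Help is not a place a service binary belongs) and the two Temp-directory firewall exceptions, one of which also has a blank display name; the genuine sessmgr and LimeWire entries pass. On a live XP box the same checks could be fed from the exported HKLM\SYSTEM\CurrentControlSet\Services ImagePath values and the firewall policy key shown in the log, but note the heuristics are deliberately coarse and every hit still needs a human look.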

#18 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 06 April 2008 - 07:47 AM

As you have now posted an HJT log in the log section


http://www.bleepingcomputer.com/forums/ind...mp;#entry786576

the HJT team should now be advising you on that thread, and the mods should close this thread to prevent duplication of advice.

#19 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:09:56 PM

Posted 06 April 2008 - 09:01 AM

shadowjack55,

Now that you have an open HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA
