Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Services.exe at 99% cpu - Sloooow PC


  • This topic is locked This topic is locked
17 replies to this topic

#1 domehead

domehead

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 21 July 2009 - 08:15 PM

Hey all,

I have an Athlon-based PC running Windows 2000 SP4.

For the past couple of weeks, it has taken longer than usual to boot up (Sitting for around a minute on the 'Preparing Network Connections' display before prompting for user password - This used to take about 4 seconds) - not sure if this is a symptom or clue.

However the main problem is that the whole thing slows dramatically at intervals. When I check with Task Manager, SERVICES.EXE is hogging the cpu.

This appears to be the Services and controller app in C:\WINNT\system32\SERVICES.EXE

Avast anti-virus found and removed a Trojan WIN32:Trojan-gen from a file called C:\WINNT\scvhosts.exe
Spybot S&D found nothing, neither did Malwarebytes Anti-Malware

As I am typing this, I am getting interrupted by very high internet traffic as Services.exe takes 100% of the cpu time and everything seizes up for about a minute, then it stops again. Very odd.

I will be happy to run/re-run any and all programs you may advise. :thumbsup:

BC AdBot (Login to Remove)

 


m

#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 AM

Posted 21 July 2009 - 08:19 PM

Hello and welcome to Bleeping Computer.

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#3 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 22 July 2009 - 08:21 AM

Thanks for the quick reply Computer Pro!

Did as you instructed. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2009 at 04:38 AM

Application Version : 4.26.1006

Core Rules Database Version : 4010
Trace Rules Database Version: 1950

Scan type : Complete Scan
Total Scan Time : 01:43:21

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 4626
Registry threats detected : 2
File items scanned : 16189
File threats detected : 1

Trojan.Media-Codec
HKCR\Media-Codec.Chl
HKCR\Media-Codec.Chl\CLSID

Unclassified.Unknown Origin
C:\DOWNLOADS\UTILS\CD\NERO KEYGEN FOR ALL NERO APPZ & PLUGINS.EXE

Hmm - not sure where that last one came from! :thumbsup:

Gah! Had a power cut while I was posting this. Whole street power went out for 4 hours!
The cpu-hogging is still happening, by the way.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 AM

Posted 22 July 2009 - 10:30 AM

Ok, please Update Malwarebytes, then run a FULL scan.

Then, after that run this and post a log:

Please download and run Processexplorer


http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply

Edited by Computer Pro, 22 July 2009 - 10:30 AM.

Computer Pro

#5 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 22 July 2009 - 07:02 PM

OK - Malwarebytes log:-

Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\downloads\Agent\Music\Apps\soundforge8\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\downloads\Grabit\ahead nero v8.3.6.0 -embrace -www.united-forums.co.uk-\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.

2 more bad boys found - I really don't recall running either of them!

Process explorer log:-

Process PID CPU Description Company Name
System Idle Process 0 96.88
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 288 Windows NT Session Manager Microsoft Corporation
csrss.exe 316 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 336 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 364 Services and Controller app Microsoft Corporation
svchost.exe 548 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 576 Spooler SubSystem App Microsoft Corporation
aswUpdSv.exe 632 avast! Antivirus updating service ALWIL Software
ashServ.exe 648 avast! antivirus service ALWIL Software
svchost.exe 668 Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 692 3.13 Java™ Quick Starter Service Sun Microsystems, Inc.
PnkBstrA.exe 740
regsvc.exe 760 Remote Registry Service Microsoft Corporation
mstask.exe 764 Task Scheduler Engine Microsoft Corporation
stisvc.exe 852 Still Image Devices Monitor Microsoft Corporation
TomTomHOMEServi 936 Windows Service for TomTom HOME TomTom
ULCDRSvr.exe 980 ULCDRSvr Ulead Systems, Inc.
vsmon.exe 1024 TrueVector Service Zone Labs, LLC
winmgmt.exe 1152 Windows Management Instrumentation Microsoft Corporation
svchost.exe 1192 Generic Host Process for Win32 Services Microsoft Corporation
ashMaiSv.exe 1400 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 1444 avast! Web Scanner ALWIL Software
LSASS.EXE 376 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 1212 Windows Explorer Microsoft Corporation
zlclient.exe 1440 ZoneAlarm Client Zone Labs, LLC
VCDDaemon.exe 1452 Virtual CloneDrive Daemon Elaborate Bytes AG
ashDisp.exe 1468 avast! service GUI component ALWIL Software
jusched.exe 1488 Java™ Platform SE binary Sun Microsystems, Inc.
rundll32.exe 1456 Run a DLL as an App Microsoft Corporation
procexp.exe 588 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


Tried to catch SERVICES.EXE with 99% of cpu but failed...

:thumbsup:

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 AM

Posted 22 July 2009 - 09:14 PM

First I want to warn you of a danger on the net:

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the Operating System.

Next, from Process Explorer, I see that you have the Remote Registry service active (as default). Is this computer issued by a company, or do you personally own it?

If you personally own it, then I would highly suggest that you disable the Remote Registry service as it allows hackers (if you have malware on your PC) to access your registry remotely. For example, a backdoor trojan or something of that sort. You don't have this as we can tell, but most of the time, the safest decision is to have it disabled. To disable it (only if you personally own the PC):

*Go to Start->Run->type services.msc in the Run box, then click ok.

*Find the Service labeled Remote Registry.

*Right click on it, and select Properties.

*Under "Startup Type", please use the dropdown box to select Disabled. Then click Apply, then Ok. You can then close the Services window.



Next, Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Edited by Computer Pro, 22 July 2009 - 09:14 PM.

Computer Pro

#7 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 23 July 2009 - 02:53 PM

Thanks for the advice. I have to say that there are way too many files on this computer - some of dubious origin. I could have gone through and deleted much of the stuff, but didn't want to obscure any findings made here.

No idea why Remote Registry service was enabled - Disabled as instructed.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 23, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 23, 2009 11:50:04
Records in database: 2519895
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 210579
Threat name: 10
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 08:33:09 <<<<------Eeeeeek!


File name / Threat name / Threats count
C:\Documents and Settings\MF\Application Data\Thunderbird\Profiles\nxuk8q11.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Small.dam 2
C:\Downloads\Agent\Books\Temp\Apps\IPOD Video Converter 2 4 Keygen.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.e 1
C:\Downloads\Security\Trinity Rescue Kit\trinity-rescue-kit.3.3-build-334.iso Infected: not-a-virus:NetTool.Win32.PsKill.a 3
C:\Downloads\Security\Trinity Rescue Kit\trinity-rescue-kit.3.3-build-334.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.i 3
C:\Downloads\Utils\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Downloads\Web\Mirc\mirc617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Downloads\Web\mirc62.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Downloads\Web\Xolox\xolox1.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e 1
C:\Downloads\Web\Xolox\xolox1.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl 2
C:\Downloads\Web\Xolox\xolox1.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1

The selected area was scanned.

Funnily enough, the Trinity Rescue kit is something I looked at here on BC! Clearly there are some things which the detection software just get wrong. I guess that is why the experts here are so essential when dealing with the messes us dumber people get into! :thumbsup:

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 AM

Posted 23 July 2009 - 02:59 PM

Some scanners detect other tools as types of malware, just from their makeup even though they are not.

Next, lets run Dr. Web (as the Kaspersky scanner doesnt delete anything):

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Computer Pro

#9 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 24 July 2009 - 08:59 PM

Wow - That took a loooong time!

Here's the Doctor's log:

IPOD Video Converter 2 4 Keygen.exe\KASPER~1.EXE;C:\Downloads\Agent\Books\Temp\Apps\IPOD Video Converter 2 4 Keygen.exe;Tool.ProductKey;;
IPOD Video Converter 2 4 Keygen.exe;C:\Downloads\Agent\Books\Temp\Apps;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Downloads\Security\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Downloads\Security\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Downloads\Security;Archive contains infected objects;Moved.;
Process.exe;C:\Downloads\Security\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Downloads\Security\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001;C:\Downloads\Security\ZoneAlarm\Win2000\zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001;Adware.MyWebSearch.22;;
data001;C:\Downloads\Security\ZoneAlarm\Win2000;Container contains infected objects;;
Z4BARSPINSTALL.EXE;C:\Downloads\Security\ZoneAlarm\Win2000;Container contains infected objects;;
zlsSetup_70_483_000_en.exe;C:\Downloads\Security\ZoneAlarm\Win2000;Archive contains infected objects;Moved.;
mirc62.exe\data007;C:\Downloads\Web\mirc62.exe;Program.mIRC.60;;
mirc62.exe;C:\Downloads\Web;Archive contains infected objects;Moved.;
xolox1.5.exe\data003;C:\Downloads\Web\Xolox\xolox1.5.exe;Adware.SaveNow;;
xolox1.5.exe;C:\Downloads\Web\Xolox;Archive contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.617;Incurable.Moved.;
yBookmaker.exe;C:\Program Files\yBook;Modification of Win32.HLLM.Generic.425;Moved.;
zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001;C:\Shares\Put Here\Security\zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001;Adware.MyWebSearch.22;;
data001;C:\Shares\Put Here\Security;Container contains infected objects;;
Z4BARSPINSTALL.EXE;C:\Shares\Put Here\Security;Container contains infected objects;;
zlsSetup_70_483_000_en.exe;C:\Shares\Put Here\Security;Archive contains infected objects;Moved.;
Process.exe;C:\Shares\Put Here\Security\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Shares\Put Here\Security\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;

Thanks for sticking with me so far! :thumbsup:

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:47 AM

Posted 24 July 2009 - 09:21 PM

Your very welcome. How are things running so far?
Computer Pro

#11 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 25 July 2009 - 07:51 AM

Well, the symptoms are still there :flowers:

At random intervals, SERVICES.EXE hogs the cpu - I did manage to catch it in Process Explorer: -

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 288 Windows NT Session Manager Microsoft Corporation
csrss.exe 316 1.56 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 336 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 364 98.44 Services and Controller app Microsoft Corporation
svchost.exe 548 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 576 Spooler SubSystem App Microsoft Corporation
aswUpdSv.exe 632 avast! Antivirus updating service ALWIL Software
ashServ.exe 652 avast! antivirus service ALWIL Software
svchost.exe 684 Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 712 Java™ Quick Starter Service Sun Microsystems, Inc.
PnkBstrA.exe 744
mstask.exe 776 Task Scheduler Engine Microsoft Corporation
stisvc.exe 836 Still Image Devices Monitor Microsoft Corporation
TomTomHOMEServi 928 Windows Service for TomTom HOME TomTom
ULCDRSvr.exe 996 ULCDRSvr Ulead Systems, Inc.
vsmon.exe 1076 TrueVector Service Zone Labs, LLC
winmgmt.exe 1132 Windows Management Instrumentation Microsoft Corporation
svchost.exe 1148 Generic Host Process for Win32 Services Microsoft Corporation
ashWebSv.exe 1388 avast! Web Scanner ALWIL Software
ashMaiSv.exe 1392 avast! e-Mail Scanner Service ALWIL Software
LSASS.EXE 376 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 1276 Windows Explorer Microsoft Corporation
zlclient.exe 1428 ZoneAlarm Client Zone Labs, LLC
VCDDaemon.exe 1456 Virtual CloneDrive Daemon Elaborate Bytes AG
ashDisp.exe 1528 avast! service GUI component ALWIL Software
jusched.exe 1476 Java™ Platform SE binary Sun Microsystems, Inc.
rundll32.exe 1556 Run a DLL as an App Microsoft Corporation
procexp.exe 1564 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

This cpu hogging is sometimes accompanied by a lot of traffic in and out of my internet connection.
Can some of these services be stopped? Could it be a clash of some sort?
Have I been hijacked?

I have so many questions - and so little brain! :thumbsup:

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:47 PM

Posted 25 July 2009 - 09:24 AM

You are connecting thru a router? and not directly thru a dsl or cable modem? to the internet?

Avast has a semi firewall?

Edited by DaChew, 25 July 2009 - 09:24 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:47 PM

Posted 25 July 2009 - 09:25 AM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Chewy

No. Try not. Do... or do not. There is no try.

#14 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 25 July 2009 - 09:56 AM

Hey DaChew!

Thanks for jumping in to help.

Yes I do connect through a Router
I am using ZoneAlarm Firewall (Hmm- will have to change it soon cos the latest version will not run on Win 2k) :thumbsup:

Here is the log from the Smitfraudfix Search:-

SmitFraudFix v2.417

Scan done at 15:51:02.25, Sat 25/07/2009
Run from C:\Downloads\Security\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\Security\SmitfraudFix\Policies.exe
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\WINNT\system32\LogFiles


C:\Documents and Settings\MF


C:\DOCUME~1\MF\LOCALS~1\Temp


C:\Documents and Settings\MF\Application Data


Start Menu


C:\DOCUME~1\MF\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: NVIDIA nForce MCP Networking Controller Driver
DNS Server Search Order: 212.159.13.49
DNS Server Search Order: 212.159.13.50

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: DhcpNameServer=192.168.7.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: NameServer=212.159.13.49,212.159.13.50
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: DhcpNameServer=192.168.7.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: NameServer=212.159.13.49,212.159.13.50
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: DhcpNameServer=192.168.7.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E}: NameServer=212.159.13.49,212.159.13.50
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.7.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.7.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.7.1


Scanning for wininet.dll infection


End

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:47 PM

Posted 25 July 2009 - 10:29 AM

We see a lot of problems with zonealarm but that trojan media codec is a real nasty

Let's look for rootkits

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users