Startservice takeover



#1 germ2112

Posted 10 April 2010 - 05:56 AM

I seem to have some type of infection.

I ran Rkill and got the following:

Ran as Administrator on 04/10/2010 at 6:38:48.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Administrator\Local Settings\Application Data\KRHPHHBN\StartService.exe

Rkill completed on 04/10/2010 at 6:38:51.

Every time I run RKill it comes up with this, and I received a window that mIRC has encountered a problem and needs to close. When I click "to see what data this error report contains, click here" it tells me the appname is "Startservice.exe".

I uninstalled IRC and still see this message when running Rkill.

Please note that I cannot manually see the \KRHPHHBN directory in Windows, only in a command prompt, and am unable to delete it.

Additionally in my startup tab under System Configuration Utility, there are two listings for "StartService" with the command located at " C:\documents and settings\administrator\local settings\application data\KRHPHHBN\StartService.exe"

Additionally, when I boot up, once Windows loads, I immediately get a warning that Startservice cannot load properly. It's a "Startservice.exe - Application Error" stating:
"The instruction at "0x7c910ef4" referenced memory at "0x00e11520". The memory could not be "read".
Click on OK to terminate the program

If I remove "startservice" from my startup config by unchecking it, once I reboot, it is rechecked.

Please assist.

I forgot to mention a big part:

I'm also getting redirects of Google search results.

When searching in Google, if I click on a result, it directs me to various other sites.

EDIT: Added info from second post to initial post by OP, moved thread to Am I Infected as more appropriate forum ~ Hamluis.

Edited by hamluis, 10 April 2010 - 07:36 AM.




#2 Ruf10

Posted 10 April 2010 - 06:58 PM

My comp developed the same problem today. No matter what I do, I can't get rid of it. It uploads from startup even when you deselect it; it magically enables itself again. Need help!

#3 A1_Frank

Posted 12 April 2010 - 04:38 PM

Had same prob here. Think I fixed it. You are user 1
-create user 2
-log in as user 2
-step 3: now you can go to user 1/Local Settings\Application Data\TWKNBHME and delete or rename startservice.exe
-step 4: use StartupControlPanel from Mike Lin to remove various started programs
-step 5: use Taskcontrol to kill various progs

-logoff and log in as user 1
-repeat steps 3-5 above for user 2

Please add comments.
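
An added example, not part of any post in this thread: a small triage check over exported startup entries that flags the pattern reported above, namely an executable started from a subfolder of a user's `Local Settings\Application Data` directory, a folder name of eight uppercase letters, and the same command listed more than once. The function names and the eight-letter heuristic are assumptions drawn from the two folder names posted here, and every sample entry except the StartService path is constructed.

```python
import ntpath
import re
from collections import Counter

# Executable directly inside a subfolder of a user's XP-style
# "Local Settings\Application Data" directory; group 1 is that subfolder.
APPDATA_EXE = re.compile(
    r"\\documents and settings\\[^\\]+\\local settings"
    r"\\application data\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# Assumption: eight uppercase letters, like the two folder names in this thread.
RANDOM_DIR = re.compile(r"[A-Z]{8}")

def exe_path(command):
    """Strip quotes, padding and arguments from a startup command line."""
    cmd = command.strip().strip('"')
    end = cmd.lower().find(".exe")
    return ntpath.normpath(cmd[:end + 4]) if end != -1 else ntpath.normpath(cmd)

def review_startup(entries):
    """entries: (name, command) pairs. Returns a list of (path, reasons)."""
    paths = [exe_path(cmd) for _, cmd in entries]
    counts = Counter(p.lower() for p in paths)  # Windows paths ignore case
    findings = {}
    for path in paths:
        m = APPDATA_EXE.search(path)
        if not m:
            continue
        reasons = ["runs from per-user Application Data"]
        if RANDOM_DIR.fullmatch(m.group(1)):
            reasons.append("folder name is eight uppercase letters")
        if counts[path.lower()] > 1:
            reasons.append("listed %d times" % counts[path.lower()])
        findings.setdefault(path.lower(), (path, reasons))
    return list(findings.values())

# Constructed sample input; only the StartService path comes from the thread.
SAMPLE = [
    ("StartService", r' C:\documents and settings\administrator\local settings\application data\KRHPHHBN\StartService.exe'),
    ("StartService", r'"C:\Documents and Settings\Administrator\Local Settings\Application Data\KRHPHHBN\StartService.exe"'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Documents and Settings\Administrator\Local Settings\Application Data\Vendor\update.exe" /background'),
]

if __name__ == "__main__":
    for path, reasons in review_startup(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

An entry with only the first reason, like the constructed `Updater` line, is common for legitimate software; the combination of all three is what matches the reports in this thread.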



