
Service.exe Problem



#1 smoak86

Posted 31 March 2006 - 10:10 PM

A few weeks ago I started having problems with Internet Explorer causing errors even though I wasn't using it. Svchost runs it constantly. If you kill iexplore.exe in the processes, it just starts back. I've looked through this site and appreciate the info here. It looks like Service.exe is at least one problem. It may be service.exe that creates the other .exe's that run at startup, it may not. Unfortunately I've done everything I can think to do, and frankly I'm tired of trying the same things over and over without it working. This is what I've done so far (multiple times):

1. Run Ad-Aware and clean what it finds regularly.
2. Run Spybot S&D and clean what it finds regularly.
3. Ran Getservices.bat and checked everything. Service was the only thing I found that I couldn't account for.
4. Used HJT and Autoruns to get rid of the .exe process associated with the problem. (probably 10+ so far)
5. Gone into Safe Mode and removed in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\SERVICE (redundant, but who cares)
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_SERVICE (again)
Anything else I could find referring to Service.exe and the associated .exe's (SHELL, USERINIT, ETC.)
6. Used Killbox to delete C:\windows\system32\service.exe and
C:\windows\system32\randomfilethat'sdrivingmecrazy.exe (both delete on reboot)
7. Rebooted in Safe Mode, looked for the offending files and didn't find them.
8. Rebooted in Normal Mode to have Zone Alarm ask for permission for the new .exe.
9. Looked and found that all my deleting was worthless.
10. Cursed. A lot.

Here are a few of the .exe's wiped so far. Each time I reboot, it starts back under the new file:
gephaaa.exe, ilscdlg.exe, mll_ycfg.exe, mm5.exe, mm6.exe, nvapqmgr.exe, phuvmaxb.exe, rasassec.exe, richbdvd.exe, spupemui.exe, v7vgcp70.exe

The latest version is tmp9ueng.exe.

Here's the latest HJT.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:24 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\tmp9ueng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O21 - SSODL: IEFilter - {CFD48922-C34E-48DB-921F-435CCD88DDDD} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: Connection Explorer - {04EA0BCA-B633-4273-BCE9-4533E84C028E} - C:\WINDOWS\system32\wshowwin.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


The R1's and R0's I'm not sure about.
I know I'm obviously missing something. I'm open to any ideas at this point.

Thanks in advance,

Smoak
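As an added illustration (not part of the original thread, and not HijackThis code), here is a small Python parser for the HJT log format posted above. It groups every F2, O4 and O23 entry by the binary it points to, which shows why deleting a single file or registry key did not stick: tmp9ueng.exe is referenced from the system.ini UserInit line and from both the HKLM and HKCU Run keys at once, while the "Service" entry is an O23 service with no identifiable owner. The sample log is a constructed subset of the lines in this post, and the function names (parse_hjt, persistence_map and so on) are my own.

```python
import re
from collections import defaultdict

# Constructed subset of the HijackThis log posted in this thread (paths copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<rest>.*)$")            # "O4 - ...", "F2 - ..."
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)  # Windows paths, spaces allowed

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()     # keeps services.exe and Service.exe distinct

def parse_hjt(log):
    """Return (type, body) for every 'Xn - ...' entry line in an HJT log."""
    return [(m.group("type"), m.group("rest"))
            for line in log.splitlines() if (m := ENTRY_RE.match(line.strip()))]

def persistence_map(log):
    """Map each binary name to the set of autostart points that reference it."""
    refs = defaultdict(set)
    for etype, rest in parse_hjt(log):
        # F2 = system.ini UserInit, O4 = Run key (labelled with its hive), O23 = service
        label = {"F2": "F2 UserInit", "O23": "O23 Service"}.get(etype, etype)
        if etype == "O4":
            label = "O4 " + rest.split(":", 1)[0]
        for path in PATH_RE.findall(rest):
            refs[basename(path)].add(label)
    return dict(refs)

def multi_persistence(log, min_refs=2):
    """Binaries wired into >= min_refs distinct autostart points: deleting one of them will not hold."""
    return sorted(n for n, r in persistence_map(log).items() if len(r) >= min_refs)

def unknown_owner_services(log):
    """O23 services whose publisher HJT could not identify (like the 'Service' entry here)."""
    return sorted(basename(p) for t, rest in parse_hjt(log)
                  if t == "O23" and "Unknown owner" in rest for p in PATH_RE.findall(rest))

if __name__ == "__main__":
    for name, where in sorted(persistence_map(SAMPLE_LOG).items()):
        print(f"{name:14} <- {', '.join(sorted(where))}")
    print("multiple autostart points:", multi_persistence(SAMPLE_LOG))
    print("services with unknown owner:", unknown_owner_services(SAMPLE_LOG))
```

The same grouping can be run over a full log to list every autostart point that must be cleared in the same Safe Mode session before a regenerating binary stops coming back.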


#2 Enthusiast

Posted 31 March 2006 - 10:54 PM

service - service.exe - Process Information

Process File: service or service.exe
Process Name: Dell Solution Center

Description:
service.exe is a process belonging to the Dell Solution Center which offers worldwide technical support and training for its products. This program is important for the stable and secure running of your computer and should not be terminated. This process is also installed alongside Adaptec SCSI cards, and again should not be terminated unless causing problems.

Note: service.exe is also a process which is registered as the WORM_KELVIR.DD and Win32.Raleka worms. These worms are distributed via the Internet through e-mail and come in the form of an e-mail or an MSN instant message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

Determining whether this process is a virus or a Windows process depends on the directory it is in.

Author: Dell
Part Of: Dell Hardware Support

Hang in and we will get your HJT log to the proper forum.

#3 smoak86

Posted 31 March 2006 - 11:10 PM

Enthusiast,

I guess it would have made sense to put it under a Security heading.

Thanks,
Smoak

#4 Enthusiast

Posted 31 March 2006 - 11:20 PM

They will move your post to the Hijack This forum where our specialists will analyze it and help you with anything that needs to be addressed.

Or -

It might be faster if you repost it here:

http://www.bleepingcomputer.com/forums/posthjtlog.html

Either way, watch the HJT forum your post will be in and wait for an answer.

After they help you verify your system is clean, if you are still experiencing any problems, come back to this forum and we will help you figure it out.



