Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hidden service "service1"


  • Please log in to reply
26 replies to this topic

#1 redphender

redphender

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 11 December 2014 - 04:58 PM

I see in the event viewer an entry saying that "service1" has been started, event id 0. Surfing the registry I found the key in the picture.

I deleted it but after a reboot it has been recreated.

I can't find the "service1" even with sysinternals procmon, procexp  or autorun.

Scanning with gmer and tdskiller gave no results.

Please help me

Thanks

AndreaAttached File  service1.jpg   76.35KB   1 downloads


Edited by hamluis, 11 December 2014 - 06:20 PM.
Moved from Win 7 to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 PM

Posted 11 December 2014 - 07:14 PM

It looks like legit Net.Framework service.

Why exactly would you like to remove it?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 12 December 2014 - 06:07 AM

Hi Broni

Because it doesn't appear in the service list. If it's a legitimate service why is hidden?



#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 PM

Posted 12 December 2014 - 07:40 PM

So you don't play with it.

Windows have many hidden files, folders and services.

Just to keep you from messing things up :)


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 13 December 2014 - 05:02 AM

I know about hidden folders and files ("show hidden" in folder's option) and using tools like autoruns is possible to see more than msconfig allows you to see. 

I'd like to know what the "service1" is for and to which program belongs. I've never seen such a service in other Windows 7 installation.



#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 PM

Posted 13 December 2014 - 06:18 PM

I already told you what it is.

I have very same entry in my registry.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#7 pyroclastic

pyroclastic

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:13 PM

Posted 13 December 2014 - 06:57 PM

I'd like to know what the "service1" is for and to which program belongs. I've never seen such a service in other Windows 7 installation.

See if this applies to your system http://www.bleepingcomputer.com/startups/Vista_Session_Launcher_Service-27547.html.



#8 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 14 December 2014 - 11:09 AM

Broni,

thanks but I'm not as calm as you are, I'll keep on investigating.

 

Pyroclastic,

thanks, does not apply. The post refers to a service1.exe file with associate service CustomSvc, I have no such .exe file in my system, nor customsvc service as well.

 

I created a vmware Windows 7 fresh installation, no 'service1' reported.

Another symptom; avast av randomly reports c:\programdata\microsoft\secure\icons\temp\tmp[random chars].exe as win32:dropper-gen virus



#9 pyroclastic

pyroclastic

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:13 PM

Posted 14 December 2014 - 01:51 PM

Pyroclastic,

thanks, does not apply. The post refers to a service1.exe file with associate service CustomSvc, I have no such .exe file in my system, nor customsvc service as well.

If you can't associate your Service1 with any known-good Service1, such as Session Launcher, you might as well be onto something - I'm not saying it's malicious it's just that there could be threats that use that specific handle (e.g. see this http://home.mcafee.com/virusinfo/virusprofile.aspx?key=4030670#none ;also not saying it's this particular threat). Session Launcher might not be the only legitimate thing using that handle, too, in fact there could be dozens; that one was just from the top of my head and BC had a nice link.

 

Seeing that Avast suggests that you've got a dropper on your system and you already obtained procexp/autoruns results, you could post those, or wait for Broni to give you instructions regarding FRST or another tool. Also, even if you're comfortable around the registry editor and Windows don't delete anything yet. Should it turn out to be a legitimate component you'd break something (sometimes that's irreversible or a real pain to fix ..) and if it's malicious it could also break things but even more obfuscate the bigger picture and as a result analysis attempts could be inconclusive.

 

In addition, if you could post a list of your installed programs it'd be easier to see something legitimate related to Service1. MiniToolBox can produce a list of your installed programs (http://www.bleepingcomputer.com/download/minitoolbox/). When in doubt wait for Broni to post back a more in depth solution.

 

Best regards.



#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 PM

Posted 14 December 2014 - 02:30 PM

Another symptom; avast av randomly reports c:\programdata\microsoft\secure\icons\temp\tmp[random chars].exe as win32:dropper-gen virus

 

This is more valid concern.

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

p22002970.gif Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


p22002970.gifDownload 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#11 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 15 December 2014 - 04:32 PM

Broni & Pyroclastic,

thanks for your support.

Lot of scanning work ahead, I'll post the result as soon as possible



#12 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 15 December 2014 - 04:38 PM

log from Security Check

 

Results of screen317's Security Check version 0.99.93  
 Windows 7  x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Java 8 Update 20  
 Java SE Development Kit 8 Update 20 
 Java Card Security for HP ProtectTools 
 Java version 32-bit out of Date! 
 Adobe Flash Player 10 Flash Player out of Date! 
 Adobe Flash Player 16.0.0.235  
 Adobe Reader XI  
 Mozilla Firefox (34.0.5) 
 Google Chrome (39.0.2171.71) 
 Google Chrome (39.0.2171.95) 
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 


#13 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 15 December 2014 - 04:41 PM

log from FSS

 

Farbar Service Scanner Version: 21-07-2014
Ran by localuser (administrator) on 15-12-2014 at 22:40:15
Running from "C:\Users\localuser\Google Drive\Tools\Farbar service scanner"
Microsoft Windows 7 Professional   (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\windows\system32\nsisvc.dll => File is digitally signed
C:\windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\windows\system32\dhcpcore.dll => File is digitally signed
C:\windows\system32\Drivers\afd.sys => File is digitally signed
C:\windows\system32\Drivers\tdx.sys => File is digitally signed
C:\windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\windows\system32\dnsrslvr.dll => File is digitally signed
C:\windows\system32\mpssvc.dll => File is digitally signed
C:\windows\system32\bfe.dll => File is digitally signed
C:\windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\windows\system32\SDRSVC.dll => File is digitally signed
C:\windows\system32\vssvc.exe => File is digitally signed
C:\windows\system32\wscsvc.dll => File is digitally signed
C:\windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\windows\system32\wuaueng.dll => File is digitally signed
C:\windows\system32\qmgr.dll => File is digitally signed
C:\windows\system32\es.dll => File is digitally signed
C:\windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\windows\system32\ipnathlp.dll => File is digitally signed
C:\windows\system32\iphlpsvc.dll => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
 
 
**** End of log ****


#14 redphender

redphender
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 15 December 2014 - 05:06 PM

mbam log (sorry for the Italian, ask if you need translation)

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Data scansione: 15/12/2014
Ora scansione: 22:44:07
File di log: mbamlog.txt
Amministratore: Si
 
Versione: 2.00.4.1028
Database malware: v2014.12.15.05
Database rootkit: v2014.12.14.01
Licenza: Free
Protezione da malware: Disattivata
Protezione da siti web nocivi: Disattivata
Autoprotezione: Disattivata
 
SO: Windows 7
CPU: x86
File system: NTFS
Utente: localuser
 
Tipo di scansione: Scansione elementi nocivi
Risultati: Completata
Elementi analizzati: 382696
Tempo impiegato: 17 min, 3 sec
 
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Disattivata
Euristica: Attivata
PUP: Avviso
PUM: Attivata
 
Processi: 0
(Nessun elemento malevolo rilevato)
 
Moduli: 0
(Nessun elemento malevolo rilevato)
 
Chiavi di registro: 0
(Nessun elemento malevolo rilevato)
 
Valori di registro: 0
(Nessun elemento malevolo rilevato)
 
Dati di registro: 0
(Nessun elemento malevolo rilevato)
 
Cartelle: 0
(Nessun elemento malevolo rilevato)
 
File: 0
(Nessun elemento malevolo rilevato)
 
Settori fisici: 0
(Nessun elemento malevolo rilevato)
 
 
(end)


#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 PM

Posted 15 December 2014 - 05:08 PM

No need for translation.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users