Services
4 replies to this topic

#1 Reya

Reya

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 09 November 2006 - 03:37 AM

I'm pretty sure some of the services my computer starts are not legit. The only problem is, even after reading the tutorial article on services and malware, I'm still not comprehending how to diagnose them (although I understand a minimal amount about removing them through the registry).

Perhaps someone could walk me through the process? My HJT is clean, the services shown there are legit (although there is one that I don't need anymore that seems determined to stay, HJT keeps telling me to disable it even after I ended the process through task manager).

I used the getservices.bat program and have a file of all the services running and have already found some very suspicious suckers. But removing them is something I'm not yet confident enough to do without an expert's assistance. Anyone willing to help?


-looks around- And I can't upload the .txt file. D:



#2 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:07:30 AM

Posted 09 November 2006 - 09:03 AM

Can you copy and paste the appropriate parts of the .txt file to a forum reply?
Regards,
John

Edited by jgweed, 09 November 2006 - 09:28 AM.

Whereof one cannot speak, thereof one should be silent.

#3 Reya

Reya
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 09 November 2006 - 12:57 PM

This is the one that I'm pretty sure is harmless, but refuses to make itself scarce.


SERVICE_NAME: I2enutss
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME :
LOAD_ORDER_GROUP : Boot Bus Extender
TAG : 1
DISPLAY_NAME : I2enutss
DEPENDENCIES :
SERVICE_START_NAME:


SERVICE_NAME: ShellHWDetection
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

There are quite a few with the Binary path of C:\WINDOWS\System32\svchost.exe -k netsvcs, which a search on CastleCops will tell you is malicious, although the services associated with it, such as

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem


seem legit. O_o


Thanks for your time, John.

-Reya

Edited by Reya, 09 November 2006 - 01:00 PM.
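An added example, not from the thread or from the getservices.bat tool, that parses this dump layout and applies the checks a reviewer would run before touching the registry: the two sample records are constructed from the post (trimmed to the fields used), and the "ServiceDll" flag refers to the per-service Parameters\ServiceDll registry value that names the DLL a shared svchost.exe group actually loads, which is what distinguishes one netsvcs-hosted service from another.

```python
import re

# Constructed sample in the layout of the getservices.bat / "sc qc" dump quoted
# in the thread (two records from the post, trimmed to the fields used here).
SAMPLE_DUMP = r"""
SERVICE_NAME: I2enutss
(null)
BINARY_PATH_NAME :
DISPLAY_NAME : I2enutss

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Network Provisioning Service
"""

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def parse_services(dump):
    """One dict per SERVICE_NAME record; the line after SERVICE_NAME is the
    description ("(null)" when empty), every other line is "KEY : value"."""
    services, current, want_desc = [], None, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip(), "DESCRIPTION": ""}
            services.append(current)
            want_desc = True
        elif want_desc:
            current["DESCRIPTION"] = "" if line == "(null)" else line
            want_desc = False
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # first colon only, so "C:\..." survives
            current[key.strip()] = value.strip()
    return services

def triage(svc):
    """Heuristic review flags for one record; an empty list means nothing stood out."""
    flags, path = [], svc.get("BINARY_PATH_NAME", "")
    if not path:
        flags.append("empty BINARY_PATH_NAME: nothing to execute, check for an orphaned entry")
    if not svc["DESCRIPTION"] and svc.get("DISPLAY_NAME") == svc["SERVICE_NAME"]:
        flags.append("no description and DISPLAY_NAME equals SERVICE_NAME")
    host = SVCHOST_RE.search(path)
    if host:  # a shared host path proves nothing either way; the service's own DLL does
        flags.append(f"svchost group '{host.group(1)}': judge it by its ServiceDll, not the host")
    return flags
```

Run `triage` over every record from `parse_services` on the full getservices.bat output; a record with no flags still needs the usual name lookup, the flags only order the review.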


#4 Reya

Reya
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 11 November 2006 - 02:13 PM

Giving this a little nudge.

#5 Reya

Reya
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 17 November 2006 - 04:17 AM

And another little nudge.
