Explanation of Unknown Service that AntiSpyware Silently Grants Permission to Install (long)

David G.

I have the following message in the Agent Events Log:

"Windows Service YITFXGRPFF
(C:\DOCUME~1\DAVIDG~1\LOCALS~1\Temp\YITFXGRPFF.exe) has been granted
permission to be installed. Microsoft AntiSpyware has determined this
program to be free of known spyware."


Can someone explain why a service that is trying to run from my
temporary internet files is silently granted permission by AntiSpyware
to install? Is there an option to tell AntiSpyware NOT to allow any
service to install without prompting me first?

The system in question:
- Fully patched Windows XP SP2 (patched as of last Tuesday I believe)
- Norton AntiVirus - with latest definitions - scanning for email (in /
out) and viruses
- MS AntiSpyware 1.0.615 (spyware Definition Version: 5745)
- SpywareBlaster (with latest definitions)
- Spybot Search & Destroy (with latest definitions)

Just Monday and then again today AntiSpyware caught two services trying
to install. I didn't allow either. Not sure how the files got on the PC
(I'm the only one that uses it and don't download from unknown sources
ever, and have not installed any new programs for a few weeks).

In any case, the services were installed and started running anyway,
despite me answering NO to allowing them. They showed up in the Services
applet. They were apparently dormant (I guess AntiSpyware was stopping
them from doing anything). I removed them carefully (RegDB and files)
and the system checks out fine (viruses and spyware clean). Today's
service was something called "TCP-IP.EXE" located in the WINDOWS\Media
folder. The service Monday was "SERVUDAEMON.EXE" in the
WINDOWS\SYSTEM32 folder.

However, when I saw the service yesterday being added automatically, I
got concerned.

Just to recap:

1- Can I instruct AntiSpyware to NEVER allow a service to be installed
without asking me?
2- The two other services it detected and I said NO to, were installed
anyway. Can someone explain why that occurred? They might not have been
allowed to do any harm, but they were running despite being detected by
AntiSpyware.

Thanks.
 
Bill Sanderson

Offhand, I would say your system may well have a trojan in place.

I can't explain the entry you posted from Microsoft antispyware about the
service running from TIF. Were you, by any chance, running a rootkit
detection program of some kind?

I would recommend calling Microsoft Product support services:

In the U.S. or Canada, call 1-866-pcsafety. Elsewhere in the world, call
your local Microsoft subsidiary or paid support number, and ask for the free
help with virus or security patch issues.

I've heard some negatives about this service recently, so I hope your
experience will go well--but the evidence you've posted--servudaemon.exe and
the unusually named service running from temp make me think that your system
should be looked at closely.

F-secure is still in beta on their rootkit detection app--you might want to
try it on your system:

http://www.f-secure.com/blacklight/try.shtml

The wording about the risks of beta software is quite strong. I've run
earlier versions of their beta product on many systems without any effect
whatsoever (including detecting any rootkits!)

--
 
David G.

Bill said:
Offhand, I would say your system may well have a trojan in place.

I can't explain the entry you posted from Microsoft antispyware about
the service running from TIF. Were you, by any chance, running a
rootkit detection program of some kind?

I would recommend calling Microsoft Product support services:

In the U.S. or Canada, call 1-866-pcsafety. Elsewhere in the world,
call your local Microsoft subsidiary or paid support number, and ask
for the free help with virus or security patch issues.

I've heard some negatives about this service recently, so I hope your
experience will go well--but the evidence you've
posted--servudaemon.exe and the unusually named service running from
temp make me think that your system should be looked at closely.

F-secure is still in beta on their rootkit detection app--you might
want to try it on your system:

http://www.f-secure.com/blacklight/try.shtml

The wording about the risks of beta software is quite strong. I've
run earlier versions of their beta product on many systems without
any effect whatsoever (including detecting any rootkits!)

That's interesting you ask about running a rootkit detection program. On
Monday (I think) I ran a rootkit detection program from Sysinternals.com
called RootkitRevealer.exe. I'm fairly sure I ran it after Monday's
problems started. I assume you were asking because you think there might
be a root kit installed. In any case, RootkitRevealer turned up nothing
using their latest detection rules. I'm pretty sure the system is clear
right now.

I'll have a look at f-secure and see what it reports.
 
David G.

Bill said:
Offhand, I would say your system may well have a trojan in place.

I can't explain the entry you posted from Microsoft antispyware about
the service running from TIF. Were you, by any chance, running a
rootkit detection program of some kind?

I would recommend calling Microsoft Product support services:

In the U.S. or Canada, call 1-866-pcsafety. Elsewhere in the world,
call your local Microsoft subsidiary or paid support number, and ask
for the free help with virus or security patch issues.

I've heard some negatives about this service recently, so I hope your
experience will go well--but the evidence you've
posted--servudaemon.exe and the unusually named service running from
temp make me think that your system should be looked at closely.

F-secure is still in beta on their rootkit detection app--you might
want to try it on your system:

http://www.f-secure.com/blacklight/try.shtml

The wording about the risks of beta software is quite strong. I've
run earlier versions of their beta product on many systems without
any effect whatsoever (including detecting any rootkits!)

Just ran BlackLight and it came back negative...
 
Bill Sanderson

RootKitRevealer was what came to mind looking at the randomly named service
running from TEMP. I know that its service component does something
unusual to avoid attack by the rootkits it is attempting to look at, and
that was the one thing I could spot that might have that precise
appearance--an unusual service running from an unexpected place, but vetted
by Microsoft Antispyware.

I haven't run it for a good while--I'll try it out myself later, and see
what happens.

So--that might well explain the Microsoft Antispyware oddity.
ServuDaemon.exe is another issue however--this isn't something you want
running on your system if you didn't put it there yourself, I believe.

--
 
Bill Sanderson

David G. said:
Just ran BlackLight and it came back negative...


OK - I've just run RootKitRevealer, and I believe that explains what you saw
from Microsoft Antispyware--I don't have an answer to your request that it
disallow any service--that's a feature request, and these groups are the
right place to make such requests. Microsoft does read the feedback here.

Are you clear why Servudaemon.exe is on your system?
 
AndyManchesta

I agree with Bill

To me this sounds like you are being attacked from a
connected PC, open backdoor, or someone has remote access
on your system.

The temp file you found could be anything. I've not used
rootkit revealers for a while, but I'm not convinced it's
connected to them, with it being an unknown filename. Some
parts are genuine, like ServUDaemon.exe, but only if you
put it there or it was done with your consent; if not, I'd
say you have been hacked!!

Online scanners are your best starting point. I hope I'm
wrong, because many backdoor trojans inject into essential
files to make removing them very difficult.

I do not know if you use these programs or if you are on
a network, so this may not apply to you, but I'll let you
decide that. Also, I will not post any filenames or paths
yet until I know a bit more about whether you use these
programs and if there are still problems on your PC, as it
can be genuine or very nasty depending on who put it there.
You may need to read these:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.r.html

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074721

TCP-IP.exe I'm not sure about, but it could be being used to
transfer files to your PC, where the attacker tells the
system that it's trying to send a file, then the system
opens a new file under that name, such as the temp entry.

Try some of these to be safe and go for at least 2 of
them. I suggest Panda, Symantec or Trend, but I'll post a
few in case you have problems with some:

Online Scanners:

Bitdefender
-----------
http://www.bitdefender.com/scan/licence.php

Kaspersky
----------
http://www.kaspersky.com/beta?product=161744315

Trojan Scan
-----------
http://www.trojanscan.com/

Panda activescan
----------
http://www.pandasoftware.com/products/activescan

Rav AV
-------
http://www.ravantivirus.com/scan

Symantec's Security Check
-------------------------
http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=KRNRGFRHUUEOLULNPWV

Trend Micro
------------
http://housecall.trendmicro.com/

Note that most viruses/trojans cannot be removed by
online scanners, as the files are running on your system,
so make a note of anything that is detected and not
cleaned so you can then remove them in Safe Mode.

I know I'm assuming the worst here, but it's very suspicious
that you are not aware of these, and one is an FTP client
program; it points towards malware in my view and could be
a serious problem.

If this doesn't clear the problems, you are best using
HijackThis to show what the infection is; then it will be
easier to repair any damage that has been caused.

http://www.greyknight17.com/spy/HijackThis.exe

Do NOT put HijackThis in the Temp folders by just running
the file; save it to the desktop or the C: drive. It's advised you
do this because HijackThis creates a backup folder once
you do some fixes. Now run HijackThis.exe and click on
System scan and save the logfile. Post the log back on
here if you think it's needed and I will check the entries
over and see what we can do to help.

Regards Andy
 
David G.

AndyManchesta said:
I agree with Bill

To me this sounds like you are being attacked from a
connected PC, open backdoor, or someone has remote access
on your system.

The temp file you found could be anything. I've not used
rootkit revealers for a while, but I'm not convinced it's
connected to them, with it being an unknown filename. Some
parts are genuine, like ServUDaemon.exe, but only if you
put it there or it was done with your consent; if not, I'd
say you have been hacked!!

Online scanners are your best starting point. I hope I'm
wrong, because many backdoor trojans inject into essential
files to make removing them very difficult.

I do not know if you use these programs or if you are on
a network, so this may not apply to you, but I'll let you
decide that. Also, I will not post any filenames or paths
yet until I know a bit more about whether you use these
programs and if there are still problems on your PC, as it
can be genuine or very nasty depending on who put it there.
You may need to read these

I thought the very same thing. I have a fully patched Windows 2000 Pro
laptop that I use for only streaming music to the stereo. Since I don't
use it for anything but file sharing across the network, I've only had
some anti-spyware programs running, but no antivirus. The temp file in
question pointed to a (non-existent) file on that laptop. I pulled the
laptop (which is not normally turned on) from the network and installed
AVG AntiVirus. The laptop also runs with minimal services described on
Black Viper's web site (if I recall his handle).

A scan revealed nothing unusual. So I'm thinking the hack (if it was
one) came in from elsewhere. I have a hardware SPI firewall on my router
that has logged no unusual activity and has not indicated any new MAC
addresses that it granted connections to. Which makes me think something
happened internally (with another PC possibly) or I did something on the
problem PC that I can't remember. Possibly, it was on my PC dormant for
some time and slipped past one of the MS holes until patched. Not sure.

I ran HijackThis and here is the log file:

Let me know if you see anything in this that looks disturbing. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 8:58:22 AM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\OE-QuoteFix\oequotefix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\TempStorage\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IMSRun] C:\Program Files\NCH Swift Sound\IMS\ims.exe /logon
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [KeePass Password Safe] C:\Program Files\KeePass Password Safe\KeePass.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...ing_pages/dlp_pillar/b2c_optin_dlp_pillar.jsp
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwea.ops.placeware.com/etc/place/ERASER/VAEpws-a2/5.1.2.150/lib/quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/participant/bin/INParticipant.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - C:\WINDOWS\DOWNLO~1\mimectl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMS Telephone On-Hold PlayerService (IMSService) - Unknown owner - C:\Program Files\NCH Swift Sound\IMS\ims.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
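Added example (not code from the thread, from Microsoft AntiSpyware or from HijackThis): a small Python triage script that takes the two kinds of service evidence posted in this thread, the "Windows Service ... has been granted permission to be installed" message from the Agent Events Log in the original question and HijackThis "O23 - Service:" lines like the ones in the log above, and ranks each service by the signs the replies discuss: a binary running from Temp / LOCALS~1 / Temporary Internet Files / WINDOWS\Media, a binary name the thread called out (servudaemon.exe, tcp-ip.exe), a random-looking all-caps service name of the kind RootkitRevealer and some malware use, and no publisher recorded. The sample input is constructed: the agent event is the one quoted above, the first three O23 lines are copied from the posted log, and the last two O23 lines are hypothetical reconstructions of the TCP-IP.EXE and SERVUDAEMON.EXE services the poster had already removed (their display and short service names are assumptions; only the binary names and folders come from the thread). HijackThis lines that were wrapped by a mail client must be re-joined onto one line before parsing, as they are in the sample.

```python
"""Rank Windows service entries by the warning signs discussed in this thread.

Added example; the heuristics rank entries for a human to review, they do not
decide that something is malware.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceEntry:
    name: str                       # short service name when known, else display name
    path: str                       # binary path as the source reports it
    owner: str = "Unknown owner"    # publisher string (HijackThis prints this field)
    source: str = ""                # which input the entry came from


# Folders a legitimate service almost never runs from (case-insensitive substrings
# of the path).  Temp/LOCALS~1/Temporary Internet Files come from the original
# question; WINDOWS\Media is where TCP-IP.EXE was found.
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\temporary internet files\\",
                "\\windows\\media\\", "\\documents and settings\\")

# Binary names the replies said should not be there unless the user installed them.
WATCHLIST = {"servudaemon.exe", "tcp-ip.exe"}

AGENT_RE = re.compile(r"Windows Service (\S+) \((.+?)\) has been granted permission")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
SHORTNAME_RE = re.compile(r"\(([^()]+)\)\s*$")

STRONG = ("runs from a temporary or user-writable directory",
          "binary name is on the thread's watch list",
          "random-looking service name")


def parse_agent_event(message: str) -> Optional[ServiceEntry]:
    """Extract (service name, path) from the AntiSpyware event text, wrapped or not."""
    match = AGENT_RE.search(" ".join(message.split()))
    if not match:
        return None
    return ServiceEntry(name=match.group(1), path=match.group(2),
                        source="Microsoft AntiSpyware agent event")


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse 'O23 - Service: Display (short) - Owner - Path' into a ServiceEntry."""
    match = O23_RE.match(line.strip())
    if not match:
        return None
    display, owner, path = (part.strip() for part in match.groups())
    short = SHORTNAME_RE.search(display)
    return ServiceEntry(name=short.group(1) if short else display, path=path,
                        owner=owner, source="HijackThis O23")


def looks_random(name: str) -> bool:
    """Crude test for generated names such as YITFXGRPFF: 8+ capital letters with
    almost no vowels.  Short names like UPZIP and mixed-case names are not flagged."""
    if len(name) < 8 or not name.isalpha() or not name.isupper():
        return False
    return sum(ch in "AEIOU" for ch in name) / len(name) < 0.2


def assess(entry: ServiceEntry) -> List[str]:
    """Return the reasons this entry deserves a closer look (may be empty)."""
    reasons: List[str] = []
    lowered = entry.path.lower()
    if any(folder in lowered for folder in SUSPECT_DIRS):
        reasons.append(STRONG[0])
    if lowered.rsplit("\\", 1)[-1] in WATCHLIST:
        reasons.append(STRONG[1])
    if looks_random(entry.name):
        reasons.append(STRONG[2])
    if entry.owner.lower() == "unknown owner":
        reasons.append("no publisher recorded")   # supporting evidence only
    return reasons


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Keep entries with at least one strong indicator.  'Unknown owner' on its
    own is common for legitimate OEM services (ATI Smart in the log above)."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = assess(entry)
        if any(reason in STRONG for reason in reasons):
            flagged[entry.name] = reasons
    return flagged


# Constructed sample input (see the lead-in for what is copied and what is assumed).
AGENT_EVENT = (
    "Windows Service YITFXGRPFF\n"
    "(C:\\DOCUME~1\\DAVIDG~1\\LOCALS~1\\Temp\\YITFXGRPFF.exe) has been granted\n"
    "permission to be installed. Microsoft AntiSpyware has determined this\n"
    "program to be free of known spyware."
)
HJT_LINES = [
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: TCP-IP Service (TCP-IP) - Unknown owner - C:\WINDOWS\Media\TCP-IP.EXE",          # hypothetical
    r"O23 - Service: Serv-U Daemon (ServUDaemon) - Unknown owner - C:\WINDOWS\SYSTEM32\SERVUDAEMON.EXE",  # hypothetical
]


def run_sample() -> Dict[str, List[str]]:
    entries = [parse_agent_event(AGENT_EVENT)] + [parse_o23(line) for line in HJT_LINES]
    return triage([entry for entry in entries if entry is not None])


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running it flags YITFXGRPFF (temp folder plus random name), TCP-IP (WINDOWS\Media plus watch list) and ServUDaemon (watch list only, which is why a path-only rule would have missed it), and leaves the ATI and Symantec services alone. Tune SUSPECT_DIRS and WATCHLIST to the machine in hand; the name-randomness test is deliberately conservative so that real abbreviations such as ccEvtMgr do not trip it.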
 
Bill Sanderson

I ran RootKitRevealer, and indeed, got an alert from Microsoft Antispyware
about an "approved" service being run from TEMP. In my case, it was named
UPZIP, as I recall, but that's sufficiently strange for me to believe that
they are using randomly chosen names intentionally--I know that tool has had
to get smarter to avoid detection by the rootkits themselves.

So--I think the service from temp issue is likely related to running
RootKitRevealer.

However, the ServUDaemon and the TCPIP issues now seem more significant to
me--I haven't researched the TCP related executable--I've certainly heard of
malware installing its own IP stack to escape the security-related controls
on the Windows stack, so this situation still looks "wrong" to me.

--
 
David G.

AndyManchesta said:
I agree with Bill

To me this sounds like you are being attacked from a
connected PC, open backdoor, or someone has remote access
on your system.

I'm currently running BitDefender online scan - nothing so far. I also
ran a full Norton scan yesterday from Safe Mode and it turned up
nothing.

I'm starting to think that whatever got on the system was caught and
stopped, but not completely removed by MS AntiSpyware. I looked at the
Symantec link you posted for the Servudaemon issue (I saw the same post
on Monday) and went through the list of areas of infection and saw
nothing on the PC that matches.

I'm somewhat optimistic that the PC is now fine, but not clear on how it
was infected in the first place. Until I figure it out, I'll quarantine
the other PCs on the network (which are never used for Internet access,
email, or any online activity - short of updating from Windows Update).

I'll post back later once BitDefender has completed... it's taking its
time.

Thanks.
 
Bill Sanderson

David - do you own a Minolta printer, by any chance? Or some other Minolta
device whose software might be installed on your machine?

--
 
David G.

Bill said:
David - do you own a Minolta printer, by any chance? Or some other
Minolta device whose software might be installed on your machine?

No. HP Printers only. The printers listed in Control Panel are:
HP LaserJet 1300
HP Color LaserJet
HP Color LaserJet 9500
Intuit Internal Printer
Microsoft Office Document Image Writer
Microsoft Office Live Meeting Document Writer

What are you seeing?
 
Bill Sanderson

One link to the TCP-ip.exe file that I found was information at a Minolta
site. I couldn't actually see much that was useful about it without logging
in, so I didn't get a clear picture of what this file is all about.

--
 
plun

After serious thinking David G. wrote :
Log posted in earlier response (9:26am today)

Well, with HijackThis.de you can analyze it yourself
and get some hints.

It's only minor "faults" within your log, as I can see;
you can probably directly see if something is wrong
and whether the HijackThis.de result is correct, and perhaps remove these
faults.

Andy seems to be "out of office".
 
plun

plun expressed precisely :
After serious thinking David G. wrote :

Well, with HijackThis.de you can analyze it yourself
and get some hints.

It's only minor "faults" within your log, as I can see;
you can probably directly see if something is wrong
and whether the HijackThis.de result is correct, and perhaps remove these
faults.

Andy seems to be "out of office".

One question, do you know why you have this?

regsvr32 /s mqrt.dll

http://castlecops.com/s2279-regsvr32_s_mqrt_dll.html

Also some more questionable items if you run analyze.
 
David G.

plun said:
One question, do you know why you have this?

regsvr32 /s mqrt.dll

http://castlecops.com/s2279-regsvr32_s_mqrt_dll.html

Also some more questionable items if you run analyze.

I've seen it there before. I know it's for Microsoft Message Queue, but
I'm not sure why it's performing a silent registration at reboot. I was
going to remove it, but I left it in so this NG could see everything.

I'm going to get rid of it now.
 
David G.

Ok. BitDefender completed and located problem files in the System
Restore folder (as system restore points) and deleted them. I have not
performed any system restores lately. I'm going to reboot in safe mode
and make sure those files are in fact gone.

The rest of the PC came back clean.

I also analyzed the HijackThis log file over at hijackthis.de as Plun
recommended and it did not report any malware. It did report some
unknown items that were from trusted sources. I removed everything from
the WINDOWS\Downloaded Program Files that wasn't from a trusted source I
visit frequently.

The System Restore Points contained the following three items:
Backdoor.ServU.25
Application.NTSniff.110
Trojan.ServU.G

I'll run some of the other scanners later today to see if they turn up
anything.

If anyone has anything to add, please let me know. In the meantime, I'll
report back when I have more information.

Thanks.
 
plun

After serious thinking David G. wrote :
Backdoor.ServU.25
Application.NTSniff.110
Trojan.ServU.G

Hi David

Hopefully Andy is back soon and also check your HijackThis log.

Did you completely empty your System Restore or remove specific
restore points? Or BitDefender "auto remove mode"?
 
