Explanation of Unknown Service that AntiSpyware Silently Grants Permission to Install (long)

Bill Sanderson

I haven't had a chance to look at the log yet--but I've read these messages,
and my current take on your situation is that you definitely were infected
with something, but it appears that it is now taken care of.

Given that what you had before was a trojan, perhaps with an FTP component,
I would check the other machines with some care, and I would suggest that
you take a good look at the amount of disk space on that one, and what it is
being used by--you might have a collection of stuff that you don't know
about living in some hidden or strangely named subdirectory.
 
David G.

plun said:
After serious thinking, David G. wrote:

Hi David

Hopefully Andy is back soon and will also check your HijackThis log.

Did you completely empty your System Restore or remove specific
restore points? Or BitDefender "auto remove mode"?

I ended up turning off System Restore and it says it removed all saved
restore points. BitDefender removed the ones it found, but I thought it
best to remove them all. Not sure how to manually check the folder since
the system seems to have it locked even to admins (and even from safe
mode).
 
Bill Sanderson

Not sure this works, but if desperate, start with an XP CD in the drive, and
see if your system will allow booting from the CD. If so, take the first
"R" for recover option, and boot to the recovery console.

This is a self-contained command-line OS (type HELP for the commands) that allows
you to look at selected portions of the original boot drive (you can look at
more with some advance preparation).

I can't remember whether this lets you look at the s/r area--I wouldn't
worry about it--just turning it off and back on (under XP or Windows Server
2003) removes all the old data. Under Windows Millennium Edition, you need
to do a restart between the turnoff and the turnon.

I've used the recovery console to deal with some malware that stays active
even in safe mode--otherwise, it is really for dire emergencies.

--
 
AndyManchesta

Hi David

Sorry, it's been a long day at work. I've just come on to
the newsgroup and can see a lot of posts on this topic
since I went off this morning, so I will read through them
all now and then review the HijackThis log you sent.

I'll repost as soon as I can, but it will take me a couple
of hours at least to review the log in detail.

Regards

Andy
 
AndyManchesta

Hi Again David

Your log is clean, so you did very well noticing this as
it entered your system. It doesn't explain where it came
from or how they got access, but it's great to see no signs
of infection in the log. If you have other PCs it may be
worth running the same sort of scanners on each to be
sure they are all clean.

With you having had a backdoor open at some stage, there are a
couple of things you can do to make sure security
settings have not been changed:

Open an IE window and go to Tools on the top bar, then to
Internet Options. Press Restore Defaults on both
the 'Advanced' tab and the 'Security' tab.

Then to clean up:

On the General tab press 'Delete Files' and include all
offline content, then Apply if needed and exit.

Next go to Start, Run and type

prefetch

Delete the contents of this folder

Then back to Start, Run and type

%temp%

Delete the contents of this folder (some will be in use,
so delete everything else from here).

If you feel there is still a problem at any time, just let us
know. We can go a lot deeper than what HijackThis shows,
if needed, with tools like SilentRunners, but I don't think
it's required at this stage from reviewing your log.

The problem with backdoors is they often use filenames like
svchost, but it's too risky to touch them in case they are
genuine, unless you find it anywhere except system32,
ServicePackFiles\i386 or \$NtServicePackUninstall$. But
this is just an example filename; the trojan writers are
very smart and know how to make detection very difficult.
It's not something you need to be concerned about; it's more
for future reference if you get problems again.

Also, about the auto-analysis sites for HijackThis: they
are useless and can cause a lot of damage, because there is
a lot of malware that uses genuine filenames to prevent
detection. I've seen many false positives where they tag
essential files as nasty, or miss malicious files and call
them safe, so like plun said these are OK for hints,
but you should never follow an auto-analysis site because
it can lead to serious damage to the system.

If you need any help with anything at any time, just let us
know. There are a lot of experienced helpers on here who
will be happy to assist, no matter what the questions are.

Good work spotting this before it could cause you any
problems or download more files.

Regards Andy
 
David G.

AndyManchesta said:
Hi Again David

<SNIP>

Andy,

I really appreciate your attention (as well as that of the other posters in the
thread). I realize no anti-spyware product is perfect, but do you have
any knowledge of why MS AntiSpyware asked the question about whether I
wanted to install a new service, and even though I said "no", the
service installed anyway (at least it showed up in Services)? For
example, here's an excerpt from the Agent Events Log:

"The user myname, has decided to block the Windows service
servudaemon.exe (-2147483646) c:\windows\system32\servudaemon.exe from
being added."

BTW, I also just ran Kaspersky's online scanner. It detected some old
screen saver worms in zipped PST files (I probably forgot to delete them
from the spam folder). But everything else was clean. It was a slooooow
scanner and took almost 5 hours to complete scanning a single drive. But
it was very comprehensive.

Once again. Thanks to all for your help.
 
Bill Sanderson

Many thanks for your work here, Andy. Reading HijackThis logs is definitely
a skill I don't have. I'll do it for fun or on my own systems, but I don't
have the experience with reading them that is needed to come up with a good
answer in some reasonable amount of time.
 
Bill Sanderson

Kaspersky is first class.

I don't know the answer to your question about the service. This kind of
issue has come up during the beta--the question of whether the product,
in fact, reacts quickly enough that an action is actually blocked according
to the user's wishes.

I'm running a beta product which involves a firewall which controls outbound
access, and I can tell you that when it raises a dialog box for a choice,
the action is blocked until after I respond--much to my dismay at times.

I'm not sure this is right, in the current beta1 code. If you can give me a
simple set of replication steps to hand over to the developers, I would be
happy to raise the issue in a more formal way. However, I believe this is
probably already very clear in their sights, but perhaps awaiting beta2.



--
 
AndyManchesta

Hi David

I think Bill is right again; it appears this may be a bug
in the beta1 coding if you chose not to install and it
still went ahead and added itself as a service. It's great
the protection was there though to make you aware of the
changes, as it could have deleted essential files and
installed other files if it had been allowed to run for
any length of time.

If there were any active infections in the log I would have
said that maybe the attacker had the same rights on the
system as you, except they are hidden, so installed them as
a service and MSAS assumed it was your choice to allow
them, but with it being clean it's hard to know the answer
to this.

Who attacked your system is also still unknown, as you say
you are very cautious about running files from unknown
sources, so it still leaves the possibility of further
attacks, but with the log being clean and the online scans
showing nothing except for infected restore points it
sounds like you have managed to stop this before it was
able to cause you any problems. Running similar scans on
all your PCs and checking the permissions in your
firewall settings to make sure there isn't anything
granted that you have not allowed, and also setting up AV
protection and firewalls on all your systems, such as the
CA (eTrust) offer of a 1 year free trial for MS customers,
or AVG and ZoneAlarm's free firewall or similar free
protection, would help reduce further problems.

All the best

Bill,

I know what you mean about HijackThis logs; it's getting
harder to be sure about anything these days because the
scum are using every trick in the book to avoid
detection. There are a lot using rootkit functions, so it
was also handy this was ruled out before starting on the
log.

My method is just to copy the HijackThis log to Notepad and
check every path and filename in detail for anything that
looks out of place. Take off the ones you are sure about
as genuine and leave the others on the list, then use
Yahoo, Google and other sources such as Castle Cops and
Symantec's Security Response search feature on all the
DLLs, EXEs, CLSIDs etc. and make sure they all
connect to the programs that are listed, and delete each
line from Notepad until there is nothing left except
malicious entries. Then you can start working on a fix
once you know the problem areas. It gets easier each
time you review a log, but you still cannot take anything
for granted or it might mean missing an important issue.

This log was simple enough and it was good to see no
problems. The only line that could work both ways was the
restrictions O6 entry, which is a homepage lock in IE but
isn't a problem when you can see Spybot S&D present, as
that can set this restriction. It can also be fixed using
HijackThis without problems if the user is unsure, and if
it returns then it's connected to Spybot. I didn't mention
this as I don't think it's malicious with Spybot being
active, but it should be fixed if Spybot isn't on the
system, unless it was set by a network administrator.

Regards

Andy
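Andy's log review method (drop entries confirmed genuine, keep the rest for lookup) and his rule about svchost.exe living only in system32, ServicePackFiles\i386 or $NtServicePackUninstall$, as an added example that is not part of the thread: a small Python checker over constructed HijackThis-style O4/O23 lines. The directory list, the sample lines and the known-good list are assumptions built from the posts above, not anyone's real log.

```python
import re
from pathlib import PureWindowsPath

# Directories where a genuine copy of these system filenames may live (Andy's svchost rule).
SYSTEM_FILE_HOMES = {
    "svchost.exe": {
        r"c:\windows\system32",
        r"c:\windows\servicepackfiles\i386",
        r"c:\windows\$ntservicepackuninstall$",
    },
}
ENTRY = re.compile(r"^(O4|O23)\s*-\s*(.*)$")  # O4 = Run keys, O23 = services
WINPATH = re.compile(r"([a-z]:\\.*?\.(?:exe|dll))", re.I)

def review_log(log_lines, known_good):
    """Return (section, path, verdict) for each O4/O23 entry in log_lines."""
    confirmed = {p.lower() for p in known_good}  # entries already verified as genuine
    results = []
    for line in log_lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # other HijackThis sections are out of scope for this example
        section, body = m.groups()
        pm = WINPATH.search(body)
        if not pm:
            continue  # entry without a file path: look it up by name instead
        path = PureWindowsPath(pm.group(1).lower())
        homes = SYSTEM_FILE_HOMES.get(path.name)
        if str(path) in confirmed:
            verdict = "genuine: removed from list"
        elif homes is not None and str(path.parent) not in homes:
            verdict = "system filename outside expected directory: investigate"
        else:
            verdict = "unknown: look up filename and path"
        results.append((section, str(path), verdict))
    return results

# Constructed sample lines in HijackThis format (not the poster's real log).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKLM\..\Run: [svc] C:\WINDOWS\system32\svchost.exe",
    r"O4 - HKCU\..\Run: [svc] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"O23 - Service: ServUDaemon - Unknown owner - C:\WINDOWS\system32\servudaemon.exe",
]
KNOWN_GOOD = [r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"]

if __name__ == "__main__":
    for section, path, verdict in review_log(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{section:4} {verdict:58} {path}")
```

Entries left as "unknown" are the ones that stay on the Notepad list for a manual lookup; the checker only removes what you have already confirmed.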
 