hacker gained access

ian henry

I recently ran a programme which allowed a hacker access
to my machine. The programme was over 100 MB and ran
through DOS. It changed my computer to be part of a
network where I had little or no permissions. I wiped my
hard disk and reinstalled XP Pro, but there are still
programs running in the background that I have not seen
before. I list them now.


Services
Service Executable Status Startup
vsmon vsmon.exe -service Running Auto
WZCSVC svchost.exe -k netsvcs Running Auto
wuauserv svchost.exe -k netsvcs Running Auto
WmiApSrv wmiapsrv.exe Stopped Manual
Wmi svchost.exe -k netsvcs Stopped Manual
WmdmPmSp svchost.exe -k netsvcs Running Auto
winmgmt svchost.exe -k netsvcs Running Auto
WebClient svchost.exe -k LocalService Running Auto
W32Time svchost.exe -k netsvcs Running Auto
VSS vssvc.exe Stopped Manual
UPS ups.exe Stopped Manual
upnphost svchost.exe -k LocalService Stopped Manual
uploadmgr svchost.exe -k netsvcs Running Auto
TrkWks svchost.exe -k netsvcs Running Auto
TlntSvr tlntsvr.exe Stopped Manual
Themes svchost.exe -k netsvcs Running Auto
TermService svchost.exe -k netsvcs Running Manual
TapiSrv svchost.exe -k netsvcs Running Manual
SysmonLog smlogsvc.exe Stopped Manual
SwPrv dllhost.exe /Processid:{8C80A7BC-F43F-49B1-9850-4D789B9A1888} Stopped Manual
stisvc svchost.exe -k imgsvc Stopped Manual
SSDPSRV svchost.exe -k LocalService Running Manual
srservice svchost.exe -k netsvcs Running Auto
Spooler spoolsv.exe Running Auto
ShellHWDetection svchost.exe -k netsvcs Running Auto
SharedAccess svchost.exe -k netsvcs Running Auto
SENS svchost.exe -k netsvcs Running Auto
seclogon svchost.exe -k netsvcs Running Auto
Schedule svchost.exe -k netsvcs Running Auto
SCardSvr SCardSvr.exe Stopped Manual
SCardDrv SCardSvr.exe Stopped Manual
SamSs lsass.exe Running Auto
RSVP rsvp.exe Stopped Manual
RpcSs svchost -k rpcss Running Auto
RpcLocator locator.exe Stopped Manual
RemoteRegistry svchost.exe -k LocalService Running Auto
RemoteAccess svchost.exe -k netsvcs Stopped Disabled
RDSessMgr sessmgr.exe Stopped Manual
RasMan svchost.exe -k netsvcs Running Manual
RasAuto svchost.exe -k netsvcs Running Manual
ProtectedStorage lsass.exe Running Auto
PolicyAgent lsass.exe Running Auto
PlugPlay services.exe Running Auto
Pctspk pctspk.exe Running Auto
NtmsSvc svchost.exe -k netsvcs Stopped Manual
NtLmSsp lsass.exe Stopped Manual
Nla svchost.exe -k netsvcs Running Manual
Netman svchost.exe -k netsvcs Running Manual
Netlogon lsass.exe Stopped Manual
NetDDEdsdm netdde.exe Stopped Manual
NetDDE netdde.exe Stopped Manual
MSIServer msiexec.exe /V Stopped Manual
MSDTC msdtc.exe Stopped Manual
mnmsrvc mnmsrvc.exe Stopped Manual
Messenger svchost.exe -k netsvcs Running Auto
LmHosts svchost.exe -k LocalService Running Auto
lanmanworkstation svchost.exe -k netsvcs Running Auto
lanmanserver svchost.exe -k netsvcs Running Auto
ImapiService imapi.exe Stopped Manual
HidServ svchost.exe -k netsvcs Stopped Disabled
helpsvc svchost.exe -k netsvcs Running Auto
FastUserSwitchingCompatibility svchost.exe -k netsvcs Running Manual
EventSystem svchost.exe -k netsvcs Running Manual
Eventlog services.exe Running Auto
ERSvc svchost.exe -k netsvcs Running Auto
Dnscache svchost.exe -k NetworkService Running Auto
dmserver svchost.exe -k netsvcs Running Auto
dmadmin dmadmin.exe /com Stopped Manual
Dhcp svchost.exe -k netsvcs Running Auto
CryptSvc svchost.exe -k netsvcs Running Auto
COMSysApp dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} Stopped Manual
ClipSrv clipsrv.exe Stopped Manual
cisvc cisvc.exe Stopped Manual
Browser svchost.exe -k netsvcs Running Auto
BITS svchost.exe -k netsvcs Stopped Manual
AudioSrv svchost.exe -k netsvcs Running Auto
AppMgmt svchost.exe -k netsvcs Stopped Manual
ALG alg.exe Running Manual
Alerter svchost.exe -k LocalService Stopped Manual


ZoneAlarm Pro tells me applications that never wanted
access before are trying to access now, such as:
Windows Command Processor
Windows NT Logon Application
Services and Controller app

These processes are accessing IP addresses I don't know.
Also, this programme infected my other hard disk and the
same problems occur. An unknown user account also exists.

All this after I formatted the drive with Partition Magic
8 several times.

Could someone please tell me how to get this backdoor
annoyance out of my machine? Any suggestions much
appreciated. Thanks for your time.
Regards, Ian. (e-mail address removed)
 
