oleservice.exe

erables40

Hi, I have this file starting in my services, and can't figure out where
it came from.
The file info doesn't say anything. The service's description is:
Communication Protocol that uses 128-bit encryption.
It has no dependencies; it is located in
C:\WINDOWS\system32\OLEService.exe
The only other file created the same day as this file is normal.dll.
This was about a week ago and I can't remember if I installed anything
that day.
Google doesn't show anything.
Can anyone tell me if they know what this file does, or is there
software with which I can get more complete info on the file, like the
author?
TIA
 
From: <[email protected]>

| Hi, I have this file starting in my services, and can't figure out where
| it came from.
| The file info doesn't say anything. The service's description is:
| Communication Protocol that uses 128-bit encryption.
| It has no dependencies; it is located in
| C:\WINDOWS\system32\OLEService.exe
| The only other file created the same day as this file is normal.dll.
| This was about a week ago and I can't remember if I installed anything
| that day.
| Google doesn't show anything.
| Can anyone tell me if they know what this file does, or is there
| software with which I can get more complete info on the file, like the
| author?
| TIA



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Thanks for the help, but I have already run Ad-aware, SpyBot and NOD32
complete system scans and all were OK.
 
From: <[email protected]>

| Thanks for the help, but I have already run Ad-aware, SpyBot and NOD32
| complete system scans and all were OK.


Please submit a sample of "oleservice.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Try downloading REGMON and FILEMON and running them. Then filter on the
OLEService.exe and normal.dll files and see what is accessing them.
 
OK, here is the report for both files; results were the same for both:
AntiVir 6.33.0.77 01.20.2006 no virus found
Avast 4.6.695.0 01.18.2006 Win32:Trojano-2992
AVG 718 01.19.2006 no virus found
Avira 6.33.0.77 01.20.2006 no virus found
BitDefender 7.2 01.20.2006 no virus found
CAT-QuickHeal 8.00 01.18.2006 no virus found
ClamAV devel-20051123 01.19.2006 Trojan.Clicker.Delf-8
DrWeb 4.33 01.20.2006 no virus found
eTrust-InoculateIT 23.71.55 01.20.2006 no virus found
eTrust-Vet 12.4.2052 01.20.2006 no virus found
Ewido 3.5 01.20.2006 no virus found
Fortinet 2.54.0.0 01.20.2006 no virus found
F-Prot 3.16c 01.19.2006 no virus found
Ikarus 0.2.59.0 01.20.2006 no virus found
Kaspersky 4.0.2.24 01.20.2006 no virus found
McAfee 4678 01.19.2006 Generic AdClicker.i
NOD32v2 1.1372 01.19.2006 no virus found
Norman 5.70.10 01.19.2006 no virus found
Panda 9.0.0.4 01.20.2006 Suspicious file
Sophos 4.01.0 01.20.2006 no virus found
Symantec 8.0 01.20.2006 no virus found
TheHacker 5.9.2.077 01.20.2006 no virus found
UNA 1.83 01.19.2006 no virus found
VBA32 3.10.5 01.19.2006 suspected of Trojan-Clicker.Delf.5

For Regmon, it doesn't seem to access anything, but in Filemon OLEService
seems to try to find anything that is a web browser. Here is just a
short output log:
118 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6.exe FILE NOT FOUND Attributes: Error
119 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6.exe FILE NOT FOUND Attributes: Error
120 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6.exe FILE NOT FOUND Attributes: Error
121 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system\netscape6.exe FILE NOT FOUND Attributes: Error
122 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\netscape6.exe FILE NOT FOUND Attributes: Error
123 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6.exe FILE NOT FOUND Attributes: Error
124 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\netscape6.exe FILE NOT FOUND Attributes: Error
125 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\System32\Wbem\netscape6.exe FILE NOT FOUND Attributes: Error
126 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\Program Files\ATI Technologies\ATI Control Panel\netscape6.exe FILE NOT FOUND Attributes: Error
127 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
128 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
129 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
130 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
131 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
132 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
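
The Filemon output in the post above can be summarised mechanically. As an added example (not part of the original thread, and not code from any poster), this Python sketch groups FILE NOT FOUND entries by process and file name to show which directories were probed. The sample lines are taken from the post and re-joined to one entry per line; the field layout assumed by the regular expression is inferred from those lines only.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the Filemon entries quoted in the thread,
# re-joined to one entry per line (the post shows them wrapped).
SAMPLE = r"""
120 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6.exe FILE NOT FOUND Attributes: Error
121 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system\netscape6.exe FILE NOT FOUND Attributes: Error
122 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\netscape6.exe FILE NOT FOUND Attributes: Error
125 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\System32\Wbem\netscape6.exe FILE NOT FOUND Attributes: Error
126 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\Program Files\ATI Technologies\ATI Control Panel\netscape6.exe FILE NOT FOUND Attributes: Error
127 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system32\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
130 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\system\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
131 8:30:02 AM OLEService.exe:1344 QUERY INFORMATION C:\WINDOWS\netscape6 WWW_GetWindowInfo.exe FILE NOT FOUND Attributes: Error
"""

# Assumed layout: seq, time, process:pid, request, path, result, details.
# Paths may contain spaces, so the path is bounded by the result keyword.
LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d+:\d+:\d+ [AP]M)\s+"
    r"(?P<proc>[^:\s]+):(?P<pid>\d+)\s+(?P<req>[A-Z]+(?: [A-Z]+)*)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<result>FILE NOT FOUND|SUCCESS)\b")


def parse(log):
    """Yield one dict per line that matches the assumed Filemon layout."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def missing_file_probes(log, min_dirs=3):
    """Map (process, file name) -> directories probed without success.

    One process asking for the same file name in several directories and
    never finding it is walking a search path, as seen for netscape6.exe.
    """
    dirs = defaultdict(list)
    for e in parse(log):
        if e["result"] != "FILE NOT FOUND":
            continue
        folder, name = ntpath.split(e["path"])
        key = (e["proc"].lower(), name.lower())
        if folder.lower() not in dirs[key]:
            dirs[key].append(folder.lower())
    return {k: v for k, v in dirs.items() if len(v) >= min_dirs}


if __name__ == "__main__":
    for (proc, name), folders in missing_file_probes(SAMPLE).items():
        print(f"{proc} looked for {name!r} in {len(folders)} directories")
```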
 
From: <[email protected]>

< snip >

| McAfee 4678 01.19.2006 Generic AdClicker.i

< snip >

Use the McAfee module in the below utility.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 