{4ionaphrrv

Discussion in 'malware problems & news' started by Dobermann, Nov 29, 2005.

Thread Status:
Not open for further replies.
  1. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    XP-P

    What is it? o_O It is a Service that I have not seen before in its list of services. I have disabled it (it was set to manual with an apparent password) and am starting the run of a couple AV pgms, but so far nothing to report (will be using LavaSoft, ewido and AntiVir).

    My computer has started acting really weird, video trails, slooooow performance, slow HD reads. It could be a hardware issue with the notebook, but won't know until after the scans. I do not do email on that computer, am behind a firewall, and really have no reason to suspect trojan/worm/virus/spyware or any malware for that matter, but between this weird service and the possible hardware problems, things are not what they should be.

    Only new software was a trial of Nero 7 Ultra which I downloaded directly from their site.

    Any ideas on that service??

    Thanks,
    Dobermann
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  3. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    Yeah, I had googled it, too... even tried shortening its strange name to catch some derivate of it, but that did not work either.

    Thanks for the links in your sig. I will check them out also.

    Dobermann
     
  4. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    Well, virus checks reported no problems at all. Since I disabled that service, the notebook is back to normal. No more video trails, no more slow HD reads, etc.

    I tried to see the name of the exe file associated with it, but nothing showed up when I checked while in Services.

    Strange, truly strange!
    Dobermann
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Have you looked for that word in the registry ?
     
  6. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    Good idea -- I had not thought of that. Yes, it did show up:

    Code:
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{4IONAPHRRV
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            NextInstance
      Type:            REG_DWORD
      Data:            0x1
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{4IONAPHRRV\0000
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            Service
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    Value 1
      Name:            Legacy
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            ConfigFlags
      Type:            REG_DWORD
      Data:            0x0
    
    Value 3
      Name:            Class
      Type:            REG_SZ
      Data:            LegacyDriver
    
    Value 4
      Name:            ClassGUID
      Type:            REG_SZ
      Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}
    
    Value 5
      Name:            DeviceDesc
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    ***********
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{4ionaphrrv
    Class Name:        <NO CLASS>
    Last Write Time:   11/30/2005 - 1:56 PM
    Value 0
      Name:            ErrorControl
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            Type
      Type:            REG_DWORD
      Data:            0x10
    
    Value 2
      Name:            Group
      Type:            REG_SZ
      Data:            FSFilter Compression
    
    Value 3
      Name:            Tag
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            Start
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            DisplayName
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{4ionaphrrv\Security
    Class Name:        <NO CLASS>
    Last Write Time:   10/13/2005 - 9:58 PM
    Value 0
      Name:            Security
      Type:            REG_BINARY
      Data:            
    00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................
    00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............
    00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ÿ...............
    00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`.........ý...
    00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................
    00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
    00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............
    00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ............ý...
    00000080   01 02 00 00 00 00 00 05 - d8 00 af 00 f6 00 74 00  ........Ø.¯.ö.t.
    00000090   00 00 9a 00 00 00 a1 00 - 00 0a 0a 00 00 00 00 00  ......¡.........
    000000a0   dd 00 a0 00 25 00 df 00 -                          Ý. .%.ß.
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{4ionaphrrv\Enum
    Class Name:        <NO CLASS>
    Last Write Time:   11/30/2005 - 1:56 PM
    Value 0
      Name:            0
      Type:            REG_SZ
      Data:            Root\LEGACY_{4IONAPHRRV\0000
    
    Value 1
      Name:            Count
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            NextInstance
      Type:            REG_DWORD
      Data:            0x1
    
    
    ***********
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{4IONAPHRRV
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            NextInstance
      Type:            REG_DWORD
      Data:            0x1
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{4IONAPHRRV\0000
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            Service
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    Value 1
      Name:            Legacy
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            ConfigFlags
      Type:            REG_DWORD
      Data:            0x0
    
    Value 3
      Name:            Class
      Type:            REG_SZ
      Data:            LegacyDriver
    
    Value 4
      Name:            ClassGUID
      Type:            REG_SZ
      Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}
    
    Value 5
      Name:            DeviceDesc
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    
    ***********
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{4ionaphrrv
    Class Name:        <NO CLASS>
    Last Write Time:   11/30/2005 - 1:52 PM
    Value 0
      Name:            ErrorControl
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            Type
      Type:            REG_DWORD
      Data:            0x10
    
    Value 2
      Name:            Group
      Type:            REG_SZ
      Data:            FSFilter Compression
    
    Value 3
      Name:            Tag
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            Start
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            DisplayName
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{4ionaphrrv\Security
    Class Name:        <NO CLASS>
    Last Write Time:   10/13/2005 - 9:58 PM
    Value 0
      Name:            Security
      Type:            REG_BINARY
      Data:            
    00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................
    00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............
    00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ÿ...............
    00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`.........ý...
    00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................
    00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
    00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............
    00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ............ý...
    00000080   01 02 00 00 00 00 00 05 - d8 00 af 00 f6 00 74 00  ........Ø.¯.ö.t.
    00000090   00 00 9a 00 00 00 a1 00 - 00 0a 0a 00 00 00 00 00  ......¡.........
    000000a0   dd 00 a0 00 25 00 df 00 -                          Ý. .%.ß.
    
    
    *********
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{4IONAPHRRV
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            NextInstance
      Type:            REG_DWORD
      Data:            0x1
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{4IONAPHRRV\0000
    Class Name:        <NO CLASS>
    Last Write Time:   11/29/2005 - 4:19 PM
    Value 0
      Name:            Service
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    Value 1
      Name:            Legacy
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            ConfigFlags
      Type:            REG_DWORD
      Data:            0x0
    
    Value 3
      Name:            Class
      Type:            REG_SZ
      Data:            LegacyDriver
    
    Value 4
      Name:            ClassGUID
      Type:            REG_SZ
      Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}
    
    Value 5
      Name:            DeviceDesc
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    
    ********
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4ionaphrrv
    Class Name:        <NO CLASS>
    Last Write Time:   11/30/2005 - 1:56 PM
    Value 0
      Name:            ErrorControl
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            Type
      Type:            REG_DWORD
      Data:            0x10
    
    Value 2
      Name:            Group
      Type:            REG_SZ
      Data:            FSFilter Compression
    
    Value 3
      Name:            Tag
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            Start
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            DisplayName
      Type:            REG_SZ
      Data:            {4ionaphrrv
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4ionaphrrv\Security
    Class Name:        <NO CLASS>
    Last Write Time:   10/13/2005 - 9:58 PM
    Value 0
      Name:            Security
      Type:            REG_BINARY
      Data:            
    00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................
    00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............
    00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ÿ...............
    00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`.........ý...
    00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................
    00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
    00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............
    00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ............ý...
    00000080   01 02 00 00 00 00 00 05 - d8 00 af 00 f6 00 74 00  ........Ø.¯.ö.t.
    00000090   00 00 9a 00 00 00 a1 00 - 00 0a 0a 00 00 00 00 00  ......¡.........
    000000a0   dd 00 a0 00 25 00 df 00 -                          Ý. .%.ß.
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4ionaphrrv\Enum
    Class Name:        <NO CLASS>
    Last Write Time:   11/30/2005 - 1:56 PM
    Value 0
      Name:            0
      Type:            REG_SZ
      Data:            Root\LEGACY_{4IONAPHRRV\0000
    
    Value 1
      Name:            Count
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            NextInstance
      Type:            REG_DWORD
      Data:            0x1

    I realize that CS001 and CS002 are backups/previous versions of the main CCS, but I thought I might include them anyhow.

    As an update, I leave my boxes on 24/7. This morning when I went to check on it, it had shut itself off. Now the only way I can get it to stay on is to use Safe Mode (it lets me use networking). I'm tempted to turn it back on and see if I can boot as normal once again.

    I hate to think I need to reformat and reinstall. I already have two other boxes I need to bring back up to speed plus my PPC. I sure don't want to have to add another one....

    Dobermann
     
    Last edited by a moderator: Dec 2, 2005
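
    The REG_BINARY Security value in the dump above is a self-relative Windows security descriptor, the structure that decides who may start, stop or reconfigure the service. The following is an added example (mine, not code from this thread or from any tool mentioned in it) that rebuilds the bytes from the posted hex dump and decodes owner, group, SACL and DACL into SIDs and service access rights. It assumes the standard SECURITY_DESCRIPTOR, ACL, ACE and SID layouts; the well-known-SID table and the right names from winsvc.h are standard and not taken from the thread. One caveat about the dump as posted: the owner and group SIDs the header points at (offsets 0x90 and 0x9c) have a revision byte of 0 and do not decode, so the decoder reports them as malformed instead of aborting.

```python
import re
import struct

# Constructed input: the REG_BINARY "Security" value copied from the registry dump posted
# above, in the hex-editor layout the dump uses (offset, 16 hex pairs, ASCII column).
SECURITY_DUMP = """\
00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................
00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............
00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ÿ...............
00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`.........ý...
00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................
00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............
00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ............ý...
00000080   01 02 00 00 00 00 00 05 - d8 00 af 00 f6 00 74 00  ........Ø.¯.ö.t.
00000090   00 00 9a 00 00 00 a1 00 - 00 0a 0a 00 00 00 00 00  ......¡.........
000000a0   dd 00 a0 00 25 00 df 00 -                          Ý. .%.ß.
"""

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-4": "INTERACTIVE", "S-1-5-6": "SERVICE",
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users",
}
# Service-object access rights (winsvc.h) plus the standard rights every object carries.
SERVICE_RIGHTS = [
    (0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
    (0x0008, "ENUMERATE_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
    (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from a hex-editor style dump; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9a-fA-F]{8}\s+(.*)", line)
        if m:
            hex_columns = m.group(1)[:49]   # 8 pairs, " - ", 8 pairs; ASCII column comes after
            out += bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", hex_columns)))
    return bytes(out)


def parse_sid(buf, off):
    """Decode a binary SID to S-R-I-S... form; raises ValueError on a malformed header."""
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID at offset 0x%x (revision %d, %d sub-authorities)" % (off, rev, count))
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def sid_or_error(buf, off):
    try:
        return parse_sid(buf, off)
    except ValueError as err:
        return "<%s>" % err


def parse_acl(buf, off):
    """Walk an ACL: 8-byte header, then ACEs each carrying type, flags, size, mask and SID."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        aces.append({"type": ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), "flags": ace_flags,
                     "mask": mask, "sid": sid_or_error(buf, pos + 8)})
        pos += ace_size
    return aces


def decode_security_descriptor(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR, the form stored under Services\\<name>\\Security."""
    rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE must be set for this layout
        raise ValueError("not a self-relative security descriptor")
    return {
        "control": control,
        "owner": sid_or_error(buf, owner_off) if owner_off else None,
        "group": sid_or_error(buf, group_off) if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & 0x0010 and sacl_off else [],  # SE_SACL_PRESENT
        "dacl": parse_acl(buf, dacl_off) if control & 0x0004 and dacl_off else [],  # SE_DACL_PRESENT
    }


def describe_mask(mask):
    """Name the service rights in an access mask; the full set collapses to SERVICE_ALL_ACCESS."""
    if mask & 0xF01FF == 0xF01FF:
        return "SERVICE_ALL_ACCESS"
    return "|".join(name for bit, name in SERVICE_RIGHTS if mask & bit)


if __name__ == "__main__":
    sd = decode_security_descriptor(hexdump_to_bytes(SECURITY_DUMP))
    print("control=0x%04x owner=%s group=%s" % (sd["control"], sd["owner"], sd["group"]))
    for which in ("sacl", "dacl"):
        for ace in sd[which]:
            print("%s %-5s flags=0x%02x %-20s %s" % (which.upper(), ace["type"], ace["flags"],
                  WELL_KNOWN_SIDS.get(ace["sid"], ace["sid"]), describe_mask(ace["mask"])))
```

    Run stand-alone it prints one line per ACE. For this dump the first three DACL entries grant SYSTEM, Administrators and Authenticated Users the same rights XP's service control manager assigns by default (Authenticated Users can query but not START or CHANGE_CONFIG), and the SACL holds the usual failed-access audit entry for Everyone; the fourth ACE's SID is not a well-known one. When triaging a suspect service, a DACL that hands CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER to Authenticated Users or Everyone is the finding to look for.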
  7. "Banish"

    "Banish" Guest

    This topic may already have been solved, but a Google search on the ClassGuid 8ECC055D-047F-11D1-A537-0000F8753ED1 yields several hits that seem to be related to a worm called "Banish".
     
  8. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    Thanks for the suggestion. I followed the links from google, and can safely say that none of the registry keys mentioned were found on my box. It has also passed every single AV scan I have tried on it. I am right now running the web-based McAfee scan, but seriously doubt it will find anything based upon the results received from the other scans and that this box has no reason to be infected (does not do email, behind a firewall, no external files allowed on it, don't use IE (mozilla only) etc).

    The box is very strange. If I boot into safe mode, it runs as fast as normal. If I boot normally, it runs terribly slow, starting from loading XPP to being fully loaded.

    I run the command line seti version, and over the years I have found this to be an excellent indicator of system performance. In safe mode, a typical normal angle WU takes 13923 seconds to complete. A similar normal angle WU in non-safe mode now takes 25085 seconds to complete - nearly double the time. This is a clear indication that something else is sucking up the cpu cycles. LAN activity (sent/received) is virtually nil.

    Only 15 services are running (well, 14 if you don't count taskmgr):
    cmd.exe
    csrss.exe
    explorer.exe
    lsass.exe
    services.exe
    smss.exe
    spoolsv.exe
    svchost.exe (4 instances)
    System
    System Idle Process
    taskmgr.exe
    winlogon.exe

    Any other ideas from anyone?
    Thanks,
    Dobermann
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Excluding the possible hardware issues for a moment....are you using a Hosts file and if so....do you have the DNS Client service enabled or disabled ?
     
  10. Dobermann

    Dobermann Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    50
    There are only two things in my hosts file:

    127.0.0.1 localhost
    64.91.255.87 www.dcsresearch.com

    At this stage of the game, and after all the different AVs I have run (last two were McAfee and Kaspersky), with perfectly clean results every time, it's got to be some sort of hardware/driver issue that is slowing it down so badly. I don't even think this strange service is related to it, as there is no exe file associated with it either in the registry or in Services. Since it is disabled now, if I try to enable and start it, it errors out saying there is no exe to run.

    I'm beginning to wonder if maybe it isn't a power issue. It is doing strange things like saying the USB connected items are connected to 1.1 hubs rather than 2.0. It did this a while back, and after simply removing all USB info from the device manager and reinstalling, it fixed it. This time when I did the same thing, it did not fix it.

    It also has a hard time shutting down (excluding the excessively long wait time for that, too). When I go to power back up, the power button flashes on/off rapidly on the box. I am leaving the battery out of it and have to resort to pulling the plug out of the notebook several times before it stops flashing and will let me power it on. It's okay once it is on, but until that golden moment, you never know what it will do.

    In safe mode, it won't recognize the 1 minute time out for blanking the screen. There are other little strange things, too. I think I just have to bite the bullet and reinstall/restore from my image cd after backup of files and see how it goes then.

    Just what I always wanted to do.....

    Dobermann
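
    The observation that closes this thread, a service with no exe behind it, is the kind of check a responder scripts rather than reads off by eye. The following is an added example (mine, not code from the thread): it parses the "Key Name / Value N / Name / Type / Data" dump layout used earlier in the thread into key and value dictionaries, then flags service keys that have no ImagePath, whose Type says Win32 service while Group names a file-system filter load-order group, or whose DisplayName is merely the key name. The sample input is constructed: the {4ionaphrrv service key as posted, beside a typical Print Spooler key that I made up for contrast.

```python
# Constructed sample in the "Key Name / Value N / Name / Type / Data" layout of the dump posted
# earlier in this thread: the {4ionaphrrv service key as posted, plus a made-up but typical
# Print Spooler key for contrast (the Spooler entry is constructed, not from the thread).
REG_DUMP = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4ionaphrrv
Class Name:        <NO CLASS>
Last Write Time:   11/30/2005 - 1:56 PM
Value 0
  Name:            Type
  Type:            REG_DWORD
  Data:            0x10
Value 1
  Name:            Group
  Type:            REG_SZ
  Data:            FSFilter Compression
Value 2
  Name:            Start
  Type:            REG_DWORD
  Data:            0x4
Value 3
  Name:            DisplayName
  Type:            REG_SZ
  Data:            {4ionaphrrv

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4ionaphrrv\Security
Class Name:        <NO CLASS>
Last Write Time:   10/13/2005 - 9:58 PM

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
Class Name:        <NO CLASS>
Value 0
  Name:            Type
  Type:            REG_DWORD
  Data:            0x10
Value 1
  Name:            Start
  Type:            REG_DWORD
  Data:            0x2
Value 2
  Name:            ImagePath
  Type:            REG_EXPAND_SZ
  Data:            %SystemRoot%\system32\spoolsv.exe
Value 3
  Name:            DisplayName
  Type:            REG_SZ
  Data:            Print Spooler
"""

SERVICE_TYPES = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "MANUAL", 4: "DISABLED"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def parse_reg_dump(text):
    """Return {key_path: {value_name: (reg_type, data)}}; REG_DWORD data is converted to int."""
    keys, current, name, rtype = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = {}
        elif line.startswith("Name:"):            # "Key Name:" and "Class Name:" never reach here
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            rtype = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and current is not None and name is not None:
            data = line.split(":", 1)[1].strip()
            keys[current][name] = (rtype, int(data, 16) if rtype == "REG_DWORD" else data)
    return keys


def triage_services(keys):
    """Flag service keys whose configuration is inconsistent or has nothing to execute."""
    findings = {}
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX) or "\\" in path[len(SERVICES_PREFIX):]:
            continue                               # skip Security/Enum/Parameters subkeys
        name = path[len(SERVICES_PREFIX):]
        svc_type = values.get("Type", ("", 0))[1]
        group = values.get("Group", ("", ""))[1]
        notes = []
        if "ImagePath" not in values:
            notes.append("no ImagePath: nothing for the service control manager to execute")
        if svc_type in (0x10, 0x20) and group.upper().startswith("FSFILTER"):
            notes.append("Type %s but Group '%s' is a file-system filter load-order group"
                         % (SERVICE_TYPES[svc_type], group))
        if values.get("DisplayName", ("", None))[1] == name:
            notes.append("DisplayName is just the key name")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    keys = parse_reg_dump(REG_DUMP)
    for name, notes in triage_services(keys).items():
        values = keys[SERVICES_PREFIX + name]
        print("%-12s type=%s start=%s" % (name, SERVICE_TYPES.get(values.get("Type", ("", 0))[1], "?"),
                                          START_TYPES.get(values.get("Start", ("", 0))[1], "?")))
        for note in notes:
            print("    !", note)
```

    Against the sample, the Spooler key comes back clean and the {4ionaphrrv key collects all three notes, which is exactly the picture the thread describes: a disabled (Start 0x4) Win32-type entry with no binary to run. The same parser works on a full export, since only direct children of the Services key are examined.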
     