bds hacdef

Discussion in 'Trojan Defence Suite' started by alim, Jul 21, 2004.

  1. alim

    Hello,
    I have a backdoor virus which I think is called BDS/HacDef. I have not been able to download HijackThis. It seems like the virus is stopping any attempt for me to get the program.

    Instead I have used TDS. TDS found a Spy.DBE file in my system32 folder called bdeinstall.exe.

    Also my anti-virus program found a file associated with the trojan:

    C:\WINNT\HXDEFDRV.SYS

    Contains a signature of the (dangerous) backdoor program BDS/HacDef.073.B.1 Backdoor server programs

    I thought after deleting those 2 files that I had solved my virus problem, but after I restarted my PC I found the HXDEFDRV.SYS again.

    Can anyone help me?
     
  2. PepsiMax

    Hi alim

    I'm new here and not sure if I'm able to post links to 3rd party sites. I have found some information for you here which concerns the trojan you have, and gives help and advice on removing it. Good luck :)
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Hi,

    In C:\WINNT see if you can find HXDEF.INI.
    If you can, just delete it and reboot; the rootkit requires this file. Once you do that you should be able to clean up with your antivirus.

    The problem here is that the rootkit hides from Windows. The antivirus driver can see the HXDEF driver and stop it from loading, but it should also be removing it - if it doesn't then you might need to remove it manually. You can email support if you are still having problems.
     
  6. Jooske

    Before anything I would follow Gavin's advice to get the nasty file away, to disarm and stop the nasty in its tracks before doing anything else.
    Except for a deep scan with fully updated TDS of course (with every other scanner and resident protection temporarily closed to give TDS full access to every file).
    Since you have TDS, can you also look if your HOSTS file was changed?
    TDS > System Analysis > View File > Network Hosts would bring you to the HOSTS file, which you can edit if you like; if that has been illegally changed and is blocking security sites, rename the HOSTS file so you have access again.

    Please post back your experiences till here, so we can step you through this!
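One way to do the HOSTS check Jooske describes, as an added example that is not part of this thread or of TDS: it parses HOSTS content and flags every entry that sends a name other than localhost to loopback or 0.0.0.0, and marks which of those are on a watch list of security sites. The sample file, the watch list and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS content: the normal localhost line plus entries of
# the kind described in the thread, pointing security sites at loopback.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       www.diamondcs.com.au   # trailing comment
0.0.0.0         downloads.example-av.test
192.168.1.10    printer.local
"""

# Constructed watch list of sites a HOSTS hijack of this kind would block.
SECURITY_SITES = ("trendmicro.com", "diamondcs.com.au", "example-av.test")


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for host in fields[1:]:               # one address may carry several names
            entries.append((addr, host.lower()))
    return entries


def suspicious_entries(text, watch=SECURITY_SITES):
    """Flag names sent to a loopback or unspecified address (sinkholed).

    Returns (address, host, on_watch_list) tuples; 'localhost' itself is normal.
    """
    flagged = []
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            watched = any(host == d or host.endswith("." + d) for d in watch)
            flagged.append((str(addr), host, watched))
    return flagged


if __name__ == "__main__":
    for addr, host, watched in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<12} {host:<30} {'SECURITY SITE' if watched else ''}")
```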
     
  7. alim

    Thanks for all your replies.

    I have been having a bit of a nightmare. I have been able to log in to Windows in normal mode after I deleted a file that TDS found - c:\recycler\s-1-5...\dc2.sys

    I'm going through all the info now on a friend's PC. I have had some luck finding and deleting files in regedit. The files that I have deleted are svhost.exe, and I have also deleted the value keys linking to .outhost. The Trend Micro site recommends also searching for links in the registry to the files below:

    .23052004.exe <-- The name of this file is the date of tomorrow
    .hxdefdrv.sys
    .sezzbc.ig2
    .vzcdaq.2nh

    That is the next thing I'm going to try.

    Gavin, I have only been able to locate in WINNT the file hxdefdrv.sys. I think that some of the trojan's files are invisible even when I have set folder options to show invisible files.

    Can anyone recommend a program like HijackThis, as I can't download/install it?

    Jooske, the HOSTS file was changed to something very similar to the one in PepsiMax's link.

    Thanks again.
     
  8. Jooske

    Before you delete anything, can you please be so kind, after the TDS scan (don't forget to update it on the TDS site!), to right-click on one of the alerts in the TDS bottom console and save to text, and paste that scandump.txt file into your next posting. I think it might be important to know the full paths too where files are located, so you delete the right files TDS might indicate too.
    You are doing a fine job already.
    To locate files, make sure folder options are set to show everything and every file extension.
    It surely helps to temporarily close the scanners like AVG, if you run that one, to avoid them hiding nasty files from sight.
    With the nasty files found and deleted first (and clean the recycle bin - and you might have to look another time in safe mode if Windows shows the wanted files now) the greatest danger must be over.

    Yes, HijackThis can be downloaded in message thread 15913.
    It could be a great help, and we work with AutoStartViewer too (from the DiamondCS site too).
    I wonder if you do a search with Windows if the files would show up.
     
  9. alim

    The scan dump txt for hxdefdrv.sys is:

    Scan Control Dumped @ 17:36:48 22-07-04
    Positive Indentification: Rootkit.Hacker Defender 0.8.4 (sys)

    File: c:\winnt\hxdefdrv.sys

    To locate files, make sure folder options are set on showing everything and every file extension

    Just did this, thanks. I can now find the recycler folder. Inside both recycler bins is the hxdefdrv.sys file. I haven't deleted it from WINNT yet, so are they previous files that I have deleted?

    Also in my processes list is svhost.exe, which I deleted from the registry. I can't end the process; how can I delete it?

    I have searched regedit for sezzbc; about 20 files were linked to it, including the file vzcdaq.2nh - I deleted them all.

    Foolishly I didn't think of looking where they were linking to. I just wanted them off my PC as soon as possible.
     
  10. alim

    I found this info on PepsiMax's link, but I can't find winunins.ini.
    This is the file that kills HijackThis, but I can't find it. I did a search for it in regedit and found data values referencing:
    trj
    svhost
    trjaj6js
    winunins
    .exe
    hxdef

    If I delete these entries and restart, will that help?

    The config file it uses to install/run itself is this (winunins.ini):

    [Hidden Table]
    inatjoy.dll
    motkrtin.dll
    witadr.dll
    winunins.exe
    winunins.ini
    svhost.exe
    CWShredder*
    HijackThis*
    ProceXP*
    Spybot*
    msconfig*

    [Root Processes]
    svhost.exe
    trj4j6js.exe
    winunins.exe

    [Hidden Services]
    HackerDefender*

    [Hidden RegKeys]
    HackerDefender100
    LEGACY_HACKERDEFENDER100
    HackerDefenderDrv100
    LEGACY_HACKERDEFENDERDRV100

    [Hidden RegValues]

    [Startup Run]
    C:\WINNT\svhost.exe -sr -0

    [Free Space]

    [Hidden Ports]

    [Settings]
    Password=qweqwe
    BackdoorShell=ddd.exe
    FileMappingName=_.-=[PokuS]=-._
    ServiceName=HackerDefender100
    ServiceDisplayName=Windows System Uninstaller
    ServiceDescription=Microsoft System Service
    DriverName=HackerDefenderDrv100
    DriverFileName=hxdefdrv.sys
     
    Last edited: Jul 22, 2004
  11. Jooske

    Leaving this to Gavin or another expert again; at least you can locate the files now!
    If these files are somewhere re-created, a reboot would bring them back, and so does System Restore.
    I think of this since you found files in the recycle bin; not sure if the nasty itself places them there too for some unknown reason.
    You could also create an AutoStartViewer logfile (also from the DiamondCS site) with all options checked and send the log file of that one to support@diamondcs.com.au for good advice on which entries to get from the AutoStart.
    You find so many files; which extension has this one you named in the little list on top? winunins
    Did you set your folder options to show also all extensions?
     
  12. alim

    winunins.ini is a config file.
    The problem is that this config file is hiding all the files that I can use to get at it:

    [Hidden Table]
    inatjoy.dll
    motkrtin.dll
    witadr.dll
    winunins.exe
    winunins.ini
    svhost.exe
    CWShredder*
    HijackThis*
    ProceXP*
    Spybot*
    msconfig*
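Added example, not from this thread or from any of the tools named in it: a parser for the config format shown in posts 10 and 12 that works out which tool executables the [Hidden Table] masks would hide (the reason HijackThis and Process Explorer could not be seen) and lists the concrete file, service and registry names a cleanup should look for. The sample config is the posted winunins.ini trimmed to the sections read here; the function names are my own.

```python
import fnmatch
import re

# Constructed sample: the winunins.ini posted in this thread, trimmed to the
# sections this example reads (the [Settings] password and shell lines are left out).
SAMPLE_CONFIG = r"""
[Hidden Table]
inatjoy.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Settings]
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""

SECTION_RE = re.compile(r"\[(.+)\]")


def parse_hxdef_config(text):
    """Split an ini of the form posted above into {section: entries}.

    List sections keep their lines in order; [Settings] becomes a key=value dict.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections[current] = {} if current == "Settings" else []
        elif current == "Settings":
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        elif current is not None:
            sections[current].append(line)
    return sections


def is_hidden(config, name, section="Hidden Table"):
    """True when `name` matches any mask in `section`.

    Matching is case-insensitive (Windows file and service names are), and the
    masks use * and ? wildcards as in the posted config.
    """
    target = name.lower()
    return any(fnmatch.fnmatchcase(target, mask.lower())
               for mask in config.get(section, []))


def hidden_tools(config, tool_files):
    """Which of the given tool executables the config would hide from the user."""
    return [f for f in tool_files if is_hidden(config, f)]


def indicators(config):
    """Concrete names a cleanup can look for once the rootkit is not running."""
    settings = config.get("Settings", {})
    # literal file names only; wildcard masks are not files to look for
    files = {f for f in config.get("Hidden Table", []) if not any(c in f for c in "*?")}
    files.update(config.get("Root Processes", []))
    if "DriverFileName" in settings:
        files.add(settings["DriverFileName"])
    services = {settings[k] for k in ("ServiceName", "DriverName") if k in settings}
    return {
        "files": sorted(files, key=str.lower),
        "services": sorted(services),
        "reg_keys": list(config.get("Hidden RegKeys", [])),
        "startup": list(config.get("Startup Run", [])),
    }


if __name__ == "__main__":
    cfg = parse_hxdef_config(SAMPLE_CONFIG)
    print("hidden:", hidden_tools(cfg, ["HijackThis.exe", "procexp.exe", "taskmgr.exe"]))
    print("indicators:", indicators(cfg))
```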
     
  13. Jooske

    Which anti-virus are you using?
     
  14. alim

    At the moment I have AntiVir. I tried to install BitDefender but with no luck; the installation stalled at starting services.

    I found some info on another forum about hxdefdrv.sys:

    it automatically recreates the hxdefdrv.sys file in /winnt which it uses to create a backdoor into your PC AFTER you delete it

    Maybe this was what was in the recycle bin.
     
  15. Jooske

    That was what I meant, yes. Did you close AntiVir also completely, with its resident protection, when you were searching for the files?
    If you locate the files, you'll have to look in the running processes (Process List in TDS or Task Manager in Windows) if they are running and kill them so you can delete them.
     
  16. alim

    AntiVir is not in Task Manager and I have not started it up.
     
  17. Jooske

    I did not mean AntiVir in the Task Manager; the files which are part of the infection could have running processes :)

    For AntiVir I don't know whether it has the same habit as AVP does in hiding files, but you should be able to find them in safe mode then!
    If Gavin agrees I would love to advise you to delete all files involved with it, but it's most irritating you still don't have that ini file Gavin asked for in the first place.

    BTW, were you able to download HijackThis in the meantime, and are you familiar with it?
     
  18. alim

    The only one I can see that is infected is svhost.exe. I tried to end the process but access was denied.

    HijackThis is one of the names under hidden in the winunins.ini.

    I have HijackThis in a zip file on my drive, I have it on a CD and also a key drive. I just can't see it :'(

    So I haven't had the pleasure of using it yet.

    The only thing that I think I can do is search the registry for all the filenames that I have found and remove them. Hopefully this might disrupt winunins. Do you think it might work?
     
  19. nick s

    If you are able to run the Recovery Console, then you can rename the ini file using the "Ren" command. Rename it to something else but don't delete it. Reboot normally and the ini file should be visible and the rootkit should not be active. Even if it is (because it is being somehow reinstalled at every boot), you will now have the ini file to read. This may work in Safe Mode too.

    Nick
     
  20. alim

    I have managed to remove the trojan by creating an empty Notepad file and saving it as winunins.ini in the WINNT directory; this overwrites the trojan config file. After restarting I could see the nasty files and also HijackThis and Process Explorer.

    Not sure if this is the most elegant way of doing it? The downside is that by wiping the config I could not get access to it to see what other files it pointed to.

    I scanned the drive with HijackThis. I only found 3 entries that looked nasty; they had links to outhost.info. Can I post my HijackThis log?

    I then searched through the registry for these names:

    outhost.info
    svhost
    winunins
    hxdef
    hack
    hacker

    I deleted all references to them.

    When I tried to search my hard drive for those names I noticed a new problem, of my own making I think. I can't do a search in Windows, I can't start TDS, in normal mode the Active Desktop is inactive, and in the WINNT directory no files are visible but the status bar says that there are hundreds of files there.

    It seems that services will not start at startup. In Process Explorer the items in the services.exe tree are in pink; is this normal?

    I think that this was caused by previous attempts of mine to remove references to the trojan from the registry. Instead of just deleting values I must have deleted some keys maybe. I remember deleting some labeled a, b, c, d, e, f.
     
  21. Jooske

    I'm really not sure at this moment what's best, so with deleting the ini file again the rootkit would not be able to run and you might be able to use your computer more or less normally again?
    Did you also in the meantime create an AutoStartViewer log and send it to support@diamondcs.com.au, or post it here if you prefer, and why not the HJT log too? But forgive me, I'm no HJT expert so I'm not able to work with your HJT log, but fortunately you can yourself, as you just described.

    Process Explorer? I think you mean Port Explorer?
    Pink, or do you mean red (default) characters for HIDDEN connections?
    Those can be part of the nasty, depending which they are.
    Thinking: get rid of that ini file so the rootkit can't run anymore, like Gavin described above, and since you posted in the forum the many files associated to it you must be able to find them, once their processes are located and killed.
     
  22. alim

    Here is my AutoStartViewer log:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@FELINE, 07-22-2004
    c:\autoexec.bat
    C:\CDROM\MSCDEX.EXE /D:MSCD00D /M:20
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    C:\WINNT\system32\nw16.exe
    C:\WINNT\system32\vwipxspx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\config.sys
    C:\CDROM\SSCDROM.SYS /D:MSCD00D /V
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
    C:\WINNT\system32\internat.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\songs.job
    C:\Documents and Settings\Administrator\Desktop\current projects\vaudeville\songs.mov
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AOL 6.0 Tray Icon.lnk
    C:\Program Files\AOL 6.0\aoltray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
    C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
    C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Prevx Home.lnk
    C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Refresh.lnk
    C:\Program Files\Iomega\Tools_NT\REFRESH.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Splash.lnk
    C:\Program Files\Iomega\Tools_NT\SPLASH.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINNT\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AppleTalk\
    C:\WINNT\System32\DRIVERS\sfmatalk.sys
    HKLM\System\CurrentControlSet\Services\atalk\
    C:\WINNT\System32\DRIVERS\atalk.sys
    HKLM\System\CurrentControlSet\Services\atfsd\
    C:\WINNT\System32\DRIVERS\atfsd.sys
    HKLM\System\CurrentControlSet\Services\ATMsg\
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe -service
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\HidUsb\
    C:\WINNT\System32\DRIVERS\hidusb.sys
    HKLM\System\CurrentControlSet\Services\IomegaAccess\
    C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE /S
    HKLM\System\CurrentControlSet\Services\irda\
    C:\WINNT\System32\DRIVERS\irda.sys
    HKLM\System\CurrentControlSet\Services\KC180\
    C:\WINNT\System32\Drivers\kcirusb.sys
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Miramar AppleTalk File Server\
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSERVER.EXE
    HKLM\System\CurrentControlSet\Services\Miramar AppleTalk Print Server\
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSPOOL.EXE
    HKLM\System\CurrentControlSet\Services\NWCWorkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\NwlnkIpx\
    C:\WINNT\System32\DRIVERS\nwlnkipx.sys
    HKLM\System\CurrentControlSet\Services\NwlnkNb\
    C:\WINNT\System32\DRIVERS\nwlnknb.sys
    HKLM\System\CurrentControlSet\Services\NwlnkSpx\
    C:\WINNT\System32\DRIVERS\nwlnkspx.sys
    HKLM\System\CurrentControlSet\Services\PackethSvc\
    C:\WINNT\System32\PackethSvc.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\PREVXAgent\
    C:\Program Files\PREVX\Prevx Home\PXAgent.exe -f -af
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\StiSvc\
    C:\WINNT\system32\stisvc.exe
    HKLM\System\CurrentControlSet\Services\SVKP\
    \??\C:\WINNT\System32\SVKP.sys
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
    C:\WINNT\System32\mspmspsv.exe
    HKLM\System\CurrentControlSet\Services\ZipToA\
    C:\WINNT\System32\ZipToA.exe

    Can anyone see why no services are starting on my PC?

    Process Explorer is a program that gives you more in-depth info on processes than Task Manager. It also was hidden by the nasty config file.
    I can post the log from this as well.
     
  23. Jooske

    Anything that could be helpful; the ASViewer log is rather complicated already;
    did you handle the HJT log yourself in the meantime?
     
  24. alim

    Process Explorer file looking at services.exe:

    Process PID CPU Description Company Name
    System Idle Process 0 98
    Interrupts n/a 1 Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 8
    smss.exe 144 Windows NT Session Manager Microsoft Corporation
    csrss.exe 168 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 188 Windows NT Logon Application Microsoft Corporation
    services.exe 216 Services and Controller app Microsoft Corporation
    PackethSvc.exe 496 Virtual Adapter Service America Online, Inc.
    ATMSG.EXE 528 PC MACLAN Messenger Miramar Systems Inc.
    ATSERVER.EXE 596 PC MACLAN File Server Miramar Systems Inc.
    ATSPOOL.EXE 648 PC MACLAN Print Server Miramar Systems Inc.
    PXAgent.exe 668 Prevx Agent Prevx Ltd.
    regsvc.exe 692 Remote Registry Service Microsoft Corporation
    stisvc.exe 716 Still Image Devices Monitor Microsoft Corporation
    mspmspsv.exe 736 WMDM PMSP Service Microsoft Corporation
    ZIPTOA.EXE 764
    lsass.exe 228 LSA Executable and Server DLL (Export Version) Microsoft Corporation
    explorer.exe 800 Windows Explorer Microsoft Corporation
    AcroTray.exe 824 AcroTray Adobe Systems Inc.
    IMGICON.EXE 844 IMGICON Iomega Corp.
    procexp.exe 864 1 Sysinternals Process Explorer Sysinternals

     
  25. alim

    alim Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    17
    Here's my HijackThis report. My services aren't starting at logon.

    Logfile of HijackThis v1.97.7
    Scan saved at 23:12:07, on 22/07/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\PackethSvc.exe
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSERVER.EXE
    C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSPOOL.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\ZipToA.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    C:\WINNT\System32\taskmgr.exe
    C:\unzipped\procexpnt\procexp.exe
    C:\unzipped\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\Program Files\AOL 6.0\aoltray.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\REFRESH.EXE
    O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\SPLASH.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINNT\system32\yddsrm.m23



    ...help... :'(
     