Mysterious XP service keeps reappearing

Discussion in 'other security issues & news' started by DangImStumped, Dec 10, 2005.

Thread Status:
Not open for further replies.
  1. DangImStumped

    DangImStumped Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    4
    Lately, randomly named services have appeared on my PC. I know they are not valid and are randomly generated because Google turns up nothing. The only thing that turned up was a post by someone with the same problem but no solution.
    This time it is named Dosc2rlegpbo; two days ago it was Mrretesosc. Always the same MO: it has no dependencies and is stopped. Attempting to start it gives "Error 3. The system cannot find the path specified." (path to exe is blank). There are no files on the system with these names.

    Deleting all registry references gets rid of the problem for a while but then somehow it returns under a new guise.

    I've run spybot, adaware, hijackthis, startuplist, rootkitrevealer, ewido - nothing.
    (You'll have to take my word for it that I am reasonably proficient at interpreting the results)

    Can anyone tell me HOW this thing keeps getting rewritten to the registry? o_O
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi DangImStumped

    ... and welcome to Wilders :)

    Is the registry key being written to consistent?

    Regards,

    CrazyM
     
  3. DangImStumped

    DangImStumped Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    4
    This has happened 4-6 times in the past month: I was wandering through XP services one day and found something weird looking; the only information anywhere on my PC concerning it was some registry entries - assuming it was something nasty, I deleted the keys.
    Some days later, poof! Same thing came back with a different name.
    Delete it... it returns at random times...

    Obviously something on my PC or the net tells Windows to write these entries
    (take my word for it - I don't click popups, install unknown apps, etc.)
    I need someone techy enough to explain HOW this is working: somehow get Windows to tell me "At point X, application Z ran this command and wrote to the registry..."
    I know how to read hijackthis; I could hunt for an exe, dll, etc. if there was one.
    - that's why this is so puzzling - there is no mystery app running that can explain this :mad:

    I deleted MRRETESOSC two days ago; an hour ago, before I rebooted the PC, there was nothing.
    Reboot and now the service Dosc2rlegpbo is there - actually gone - I deleted the keys again.

    A snip from the registry:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRRETESOSC]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRRETESOSC\0000]
    "Service"="Mrretesosc"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="Mrretesosc"

    Yes, it's always HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_[random name]
    and
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mrretesosc]
    "ErrorControl"=dword:00000000
    "Type"=dword:00000020
    "Group"="SpoolerGroup" <-- group changes each time
    "Tag"=dword:00000001
    "Start"=dword:00000003
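    As an added example (not code from the thread or from any of the tools named in it), here is a small Python script that parses a .reg export in the format quoted above and flags service keys that have no ImagePath, cross-checking each one against the Enum\Root\LEGACY_<NAME> entries. The sample export is constructed from the keys in the post plus a normal service for contrast.

```python
import re

# Constructed sample .reg export: the two keys quoted in the post plus a
# legitimate service (Spooler) that does carry an ImagePath, for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRRETESOSC\0000]
"Service"="Mrretesosc"
"Legacy"=dword:00000001
"Class"="LegacyDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mrretesosc]
"ErrorControl"=dword:00000000
"Type"=dword:00000020
"Group"="SpoolerGroup"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_pathless_services(text):
    """Return service keys lacking ImagePath, noting whether a matching
    LEGACY_<NAME> device entry exists, the pattern described in the post."""
    keys = parse_reg(text)
    legacy = {seg[len("LEGACY_"):].upper() for k in keys
              for seg in k.split("\\") if seg.upper().startswith("LEGACY_")}
    findings = []
    for path, vals in keys.items():
        parts = path.split("\\")
        if len(parts) < 2 or parts[-2].lower() != "services":
            continue  # only direct Services\<name> keys, not subkeys
        if "ImagePath" in vals:
            continue  # a real binary path is present; not our pattern
        findings.append({"service": parts[-1],
                         "has_legacy_enum": parts[-1].upper() in legacy,
                         "group": vals.get("Group", "").strip('"'),
                         "start": vals.get("Start", "")})
    return findings
```

    Run it against a real export (`reg export HKLM\SYSTEM\ControlSet001 out.reg`) to list every service key with no binary path, which is the symptom the thread describes.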
     
  4. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    I believe the key is here...

    Whenever you run RootkitRevealer (RR), it creates a randomly-named service to do the real work (see below). If RR happens to crash before it tidies up properly, these services will be orphaned and remain in your services list (esp. if you subsequently delete the temp file that RR creates in your TEMP folder). You will need to remove them manually.

    The way that RR works is to compare the info returned by API calls and the same info determined by direct access to registry and file system data structures. RR then reports any differences found. If a rootkit is present that can identify a running RR instance, it could selectively allow RR to 'see' the malware it cloaks. If RR finds no discrepancies in the two sets of data it sees, it presumes no cloaking is being performed and therefore remains quiet. The randomly named service is designed to counter this.
     
  5. DangImStumped

    DangImStumped Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    4
    Well, thank you, but I ran RootkitRevealer BECAUSE of the strangely recurring service...

    I'm about to lose my mind - I deleted the keys an hour ago and it came back AGAIN!
    I had / have Antihook running but may have been careless with the allows / blocks.

    This very moment I am looking at services and they are all legitimate - a minute / hour / day from now I know this thing will come back: a randomly named service with no path to executable written to the registry.
    So weird that no one has a clue what this is....

    Maybe I'm the very first to get some new bug? :(
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You could try a registry monitor utility and filter on the keys in question to see if that helps narrow down where they are coming from.

    RegMon from Sysinternals
    RegistryProt from DiamondCS
    RegDefend from Ghost Security

    Regards,

    CrazyM
     
  7. controler

    controler Guest

    Try IceSword

    ^Then post the results
     
  8. Hexaguano

    Hexaguano Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    100
    Photoshop CS will generate "random services" as part of its piracy prevention. Are you running Photoshop CS?
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If it is malware, it's entirely possible that it's got a strange startup somewhere, like a hook. The reason people are having a problem with CounterSpy is that it has a message hook, and every time it's called it starts the program back up, so you have to remove that hook (disable protection) before closing the program. (That's just an example of how something like a message hook could be causing this kind of problem.)

    I would get something more comprehensive for startups, such as Sysinternals' Autoruns or a-squared HijackFree, to look through the system. You might also try an online scan by Kaspersky. In the meantime I would keep an eye out for apps that may have some sneaky component, and keep an eye on your firewall. You might also get Sysinternals' Process Explorer and take a look at things, see if there are any foreign DLLs common to more than one app; right click on them and do a Google search.
     
  10. DangImStumped

    DangImStumped Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    4
    Holy Crap! Hexaguano wins the prize! (I think) :eek:
    Yeah, I have Photoshop CS - I started it and Antihook popped up half a dozen attempts to write to the registry by CS - they were random strings of letters -
    but I did a reg search for them after I closed CS and they weren't in the registry;
    I rebooted and presto! A randomly named service appeared - odd though that this had a different string than the ones Antihook displayed?...

    Here's the strange thing: I've had CS for a couple of years and it never did it before; no, I haven't updated it recently / at all -
    why would it start doing it now (on its own)? o_O
    I may be paranoid, but why / how could CS suddenly start doing it now unless it could -er- secretly phone home?

    Also - because I get obsessed by trivial geek stuff:
    What purpose does a bogus (since it doesn't start any real program) service serve?
     
  11. Hexaguano

    Hexaguano Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    100
    I'm not sure what triggers PS to reinstall the "driver". I know that if you delete the one that exists, it will try to reinstall. If you have Process Guard and have the Block Rootkit/Driver/Service Installation checked, it will block this driver install and still run fine. (or you can upgrade to CS2 as it doesn't use this method...)
     
  12. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    That's freaky. And I'd be pissed at the makers of Photoshop CS. Even if it seems benign. Seems smarmy at the least. It's like the 3rd cousin of Sony's rootkit.
     