NOD32 detected virus Win32/ServU-Daemon

Discussion in 'NOD32 version 2 Forum' started by Spong, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. Spong

    Spong Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    5
    Hi all,

    Great forum....have been browsing it for ages and now finally have a question that a search can't answer.

    I ran a scan today and NOD32 said it found a virus called Win32/ServU-Daemon. It said it is located in
    C:\Windows\system32\dllcache\win32\csrss.exe.tcf

    I have searched all over the internet and cannot find an answer on how to get rid of it. It is quarantined at the moment.

    Do I just delete it? o_O

    Thanks in advance.

    Spong
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Spong, welcome to Wilders.

    Do you have Nod32 set up like these settings? If so, when you run a scan (clean) what options does it give you when it finds this file?

    Cheers :D
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Delete the entire win32 folder inside the dllcache. It is a folder that just contains trojans and a backdoor hacker.

    dllcache should NEVER have any subfolders inside it at all.

    Boot into safe mode and set the computer like this to see the files/folders:

    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    However, if that folder has been infected it is highly likely that there are other infected files within the system.

    For this case I would like to see a HJT log, and before you actually delete the folder please zip it & do this so I can check the other files inside it; there will be other files that NOD and the other AVs should ID.

    Please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc., and when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).
    Please upload this folder: C:\Windows\system32\dllcache\win32

    The tcf suffix is a newish one for this malware.

    HJT from the website in my sig.
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    By any chance have you got Trojan Hunter installed?

    tcf is a custom extension of Trojan Hunter; it uses that extension when it renames detected trojans.
     
  5. Kryspy

    Kryspy Guest

    ServU-Daemon is a file that belongs to the FTP server program Serv-U and is in no way a virus.

    Kryspy
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    When it's in the location it is on that computer it is being used as a hacktool and is 99% sure to have other hacktools with it, and it will almost certainly have stolen all sorts of information from the computer and sent it back to the hacker.
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    So true. Serv-U is a common part of rootkits. Usually it, and its process, are hidden using a special program (hacktool.hide windows or similar).
    Usually these rootkits consist of Serv-U, backdoor.iroffer and a bot (backdoor.sdbot most often).
    I'd be surprised if Serv-U was the only malicious file there...

    That's why I suggest downloading and installing (updating too) tds-3.

    do it like this:


    download the trial version of tds-3 anti trojan from here:
    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
    install it, but do not launch it yet

    update it: right click the link below, select "save as"
    http://www.diamondcs.com.au/tds/radius.td3

    save it to the directory where you installed tds-3, overwriting the previous radius.td3.

    then launch tds-3. In the top bar of the tds window click System Testing > Full System Scan.
    Detections will appear in the lower pane of the tds window. After the scan is finished (it'll take a while) right click the list > select save as txt. Save it and post the contents of the scandump.txt here.

    After posting the scan log go ahead and right click the list again, this time select delete! Delete everything labelled positive identification.

    There possibly is something that gets detected as suspicious, or as positive identification (ADV) --> do not delete those.

    A combination of Trojan Hunter/tds-3 should nail it :D
     
  8. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Well, Serv-U is a legitimate FTP server (see http://www.serv-u.com ), but it has been pirated and used as a hacker tool so much that it can be thought of as "guilt by association". If you know that it is supposed to be there, then fine, you can set an exception for it if you have to. However, if you are surprised to find it on your computer, then you have been hacked.

    I remember working on a computer one time that had this FTP server on it, illegitimately. It turns out that the FTP server was used to manage a ripped DVD collection hidden in "C:\System Volume Information", where it was practically undetectable. That explained why about 50 GB were apparently missing from the hard drive. In this case, none of the antivirus/trojan programs would detect the payload, since ripped DVDs are neither viruses nor trojans. I had to figure out how to find and read the Serv-U config file to figure out where the data was being stored.

    By the way, the owner of this computer had no idea about any of this. I tend to believe him, since he is originally from Mexico, and these were German DVDs.
     
  9. Spong

    Spong Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    5
    Hi all,

    Thanks for the helpful replies.... :)

    @Blackspear: yes, I have used those settings for nod32. The options I get for the virus are quarantine or delete.

    @dvk01: I have zipped the folder and posted it on your website. Also, here is my HJT log
    -------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:11 PM, on 1/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Java\j2re1.4.2_05\bin\jusched.exe
    C:\NOD32\nod32kui.exe
    C:\Quicktime\iTunesHelper.exe
    C:\Rage3DTweak\RegTwk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Acrobat 6.0\Distillr\acrotray.exe
    C:\Diskeeper\DkService.exe
    C:\VCOM\Fix-It\mxtask.exe
    C:\NOD32\nod32krn.exe
    c:\windows\system32\dllcache\win32\winlogon.exe
    c:\WINDOWS\$NtServicePackUninstall$\services.exe
    C:\OUTPOS~1\outpost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\VCOM\Fix-It\mxtask.exe
    C:\WINDOWS\System32\alg.exe
    C:\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\fgiebar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\NOD32\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Quicktime\iTunesHelper.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [Outpost Firewall] C:\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: Acrobat Assistant.lnk = C:\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - C:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\OUTPOS~1\TRASH.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\OUTPOS~1\TRASH.EXE (HKCU)
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096970806515
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Diskeeper\DkService.exe
    O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\VCOM\Fix-It\mxtask.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\NOD32\nod32krn.exe
    O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
    O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\OUTPOS~1\outpost.exe
    ------------------------------------------------------------------------

    @illukka: yes, I use TrojanHunter ;) Downloaded the TDS3 demo and did a full scan.

    Here is the scandump.txt
    ------------------------------------------------------------------------
    Scan Control Dumped @ 19:51:49 01-03-05
    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\dllcache\win32\winlogon.exe

    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\dllcache\win32\winlogon.exe

    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\dllcache\win32\winlogon.exe

    Positive identification: Riskware.FTP.Serv-U.4100a
    File: c:\windows\system32\dllcache\win32\csrss.exe.tcf

    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\dllcache\win32\winlogon.exe
    -----------------------------------------------------------------------

    Again, thanks for the help... :D

    Spong
     
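    The two rules dvk01 applies to the log above (dllcache should never have subfolders, and nothing should ever run from a $NtServicePackUninstall$ folder), plus the observation that the suspicious files borrow names like winlogon.exe, csrss.exe and services.exe while living outside System32, can be turned into a small triage script. The following is an added example, not code from the thread, from HijackThis or from any of the tools mentioned; it parses running-process, O4 and O23 lines of a HijackThis-style log. The log embedded in it is constructed for the example (modelled on the entries Spong posted), and the directory rules, process-name list and the `check_path`/`triage_log` function names are this example's own assumptions.

```python
"""Triage a HijackThis-style log for executables that borrow Windows system
process names or run from locations where nothing should execute.

Added example (not part of the thread or of HijackThis). The rules encode
advice given in the thread: dllcache never has subfolders, and nothing runs
from a $NtServicePackUninstall$ folder. The sample log is constructed.
"""
import re
from typing import Dict, List

# Core Windows process names that malware commonly borrows to blend in.
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# The only directory those binaries legitimately run from on XP (lower-case).
# dllcache only holds spare copies for Windows File Protection; it never runs them.
LEGIT_SYSTEM_DIR = r"c:\windows\system32"

# Locations from which nothing should execute (assumption taken from the thread).
NO_EXEC_PATTERNS = [
    (re.compile(r"\\dllcache\\[^\\]+\\", re.I), "runs from a subfolder of dllcache"),
    (re.compile(r"\\\$ntservicepackuninstall\$[^\\]*\\", re.I),
     "runs from a $NtServicePackUninstall$ folder"),
]

_RUNNING_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)            # "Running processes:" block
_O4_RE = re.compile(r'^O4 - .*?: \[[^\]]*\] "?(.+?\.exe)', re.I)  # autorun entries
_O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$", re.I)  # services


def check_path(path: str) -> List[str]:
    """Return the reasons a binary path looks suspicious (empty list if none)."""
    reasons = []
    lowered = path.strip().lower()
    parent, _, name = lowered.rpartition("\\")
    if name in SYSTEM_BINARY_NAMES and parent != LEGIT_SYSTEM_DIR:
        reasons.append(f"system binary name '{name}' outside {LEGIT_SYSTEM_DIR}")
    for pattern, why in NO_EXEC_PATTERNS:
        if pattern.search(lowered):
            reasons.append(why)
    return reasons


def triage_log(text: str) -> List[Dict[str, object]]:
    """Scan the running-process, O4 and O23 lines of a log; return flagged entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        source, path = None, None
        if _RUNNING_RE.match(line):
            source, path = "running process", line
        else:
            m = _O4_RE.match(line)
            if m:
                source, path = "O4 autorun", m.group(1)
            else:
                m = _O23_RE.match(line)
                if m:
                    source, path = f"O23 service {m.group(1)} ({m.group(2)})", m.group(3)
        if path is None:
            continue
        reasons = check_path(path)
        if reasons:
            findings.append({"source": source, "path": path, "reasons": reasons})
    return findings


# Constructed sample log, modelled on the entries in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample for this example)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\WINDOWS\$NtServicePackUninstall$\services.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\NOD32\nod32krn.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['source']}: {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

    On the sample log this flags four entries (two running processes and the two O23 services), each for two reasons: the borrowed system-process name outside System32 and the forbidden location. Genuine copies such as C:\WINDOWS\system32\winlogon.exe, or a plain file sitting directly inside dllcache, are not flagged, which matches the thread's point that the folder itself is normal and only its subfolders are not.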
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    removed!

    he's yours Derek ;)
     
    Last edited: Mar 1, 2005
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First, please upload this folder as it will be full of trojans: c:\WINDOWS\$NtServicePackUninstall$\

    Be careful, as there will be genuine folders with a lot of letters and numbers after the $NtServicePackUninstall$; only send the plain $NtServicePackUninstall$ folder.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked.

    O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
    O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe

    Now run killbox and paste the FIRST ONE of these lines into the box, select standard file delete then press the red X button, say yes to the prompt.

    Then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, don't worry; if it says unable to delete then make a note of the file name and let us know when you reply.

    c:\WINDOWS\$NtServicePackUninstall$\services.exe
    c:\windows\system32\winmgnt.dll
    c:\windows\system32\spoolvc.dll
    c:\windows\system32\schost.dll


    Then on the killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything.

    Then, as some of the folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    delete this folder that is marked in bold

    c:\windows\system32\dllcache\win32\

    Then go to C:\windows\temp and select EVERYTHING except the temporary internet files, cookies and history folders and delete all that, and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then

    reboot

    Edit to add additional files to delete
     
    Last edited: Mar 1, 2005
  12. Spong

    Spong Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    5
    Derek,

    The C:\WINDOWS\$NtServicePackUninstall$ folder is 340mb. It has 2,521 files. Do you still want me to upload the folder to your website?

    Spong
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That is a bit too big.

    Even an SP2 folder isn't that big.

    Have you got any other $NtServicePackUninstall$ folders on the computer? They should have numbers and letters after them.

    It is possible, I suppose, that it's the genuine XP SP2 uninstall folder, but it shouldn't have anything running from it.

    Right click the folder and check its creation date and compare that to any SP2 files inside system32 and see if they match up.
     
  14. Spong

    Spong Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    5
    I checked the different $NtServicePackUninstall$ folders and most of them are only a few mb at most (largest being roughly 11mb).

    Most of the folders are modified on 5th Oct 04. A few are 28th Jan 05. The original C:\WINDOWS\$NtServicePackUninstall$ folder was modified on 2nd Nov 04.

    Spong
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Doing some more research, it could be the genuine XP SP2 uninstall folder, but there are a few new worms/trojans/viruses that are known to overwrite legitimate files in that folder and that looks like what has happened here.

    I think the next step is to do a series of online scans to determine if there are any more infected files in there. I would suggest at least the top 3 on this list with this.

    I know it will take some time, but it is likely to be important.

    The good thing is that if you are happy with SP2 then that folder isn't needed, as it is only the uninstall instructions for SP2 and the backup of the old files that were backed up in case you want to uninstall SP2, which hopefully you don't.

    Do the scans first and see what is found, but if there was 1 file running from there, then I strongly suspect that there will be some more infected files.

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    To see which worm/virus it is, killbox should have made backups in C:\!submit

    Please zip any files inside there and upload to spykiller.

    If c:\WINDOWS\$NtServicePackUninstall$\services.exe was infected, and I don't know of any legitimate reason for any file to ever run from the uninstall folder, then we can soon find out what it is & hopefully determine what other ones are infected along with it.
     
  17. Spong

    Spong Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    5
    Sorry for the late reply :oops:

    Here is my progress....I used all the online scanners that dvk01 posted and the results were all nil viruses found.

    @dvk01: I have done all that you advised and there is no sign of the virus according to the online scanners. I have posted the zipped C:\!submit file on spykiller.

    Thanks for all your help everyone. :-*

    Spong
     
  18. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337

    Humm... for what it's worth.. my directory is 450 mb.... but all is well and working good. But I must have 100mb more crap than you do... :eek:
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Well, the services.exe file is scanning clean, but I have absolutely no idea why it was running or attempting to run from the service pack files when NOTHING should run from there.

    All the other files you sent are known to be part of the SERVU FTP server that was being used as a backdoor.

    It looks like you are clean now, and as I said before, if you DO not intend to uninstall SP2 then it is perfectly safe to delete the entire $NtServicePackUninstall$ folder.
    I have on mine, and many other people have as soon as they were sure that SP2 didn't cause any problems on their system.
     
  20. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    That sounds like a good idea....
    no problem with SP2 updates after deleting those either?

    Since it's an uninstall dir.. I don't suppose it will affect future service pack installs either?
     
  21. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Well I deleted mine... but there are two files that want to stay because they say they are being used?....
    1. hidserv.dll
    2. hid.dll
    I looked them up on Google and it appears they are part of hid audio?
    LINK
    I also have that file in windows\system32 and windows\system32\dllcache
    as well as my service pack file in windows\servicepackfiles\i386

    It appears to be related to the screensaver also?
    link

    I agree... nothing should be running from that folder.... Ill try some other things..
     
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    hidserv.dll and hid.dll can also be malware files that are part of a hidden server, and that is what I suspect has happened.

    If they are running from the $NtServicePackUninstall$ folder then it is highly likely that they are malicious or being used by a malicious application, even if they are innocent files.

    They should be able to be deleted from that folder in safe mode.

    Do not delete the copies in the other folders, which are the latest versions and will be needed.
     
  23. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Thanks Derek.... I was able to delete them in safe mode.... however then my HID service would not start......
    All that seemed to be dependent upon that file running is the "remote procedure call".

    Here's the tricky part! After a reboot it wouldn't start either! But I have a program you're prob familiar with called "Reghealer".
    I am curious to know if this other fellow that had a program running from the update files has used this program o_O o_O

    Anyway.... I ran regclean and after a reboot... then it was up and running just fine!!!! It is apparently using one of my other "hid.dll" files I mentioned.

    The reason I mentioned "regclean".. is that that program will see entries in the registry and often "fix" and reroute pathways that it thinks are in error.

    1. That could have been how mine and the other fella's started running out of such a peculiar place in the first place?
    2. That also could have been what corrected mine; once it saw that those files were deleted, it "had" to find an alternate pathway for it to run o_O

    Of course the other alternative is that I really had something funky running from there..... I don't think so.... I scan my system reasonably thoroughly with the latest of pestpatrol, spybot, rootkitrevealer, VX2 finder, adaware, spyware blaster, and registry protection.
    But I'm not ruling that out!!! But all seems to work well.

    In case I haven't made myself clear... all I am saying is that it's possible that "reghealer" is what got that file running from the wrong place, and if so... it's prob the best way to fix it "once it's deleted in safe mode".

    thanks for your help on this matter!!!
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I suppose it's possible for the SP2 installation to go wrong and for some reason the HID files were in use and stayed in use despite the reboot, & Windows just followed them to where they moved to instead of being updated to the newer versions in the SP2 update.

    The only way I can see that happening is if you were using some device that depended on it, like a strange mouse or keyboard.

    H I D = human interface device

    EDIT:

    or as you say you and he both used a registry cleaner originally that misread the info & pointed to the wrong place

    Reg cleaners can be good or can be dangerous

    Glad it all worked out for you in the end
     
  25. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Humm.. I don't know... I have 4 computers in my house.. I updated them all with a downloaded sp2 file... we all use laser mouses..... I do have a steering wheel that could have been plugged in o_O?
    But usually its unplugged....

    I don't know?
    But thanks for the brainstorm!!
     