Discussion in 'LnS English Forum' started by want2bemalwarefree, Jan 20, 2005.

I am having horrendous problems with a profoundly sophisticated malware which goes undetected by NOD32, TDS-3, Worm Guard, SpySweeper, Pest Patrol, UnHackMe, Ad Aware SE, Port Explorer, and everything else I have tried. The new beta 2 driver for LooknStop does detect that this thing is trying to get to the internet and allows me to block it - as a result I have purchased LooknStop tonight and am VERY grateful for this wonderful piece of software.

The symptom is that it picks running programs and tries to use them to get to the Internet. An example would be the following warning from LooknStop:

Service and Controller app
C:\WINDOWS\SYSTEM32\SERVICES.EXE
This software has started the following
application which connects to the internet.
Do you authorize it to do that?
Generic Host Process for Win32 Services
C:\WINDOWS\SYSTEM32\SVCHOST.EXE

Sometimes it tries the above repeatedly until LooknStop shuts off all access to the Internet and I have to reboot. Other times it tries once or twice in a row at random intervals and then goes dormant for a while. On one occasion it went through a list of about 10 or 11 of the currently running processes which had access to the internet and tried each of them twice. Tonight it did something new - now that it has been thwarted by LooknStop it tried to send some UDP packets at one point. Fortunately LooknStop blocked this also.

I have been fighting this thing since last Wednesday and the only thing which even detects its presence is LooknStop with the new Beta 2 driver and the registry settings set. Nothing else can detect it.

Any suggestions would be greatly appreciated. I intend to try Reg Run Security Suite Gold and Ewido Security Suite tomorrow night, if I get time, to see if either of these can detect it.

Hi Want2bemalwarefree, welcome to Wilders. As your thread is in regard to a Virus, Trojan or Malware I have moved it to this forum.

Have you tried running your programs in Safe Mode as advised in General Cleaning?

If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

This is what works really well for me, very simple to use and maintain.

Hope this helps...

Let us know how you go.

Cheers

Last edited: Jan 21, 2005
Hi Want2bemalwarefree,

you may want to run Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml) and when you get these alerts from LooknStop take a look at the modules relating to that process. If you could copy all the modules in there to a list and post it here it would allow us to help further.

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.
There is also a svchost.exe which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down.

Thank you for all your suggestions. I will first try to identify this thing using the tool that Jason recommended. If that is not successful then I will try to eradicate it using the procedure Blackspear provided. Hopefully by Monday I will have something positive to report.

1. Still, this may be a trojan.
2. Check MD5, you will be 100% sure. If your MD5 is OK, you can just allow it when LnS requests.

X.

I can be 110% sure that services.exe is genuine, otherwise the computer won't work.

It is the services and controller application that starts and stops services for M$ and every time you do anything with the computer it will start or stop a service.

When you ask to go on the net one of the multiple versions of SVCHOST will be activated and attempt to do something to connect, either a DNS look up or some other vital function.

Yes there are trojans that try to take over but as you have checked with NOD/TDS etc that possibility is very remote.

LNS has the ability to warn you if any other program tries to piggyback on a running program to access the net

However this services.exe is designed to do that and stopping it doing its job will prevent you getting on the net.

Several other firewalls that also have this capability have these processes in an automatic allow list to prevent this problem

Derek - thank you for your responses - I would like to provide more details to confirm that the behavior I am seeing is normal behavior. Services.exe consistently tries to use other programs to access the internet in very odd patterns. Sometimes, out of nowhere, it will try 10 different executables in a row, twice each, all of which are currently running processes, to access the internet. Sometimes it only uses svchost.exe once or twice. Sometimes it tries to use svchost.exe and other executables in alternation 5 or 6 times in a row. Sometimes it continually tries to use svchost.exe 30 or more times in a row. Sometimes immediately after I block it there are one or two UDP warnings from LookNStop. Sometimes there is an ICMP warning right after I block it. As I am typing this there have been 6 popups for WCESCOMM.EXE which should only be used when I connect my PDA to its sync cradle (this is part of ActiveSync) and now it is continuing to pop up warnings as I type this.

All the applications that services.exe tries to use to access the internet causing warnings are themselves able to access the internet just fine. I can use ActiveSync, IE, Firefox, and Opera with no problem, I can update virus and spyware definitions, etc., and none of these operations generate any warnings from LooknStop. The warnings come out of nowhere, when it seems that none of the legitimate programs are or should be trying to access the internet, like ActiveSync right now.

Do those behavioral patterns match the normal behavior for services.exe? If so, then you are correct and the firewall messages are a false alarm or configuration error on my part. I followed Blackspear's very detailed instructions for configuring LooknStop so I think it is configured correctly, unless I made a mistake at some point.

If this is not the normal behavior (even though services.exe normally does use other programs to access the internet) then I think there is something lurking around on my system that LooknStop has correctly identified. Before trying LooknStop I also tried Outpost but it kept popping up a large number of warnings about components of IE that were changed and other warnings I did not understand, all of which resulted in not being able to use the internet at all. At the time I assumed that either Outpost was too complicated for me to understand or that they had significant bugs in their software. Now, in retrospect, Outpost may have been correctly detecting that there was malware on my system, but communicated that information in a way that was less understandable than LooknStop.

Even if LooknStop has given a false alarm, in the last 24 hours something has succeeded in destroying the databases for both Pest Patrol and SpySweeper, crippling both programs. SpySweeper even popped up a message box saying that I needed to reinstall it to restore it to functionality. None of the software I have installed or run has detected anything (the list now includes: VxFinder, Stinger, Spybot, BugOff, CWShredder, PrevX Pro 2005, AVG Pro, NOD32, TDS-3 Professional, Wormguard, SpySweeper, Pest Patrol, Ad Aware SE Pro, Zone Alarm Pro, UnHackMe, Ewido Security Suite).

The only unusual thing ever detected is that Spybot claimed that an ActiveX entry was Netster but my research seems to indicate that RdxIE.dll is actually something associated with software from Real so I did not let Spybot remove it.

I plan to follow the general cleaning instructions this weekend after trying two other tools just to complete the list of tools I have tried. If nothing else, I have certainly learned a lot about the available tools for malware detection, removal, and prevention.

I find it very hard to believe that there is any malware on your computer that all your security software hasn't found

It's not impossible but extremely unlikely

ActiveSync is one of these pains that forever pops up regardless of whether a PDA is connected or not.

I don't know what has damaged pest patrol & spysweeper

I would be very interested in seeing a HJT log in your case as it will enable me to determine whether there MIGHT be an unknown baddie

I know we don't normally ask for HJT logs to be posted but in your case I am willing to look at it and see if anything is out of place

I still think though that what you have described is perfectly normal behaviour when services.exe is blocked from doing its job (except for the Spysweeper and Pest Patrol problems, and there is possibly a simple answer to that).

Go to here and download 'Hijack This!'. Double-click on the file and it will self-extract to C:\program files\hijackthis.
Go to that folder then double-click the Hijackthis.exe.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.

Derek,

Thank you very much for your willingness to examine a HJT log. I will create one tonight and post it here. I appreciate your willingness to help so others do not have to go through what I have been through, whether from a malware pest or a false alarm.

Mark

Derek,

Below find the HJT log I just collected. As an aside, Pest Patrol suddenly came back to life tonight for some reason (it was not working when I came home during lunch). SpySweeper is still dead as a doornail. I performed an update on PestPatrol and then did a full system scan with it and it found something named viewpoint toolbar which had 13 registry entries and 4 files. The location of the files contained "Mozilla plugin" so I am assuming that this was a surf-by install without my permission. I then ran a Spybot scan and it found something named DSO Exploit which has 5 registry entries. I did not allow either program to fix these items yet. Reg Run Security Suite Gold found two unsigned ActiveX applications in MyComputer zone, again I did not allow it to fix these.

Oddly enough, for the first time in many days, tonight there have been no attempts by SERVICES.EXE to use other programs to access the internet. When I came home at lunchtime there was a flood of them including the ActiveSync one which I had never seen since installing LooknStop on Tuesday night. Very strange.

------

Logfile of HijackThis v1.99.0
Scan saved at 1:20:34 AM, on 1/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Prevx Pro\PXAgent.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Prevx Pro\SAGUI.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\PhatWare\PhatNotes Professional\notesnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [PrevxPro] "C:\Program Files\Prevx Pro\SAGUI.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?322
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent - Prevx Ltd. - C:\Program Files\Prevx Pro\PXAgent.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Sentry 2020 - Unknown - C:\Program Files\SoftWinter\Sentry2020XP3.0b13\SentryService.exe
O23 - Service: UPS - UPSentry Service - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

---------

One last thing I thought I might mention. When I run TDS-3 it detects two NTFS Alternate Data Streams in c:\windows\system32\winlogon.exe. Until now I have ignored this but I thought I would include the information here in case it is relevant:

PARENT
Path: c:\windows\system32\winlogon.exe
Size: 483328 bytes
MZ Exe: EXE

STREAM
Name: :[]summaryinformation (where [] is actually a box character)
Size: 88 bytes
MZ Exe: Unknown

STREAM
Name: :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Size: 0 bytes
MZ Exe: Unknown

Thanks again for your willingness to investigate this,
Mark
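The HijackThis log above is a plain-text format that can be triaged mechanically before anyone reads it line by line. As an added example (not part of the thread and not HijackThis's own code), the following Python parses O4, O9, O16 and O23 lines and flags the things a reviewer checks first: entries marked (file missing), services with no publisher information, ActiveX controls downloaded from the web, and autostarts launched from user-writable folders. The sample lines are constructed from the format shown above; the `updater` O4 line is invented purely to exercise the last check.

```python
import re

# Constructed sample in the HijackThis v1.99 line format; the "updater" O4 line
# is invented to exercise the user-writable-folder check (not from any real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent - Prevx Ltd. - C:\Program Files\Prevx Pro\PXAgent.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# Folders a normal user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def _exe_from_command(cmd):
    """Strip the arguments from a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def parse_hjt(log_text):
    """Return one dict per recognised entry, each with a list of triage flags."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "name": "", "path": "", "flags": []}
        if section == "O4":
            r = RUN_RE.match(body)
            if r:
                entry["name"] = r.group("name")
                entry["path"] = _exe_from_command(r.group("cmd"))
                if any(s in entry["path"].lower() for s in USER_WRITABLE):
                    entry["flags"].append("autostart from user-writable folder")
        elif section == "O16":
            d = DPF_RE.match(body)
            if d:
                entry["name"], entry["path"] = d.group("name"), d.group("url")
                entry["flags"].append("ActiveX control downloaded from the web")
        elif section == "O23" and body.startswith("Service: "):
            # "Service: <name> - <company> - <path>"; the path is the last field
            head, _, path = body[len("Service: "):].rpartition(" - ")
            name, _, company = head.partition(" - ")
            entry["name"], entry["path"] = name, path
            if company == "Unknown":
                entry["flags"].append("service with no publisher information")
        if "(file missing)" in line:
            entry["flags"].append("file missing (stale entry)")
        entries.append(entry)
    return entries


def flagged(entries):
    """Only the entries that carry at least one triage flag."""
    return [e for e in entries if e["flags"]]
```

A flag is a prompt to look, not a verdict: every flagged line in the sample (and in the log above) has a benign explanation, which is exactly why the thread says not to fix anything yet.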

Jason,

I tried running Process Explorer last night and I left it up for a while waiting for an alert to occur. When one did occur I checked Process Explorer and could not find any process associated with the alert. Perhaps this is due to unfamiliarity with the program but it did not give any indication as to which process(es) were running at the time. Periodically it would change the color of some of the processes as they were running but nothing happened during the alert. I watched for processes which were using CPU time and again, nothing correlated with the alert. After blocking that alert, several more happened in rapid succession but nothing in the Process Explorer window indicated what was running at the time.

Thanks anyway,
Mark

CORRECTION TO AN EARLIER POST:

When I was home during lunch yesterday I inadvertently permanently blocked SERVICES.EXE from connecting to the internet and from using other programs to connect to the internet which is why I did not see any alerts at all last evening. Now that I have removed the permanent block the attempts have started again, as before.

Mark

Xyzzy,

I would be happy to try your suggestion but I do not know how I would find someone with the exact same level of Windows. I have SP1 plus all critical updates. There have been a few updates which I have not allowed on my system, like the Microsoft malware detection tool - due to the fact that once you put that thing on you will no longer be able to turn off automatic updates for it unless you turn them off for everything - I find that totally unreasonable and ridiculous. There may have been others which were not critical and which, like the malware tool, had side effects which I found to be unacceptable. I have no way of knowing if any of these updates would change services.exe so that the MD5 would be different - or is it the case that MD5 is not a checksum and would not be affected by this? Sorry for my ignorance on this subject. If it is the case that all I have to do is find someone with Windows XP Pro SP1 then it should be no problem.

Thanks,
Mark

Those streams in winlogon look like you have had KAV installed at some time and that's a common leftover.

I am convinced that it is a false alarm and you should allow services.exe to connect & ignore the messages.

Derek,

Thank you again for your advice and assistance. I have done what you recommended and this has eliminated the alerts about svchost.exe. Unfortunately there still appears to be something on my system related to svchost.exe because Sunday night PrevX Pro 2005 alerted me to an attempt by svchost.exe to perpetrate a buffer overflow.

That, in combination with SpySweeper and PestPatrol being disabled, convinces me that there is either some undetected malware still lurking around, or someone has managed to get access to my system, or the operating system is damaged in some way from the virus and malware which were removed.

Either way, the best solution is to just reinstall it from scratch and put all the updates and protective software in place before the system is ever connected to the internet. At that point I should have a clean system once again and be relatively safe from reinfestation.

Mark

If you have not reinstalled yet:
Find your services.exe and display properties from the right mouse button menu. In the Version tab there is a version number. It gets updated when the file is changed by a patch or fix from Microsoft. Get md5sum.exe from the internet. Post your file version along with the md5 and some info to some forum (like this one) or an appropriate Usenet group. Wait for an answer.
X.
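The file-version-plus-hash check suggested in the post above (and the earlier "Check MD5" advice), as an added Python example that is neither the thread's nor any tool's own code: it computes the MD5 the post asks for (plus SHA-256, which is what to compare today), reads the file version out of the PE's VS_FIXEDFILEINFO by scanning for its signature, and compares the result against a reference table you fill from a trusted machine at the same patch level. The sample bytes are a constructed stub, not a real services.exe, and the reference table is built from that stub.

```python
import hashlib
import struct
import sys

VS_FFI_SIGNATURE = 0xFEEF04BD     # dwSignature of VS_FIXEDFILEINFO
VS_FFI_STRUCVERSION = 0x00010000  # dwStrucVersion written by real version resources


def file_version(data):
    """Return 'a.b.c.d' from the first plausible VS_FIXEDFILEINFO in a PE image, else None.
    Scanning for signature + struct-version is a triage shortcut that avoids walking
    the resource directory; good enough for one system binary."""
    needle = struct.pack("<II", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION)
    pos = data.find(needle)
    if pos == -1 or pos + 16 > len(data):
        return None
    _, _, ms, ls = struct.unpack_from("<IIII", data, pos)  # dwFileVersionMS/LS follow
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def digests(data):
    """MD5 (what the post asks for) and SHA-256 (what to actually compare)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def check_binary(data, reference):
    """reference maps file version -> SHA-256 collected from a trusted machine.
    Returns (version, digests, verdict)."""
    ver, d = file_version(data), digests(data)
    if ver is None:
        return ver, d, "NO VERSION RESOURCE: not a normal Windows system binary"
    expected = reference.get(ver)
    if expected is None:
        return ver, d, "UNKNOWN VERSION: compare with a machine at the same patch level"
    if expected == d["sha256"]:
        return ver, d, "MATCH: file identical to the reference"
    return ver, d, "MISMATCH: same version string, different content"


# Constructed stub: a DOS header plus a VS_FIXEDFILEINFO claiming version 5.1.2600.1106.
# Not a real services.exe, just enough structure for the functions above.
SAMPLE_PE = (b"MZ" + b"\x00" * 62
             + struct.pack("<IIIIII", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION,
                           (5 << 16) | 1, (2600 << 16) | 1106,
                           (5 << 16) | 1, (2600 << 16) | 1106)
             + b"\x00" * 16)
# Reference table built from the stub; on a real system fill this from a clean machine.
REFERENCE = {"5.1.2600.1106": digests(SAMPLE_PE)["sha256"]}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_PE
    version, sums, verdict = check_binary(blob, REFERENCE)
    print("version:", version)
    print("md5:    ", sums["md5"])
    print("sha256: ", sums["sha256"])
    print(verdict)
```

Run it with the path to the binary as the only argument; a matching version string with a differing hash is the case worth worrying about, since a patch changes both.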

I installed SP2 and now my internet doesn't work. It just keeps on coming up with a DNS error when I try to go on a page. I have svchost but I don't know what to do. I'm using a laptop right now as my other computer won't show websites. Everyone talks about how they got the problem and then it worked again but mine just doesn't go on.

Mitchell

I am not sure if you are aware, but you have posted in a thread that is in the "Official LooknStop Firewall Forum". If you are not using LooknStop Firewall, then I will move your post over to a more suitable forum here.

Regards,

snap

Mitchell

If you are using another firewall, then turn OFF the SP2 firewall; that is usually the problem.

Hi Mitchell,

Another tip: if you are using ICS server on Windows XP-SP2 with Look 'n' Stop, you need to import the following rules (on the server) to allow the client PCs to connect to internet:
http://looknstop.soft4ever.com/Rules/XPSP2-ICS.rie

Regards,

Frederic