Services.exe in c:\windows

Discussion in 'adware, spyware & hijack cleaning' started by Smokey, Jul 4, 2004.

  1. Smokey (Registered Member)

    [solved] Services.exe in c:\windows

    My software firewall (Kerio 4) gives me several alerts, one of them:

    [4/7/2004 1:10:08]
    Direction: outgoing
    Local Point: 0.0.0.0, port 1954
    Adapter: NVIDIA nForce MCP Networking Controller - Pakketplanner-minipoort
    Remote Point: origin2.microsoft.com [207.46.250.252], port http [80]
    Protocol: TCP
    Application path: C:\WINDOWS\services.exe
    Description: services
    File version:
    Size: 6.748
    Created: 2003/5/29, 09:52:40
    Modified: 2003/5/29, 09:52:40
    Accessed: 2003/12/31, 14:44:06

    It seems this application is trying to make an outgoing connection to Microsoft and others.

    The system on which it occurs has WinXP Professional.

    As far as I know, the application services.exe is normally in the windows\system32 directory; it is there too, with a different size (101.888) and date (9-7-2001).

    I have scanned the application with Kaspersky AV, F-Secure AV and TDS, and got no alarm at all.

    Logfile of HijackThis v1.98.0
    Scan saved at 16:13:12, on 4-7-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\services.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
    C:\WINDOWS\System32\SRVANY.EXE
    C:\Program Files\ISDNCID\isdncid.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\SLEE503.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Eicon\Diva\DiTask.exe
    C:\Program Files\Eicon\Diva\Divamon.exe
    C:\Program Files\Eicon\Diva\watch.exe
    C:\Program Files\Eicon\Diva\cgserver.exe
    C:\Program Files\Eicon\Diva\diinfo.exe
    C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\DC-216 Utility\Systemtray.exe
    C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    C:\Program Files\CpuIdle\cpuidle.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
    C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\ServiceLayer.exe
    C:\Program Files\RAM Saver Pro\ramsaverpro.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Wireless Watch\WirelessWatch.exe
    C:\Program Files\Steganos Security Suite 6\sss.exe
    C:\Program Files\Steganos Security Suite 6\safe.exe
    C:\Program Files\Steganos Security Suite 6\spm.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\ScanPanel\ScnPanel.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Sitecom\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe
    C:\Program Files\eMule\eMule.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\TEMP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dave's Play Toy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - (no file)
    O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
    O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
    O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
    O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
    O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
    O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\DC-216 Utility\CleanReg.exe
    O4 - HKLM\..\Run: [ADSLSYSTEMTRAY] C:\PROGRA~1\DC-216 Utility\Systemtray.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
    O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
    O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
    O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\RAM Saver Pro\ramsaverpro.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [Wireless Watch#Autostart] "C:\Program Files\Wireless Watch\WirelessWatch.exe"
    O4 - HKCU\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
    O4 - HKCU\..\Run: [SSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
    O4 - HKCU\..\Run: [SSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Alles downloaden met &ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Do&wnload met &ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
    O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\CopernicAgentExt.dll
    O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\CopernicAgentExt.dll
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
    O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe
    O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - (no file)
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - (no file)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: eBay Homepage - {D4951B60-8FF9-4813-B716-FF3E75386E74} - http://www.preispiraten.de/cgi-bin/e/tracker_short.pl?http://www.ebay.de (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    What could be nasty here?

    Thanks for your help,

    Ciao,


    Smokey
     
    Last edited: Jul 11, 2004
  2. TonyKlein (Security Expert)

    There's no Startup entry for this 'rogue' services.exe file in your log; it may indeed have registered itself to start as an additional service, or to be launched some other way.

    Please do the following:

    In Hijack This, press "Config" > "Miscellaneous Tools".
    Under the "Generate Startuplist log" button, check the "List also minor sections" box.

    Now press "Generate Startuplist Log"
    This will generate a text file that will list all applications that are loaded from practically every known startup location.

    Go to Edit > select all, copy it and post its contents here.
     
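The two checks this thread turns on, a core-binary file name running from outside system32 (the first post) and a service entry that would launch such a file (the second post's "registered itself as an additional service"), as a triage script added here. It is not HijackThis or StartupList code and not anything the posters ran. It assumes %SystemRoot% is C:\WINDOWS, as in the posted log; SAMPLE_LOG is a constructed excerpt of lines from the thread, and the function and constant names are this example's own.

```python
"""Triage a HijackThis / StartupList log for core Windows binaries that run
from the wrong directory, and for services whose ImagePath points at one.
Added example for this thread, not part of HijackThis or the original posts.
Assumption: %SystemRoot% is C:\\WINDOWS, as in the log posted above."""
import re
from pathlib import PureWindowsPath

# NT core processes that only ever belong in %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")   # assumption, see docstring
SYSTEM32 = SYSTEM_ROOT / "system32"

# Constructed excerpt of the log lines posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

Enumerating Windows NT/2000/XP services

Event Log: %SystemRoot%\system32\services.exe (autostart)
ISDNCid: %SystemRoot%\System32\SRVANY.EXE (autostart)
GFI LANguard N.S.S. 5.0 attendant service: "C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (autostart)
"""


def normalize(path):
    """Canonicalise a path as logged: strip quotes and the \\??\\ NT prefix,
    expand %SystemRoot%.  PureWindowsPath then compares case-insensitively,
    which absorbs the System32 / system32 / SYSTEM32 variants in the log."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%systemroot%", lambda _: str(SYSTEM_ROOT), p, flags=re.I)
    return PureWindowsPath(p)


def is_masquerade(path):
    """True when a core-binary file name runs from anywhere but system32."""
    p = normalize(path)
    return p.name.lower() in CORE_BINARIES and p.parent != SYSTEM32


def _section(log, header):
    """Return the non-blank lines that follow `header` up to the next blank
    line or '----' separator (the layout HijackThis and StartupList use)."""
    lines = [line.strip() for line in log.splitlines()]
    if header not in lines:
        return []
    body = []
    for line in lines[lines.index(header) + 1:]:
        if not line or line.startswith("---"):
            if body:
                break
            continue
        body.append(line)
    return body


def flag_processes(log):
    """Running processes with a core-binary name outside system32."""
    return [p for p in _section(log, "Running processes:") if is_masquerade(p)]


# "<display name>: <command line> (<start type>)" as StartupList prints it.
SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+?) \((?P<start>\w+)\)$")
# First .exe token of the command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.I)


def flag_services(log):
    """(service name, exe) pairs for services that launch a masquerading
    binary, i.e. the 'registered itself as an additional service' case."""
    hits = []
    for line in _section(log, "Enumerating Windows NT/2000/XP services"):
        m = SERVICE_RE.match(line)
        e = EXE_RE.match(m["cmd"]) if m else None   # .sys drivers: no .exe
        if e and is_masquerade(e["exe"]):
            hits.append((m["name"], str(normalize(e["exe"]))))
    return hits


if __name__ == "__main__":
    print("masquerading processes:", flag_processes(SAMPLE_LOG))
    print("services launching them:", flag_services(SAMPLE_LOG))
```

Feed it the full HijackThis or StartupList text instead of SAMPLE_LOG. On the excerpt it reports the C:\WINDOWS\services.exe process and no service that launches it, which is the situation described in the reply above: the file is running, but nothing in the listed startup locations accounts for it, so the remaining work is the StartupList's other sections and a hash or signature comparison of the two files rather than a size comparison alone.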
  3. Smokey (Registered Member)

    Ok, there we go:

    StartupList report, 4-7-2004, 18:32:55
    StartupList version: 1.52.2
    Started from : C:\TEMP\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\services.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
    C:\WINDOWS\System32\SRVANY.EXE
    C:\Program Files\ISDNCID\isdncid.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\SLEE503.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Eicon\Diva\DiTask.exe
    C:\Program Files\Eicon\Diva\Divamon.exe
    C:\Program Files\Eicon\Diva\watch.exe
    C:\Program Files\Eicon\Diva\cgserver.exe
    C:\Program Files\Eicon\Diva\diinfo.exe
    C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\DC-216 Utility\Systemtray.exe
    C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    C:\Program Files\CpuIdle\cpuidle.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
    C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\ServiceLayer.exe
    C:\Program Files\RAM Saver Pro\ramsaverpro.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Wireless Watch\WirelessWatch.exe
    C:\Program Files\Steganos Security Suite 6\sss.exe
    C:\Program Files\Steganos Security Suite 6\safe.exe
    C:\Program Files\Steganos Security Suite 6\spm.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\ScanPanel\ScnPanel.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Sitecom\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe
    C:\Program Files\eMule\eMule.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
    C:\TEMP\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    BTTray.lnk = ?
    ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    CHotkey = mHotkey.exe
    ledpointer = CNYHKey.exe
    InstantAccess = C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    CARPService = carpserv.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    WinFaxAppPortStarter = wfxsnt40.exe
    DiTask.exe = "C:\Program Files\Eicon\Diva\DiTask.exe"
    Divamon.exe = "C:\Program Files\Eicon\Diva\Divamon.exe"
    Eicon TechnologyLAN_DAEMON = "C:\Program Files\Eicon\Diva\watch.exe"
    CGServer = "C:\Program Files\Eicon\Diva\cgserver.exe"
    RCScheduleCheck = C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
    Opware12 = "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
    Fix-It AV = C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    SoundMan = SOUNDMAN.EXE
    CleanRegPath = C:\PROGRA~1\DC-216 Utility\CleanReg.exe
    ADSLSYSTEMTRAY = C:\PROGRA~1\DC-216 Utility\Systemtray.exe
    LWBMOUSE = C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
    HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
    HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Nokia Tray Application = C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    NvMixerTray = C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    CpuIdle = C:\Program Files\CpuIdle\cpuidle.exe
    MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    LVCOMS = C:\WINDOWS\System32\LVComS.exe
    KAV50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
    ATI Launchpad =
    ATI Remote Control = C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    Speaking Clock Deluxe = "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
    Bandwidth Monitor Pro = "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
    Internet Download Accelerator = C:\Program Files\IDA\ida.exe -autorun
    RAMSaverPro = C:\Program Files\RAM Saver Pro\ramsaverpro.exe
    Window Washer = C:\Program Files\Webroot\Washer\wwDisp.exe
    Wireless Watch#Autostart = "C:\Program Files\Wireless Watch\WirelessWatch.exe"
    SSS6_Suite = "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
    SSS6_SAFE = "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
    SSS6_SPM = "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
    SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44AE4113-C121-10CC-1F32-A0BC12E2014D}]
    StubPath = C:\WINDOWS\System32\msapplg.exe

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - (no file) - {16664845-0E00-11D2-8059-000000000000}
    (no name) - C:\PROGRA~1\IDA\idaiehlp.dll - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}
    (no name) - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\windows\downloaded program files\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    1 Copernic Intra-Daily ~DAVE-E0THNENAX8 Dave.job
    2 Copernic Daily ~DAVE-E0THNENAX8 Dave.job
    3 Copernic Weekly ~DAVE-E0THNENAX8 Dave.job
    4 Copernic Monthly ~DAVE-E0THNENAX8 Dave.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
    CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

    [PCPitstop Utility]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [{6CB5E471-C305-11D3-99A8-000086395495}]
    CODEBASE = http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.4804513889

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Omgeving voor AFD-netwerkondersteuning: \SystemRoot\System32\drivers\afd.sys (autostart)
    aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
    Aspi32: System32\drivers\aspi32.sys (autostart)
    Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
    ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Intelligente achtergrondsoverdrachtservice: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Bluetooth Serial Driver: \??\C:\WINDOWS\System32\drivers\btserial.sys (autostart)
    Bluetooth Port Client Driver: \??\C:\WINDOWS\System32\drivers\btslbcsp.sys (autostart)
    Bluetooth Service: C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe (autostart)
    Crypkey License: crypserv.exe (autostart)
    Services voor cryptografie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Eicon CAPI 2.0-stuurprogramma: System32\DRIVERS\DISDN\capi202k.sys (autostart)
    Eicon-poortstuurprogramma: System32\DRIVERS\DISDN\diport40.sys (autostart)
    Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart)
    Diskeeper Administrator Service: C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fix-It Task Manager: C:\PROGRA~1\VCOM\Fix-It\mxtask.exe -Service (autostart)
    GEARSecurity: %SystemRoot%\System32\GEARSec.exe (autostart)
    GFI LANguard N.S.S. 5.0 attendant service: "C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (autostart)
    Help en ondersteuning: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
    Infraroodmonitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    ISDNCid: %SystemRoot%\System32\SRVANY.EXE (autostart)
    KLBLMain: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (autostart)
    Kerio Personal Firewall 4: C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
    mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
    NWLink IPX/SPX/NetBIOS-compatibel transportprotocol: System32\DRIVERS\nwlnkipx.sys (autostart)
    NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
    NWLink SPX/SPXII-protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
    SAP Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    oodld: \??\C:\Program Files\OO Software\DriveLED\oodleddr.sys (autostart)
    pavdrv: System32\DRIVERS\pavdrv51.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC-services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Steganos Live Encryption Engine (Version 503) [Driver]: \??\C:\WINDOWS\System32\drivers\SLEE503.sys (autostart)
    Steganos Live Encryption Engine (Version 503) [Service]: C:\WINDOWS\System32\SLEE503.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    StreamDispatcher: System32\DRIVERS\strmdisp.sys (autostart)
    SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart)
    Thema's: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Uploadbeheer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    V2i Protector: C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------

    Ciao,

    Smokey
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, there's absolutely no reference to a Services.exe file in your Windows folder anywhere, except of course in your Running Processes... :(

    Would you please find that file, right-click it, choose Properties, and tell us whether that helps to determine what it could be?

    Also, would you please upload the file (the one in C:\Windows, to be sure!) to these two excellent online file scanners to be tested:

    Dialogue Science online virus checker
    Kaspersky anti-virus checker

    It would be interesting to see what these scanners make of it.
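As an added example that is not part of the thread, the check a defender would script for the observation above: it walks the 'Running processes' block of a HijackThis log and the 'Application path' line of a Kerio alert, and flags any core Windows binary (services.exe, lsass.exe and friends) that runs from outside %SystemRoot%\System32 or appears more often than a singleton should. The log text inside is constructed, modelled on the one posted earlier in the thread.

```python
# Added example, not code from the thread: flag core Windows binaries running
# outside %SystemRoot%\System32, as C:\WINDOWS\services.exe did in this case.
import ntpath
import re
# Belong only in System32; True means one instance is expected (svchost runs many).
CORE_BINARIES = {"smss.exe": True, "csrss.exe": True, "winlogon.exe": True,
                 "services.exe": True, "lsass.exe": True, "spoolsv.exe": True,
                 "svchost.exe": False}

def classify(path, system_root=r"C:\WINDOWS"):
    """Return a reason if path is a core binary outside System32, else None."""
    name = ntpath.basename(path).lower()
    if name not in CORE_BINARIES:
        return None
    expected = ntpath.join(system_root, "System32").lower()
    actual = ntpath.normpath(ntpath.dirname(path)).lower()
    return None if actual == expected else f"{name} runs from {actual}, expected {expected}"

def audit_hijackthis(log_text, system_root=r"C:\WINDOWS"):
    """Check the 'Running processes:' block of a HijackThis log (paths compare case-insensitively)."""
    findings, seen, in_block = [], {}, False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line:          # the block ends at the first blank line
            break
        elif in_block:
            if reason := classify(line, system_root):
                findings.append(reason)
            name = ntpath.basename(line).lower()
            seen[name] = seen.get(name, 0) + 1
    for name, count in seen.items():
        if CORE_BINARIES.get(name) and count > 1:
            findings.append(f"{name} appears {count} times, expected one instance")
    return findings

def audit_firewall_alert(alert_text, system_root=r"C:\WINDOWS"):
    """Check the 'Application path:' line of a Kerio-style outbound-connection alert."""
    m = re.search(r"^Application path:\s*(.+)$", alert_text, re.M)
    return classify(m.group(1).strip(), system_root) if m else None

# Constructed sample modelled on the HijackThis log posted in the thread (not the original text).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [Example] C:\example\placeholder.exe"""
```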
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Properties c:\windows\services.exe: 6.748 bytes
    On disc: 8.192 bytes
    Date: 5-29-2003

    I have checked the file with the online scanners you mentioned, KAV AV for Workstations, F-Secure AV and TDS.

    Results: clear :rolleyes:

    BTW: Results of KAV Online:

    Scanned file: services.exe

    services.exe - packed with MEW
    services.exe - OK

    Statistics:
    Known viruses: 91980 Updated: 04-07-2004
    File size (Kb): 7 Virus bodies: 0
    Files: 2 Warnings: 0
    Archives: 0 Suspicious: 0

    What the h*ck could it be?

    As you have seen, it has tried to make an outgoing connection, maybe 30 times within 1 hour, and to different destinations...

    Maybe I am stupid; I understand more about security than common people (I think), but in this case I don't know what is happening and why. o_O

    Ciao,

    Smokey
     
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    BTW: I have just renamed the file and rebooted the system, and now, after the reboot, the file has placed itself in the Windows directory again... :mad:
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It's a mystery to me... Would you please send a copy of the file to nosuchuserATxs4all.nl for analysis? (replace 'AT' by @).

    I'll see what I can find out.
    Thanks!
     
  8. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Sent the nasty one to the email address above.

    Let's see what it brings...... :rolleyes:
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Thank you, got it! :)

    I'll execute the file later tonight, and will log what happens. Will keep you posted.
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    OK, I executed the file and logged its install; no significant Registry changes were recorded.

    Subsequently, the file indeed attempted to access the Net, and proved impossible to delete; it even resisted attempts to end process on it using Task Manager.

    Here's how to get rid of it:

    Download TheKillbox: http://broadbandmedic.com/download/

    Unzip, launch the application, go to Menu > Action, and check 'Delete on Reboot'.

    In the following window, go to File > Add File and browse to Services.exe. Then go to Action > Process and Reboot.

    You'll be prompted to reboot; do so. Subsequently, the file will be gone.

    Good luck,
     
    Last edited: Jul 5, 2004
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi Tony,

    First, thanks for your efforts to help me.

    I have done what you advised, but services.exe still appears...
    Very strange; there was only one solution: a system restore.

    My luck: every 3 hours I do an incremental backup on all my systems with V2i Protector, so a clean system minus 3 hours of work is back again and virus-free.

    I still don't know what the real cause of all the problems is, and that is driving me crazy, 'cause I don't like it at all that something nasty happens and I can't find out why.

    Ciao,


    Smokey
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That's strange, as I was able to delete the file the way I described, using PendingFileRenameOperations.
    However, that may have been because of the way I installed it; it could well be a different story at your end.

    Anyway, good to hear you're up and running again. :)
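As an added example (not from the thread, and not KillBox's own code), a decoder for the PendingFileRenameOperations value Tony refers to, so a responder can confirm that a delete-on-reboot really was queued for C:\WINDOWS\services.exe before trusting the next boot. On a live host the raw bytes come from reading that value with winreg.QueryValueEx; here a constructed sample stands in, with made-up file names for the second entry.

```python
# Added example, not code from the thread: decode the REG_MULTI_SZ value
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
# the mechanism KillBox's 'Delete on Reboot' uses, so a responder can verify that
# a delete was really queued. Entries come in pairs (source, destination): an empty
# destination means delete, a '!' prefix on the destination means overwrite an
# existing target, and paths carry the NT '\??\' prefix.
NT_PREFIX = "\\??\\"

def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ bytes: each string NUL-terminated, plus a final NUL."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")

def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; keeps the empty strings PFRO uses for deletions."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                      # drop the list terminator
    return text.split("\0")[:-1] if text else []

def strip_nt(path):
    """Turn '\\??\\C:\\x' into the Win32 form 'C:\\x'."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pfro(raw):
    """Return (action, source, destination) triples from a PFRO value."""
    items, ops = decode_multi_sz(raw), []
    for i in range(0, len(items), 2):
        src = strip_nt(items[i])
        dst = items[i + 1] if i + 1 < len(items) else ""
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, strip_nt(dst[1:])))
        else:
            ops.append(("move", src, strip_nt(dst)))
    return ops

def delete_is_queued(raw, win32_path):
    """True if win32_path is queued for deletion (case-insensitive, as NTFS compares)."""
    return any(a == "delete" and s.lower() == win32_path.lower() for a, s, _ in parse_pfro(raw))

# Constructed sample: the value after queueing the file from the thread for deletion,
# plus one overwrite-on-reboot entry with made-up file names.
SAMPLE_PFRO = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\services.exe", "",
    NT_PREFIX + r"C:\WINDOWS\Temp\new_example.dll",
    "!" + NT_PREFIX + r"C:\Program Files\Example\example.dll",
])
```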
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    That's indeed the most important issue: running clean again! :D

    Another important issue: I found out what the nasty is (was):

    a variant of the TrojanDownloader.Win32.Delf virus.

    Exact name of the variant: TrojanDownloader.Win32.Delf.cq.

    Let's have fun again,

    Ciao,

    Smokey
     