
Weird Windows Services

Discussion in 'Virus & Other Malware Removal' started by ToXiCaTioN.d, Jan 12, 2013.

Thread Status:
Not open for further replies.
  1. ToXiCaTioN.d

    ToXiCaTioN.d Thread Starter

    Joined:
    Jul 2, 2008
    Messages:
    93
    For starters, this is a Windows Home Server. Here is a bit of history:

    From day one the server has had issues, nothing malware related but something doesn't seem right with the OS. It could possibly be due to the OS itself, being a Home Server edition. About half a year ago, it somehow got infected (more than likely me trusting a rogue program) and because RDP was enabled on the server somebody was able to create an account and have full administrative access. Since then I've deleted the account, disabled RDP from outside the network, and run several scans. Everything seemed good until I noticed a rogue "Windows services" service (the lowercase s gave it away). Attempting to disable it, it said that "Network Connections" depends on it. Thought that was odd, so I looked into it. Did a scan (on VirusTotal) on the "Windows services" and "Network Connections" file(s) and they were flagged as rogue. Did a virus scan with NOD32, Kaspersky and Malwarebytes and they all came back clean. So naturally I deleted those files and turned off the services. Since then, I haven't been able to view my network connections as it requires "Network Connections" to be enabled, but because the files were rogue I haven't turned it back on.

    Sorry for such a long history, I just wanted to take precautions. Just for the record, no personal data is stored on the server; it is mainly just for file storage. Also worth noting, I haven't been able to view my files over the network (via mapped drives or just through the network option) since this happened. I can't even see the computer, and using the hostname to connect to the server hasn't worked since. I use RDP to connect to this computer; it doesn't have a physical keyboard or mouse. I can hook them up if needed.

    Anyways...

    TSG SysInfo Scan
    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows Home Server Premium, Service Pack 1, v.721, 64 bit
    Processor: AMD Athlon(tm) II X2 250 Processor, AMD64 Family 16 Model 6 Stepping 3
    Processor Count: 2
    RAM: 4095 Mb
    Graphics Card: ATI Radeon HD 4770, 512 Mb
    Hard Drives: C: Total - 61439 MB, Free - 15070 MB; D: Total - 892326 MB, Free - 308857 MB; E: Total - 1430796 MB, Free - 1104820 MB; G: Total - 38163 MB, Free - 36916 MB; H: Total - 953867 MB, Free - 654340 MB;
    Motherboard: BIOSTAR Group, A780L3L
    Antivirus: None

    Although it says there isn't an antivirus, Kaspersky Small Office Security 2 is installed as a trial (finding antiviruses that install on WHS is practically impossible).

    Thank you for your support!
     
  2. ToXiCaTioN.d

    ToXiCaTioN.d Thread Starter

    Joined:
    Jul 2, 2008
    Messages:
    93
    Maybe I should post a HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:34:05 PM, on 1/13/2013
    Platform: Windows 7 SP1, v.721 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17105)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\uTorrent\uTorrent.exe
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe
    G:\xampp\xampp-control.exe
    G:\xampp\apache\bin\httpd.exe
    G:\xampp\apache\bin\httpd.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\ProgramData\TVersity\Media Server\berkelium.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
    O4 - HKUS\S-1-5-21-112553301-2407407974-3742717288-1009\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED (User 'MediaStreamingAdmin')
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O15 - ESC Trusted Zone: http://www.google.ca
    O15 - ESC Trusted Zone: http://*.imagesak.securepaynet.net (HKLM)
    O15 - ESC Trusted Zone: http://*.img.godaddy.com (HKLM)
    O15 - ESC Trusted Zone: http://*.img3.wsimg.com (HKLM)
    O15 - ESC Trusted Zone: http://login.live.com (HKLM)
    O15 - ESC Trusted Zone: http://accountservices.passport.net (HKLM)
    O15 - ESC Trusted Zone: http://*.www.godaddy.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (Bitdefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{541490F7-8D30-4223-9681-B6E61926CA0A}: NameServer = 8.8.8.8,8.8.4.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4D6115A-9677-467D-8CC9-2A51542E93A0}: NameServer = 8.8.8.8,8.8.4.4
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-35 (AddInInfrastructureSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Kaspersky Small Office Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe
    O23 - Service: @%systemroot%\system32\certocm.dll,-347 (CertSvc) - Unknown owner - C:\Windows\system32\certsrv.exe (file missing)
    O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-15 (DevicesProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-31 (DomainManagerProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - g:\xampp\filezillaftp\filezillaserver.exe
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-7 (HealthAlertsSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-39 (IdentitySvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-43 (initMonitor) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: mysql - Unknown owner - g:\xampp\mysql\bin\mysqld.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-33 (NetworkingHelperSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-21 (NotificationsProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-29 (RAAdminProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
    O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
    O23 - Service: rundll 32. (rundll) - Unknown owner - C:\Windows\inf\sys\rundll32.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-37 (ServerBackupSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-19 (ServiceProviderRegistry) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\ProviderRegistryService.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-25 (SettingsProvider) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SettingsProvider.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-5 (SqmProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\storageservice.exe,-1000 (storageservice) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\storageservice.exe (file missing)
    O23 - Service: TVersity Media Server (TVersityMediaServer) - Unknown owner - C:\ProgramData\TVersity\Media Server\MediaServer.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-11 (whsmss) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\MediaStreamingProvider.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-13 (WSSUPnPDevice) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\UPnPDevice.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-3 (WSS_ComputerBackupProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Server\Bin\wssbackup.exe,-1 (WSS_ComputerBackupSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\WSSBackup.exe (file missing)

    --
    End of file - 11578 bytes
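The first post describes the pattern that gave the rogue service away: a display name almost identical to a legitimate one ("Windows services" with a lowercase s) that a real component ("Network Connections") had been made to depend on, and binaries that VirusTotal flagged while the installed scanners came back clean. The second post carries the raw O23 service list. The script below is an added example, not code from this thread or from HijackThis: it parses O23 lines and flags the three things a practitioner checks first when hunting a service like that: a display name that squashes to the name of a core Windows binary (the way "rundll 32." squashes to rundll32), an image path outside the usual Windows and Program Files roots, and a core binary name such as rundll32.exe being loaded from a non-standard directory. The expected-root list and the set of binary names are this example's own assumptions, not an authoritative allow-list, so a hit means "verify this service", not "this is malware". The "(file missing)" marker is parsed but deliberately not scored: a 32-bit HijackThis run on 64-bit Windows has System32 and %ProgramFiles% redirected to SysWOW64 and Program Files (x86), so many legitimate services in the log above show as missing for that reason alone.

```python
"""Triage HijackThis O23 service entries for rogue-service patterns.

Heuristics only: a hit means "verify this service", not "this is malware".
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HijackThis appends the short service name in parentheses: "... (ALG)".
SHORT_NAME_RE = re.compile(r"\s*\((?P<name>[^()]+)\)$")

# Assumed: where Windows and vendor service binaries normally live.
EXPECTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData",
)
SYSTEM_DIRS = EXPECTED_ROOTS[:2]
# Assumed: core Windows executable names that rogue services like to borrow.
WINDOWS_BINARIES = {"rundll32", "svchost", "lsass", "csrss", "services", "winlogon"}


@dataclass
class ServiceEntry:
    name: str       # short service name, e.g. "ALG"
    display: str    # display name without the "(ALG)" suffix
    owner: str
    path: str
    missing: bool   # "(file missing)" was present; informational only


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m["display"]
    short = SHORT_NAME_RE.search(display)
    name = short["name"] if short else display
    display = SHORT_NAME_RE.sub("", display)
    return ServiceEntry(name, display, m["owner"], m["path"], m["missing"] is not None)


def _under(path: str, roots) -> bool:
    """True if path lies below one of roots (case-insensitive, like NTFS)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(r) in parents for r in roots)


def assess(entry: ServiceEntry):
    """List the reasons this entry deserves a closer look (empty if none)."""
    flags = []
    # "rundll 32." squashes to "rundll32": a lookalike of a core binary name.
    squashed = re.sub(r"[^a-z0-9]", "", entry.display.lower())
    if squashed in WINDOWS_BINARIES:
        flags.append(f"display name {entry.display!r} impersonates {squashed}.exe")
    if not _under(entry.path, EXPECTED_ROOTS):
        flags.append(f"image {entry.path} is outside the expected install roots")
    stem = PureWindowsPath(entry.path).stem.lower()
    if stem in WINDOWS_BINARIES and not _under(entry.path, SYSTEM_DIRS):
        flags.append(f"{stem}.exe is loaded from outside System32/SysWOW64")
    # entry.missing is deliberately not scored: a 32-bit HijackThis on 64-bit
    # Windows is redirected to SysWOW64 / Program Files (x86) and reports
    # many legitimate System32 services as "(file missing)".
    return flags


def triage(log_text: str):
    """Map short service name -> flags, for flagged O23 entries only."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        flags = assess(entry)
        if flags:
            findings[entry.name] = flags
    return findings


# Sample input: O23 lines copied from the HijackThis log posted above,
# plus one O4 line to show that non-service lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe"
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Kaspersky Small Office Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - g:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: rundll 32. (rundll) - Unknown owner - C:\Windows\inf\sys\rundll32.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(name)
        for f in flags:
            print("  -", f)
```

Run as-is it triages the embedded lines; pass a whole HijackThis log to triage() for a full list. The FileZilla hit shows the intended behaviour for software the owner installed themselves under a non-standard root: it is listed for review, not condemned. Anything flagged should then be confirmed on the machine itself with `sc qc <short name>`, which prints the real BINARY_PATH_NAME and DEPENDENCIES, followed by a hash of that file submitted to VirusTotal, as the first post did.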
     
Short URL to this thread: https://techguy.org/1084925