
servicei.exe on Windows XP


coldnature

IS-IT--Management
Feb 25, 2005
Recently noticed that if you rebuild a computer with Windows XP SP1 and let it sit for an hour, it gets a registry run entry of "System Service", file servicei.exe. If you delete it, it comes back, until you apply critical updates. Not sure if SP2 or one of the critical updates is fixing it yet. It's taking advantage of a known hole obviously and the remedy is simple, but I'm curious why there is no information available on it.

While running, the service tries to connect to a series of IP addresses 192.168.xxx.xxx on all ports. It makes a connection on port 1403 to 150.171.36.72.reverse.layeredtech.com

I think it is trying to replicate itself. We have a firewall in place, so I think it may be running on one of my machines. I'm going to check this out now, but I'm wondering if anyone has seen this yet. I've been searching the web on it for almost a week and found only one other person with it, but that situation was different.
 
Hi

I have just reinstalled XP Pro. and have experienced exactly the infection you describe. servicei.exe appeared in system32 as a hidden file almost as soon as I authenticated my copy of XP. Yep, deleting it doesn't get rid of it. Haven't installed SP2 yet.

My knowledge of ports & their operation is sketchy. Netstat reports

TCP mesh:epmap mesh:0 LISTENING
TCP mesh:microsoft-ds mesh:0 LISTENING
TCP mesh:1025 mesh:0 LISTENING
TCP mesh:2131 mesh:0 LISTENING
TCP mesh:5000 mesh:0 LISTENING
TCP mesh:netbios-ssn mesh:0 LISTENING
TCP mesh:2131 serv-2-5-236.lycos-vds.com:7744 SYN_SENT
UDP mesh:epmap *:*
UDP mesh:microsoft-ds *:*
UDP mesh:isakmp *:*
UDP mesh:1026 *:*
UDP mesh:1027 *:*
UDP mesh:1165 *:*
UDP mesh:ntp *:*
UDP mesh:netbios-ns *:*
UDP mesh:netbios-dgm *:*
UDP mesh:1900 *:*
UDP mesh:ntp *:*
UDP mesh:1900 *:*
UDP mesh:2081 *:*
 
Logfile of HijackThis v1.97.7
Scan saved at 4:25:44 PM, on 8/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Utils\HiJack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [System Service] servicei.exe
O4 - HKLM\..\Run: [SpyHunter] D:\utils\SDSpyBot\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
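As an added example (not from this thread), the two checks the posts above do by eye, scripted in Python: flag any Run entry in a HijackThis log whose command is a bare file name rather than a full path, as the [System Service] servicei.exe entry is, and list the outbound TCP connections in the netstat output that go to a host other than the machine itself. The sample input is constructed from the lines quoted above; "mesh" is assumed to be the poster's machine name as netstat prints it.

```python
import re
# Constructed samples, copied from the netstat and HijackThis output quoted above.
NETSTAT_SAMPLE = """
TCP mesh:epmap mesh:0 LISTENING
TCP mesh:1025 mesh:0 LISTENING
TCP mesh:2131 mesh:0 LISTENING
TCP mesh:2131 serv-2-5-236.lycos-vds.com:7744 SYN_SENT
UDP mesh:epmap *:*
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [System Service] servicei.exe
O4 - HKLM\..\Run: [SpyHunter] D:\utils\SDSpyBot\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
LOCAL_HOST = "mesh"  # assumed: the poster's machine name as netstat prints it

def outbound_connections(netstat_text, local_host=LOCAL_HOST):
    """TCP rows that are not listeners and whose peer is not this machine,
    as (local_port, remote_host, remote_port, state)."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # skip UDP rows, blank lines and headers
        _, local, remote, state = parts
        rhost, _, rport = remote.rpartition(":")
        if state == "LISTENING" or rhost in (local_host, "*", "127.0.0.1", "localhost"):
            continue
        hits.append((local.rpartition(":")[2], rhost, rport, state))
    return hits

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")

def suspicious_run_entries(hjt_text):
    """Run entries whose executable is a bare file name with no drive or path:
    such an entry is found by a PATH search, e.g. a file dropped into system32."""
    hits = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        command = command.strip()
        exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
        if not re.match(r"^[A-Za-z]:\\", exe):
            hits.append((hive, name, exe))
    return hits
```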
 
I'm surprised you haven't got more infections, especially without an active anti-virus, no firewall and no patches for XP.

You need to get XP SP1 asap and all other patches, you are open to multiple threats!




Free anti-virus: download one of them.

free anti-virus tools
AVG7
Anti-vir

free firewall: Download one of them!

free firewalls
sygate

go to add/remove and uninstall SpyHunter, look for its folders in C:\program files and delete it. It's a dubious programme.




go to this site and download these tools and once you get both adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect "search for negligible risk entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the immunize button.

reboot again


With CWshredder close all browsers and programmes and select the FIX button.



Go here and download Microsoft Antispyware Beta. First in the top menu click File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options. In that window put a tick by Run a full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it quarantine the items that have that option rather than delete just in case. It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!

* Microsoft® Windows AntiSpyware
* Trend micro CWShredder
* SpyBot search and destroy
* AdAware SE





After doing all that now do this!

* Download the trial version of Ewido Security Suite here
* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Download Cleanup from Here
* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:



have hijack this fix these entries. close all browsers and programmes before clicking FIX.

O4 - HKLM\..\Run: [System Service] servicei.exe
O4 - HKLM\..\Run: [SpyHunter] D:\utils\SDSpyBot\SpyHunter\SpyHunter.exe

find and delete these files and folders if there?

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders", then "Apply" then "OK".

find and delete this file if there!

servicei.exe




* Run Ewido:
* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Run Cleanup:
* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.

Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete.
Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

post another hijack this log, the ewido and active scan logs
 
Coldnature

I removed servicei.exe and its registry entries & it hasn't reappeared.
It seemed to appear when I authenticated my copy of XP.
Worrying to think MS has an infected site, but not surprising.

Pechenegs

Remember I'm (slowly) reinstalling XP cos it crashed.
SP1 is installed, and now SP2.

I installed SP2 months ago when it became available then deinstalled it cos it didn't block the winampa virus; it did install WMP10, which interferes with downloads and can only be removed by nuking it. SP2 screwed up a 3rd party app and continually nagged me to switch on automatic updates (not a good idea IMO).

Although SP2 was deinstalled I had very few problems despite running an out of date version of Norton.

The secret is NOT to use virus magnet Internet Explorer and to stop MS Messenger running. I find Mozilla is a great browser with far fewer security issues.

I'll try out the free firewalls and antivirus progs.

My advice to anyone contemplating Norton AV: DON'T.
Symantec will not be getting any more of my money. I tried to renew my PC Norton AV license over the net. Their webpage took my credit card but failed to dispense a new license. I had the same problem with my laptop Norton AV, except I was careful not to lose money.
Then I upgraded from NT4 to XP Pro. Norton AV wouldn't run under XP so I had to buy an XP compatible copy. Then I found out the license renewal fee had tripled.
Freeware is definitely the way to go.

I've used Spyhunter for some time without problems.
OK, run it and it installs itself to run at boot, but this can be fixed in the registry.

I'm having major reinstall problems with XP Pro, so it's gonna be the weekend before I report back on all the other stuff you recommend.
 