18-03-2005, 11:49 AM   #1
nipun_the_gr8
What are these services ??


Of late, I have noticed some unknown services which run as soon as I log on to the net or start my PC...

Some of those services are:
syshost.exe, ftp.exe, xpjava.exe, tftp.exe, cmd.exe, samsungs.exe, winmes.exe, nvsvc.exe, SVSS32.exe & slserves.exe

Please tell me what are these services & what are they running for. Are they some adware/spyware programs ? If so, please suggest a software that will help me to get rid of these programs/services.

Here is my HijackThis Log File:

Logfile of HijackThis v1.99.0
Scan saved at 11:43:52 AM, on 3/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\slserves.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\System32\taskmgr.exe
F:\Setups\Hijack This 1.99\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O1 - Hosts: 67.15.104.33 ibank.barclays.co.uk
O1 - Hosts: 67.15.104.33 online-business.lloydstsb.co.uk
O1 - Hosts: 67.15.104.33 online.lloydstsb.co.uk
O1 - Hosts: 67.15.104.33 www.halifax-online.co.uk
O1 - Hosts: 67.15.104.33 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 67.15.104.33 www.nwolb.com
O1 - Hosts: 67.15.104.33 banesnet.banesto.es
O1 - Hosts: 67.15.104.33 extranet.banesto.es
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [REGRUN] C:\dhz.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Samsung] Samsungs.exe
O4 - HKLM\..\RunServices: [Microsoft MediaScope] winmes.exe
O4 - HKLM\..\RunServices: [NVSVC] nvsvc.exe
O4 - HKLM\..\RunServices: [Windows Service Support Call] SVSS32.EXE
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - D:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - D:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2CB7E57-CCA0-4495-B72F-3DD8E47764C8}: NameServer = 202.138.97.193 202.138.96.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Also please do tell me from where can I download the latest version of Hijack This.

Thankx in advance !!
 

18-03-2005, 12:28 PM   #2
enoonmai
Re: What are these services ??

Quote:
Originally Posted by nipun_the_gr8
Of late, I have noticed some unknown services which run as soon as I log on to the net or start my PC...

Some of those services are:
syshost.exe, ftp.exe, xpjava.exe, tftp.exe, cmd.exe, samsungs.exe, winmes.exe, nvsvc.exe, SVSS32.exe & slserves.exe

Please tell me what are these services & what are they running for. Are they some adware/spyware programs ? If so, please suggest a software that will help me to get rid of these programs/services.

Here is my HijackThis Log File:

Logfile of HijackThis v1.99.0
Scan saved at 11:43:52 AM, on 3/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\slserves.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\System32\taskmgr.exe
F:\Setups\Hijack This 1.99\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

O1 - Hosts: 67.15.104.33 ibank.barclays.co.uk
O1 - Hosts: 67.15.104.33 online-business.lloydstsb.co.uk
O1 - Hosts: 67.15.104.33 online.lloydstsb.co.uk
O1 - Hosts: 67.15.104.33 www.halifax-online.co.uk
O1 - Hosts: 67.15.104.33 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 67.15.104.33 www.nwolb.com
O1 - Hosts: 67.15.104.33 banesnet.banesto.es
O1 - Hosts: 67.15.104.33 extranet.banesto.es

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [REGRUN] C:\dhz.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Samsung] Samsungs.exe
O4 - HKLM\..\RunServices: [Microsoft MediaScope] winmes.exe
O4 - HKLM\..\RunServices: [NVSVC] nvsvc.exe
O4 - HKLM\..\RunServices: [Windows Service Support Call] SVSS32.EXE
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - D:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - D:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{F2CB7E57-CCA0-4495-B72F-3DD8E47764C8}: NameServer = 202.138.97.193 202.138.96.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Also please do tell me from where can I download the latest version of Hijack This.

Thankx in advance !!

First, press Ctrl+Shift+Esc, go to Task Manager>Processes and kill these processes by selecting them and pressing the "End Task" button:
slserves.exe

You can download the latest version of HJT from here:
http://www.spychecker.com/program/hijackthis.html

Run HJT again and select the ones marked in red and click "Fix". Also, about the Hosts entry in blue, if you have not added these yourself and don't use them often, then select these too and select "Fix". Next, search your computer for the following files and delete them:
xpjava.exe
smsse.exe
winmes.exe
svss32.exe
samsungs.exe
nvsvc32.exe - DO NOT DELETE THIS FILE IF YOU HAVE AN NVIDIA CARD!
slserves.exe
syshost.exe


As for the file information:
syshost.exe - W32.Francette virus/worm
ftp.exe - The FTP client for Windows.
xpjava.exe - A virus/adware - W32/Rbot-XU
tftp.exe - The Trivial FTP Service of Windows.
cmd.exe - The command shell for Windows.
samsungs.exe - Again, malware that should be removed.
winmes.exe - A virus/malware - W32/Rbot-XU
nvsvc.exe - It's the Nvidia display driver service, but can also be a virus/malware
SVSS32.exe - Malware again
slserves.exe - Malware again, I think. I am not aware of NAV using this file. Once again, swatkat can check this out for me. I think this is still spyware/malware.

Once you're done, download CleanUp! and run it and rescan using HJT and post back the log file. Also download Spybot S&D and install and update it and make sure it runs the TeaTimer protection at all times.

EDIT: Also, if you're not using the FTP/TFTP services yourself, feel free to terminate those processes too. And since FTP/TFTP are bound to the cmd.exe file, you can terminate that too, if you're not using the Command Prompt right then.
__________________
Face it, kid! Provoking a reaction isn't the same thing as saying something significant - Calvin
A64 3000+@2.4G/Asus A8V-DLX/1G DDR400/BBA X800 XT PE/320G HGST SATA2
Playing FEAR XP/LSW2

18-03-2005, 12:52 PM   #3
nipun_the_gr8

@enoonmai : What 'bout the entries which are in colour ?
 
18-03-2005, 01:01 PM   #4
enoonmai

Like I said, select the ones in Red, and check "Fix" and if you have not entered the values in Blue, select those also and fix them. First kill the process that I listed via the Task Manager, the slserves.exe process and then follow the steps I outlined.

19-03-2005, 12:41 AM   #5
it_waaznt_me

Also check this entry in HijackThis ...

Code:
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe

Also I notice you are not running SP2 .. You should better install Service Pack 2 for Win XP if you wanna stay protected ...
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!

21-03-2005, 11:15 AM   #6
nipun_the_gr8

@enoonmai: Thankx d00d !!

@it_waazant_me: Thankx to you also & I'll make sure that I install SP2
 
22-03-2005, 12:59 PM   #7
nipun_the_gr8

@enoonmai: Here is my latest HijackThis Log File :

Logfile of HijackThis v1.99.1
Scan saved at 11:50:31 AM, on 3/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\iexplorer.exe
D:\WINDOWS\System32\winmgr.exe
F:\Setups\Hijack This 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [blah service] iexplorer.exe
O4 - HKLM\..\Run: [Windows Time] winmgr.exe
O4 - HKLM\..\RunServices: [blah service] iexplorer.exe
O4 - HKLM\..\RunServices: [Windows Time] winmgr.exe
O4 - HKCU\..\Run: [Windows Time] winmgr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Please tell me if there is anything wrong in this log file.

Also do tell me how can I permanently remove these options from the Classic Start Menu :





Also please advise whether I should install Recovery Console as a Startup Option or not...

Thankx in advance !!
 
22-03-2005, 01:57 PM   #8
enoonmai

Quote:
Originally Posted by nipun_the_gr8
@enoonmai: Here is my latest HijackThis Log File :

Logfile of HijackThis v1.99.1
Scan saved at 11:50:31 AM, on 3/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\iexplorer.exe
D:\WINDOWS\System32\winmgr.exe

F:\Setups\Hijack This 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [blah service] iexplorer.exe
O4 - HKLM\..\Run: [Windows Time] winmgr.exe
O4 - HKLM\..\RunServices: [blah service] iexplorer.exe
O4 - HKLM\..\RunServices: [Windows Time] winmgr.exe
O4 - HKCU\..\Run: [Windows Time] winmgr.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Please tell me if there is anything wrong in this log file.

Also do tell me how can I permanently remove these options from the Classic Start Menu :





Also please advise whether I should install Recovery Console as a Startup Option or not...

Thankx in advance !!

First, hit Ctrl+Shift+Esc, and then navigate to the Task Manager>Processes tab and kill these processes:
iexplorer.exe
winmgr.exe

Once again, run HJT and select the entries in red and click Fix! Then download and run CleanUp! and also download Spybot Search and Destroy. When you install Spybot S&D, you will be given an option to install System Protection (TeaTimer.exe) and to leave it running at all times. Check the box and make sure the TeaTimer file runs at all times. If you have a system change, it will pop up with a message asking you to confirm/deny the change and keeping your system safe. Once you're done, search for these files and delete them from your system:
iexplorer.exe
winmgr.exe

To permanently remove Documents and Help and Support from the Classic Start Menu, click Start>Run and type in:
gpedit.msc
and then press enter. In the Group Policy Editor window that opens up, navigate to User Configuration>Administrative Templates>Start Menu and Taskbar. On the right side pane, you will have to click these two options and set their properties to "Enabled" and then click Apply/OK
Remove Documents Menu from Start Menu
Remove Help Menu from Start Menu
Quit the application and they should be gone.

And no, I wouldn't recommend you install Recovery Console as a startup option unless you really need it. Remember to keep Spybot S&D updated at all times. Also, every time you update, open the program's Immunize page and click the Immunize button at the top (not the one on the right) until you see an "All known bad products are blocked" message.

23-03-2005, 11:25 AM   #9
nipun_the_gr8

@enoonmai: THANK YOU VERY MUCH !!
 
29-03-2005, 11:39 AM   #10
nipun_the_gr8

I've noticed another service which starts as soon as I start my PC. Here is my HijackThis Log File :

Logfile of HijackThis v1.99.1
Scan saved at 11:18:04 AM, on 3/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Setups\Hijack This 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - D:\WINDOWS\System32\hwclock.exe

Please tell me what does the service in Bold alphabets do ??
 
29-03-2005, 11:53 AM   #11
digen

Quote:
This is a malware, or unsafe, program.

This file has been identified as malware (Spyware, Virus, Trojan, Worm, etc). You should immediately run a spyware removal program and an antivirus scanner. If that does not help, feel free to ask us for assistance in the forums.

Name: Hardware Clock Driver
Filename: HWCLOCK.EXE
Location: %System%
Description: Added by the W32/Hwbot-A WORM/IRC backdoor as a new service, its service name being Hwclock.
Startup Type: This startup entry is installed as a Windows NT, 2000, 2003, or XP service.
Service Name: Hwclock
Service Display Name: Hardware Clock Driver
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.

Try fixing it from HijackThis, restart the system & perform a scan again. Also perform a full scan from your anti-virus which I hope is fully updated. You can then perform a Spybot & MS anti-spyware scan just to be sure.
__________________
The protection of a machine is a process & not a given -Duane Arnold.
www.Oobertech.net
Look ma my blog http://techhub.blogspot.com/
digen is offline  
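
The by-eye triage done in the replies above (posts #2, #8 and #11), written out as an added example; this is not code from any poster or from HijackThis. The names `triage` and `SAMPLE_LOG` are made up for the example, the sample lines are copied from the three logs in this thread, and the four heuristics are assumptions that produce leads to check by hand, not verdicts.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis logs posted in this thread (three scans mixed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O1 - Hosts: 67.15.104.33 ibank.barclays.co.uk
O1 - Hosts: 67.15.104.33 www.nwolb.com
O1 - Hosts: 67.15.104.33 banesnet.banesto.es
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunServices: [Windows Service Support Call] SVSS32.EXE
O4 - HKLM\..\Run: [blah service] iexplorer.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - D:\WINDOWS\System32\hwclock.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - ...", "F2 - ..."
F2_VALUE = re.compile(r"(Shell|UserInit)=(.*)$", re.I)    # Winlogon overrides
O4_VALUE = re.compile(r"^(\S+): \[(.+?)\] (.+)$")         # key: [name] command
F2_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}
LOCAL_IPS = ("127.", "0.0.0.0", "::1")


def triage(log_text):
    """Return (code, reason, details) review leads for a HijackThis log."""
    leads, hosts = [], defaultdict(list)
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # header, running-process list or blank line
        code, body = entry.groups()
        if code == "F2" and (m := F2_VALUE.search(body)):
            # Anything besides the stock binary is started at every logon.
            expected = F2_EXPECTED[m.group(1).lower()]
            extra = [t for t in re.split(r"[,\s]+", m.group(2))
                     if t and t.rsplit("\\", 1)[-1].lower() != expected]
            if extra:
                leads.append((code, f"extra program chained to {m.group(1)}", extra))
        elif code == "O1" and body.startswith("Hosts:"):
            # Group hosts-file redirects by target address.
            fields = body.split()[1:]
            if len(fields) >= 2 and not fields[0].startswith(LOCAL_IPS):
                hosts[fields[0]].append(fields[1])
        elif code == "O4" and (m := O4_VALUE.match(body)):
            # Installed software registers a full path; a bare file name
            # relies on the search path (typically System32).
            key, _name, command = m.groups()
            if "\\" not in command:
                leads.append((code, f"autorun without a full path in {key}", [command]))
        elif code == "O23" and " - Unknown owner - " in body:
            leads.append((code, "service with no vendor information",
                          [body.rsplit(" - ", 1)[-1]]))
    for ip, names in hosts.items():
        leads.append(("O1", f"hosts file redirects {len(names)} name(s) to {ip}", names))
    return leads


if __name__ == "__main__":
    for code, reason, details in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {', '.join(details)}")
```

A legitimate entry can trip these rules (post #2 notes that nvsvc.exe can be the Nvidia service), so each lead still has to be checked against the file on disk before anything is fixed or deleted.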
30-03-2005, 11:46 AM   #12
nipun_the_gr8

Thankx digen !!
 
15-04-2005, 11:25 AM   #13
nipun_the_gr8

For some reason whenever I stop the hwclock.exe process in the Windows Task Manager, it reappears again as soon as I end it. As a result, I am unable to remove the virus.

Please Help !!
 
 
